Your message dated Sat, 18 Dec 2021 20:57:56 +0000
with message-id
<7c5e58422d4fd1d02cfae36eca731d5d90ba0743.ca...@adam-barratt.org.uk>
and subject line Closing bugs for p-u requests included in 11.2 (part the deux)
has caused the Debian Bug report #1000707,
regarding bullseye-pu: package keepalived/1:2.1.5-0.2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1000707: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000707
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
[ Reason ]
Keepalived ships a DBus policy allowing anyone to access and write any
properties. We want to restrict this policy to only impact the
properties owned by Keepalived.
[ Impact ]
Any user can read any DBus property and write any writable property.
[ Tests ]
Tested manually with:
dbus-send --print-reply --system --dest=org.freedesktop.nm_dispatcher \
/ org.freedesktop.DBus.Properties.Set \
string:com.example.Nope string:Nope variant:string:foo
Thanks to Simon McVittie for his help on this.
[ Risks ]
Very low. I think most people don't enable DBus support, so we are
unlikely to break anything.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Restrict allowed properties to org.keepalived.Vrrp1 destination.
[ Other info ]
- Real impact seems small as most properties are already readable and
are not writable.
- Security team is OK to use a point release to fix this.
9b4813899b1b
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
From 9b4813899b1bd0ba9b719f458d794534e9989d22 Mon Sep 17 00:00:00 2001
From: Vincent Bernat <ber...@debian.org>
Date: Sat, 27 Nov 2021 15:53:33 +0100
Subject: [PATCH] Fix shipped too broad DBus policy. CVE-2021-44225
---
debian/changelog | 6 ++++++
debian/patches/2063.patch | 38 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 45 insertions(+)
create mode 100644 debian/patches/2063.patch
diff --git a/debian/changelog b/debian/changelog
index 51ee7b25efc1..2491770e8103 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+keepalived (1:2.1.5-0.2+deb11u1) bullseye; urgency=medium
+
+ * Fix shipped too broad DBus policy. CVE-2021-44225.
+
+ -- Vincent Bernat <ber...@debian.org> Sat, 27 Nov 2021 15:51:39 +0100
+
keepalived (1:2.1.5-0.2) unstable; urgency=medium
* Non-maintainer upload.
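Review bot: The changelog entry names the CVE but not the behavioural change, so an administrator reading `apt changelog keepalived` cannot tell that the default-context D-Bus policy now only accepts messages addressed to org.keepalived.Vrrp1. Suggest a second line under the bullet, e.g. `Restrict the default-context allow rules to send_destination="org.keepalived.Vrrp1" (debian/patches/2063.patch).`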
diff --git a/debian/patches/2063.patch b/debian/patches/2063.patch
new file mode 100644
index 000000000000..ea9d40ec2115
--- /dev/null
+++ b/debian/patches/2063.patch
@@ -0,0 +1,38 @@
+From 7977fec0be89ae6fe87405b3f8da2f0b5e415e3d Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vinc...@bernat.ch>
+Date: Tue, 23 Nov 2021 06:50:59 +0100
+Subject: [PATCH] dbus: fix policy to not be overly broad
+
+The DBus policy did not restrict the message destination, allowing any
+user to inspect and manipulate any property.
+
+Signed-off-by: Vincent Bernat <vinc...@bernat.ch>
+---
+ keepalived/dbus/org.keepalived.Vrrp1.conf | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/keepalived/dbus/org.keepalived.Vrrp1.conf
b/keepalived/dbus/org.keepalived.Vrrp1.conf
+index 2b78a575c..b5ced6085 100644
+--- a/keepalived/dbus/org.keepalived.Vrrp1.conf
++++ b/keepalived/dbus/org.keepalived.Vrrp1.conf
+@@ -3,12 +3,15 @@
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+ <busconfig>
+ <policy user="root">
+- <allow own="org.keepalived.Vrrp1"/>
+- <allow send_destination="org.keepalived.Vrrp1"/>
++ <allow own="org.keepalived.Vrrp1" />
++ <allow send_destination="org.keepalived.Vrrp1" />
+ </policy>
+ <policy context="default">
+- <allow send_interface="org.freedesktop.DBus.Introspectable" />
+- <allow send_interface="org.freedesktop.DBus.Peer" />
+- <allow send_interface="org.freedesktop.DBus.Properties" />
++ <allow send_destination="org.keepalived.Vrrp1"
++ send_interface="org.freedesktop.DBus.Introspectable" />
++ <allow send_destination="org.keepalived.Vrrp1"
++ send_interface="org.freedesktop.DBus.Peer" />
++ <allow send_destination="org.keepalived.Vrrp1"
++ send_interface="org.freedesktop.DBus.Properties" />
+ </policy>
+ </busconfig>
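Review bot: Unprivileged senders keep `send_interface="org.freedesktop.DBus.Properties"` toward org.keepalived.Vrrp1, and that interface includes `Set`; the request itself notes most keepalived properties are read-only, but any writable one remains changeable by every local user after this patch, so consider narrowing the default-context rule with `send_member="Get"` / `send_member="GetAll"` and leaving `Set` to the `user="root"` policy. Separately, the embedded `diff --git a/keepalived/dbus/org.keepalived.Vrrp1.conf` header is split over two lines and the second half lacks its `+` prefix; confirm this is mail wrapping and that the committed debian/patches/2063.patch applies cleanly under quilt.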
diff --git a/debian/patches/series b/debian/patches/series
index e69de29bb2d1..c6683cd1715d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1 @@
+2063.patch
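Review bot: `2063.patch` says nothing about its content when someone reads the series file; Debian practice favours a descriptive name such as `fix-overly-broad-dbus-policy-CVE-2021-44225.patch` so the series is self-documenting. The index line `e69de29bb2d1` is the empty blob, confirming series was previously empty, so ordering relative to other patches is not a concern here.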
--
2.34.0
--- End Message ---
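As an added example, not part of the bug report and not keepalived's own code: a small Python audit that parses a D-Bus busconfig policy and flags the class of rule this update removes, namely an `<allow>` in a non-root policy that carries a `send_*` attribute but no `send_destination` (or `send_destination_prefix`), and therefore matches messages to any bus name. The two policies embedded in the script are transcribed from the hunk in 2063.patch (before and after); the function names `find_broad_allows` and `policy_label` are my own, and the script can also be pointed at real files such as those under `/etc/dbus-1/system.d/`.

```python
# Added example (not from the bug report or the keepalived project): audit a
# D-Bus busconfig policy for send rules that are not pinned to a destination.
# In a non-root <policy>, <allow send_interface="..."/> without a
# send_destination matches messages addressed to ANY bus name, which is the
# overly broad shape fixed by 2063.patch.
import sys
import xml.etree.ElementTree as ET

# Constructed from the "before" side of the hunk in 2063.patch.
POLICY_BEFORE = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.keepalived.Vrrp1"/>
    <allow send_destination="org.keepalived.Vrrp1"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.freedesktop.DBus.Introspectable" />
    <allow send_interface="org.freedesktop.DBus.Peer" />
    <allow send_interface="org.freedesktop.DBus.Properties" />
  </policy>
</busconfig>
"""

# Constructed from the "after" side of the same hunk.
POLICY_AFTER = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.keepalived.Vrrp1" />
    <allow send_destination="org.keepalived.Vrrp1" />
  </policy>
  <policy context="default">
    <allow send_destination="org.keepalived.Vrrp1"
           send_interface="org.freedesktop.DBus.Introspectable" />
    <allow send_destination="org.keepalived.Vrrp1"
           send_interface="org.freedesktop.DBus.Peer" />
    <allow send_destination="org.keepalived.Vrrp1"
           send_interface="org.freedesktop.DBus.Properties" />
  </policy>
</busconfig>
"""

# Attributes that pin a send rule to a specific destination name.
SEND_PINNING = {"send_destination", "send_destination_prefix"}


def policy_label(policy):
    """Human-readable identity of a <policy> element (context, user or group)."""
    for attr in ("context", "user", "group"):
        if policy.get(attr) is not None:
            return f'{attr}="{policy.get(attr)}"'
    return "unlabelled"


def find_broad_allows(busconfig_xml):
    """Return one finding per <allow> that grants sending without a destination
    pin, skipping the root policy (root is trusted by the bus anyway)."""
    root = ET.fromstring(busconfig_xml)
    findings = []
    for policy in root.iter("policy"):
        if policy.get("user") == "root":
            continue
        for allow in policy.findall("allow"):
            send_attrs = {k: v for k, v in allow.attrib.items() if k.startswith("send_")}
            # Not a send rule (e.g. own=, receive_*), or already pinned: fine.
            if not send_attrs or send_attrs.keys() & SEND_PINNING:
                continue
            attrs = " ".join(f'{k}="{v}"' for k, v in sorted(send_attrs.items()))
            findings.append(
                f"policy {policy_label(policy)}: <allow {attrs}/> reaches any destination"
            )
    return findings


if __name__ == "__main__":
    # With file arguments, audit those policy files; otherwise show the
    # before/after policies from 2063.patch.
    inputs = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [
        ("before", POLICY_BEFORE),
        ("after", POLICY_AFTER),
    ]
    for name, xml_text in inputs:
        hits = find_broad_allows(xml_text)
        print(f"{name}: {len(hits)} broad send rule(s)")
        for hit in hits:
            print("  " + hit)
```

dbus-daemon evaluates rules in order and a later `<deny>` in the same policy can narrow an earlier `<allow>`, which this audit does not model, so treat each hit as a candidate to read in context rather than a confirmed exposure. On the transcribed policies it reports the three unpinned interface rules in the old file and nothing in the patched one.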
--- Begin Message ---
Package: release.debian.org
Version: 11.2
Hi,
Each of the updates referenced by these requests was included in
today's bullseye point release, but my original closure mail failed to
correctly handle 7-digit bug numbers. Fixing that omission now.
Regards,
Adam
--- End Message ---