Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-security-supp...@packages.debian.org
Control: affects -1 + src:debian-security-support
Dear release team,
[ Reason ]
The reasons for this proposed update are:
* Fix two bugs already solved in bookworm (#986581 and #986333)
* Include samba in the list of packages with limited support (#1053109).
Currently, because of #986581 and #986333, d-d-s's check-support-status
silently ignores "golang*" packages, so users don't get any warning
about their limited support status.
[ Impact ]
Bullseye users will continue not to get any warning about the limited
support regarding the golang.* packages installed in their systems.
As for the samba-related change, without the upload, users will lose a
chance to get informed about its security support situation.
[ Tests ]
The changes include tests to verify #986581 and #986333 have been fixed.
I have also manually verified on a bullseye container how the current
and the proposed packages behave, and I can confirm the issues are
fixed, and I didn't identify any regression.
[ Risks ]
The relevant changes have been included in bookworm since its release. They
were fully included in 1:12+2021.09.30:
https://tracker.debian.org/news/1263114/accepted-debian-security-support-11220210930-source-into-unstable/
The only difference in check-support-status.in between the proposed
update and bookworm is:
git diff HEAD bookworm -- check-support-status.in
diff --git a/check-support-status.in b/check-support-status.in
index 3ebf5e9..86b080a 100755
--- a/check-support-status.in
+++ b/check-support-status.in
@@ -13,7 +13,7 @@ VERSION='[% VERSION %]'
# Oldest Debian version included in debian-security-support
DEB_LOWEST_VER_ID=9
# Version ID for next Debian stable
-DEB_NEXT_VER_ID=12
+DEB_NEXT_VER_ID=13
if [ -z "$DEBIAN_VERSION" ] ; then
DEBIAN_VERSION="$(cat /etc/debian_version | grep '[0-9.]' | cut -d. -f1)"
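Review bot: the `git diff HEAD bookworm` direction means the `-` line (`DEB_NEXT_VER_ID=12`) is the proposed bullseye package and the `+` line (`13`) is bookworm, i.e. a per-suite constant rather than a change this upload makes; saying so explicitly in the [ Risks ] text would stop a reader who skims the hunk from taking it for a divergence in the check logic.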
So the risk of regression is minimal.
Regarding the change adding samba to the list of packages with
limited support, that doesn't represent any risk.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
From d/changelog:
* Mark samba support limited to non-AD DC uses cases (Closes: #1053109)
The explanation is found here: https://www.debian.org/security/2021/dsa-5015
* Drop version-based check (Closes: #986581) and update test suite
accordingly. Backport changes made by Sylvain Beucler.
* Match ecosystems with limited support, test case updated. (Closes: #986333)
Backport changes by Sylvain Beucler.
These changes are reflected in check-support-status.in. The tests to
check them are found in t/check-support-status. To fix the relevant
bugs, the changes needed to remove a conditional that compared
against an installed version, a check that is kind of obsolete and
didn't make any sense when comparing against package name patterns.
Second, the changes included the fix to compare against a regex
pattern, and avoid misidentifying packages whose name would match
the non-optimal "golang*". And that is the reason for:
* Use golang.* (as regex) instead of golang* in security-support-limited
[ Other info ]
N/A
Cheers,
-- Santiago
diff -Nru debian-security-support-11+2023.05.04/check-support-status.in
debian-security-support-11+2023.10.17/check-support-status.in
--- debian-security-support-11+2023.05.04/check-support-status.in
2023-05-04 14:27:19.000000000 -0300
+++ debian-security-support-11+2023.10.17/check-support-status.in
2023-10-17 13:08:20.000000000 -0300
@@ -175,12 +175,11 @@
# Create intersection
LEFT="$TEMPDIR/left"
-RIGHT="$TEMPDIR/right"
INTERSECTION_LIST="$TEMPDIR/intersection"
[% AWK %] -F'\t' '{print $3}' "$INSTALLED_LIST" | LC_ALL=C sort -u >"$LEFT"
-grep -v '^#' "$LIST" | LC_ALL=C sort | [% AWK %] '{print $1}' >"$RIGHT"
+PATTERNS=$(grep -vP '^(#|$)' "$LIST" | [% AWK %] '{print $1}' | paste -sd'|')
-LC_ALL=C comm -12 "$LEFT" "$RIGHT" >"$INTERSECTION_LIST"
+LC_ALL=C grep -P -x -e "$PATTERNS" "$LEFT" >"$INTERSECTION_LIST" || true
if [ ! -s "$INTERSECTION_LIST" ] ; then
# nothing to do
exit 0
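Review bot: every first-column entry of `$LIST` is now interpreted as a PCRE and joined with `|`, so a source name containing regex metacharacters (`+`, `.`, `(`) will no longer match itself unless it is escaped, and a malformed entry makes grep exit 2, which the trailing `|| true` on `LC_ALL=C grep -P -x -e "$PATTERNS" "$LEFT"` silently turns into an empty intersection and "nothing to do" (exit 0). Suggest documenting the regex semantics in the list files' header comment (or escaping literal entries), and treating grep exit status 2 as a failure rather than as no match.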
@@ -190,9 +189,14 @@
mkdir -p "$TD"
cat "$INTERSECTION_LIST" | while read SRC_NAME ; do
+ LINE=$(grep -vP '^(#|$)' "$LIST" | while read pattern rest ; do
+ if echo $SRC_NAME | grep -q -P -x -e "$pattern" ; then
+ echo "$pattern $rest"
+ break
+ fi
+ done)
IFS="$(printf '\nx')"
IFS="${IFS%x}"
- LINE="$([% AWK %] '($1=="'"$SRC_NAME"'"){print}' "$LIST" | head -1)"
case "$TYPE" in
earlyend)
TMP_WHEN="$(echo "$LINE" | [% AWK %] '{print $3}')"
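Review bot: the inner `while read pattern rest` relies on IFS containing tab/space to split the list line, but two lines later the same outer loop body sets `IFS="$(printf '\nx')"` / `IFS="${IFS%x}"`; unless IFS is restored later in the loop (not visible in this hunk), the second and later `SRC_NAME` iterations will read the whole line into `pattern`, the `grep -x` will not match, and `LINE` will be empty. Also quote `"$SRC_NAME"` in `echo $SRC_NAME | grep -q -P -x -e "$pattern"` to avoid word splitting and globbing, and note that `echo "$pattern $rest"` replaces the original separator with a single space, which is fine for the later `awk '{print $3}'` but no longer reproduces the list line verbatim.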
@@ -256,34 +260,28 @@
esac
# for earlyend and ended, check packages actually affected (if
TMP_WHEN not null)
if [ -n "$TMP_WHEN" ] || [ "$TYPE" = limited ] ; then
- if \
- [ -z "$ALERT_VERSION" ] ||
- [ "$BIN_VERSION" = "$ALERT_VERSION" ] ||
- dpkg --compare-versions "$BIN_VERSION" '<=' "$ALERT_VERSION"
- then
- # need to alert, but check status db first
- TOKEN="$BIN_NAME/$BIN_VERSION"
- if [ "$STATUSDB_FILE" ] && [ -f "$STATUSDB_FILE" ]; then
- if grep -qFx "$TOKEN" "$STATUSDB_FILE" ; then
- continue
- fi
+ # need to alert, but check status db first
+ TOKEN="$BIN_NAME/$BIN_VERSION"
+ if [ "$STATUSDB_FILE" ] && [ -f "$STATUSDB_FILE" ]; then
+ if grep -qFx "$TOKEN" "$STATUSDB_FILE" ; then
+ continue
+ fi
+ fi
+ echo "$BIN_NAME $BIN_VERSION" >>"$TD/$SRC_NAME.bin"
+ echo "$ALERT_VERSION" >"$TD/$SRC_NAME.version"
+ echo "$ALERT_WHEN" >"$TD/$SRC_NAME.when"
+ echo "$ALERT_WHY" >"$TD/$SRC_NAME.why"
+ if [ "$STATUSDB_FILE" ] ; then
+ # add to status db, remove any older entries
+ if [ -f "$STATUSDB_FILE" ]; then
+ TEMPFILE="$(mktemp --tmpdir="$(dirname "$STATUSDB_FILE")")"
+ [% AWK %] -F/ '($1!="'"$BIN_NAME"'"){print}' \
+ <"$STATUSDB_FILE" >"$TEMPFILE"
+ mv "$TEMPFILE" "$STATUSDB_FILE"
fi
- echo "$BIN_NAME $BIN_VERSION" >>"$TD/$SRC_NAME.bin"
- echo "$ALERT_VERSION" >"$TD/$SRC_NAME.version"
- echo "$ALERT_WHEN" >"$TD/$SRC_NAME.when"
- echo "$ALERT_WHY" >"$TD/$SRC_NAME.why"
- if [ "$STATUSDB_FILE" ] ; then
- # add to status db, remove any older entries
- if [ -f "$STATUSDB_FILE" ]; then
- TEMPFILE="$(mktemp --tmpdir="$(dirname
"$STATUSDB_FILE")")"
- [% AWK %] -F/ '($1!="'"$BIN_NAME"'"){print}' \
- <"$STATUSDB_FILE" >"$TEMPFILE"
- mv "$TEMPFILE" "$STATUSDB_FILE"
- fi
- echo "$TOKEN" >>"$STATUSDB_FILE"
- fi # maintain status db
- fi # package BIN_NAME's version is not supported
- fi
+ echo "$TOKEN" >>"$STATUSDB_FILE"
+ fi # maintain status db
+ fi # package BIN_NAME's version is not supported
done # read binary name and version for matching source name
done # each source package from intersection
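Review bot: the closing comment `fi # package BIN_NAME's version is not supported` is now stale, since the condition it closes is `[ -n "$TMP_WHEN" ] || [ "$TYPE" = limited ]` and no version comparison remains; reword it to describe that condition. With `dpkg --compare-versions` gone, every installed version of a listed source is reported, including versions newer than `$ALERT_VERSION`, which is what #986581 asks for, but `$ALERT_VERSION` is still written to `$TD/$SRC_NAME.version` and shown to the user, so the report text should make clear that the listed version is informational rather than a threshold.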
diff -Nru debian-security-support-11+2023.05.04/debian/changelog
debian-security-support-11+2023.10.17/debian/changelog
--- debian-security-support-11+2023.05.04/debian/changelog 2023-05-04
14:27:19.000000000 -0300
+++ debian-security-support-11+2023.10.17/debian/changelog 2023-10-17
13:08:20.000000000 -0300
@@ -1,3 +1,15 @@
+debian-security-support (1:11+2023.10.17) bullseye; urgency=medium
+
+ * Team upload.
+ * Mark samba support limited to non-AD DC uses cases (Closes: #1053109)
+ * Drop version-based check (Closes: #986581) and update test suite
+ accordingly. Backport changes made by Sylvain Beucler.
+ * Match ecosystems with limited support, test case updated. (Closes: #986333)
+ Backport changes by Sylvain Beucler.
+ * Use golang.* (as regex) instead of golang* in security-support-limited
+
+ -- Santiago Ruano Rincón <santi...@freexian.com> Tue, 17 Oct 2023 13:08:20
-0300
+
debian-security-support (1:11+2023.05.04) bullseye-updates; urgency=medium
[ Holger Levsen ]
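Review bot: "non-AD DC uses cases" in the samba entry should read "use cases". The distribution field also changes from `bullseye-updates` in the previous entry to `bullseye` here; that is expected for a proposed-update request, but a word about it in the cover letter would save the release team from reading it as a mix-up.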
diff -Nru debian-security-support-11+2023.05.04/security-support-limited
debian-security-support-11+2023.10.17/security-support-limited
--- debian-security-support-11+2023.05.04/security-support-limited
2023-05-04 14:27:19.000000000 -0300
+++ debian-security-support-11+2023.10.17/security-support-limited
2023-10-17 13:08:20.000000000 -0300
@@ -11,7 +11,7 @@
cython Only included for building packages, not running them, #975058
ganglia See README.Debian.security, only supported behind an
authenticated HTTP zone, #702775
ganglia-web See README.Debian.security, only supported behind an
authenticated HTTP zone, #702776
-golang* See
https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#golang-static-linking
+golang.* See
https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#golang-static-linking
gnupg1 See #982258 and
https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg
kde4libs khtml has no security support upstream, only for use on
trusted content
khtml khtml has no security support upstream, only for use on
trusted content, see #1004293
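Review bot: with the match now an anchored PCRE, `golang.*` matches the bare source `golang` and every source whose name begins with `golang`, which is the intended scope; the other entries in this file (`kde4libs`, `khtml`, `gnupg1`, ...) contain no metacharacters, but a header comment stating that the first column is a whole-name regex would keep a future entry containing `+` or `.` from silently failing to match.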
@@ -24,5 +24,6 @@
qtwebengine-opensource-src No security support upstream and backports not
feasible, only for use on trusted content
qtwebkit No security support upstream and backports not feasible, only
for use on trusted content
qtwebkit-opensource-src No security support upstream and backports not
feasible, only for use on trusted content
+samba Only non-AD Domain Controller use cases are supported. See
https://lists.debian.org/debian-security-announce/2023/msg00169.html
sql-ledger Only supported behind an authenticated HTTP zone
zoneminder See README.Debian.security, only supported behind an
authenticated HTTP zone, #922724
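Review bot: the samba entry points at the 2023 debian-security-announce message (msg00169) while the cover letter cites DSA-5015 from 2021 as the explanation; choose one reference, or cite both, so that the user reading check-support-status output and the reader of this request see the same justification for the non-AD DC limitation.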
diff -Nru debian-security-support-11+2023.05.04/t/check-support-status.t
debian-security-support-11+2023.10.17/t/check-support-status.t
--- debian-security-support-11+2023.05.04/t/check-support-status.t
2023-05-04 14:27:19.000000000 -0300
+++ debian-security-support-11+2023.10.17/t/check-support-status.t
2023-10-17 13:08:20.000000000 -0300
@@ -208,6 +208,7 @@
iceweasel 3.5.16-20 2013-05-01
base-files 6.0squeeze9 2014-05-01 Some spaced explanation
debconf 1.5.36.0 2014-05-02
+node-.* 0 2020-02-20
https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8
openjdk-6 6b35-1.13.7-1~deb7u1 2031-05-23 No perpetual term support
__EOS__
write_file ($list_limited, <<__EOS__);
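Review bot: the `node-.*	0	2020-02-20` test entry exercises only the regex path: since this upload drops the version comparison, the `0` is informational and is not compared against `0.3.2+dfsg-1`; a comment saying so would stop a later reader from assuming the test checks version ordering.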
@@ -221,6 +222,9 @@
[ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
[ 'ioi', 'php5', '5.3.3-7+squeeze19' ],
[ 'ioi', 'openjdk-6-jre', '6b35-1.13.7-1~deb7u1', 'openjdk-6' ],
+ [ 'ioi', 'supported-package', '1.0-1' ],
+ [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
+ [ 'ioi', 'libjs-marked', '0.3.2+dfsg-1', 'node-marked' ],
],
);
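Review bot: `supported-package` / `supported-package-bin2` appear in none of the lists, so they cover the negative case of the new regex intersection (an unlisted installed source produces no output); a one-line comment naming that purpose would help, because the fixture name alone does not say whether a match is expected.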
@@ -238,6 +242,16 @@
Affected binary package:
- base-files (installed version: 6.0squeeze9)
+* Source:debconf, ended on 2014-05-02 at version 1.5.36.0
+ Affected binary packages:
+ - debconf (installed version: 1.5.36.1)
+ - debconf-i18n (installed version: 1.5.36.1)
+
+* Source:node-marked, ended on 2020-02-20 at version 0
+ Details:
https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8
+ Affected binary package:
+ - libjs-marked (installed version: 0.3.2+dfsg-1)
+
* Source:php5
Details: See README.Debian.security for the PHP security policy
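Review bot: the new `Source:debconf, ended on 2014-05-02 at version 1.5.36.0` block with `debconf (installed version: 1.5.36.1)` is the regression test for #986581 (an installed version newer than the listed one is still reported); a comment naming the bug next to it would make that intent explicit, as would one noting that the position of the `node-marked` block pins the sorted output order.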
@@ -260,6 +274,9 @@
my $got = read_file ($statusdb_file);
my $expect = <<__EOS__;
base-files/6.0squeeze9
+debconf/1.5.36.1
+debconf-i18n/1.5.36.1
+libjs-marked/0.3.2+dfsg-1
php5/5.3.3-7+squeeze19
openjdk-6-jre/6b35-1.13.7-1~deb7u1
__EOS__
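Review bot: the statusdb expectation is in append order (`libjs-marked/...` before `php5/...`, `openjdk-6-jre` last), not sorted; the intersection now comes from `grep` over the sorted `$LEFT` file rather than from `comm`, so if iteration order ever changes this test fails for ordering alone. Consider comparing the status db as a sorted set.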
@@ -299,8 +316,8 @@
$query_list,
[
[ 'ioi', 'base-files', '6.0squeeze9' ],
- [ 'ioi', 'debconf', '1.5.36.1' ],
- [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
+ [ 'ioi', 'supported-package', '1.0-1' ],
+ [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
],
);
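Review bot: swapping `debconf` for `supported-package` in the no-output cases is required because debconf now raises an "ended" alert once the version comparison is dropped; the same two-line substitution recurs in the following five hunks, so factoring the neutral package pair into one shared fixture variable would keep it in a single place.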
@@ -543,8 +560,8 @@
$query_list,
[
[ 'doc', 'base-files', '6.0squeeze9' ],
- [ 'ioi', 'debconf', '1.5.36.1' ],
- [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
+ [ 'ioi', 'supported-package', '1.0-1' ],
+ [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
],
);
@@ -586,8 +603,8 @@
$query_list,
[
[ 'ioi', 'base-files', '6.0squeeze9' ],
- [ 'ioi', 'debconf', '1.5.36.1' ],
- [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
+ [ 'ioi', 'supported-package', '1.0-1' ],
+ [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
],
);
@@ -772,9 +789,9 @@
$query_list,
[
[ 'ioi', 'base-files', '6.0squeeze9' ],
- [ 'ioi', 'debconf', '1.5.36.1' ],
- [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
[ 'ioi', 'openjdk-6-jre', '6b35-1.13.7-1~deb7u1', 'openjdk-6' ],
+ [ 'ioi', 'supported-package', '1.0-1' ],
+ [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
],
);
@@ -834,8 +851,8 @@
mock_query_list (
$query_list,
[
- [ 'ioi', 'debconf', '1.5.36.1' ],
- [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ],
+ [ 'ioi', 'supported-package', '1.0-1' ],
+ [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ],
],
);