Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ikiwiki-host...@packages.debian.org, t...@security.debian.org, Jonathan Nieder <jrnie...@gmail.com>, Simon McVittie <s...@debian.org>, car...@debian.org
Control: affects -1 + src:ikiwiki-hosting
User: release.debian....@packages.debian.org
Usertags: pu

Hi

We (security-team) plan to release an update of git fixing several CVEs, prepared by Jonathan Nieder and rebasing git version to 2.39.5 upstream, which uncovered regressions in both fcgiwrap (#1072394) and ikiwiki-hosting (cf. #1076751). They were triggered as well in autopkgtests with the prepared git/1:2.39.5-0+deb12u1 version.

We discussed this, if we should release the update for ikiwiki-hosting (real impact) and fcgiwrap (only autopkgtests) via a corresponding update or a proposed-update is enough. We propose the latter, and let it go through the upcoming point release.

Attached is the proposed debdiff for ikiwiki-hosting (note it still contains the debian/.gitignore removal; I would need to check why I could not properly exclude it).

I have not yet uploaded the package, but CC'ing Simon.

Regards,
Salvatore

diff -Nru ikiwiki-hosting-0.20220716/debian/.gitignore ikiwiki-hosting-0.20220716/debian/.gitignore --- ikiwiki-hosting-0.20220716/debian/.gitignore 2023-03-30 11:56:12.000000000 +0200 +++ ikiwiki-hosting-0.20220716/debian/.gitignore 1970-01-01 01:00:00.000000000 +0100 @@ -1,8 +0,0 @@ -*.debhelper -*.debhelper.log -*.substvars -/files -/ikiwiki-hosting-common/ -/ikiwiki-hosting-dns/ -/ikiwiki-hosting-web/ -/tmp/ diff -Nru ikiwiki-hosting-0.20220716/debian/changelog ikiwiki-hosting-0.20220716/debian/changelog --- ikiwiki-hosting-0.20220716/debian/changelog 2023-03-30 11:56:12.000000000 +0200 +++ ikiwiki-hosting-0.20220716/debian/changelog 2024-09-07 11:38:42.000000000 +0200 @@ -1,3 +1,13 @@ +ikiwiki-hosting (0.20220716-2+deb12u1) bookworm; urgency=medium + + [ Simon McVittie ] + * d/ikiwiki-hosting-web.{init,service}: Allow reading other users' repositories. + Each website's git repository is owned by its own uid, and the + git-daemon running as ikiwiki-anon needs to be able to read them all. + (Closes: #1076751) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 07 Sep 2024 11:38:42 +0200 + ikiwiki-hosting (0.20220716-2) unstable; urgency=medium * d/p/ikisite-backup-Create-the-bundle-as-the-site-s-user.patch: diff -Nru ikiwiki-hosting-0.20220716/debian/ikiwiki-hosting-web.init ikiwiki-hosting-0.20220716/debian/ikiwiki-hosting-web.init --- ikiwiki-hosting-0.20220716/debian/ikiwiki-hosting-web.init 2023-03-30 11:56:12.000000000 +0200 +++ ikiwiki-hosting-0.20220716/debian/ikiwiki-hosting-web.init 2024-09-07 11:37:47.000000000 +0200 
@@ -42,6 +42,10 @@ # 2 if daemon could not be started start-stop-daemon --start --chuid $gitdaemonuser:$gitdaemonuser --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ || return 1 + + export GIT_CONFIG_COUNT=1 + export GIT_CONFIG_KEY_0=safe.directory + export GIT_CONFIG_VALUE_0='*' start-stop-daemon --start --chuid $gitdaemonuser:$gitdaemonuser --quiet --make-pidfile --pidfile $PIDFILE --background --exec $DAEMON -- \ $DAEMON_ARGS \ || return 2 diff -Nru ikiwiki-hosting-0.20220716/debian/ikiwiki-hosting-web.service ikiwiki-hosting-0.20220716/debian/ikiwiki-hosting-web.service --- ikiwiki-hosting-0.20220716/debian/ikiwiki-hosting-web.service 2023-03-30 11:56:12.000000000 +0200 +++ ikiwiki-hosting-0.20220716/debian/ikiwiki-hosting-web.service 2024-09-07 11:37:47.000000000 +0200 @@ -9,6 +9,11 @@ User=ikiwiki-anon Group=ikiwiki-anon Restart=on-failure +# ikiwiki-anon needs to be willing to serve the git repositories of +# websites owned by each site-specific uid +Environment=GIT_CONFIG_COUNT=1 +Environment=GIT_CONFIG_KEY_0=safe.directory +Environment=GIT_CONFIG_VALUE_0=* [Install] WantedBy=multi-user.target
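
Review bot: In the first hunk, the deletion of debian/.gitignore (`@@ -1,8 +0,0 @@`) is unrelated to #1076751 and is not listed in the new changelog entry. Drop it from the upload so the debdiff carries only the safe.directory change, or add a changelog line for it if it has to stay.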
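
Review bot: In the ikiwiki-hosting-web.init hunk, the three `export GIT_CONFIG_*` lines sit between the `--test` call and the real start with no comment, while the .service hunk explains why they are needed; copy that comment here. The exports also stay set for everything the script runs after this point and replace any GIT_CONFIG_COUNT already present in the environment. Passing the three variables as assignments in front of the second start-stop-daemon command would limit them to git-daemon.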
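
Review bot: In the ikiwiki-hosting-web.service hunk, `GIT_CONFIG_VALUE_0=*` switches off git's repository ownership check for every path the git processes of this unit open, not only the site repositories the comment mentions. Extend the comment to say that the wildcard is intentional and why individual paths are not listed, so a later reader does not take it for an oversight.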