Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate

2019-05-09 Thread Kentaro Hayashi
Hi, On Wed, 8 May 2019 20:32:53 +0200 Salvatore Bonaccorso wrote: > Hi, > > [please always include team@security.d.o so any team member can > reply] > I've got it, thanks. > On Wed, May 08, 2019 at 12:03:49PM +0900, Hideki Yamane wrote: > > Hi Salvatore, > > > > Can you follow his ques

Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate

2019-05-08 Thread Salvatore Bonaccorso
Hi, [please always include team@security.d.o so any team member can reply] On Wed, May 08, 2019 at 12:03:49PM +0900, Hideki Yamane wrote: > Hi Salvatore, > > Can you follow his question? I guess the Debian revision should be > 6.1.5-1+deb9u1, but others are okay. I think updating groonga via

Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate

2019-05-07 Thread Hideki Yamane
Hi Salvatore, Can you follow his question? I guess the Debian revision should be 6.1.5-1+deb9u1, but others are okay. On Tue, 7 May 2019 23:15:58 +0900 Kentaro Hayashi wrote: > I maintain the Groonga package as a DM, so I want to fix #928304. > But I've never uploaded a package to stable before, so I n

Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate

2019-05-07 Thread Kentaro Hayashi
Hi, I maintain the Groonga package as a DM, so I want to fix #928304. But I've never uploaded a package to stable before, so I need help to do it in a good manner. I've attached a debdiff against the current version. Is it OK to upload to stretch-security? diff -Nru groonga-6.1.5/debian/changelog groonga-6.1.

Processed: Re: Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate

2019-05-01 Thread Debian Bug Tracking System
Processing control commands: > retitle -1 groonga-httpd: Privilege escalation due to insecure use of > logrotate (CVE-2019-11675) Bug #928304 [groonga-httpd] groonga-httpd: Privilege escalation due to insecure use of logrotate Changed Bug title to 'groonga-httpd: Privilege escalation due to inse

Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate

2019-05-01 Thread Salvatore Bonaccorso
Control: retitle -1 groonga-httpd: Privilege escalation due to insecure use of logrotate (CVE-2019-11675) On Wed, May 01, 2019 at 05:29:58PM +0200, Wolfgang Hotwagner wrote: > Package: groonga-httpd > Version: 6.1.5-1 > Severity: critical > Tags: security > Justification: root security hole > >

Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate

2019-05-01 Thread Wolfgang Hotwagner
Package: groonga-httpd Version: 6.1.5-1 Severity: critical Tags: security Justification: root security hole Dear Maintainer, The path of the log directory of groonga-httpd can be manipulated by user groonga: ls -l /var/log/groonga total 8 -rw-r--r-- 1 root root 1296 Apr 25 18:44 groonga.log