* Re: [devel] [#300834] DONE (try 2) logrotate.git=3.20.1-alt1
@ 2022-05-28 15:34 ` Dmitry V. Levin
2022-05-28 15:49 ` Alexey Gladkov
0 siblings, 1 reply; 3+ messages in thread
From: Dmitry V. Levin @ 2022-05-28 15:34 UTC (permalink / raw)
To: ALT Devel discussion list
On Sat, May 28, 2022 at 03:16:52PM +0000, Girar pender (legion) wrote:
> https://git.altlinux.org/tasks/archive/done/_293/300834/logs/events.2.1.log
>
> 2022-May-28 15:12:50 :: task #300834 for sisyphus resumed by legion:
> #100 build 3.20.1-alt1 from /people/legion/packages/logrotate.git fetched at 2022-May-28 15:05:28
[...]
> #100 logrotate 3.16.0-alt1.git35_6e8dfb8 -> 3.20.1-alt1
> Sat May 28 2022 Alexey Gladkov <legion@altlinux.ru> 3.20.1-alt1
> - New version (3.20.1).
> - Security fixes:
> - CVE-2022-1348: potential DoS from unprivileged users via the state file.
> 2022-May-28 15:13:29 :: logrotate: mentions vulnerabilities: CVE-2022-1348
Прикольно, что в нашем пакете эта уязвимость была устранена ещё в 2000 году:
* Tue Sep 19 2000 Dmitry V. Levin <ldv@> 3.3-ipl10mdk
- Moved %_localstatedir/logrotate.status --> %_localstatedir/logrotate/status
(and fixed perms).
--
ldv
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [devel] [#300834] DONE (try 2) logrotate.git=3.20.1-alt1
2022-05-28 15:34 ` [devel] [#300834] DONE (try 2) logrotate.git=3.20.1-alt1 Dmitry V. Levin
@ 2022-05-28 15:49 ` Alexey Gladkov
2022-05-28 16:07 ` Dmitry V. Levin
0 siblings, 1 reply; 3+ messages in thread
From: Alexey Gladkov @ 2022-05-28 15:49 UTC (permalink / raw)
To: ALT Linux Team development discussions
On Sat, May 28, 2022 at 06:34:00PM +0300, Dmitry V. Levin wrote:
> On Sat, May 28, 2022 at 03:16:52PM +0000, Girar pender (legion) wrote:
> > https://git.altlinux.org/tasks/archive/done/_293/300834/logs/events.2.1.log
> >
> > 2022-May-28 15:12:50 :: task #300834 for sisyphus resumed by legion:
> > #100 build 3.20.1-alt1 from /people/legion/packages/logrotate.git fetched at 2022-May-28 15:05:28
> [...]
> > #100 logrotate 3.16.0-alt1.git35_6e8dfb8 -> 3.20.1-alt1
> > Sat May 28 2022 Alexey Gladkov <legion@altlinux.ru> 3.20.1-alt1
> > - New version (3.20.1).
> > - Security fixes:
> > - CVE-2022-1348: potential DoS from unprivileged users via the state file.
> > 2022-May-28 15:13:29 :: logrotate: mentions vulnerabilities: CVE-2022-1348
>
> Прикольно, что в нашем пакете эта уязвимость была устранена ещё в 2000 году:
>
> * Tue Sep 19 2000 Dmitry V. Levin <ldv@> 3.3-ipl10mdk
> - Moved %_localstatedir/logrotate.status --> %_localstatedir/logrotate/status
> (and fixed perms).
Ну это был скорее объезд. Если использовать c другим state файлом, то
проблема оставалась.
--
Rgrds, legion
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [devel] [#300834] DONE (try 2) logrotate.git=3.20.1-alt1
2022-05-28 15:49 ` Alexey Gladkov
@ 2022-05-28 16:07 ` Dmitry V. Levin
0 siblings, 0 replies; 3+ messages in thread
From: Dmitry V. Levin @ 2022-05-28 16:07 UTC (permalink / raw)
To: devel
On Sat, May 28, 2022 at 05:49:43PM +0200, Alexey Gladkov wrote:
> On Sat, May 28, 2022 at 06:34:00PM +0300, Dmitry V. Levin wrote:
> > On Sat, May 28, 2022 at 03:16:52PM +0000, Girar pender (legion) wrote:
> > > https://git.altlinux.org/tasks/archive/done/_293/300834/logs/events.2.1.log
> > >
> > > 2022-May-28 15:12:50 :: task #300834 for sisyphus resumed by legion:
> > > #100 build 3.20.1-alt1 from /people/legion/packages/logrotate.git fetched at 2022-May-28 15:05:28
> > [...]
> > > #100 logrotate 3.16.0-alt1.git35_6e8dfb8 -> 3.20.1-alt1
> > > Sat May 28 2022 Alexey Gladkov <legion@altlinux.ru> 3.20.1-alt1
> > > - New version (3.20.1).
> > > - Security fixes:
> > > - CVE-2022-1348: potential DoS from unprivileged users via the state file.
> > > 2022-May-28 15:13:29 :: logrotate: mentions vulnerabilities: CVE-2022-1348
> >
> > Прикольно, что в нашем пакете эта уязвимость была устранена ещё в 2000 году:
> >
> > * Tue Sep 19 2000 Dmitry V. Levin <ldv@> 3.3-ipl10mdk
> > - Moved %_localstatedir/logrotate.status --> %_localstatedir/logrotate/status
> > (and fixed perms).
>
> Ну это был скорее объезд. Если использовать c другим state файлом, то
> проблема оставалась.
Это скорее другой подход к решению проблемы, чем просто объезд:
вместо того, чтобы следить за тем, как приложение работает с этим файлом,
просто убрать этот файл в недоступное для потенциального атакующего место.
Так всегда проще и надёжнее.
--
ldv
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-05-28 16:07 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-28 15:34 ` [devel] [#300834] DONE (try 2) logrotate.git=3.20.1-alt1 Dmitry V. Levin
2022-05-28 15:49 ` Alexey Gladkov
2022-05-28 16:07 ` Dmitry V. Levin
ALT Linux Team development discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/devel/0 devel/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 devel devel/ http://lore.altlinux.org/devel \
devel@altlinux.org devel@altlinux.ru devel@lists.altlinux.org devel@lists.altlinux.ru devel@linux.iplabs.ru mandrake-russian@linuxteam.iplabs.ru sisyphus@linuxteam.iplabs.ru
public-inbox-index devel
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.devel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git