Univention Bugzilla – Bug 51927
bacula: Multiple issues (4.4)
Last modified: 2020-09-02 11:40:05 CEST
New Debian bacula 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702 fixes:

This update addresses the following issue:

* 7.4.4+dfsg-6+deb9u1 (Sun, 04 Mar 2018 12:49:11 +0100)
  [Sven Hartge]
  * Let PID files be owned by root. Mitigates a minor security problem similar to CVE 2017-14610. Note that this change disables automatic tracebacks.
  [Carsten Leonhardt]
  * Added transitional package bacula-director-common, the old leftover package can't be safely purged otherwise (it deletes /etc/bacula/bacula-dir.conf in postrm which now belongs to the bacula-director package). For the case when the package bacula-director-common is deinstalled but not purged, we neutralize the offending postrm script when upgrading bacula-common. (Closes: #880529)
* In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10. (CVE-2020-11061)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/bacula_7.4.4+dfsg-6A~4.3.0.201711271918.dsc +++ apt/ucs_4.4-0-errata4.4-5/source/bacula_7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702.dsc @@ -1,7 +1,29 @@ -7.4.4+dfsg-6A~4.3.0.201711271918 [Mon, 27 Nov 2017 19:25:24 +0100] Univention builddaemon <buildd@univention.de>: +7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702 [Sun, 30 Aug 2020 17:24:44 +0200] Univention builddaemon <buildd@univention.de>: - * UCS auto build. The following patches have been applied to the original source package - 01-check-ucr-autostart + * UCS auto build. No patches were applied to the original source package + +7.4.4+dfsg-6+deb9u2 [Wed, 26 Aug 2020 20:03:02 +0200] Thorsten Alteholz <debian@alteholz.de>: + + * Non-maintainer upload by the LTS Team. + * CVE-2020-11061 + oversized digest strings allow a malicious client to cause + a heap overflow in the director's memory + +7.4.4+dfsg-6+deb9u1 [Sun, 04 Mar 2018 12:49:11 +0100] Carsten Leonhardt <leo@debian.org>: + + [Sven Hartge] + * Let PID files be owned by root. Mitigates a minor security problem + similar to CVE 2017-14610. Note that this change disables automatic + tracebacks. + + [Carsten Leonhardt] + * Added transitional package bacula-director-common, the old leftover + package can't be safely purged otherwise (it deletes + /etc/bacula/bacula-dir.conf in postrm which now belongs to the + bacula-director package). For the case when the package + bacula-director-common is deinstalled but not purged, we neutralize + the offending postrm script when upgrading bacula-common. (Closes: + #880529) 7.4.4+dfsg-6 [Sun, 26 Feb 2017 13:39:25 +0100] Carsten Leonhardt <leo@debian.org>: <http://10.200.17.11/4.4-5/#8240180960809977308>
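Review bot: the new top entry reads "No patches were applied to the original source package", while the entry it replaces listed 01-check-ucr-autostart, and nothing in this changelog says why that patch is gone. Record the reason in the changelog or the erratum text and confirm that the UCR autostart check the patch name refers to is covered elsewhere, so the update for CVE-2020-11061 does not also change service start behaviour unnoticed.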
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts

01-check-ucr-autostart was deliberately dropped as it is no longer needed with the generic UCR module "autostart", which enables/disables and masks/unmasks the systemd.services as needed. It is already removed in UCS-5.

univention-bacula: /etc/univention/service.info/services/univention-bacula.cfg contains the right declarations (but this will not work for Bacula-FileDaemon on clients and/or if Bacula-StorageDaemon is installed on a separate server than Bacula-Director).

I manually verified that
  ucr set bacula/sd/autostart=no bacula/fd/autostart=no bacula/dir/autostart=no
  ucr unset bacula/sd/autostart bacula/fd/autostart bacula/dir/autostart
both work.

[4.4-5] fa3bd6dc5b Bug #51927: bacula 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702
 doc/errata/staging/bacula.yaml | 211 +----------------------------------------
 1 file changed, 5 insertions(+), 206 deletions(-)

[4.4-5] 8e7a7b66c7 Bug #51927: bacula 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702
 doc/errata/staging/bacula.yaml | 216 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 216 insertions(+)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/bacula_7.4.4+dfsg-6A~4.3.0.201711271918.dsc +++ apt/ucs_4.4-0-errata4.4-5/source/bacula_7.4.4+dfsg-6+deb9u2A~4.4.0.202008310852.dsc @@ -1,7 +1,30 @@ -7.4.4+dfsg-6A~4.3.0.201711271918 [Mon, 27 Nov 2017 19:25:24 +0100] Univention builddaemon <buildd@univention.de>: +7.4.4+dfsg-6+deb9u2A~4.4.0.202008310852 [Mon, 31 Aug 2020 08:52:00 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 01-check-ucr-autostart + +7.4.4+dfsg-6+deb9u2 [Wed, 26 Aug 2020 20:03:02 +0200] Thorsten Alteholz <debian@alteholz.de>: + + * Non-maintainer upload by the LTS Team. + * CVE-2020-11061 + oversized digest strings allow a malicious client to cause + a heap overflow in the director's memory + +7.4.4+dfsg-6+deb9u1 [Sun, 04 Mar 2018 12:49:11 +0100] Carsten Leonhardt <leo@debian.org>: + + [Sven Hartge] + * Let PID files be owned by root. Mitigates a minor security problem + similar to CVE 2017-14610. Note that this change disables automatic + tracebacks. + + [Carsten Leonhardt] + * Added transitional package bacula-director-common, the old leftover + package can't be safely purged otherwise (it deletes + /etc/bacula/bacula-dir.conf in postrm which now belongs to the + bacula-director package). For the case when the package + bacula-director-common is deinstalled but not purged, we neutralize + the offending postrm script when upgrading bacula-common. (Closes: + #880529) 7.4.4+dfsg-6 [Sun, 26 Feb 2017 13:39:25 +0100] Carsten Leonhardt <leo@debian.org>: <http://10.200.17.11/4.4-5/#6458885291489310283>
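Review bot: the rebuilt version in the `+` header line, 7.4.4+dfsg-6+deb9u2A~4.4.0.202008310852, sorts lower under dpkg version comparison than the earlier build 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702 (the component after "A~4.4." is 0 against 5), even though its build date is later. Confirm that the A~4.4.5 build never reached a repository that hosts install from; otherwise those hosts will not move to this build, which is the one that keeps 01-check-ucr-autostart.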
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts only purge errors

[4.4-5] 469989e0f4 Bug #51927: bacula 7.4.4+dfsg-6+deb9u2A~4.4.0.202008310852
 doc/errata/staging/bacula.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.4-5] fa3bd6dc5b Bug #51927: bacula 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702
 doc/errata/staging/bacula.yaml | 211 +----------------------------------------
 1 file changed, 5 insertions(+), 206 deletions(-)

[4.4-5] 8e7a7b66c7 Bug #51927: bacula 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702
 doc/errata/staging/bacula.yaml | 216 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 216 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x726>