Bug 51927 - bacula: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
P5 normal
UCS 4.4-5-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks:
Reported: 2020-08-30 17:24 CEST by Quality Assurance
Modified: 2020-09-02 11:40 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 0.0 () NVD


Description Quality Assurance univentionstaff 2020-08-30 17:24:30 CEST
New Debian bacula 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702 fixes:
This update addresses the following issue:

* 7.4.4+dfsg-6+deb9u1 (Sun, 04 Mar 2018 12:49:11 +0100)
  [Sven Hartge]
  * Let PID files be owned by root. Mitigates a minor security problem similar to CVE 2017-14610. Note that this change disables automatic tracebacks.
  [Carsten Leonhardt]
  * Added transitional package bacula-director-common, the old leftover package can't be safely purged otherwise (it deletes /etc/bacula/bacula-dir.conf in postrm which now belongs to the bacula-director package). For the case when the package bacula-director-common is deinstalled but not purged, we neutralize the offending postrm script when upgrading bacula-common. (Closes: #880529)
* In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10. (CVE-2020-11061)
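A practitioner checking a UCS 4.4 host for this erratum wants to know whether the installed bacula packages are at or above the fixed version named above, 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702. The following is an added example, not code from the bug report, Univention or Debian: it re-implements dpkg's version ordering (epoch, upstream part, Debian revision; `~` sorts before the empty string, letters before `+` and `.`) in Python so the check runs without python-apt, and runs it over constructed sample output in the shape of `dpkg-query -W -f='${Package} ${Version}\n' 'bacula-*'`. The sample lines are made up for the example; only the package names and version strings are taken from this bug. The same comparison also shows that the rebuilt version from Comment 3, 7.4.4+dfsg-6+deb9u2A~4.4.0.202008310852, sorts below the first staged build, because dpkg compares the 4.4.0/4.4.5 component before the timestamp.

```python
"""Check whether installed bacula packages carry the CVE-2020-11061 fix.

Added example, not part of the bug report. It re-implements the version
ordering of dpkg --compare-versions so it runs without python-apt.
FIXED_VERSION is the erratum version named in the bug; the dpkg-query
output below is constructed sample data, not captured from a real host.
"""

DIGITS = "0123456789"
FIXED_VERSION = "7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702"


def _order(c: str) -> int:
    """Weight of one non-digit character as dpkg defines it ('' = end of string)."""
    if c == "" or c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even the end of the string
    return ord(c) + 256    # other punctuation ('+', '.', '-') sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's alternating non-digit / digit comparison of two version fragments."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights position by position.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return <0, 0 or >0, like dpkg --compare-versions lt / eq / gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the erratum version."""
    return compare_versions(installed, fixed) >= 0


def audit(dpkg_query_output: str, fixed: str = FIXED_VERSION) -> dict:
    """Map package name -> fixed? from lines of 'dpkg-query -W -f=${Package} ${Version}\\n'."""
    result = {}
    for line in dpkg_query_output.splitlines():
        if not line.strip():
            continue
        pkg, version = line.split()
        result[pkg] = is_fixed(version, fixed)
    return result


# Constructed sample output for two hosts (not captured from a real system):
# one still on the UCS 4.3 build, one on the erratum build from this bug.
SAMPLE_OLD = """bacula-director 7.4.4+dfsg-6A~4.3.0.201711271918
bacula-fd 7.4.4+dfsg-6A~4.3.0.201711271918
"""
SAMPLE_NEW = """bacula-director 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702
bacula-fd 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702
"""

if __name__ == "__main__":
    for name, sample in (("old host", SAMPLE_OLD), ("new host", SAMPLE_NEW)):
        print(name, audit(sample))
    print("rebuild from Comment 3 sorts below first build:",
          compare_versions("7.4.4+dfsg-6+deb9u2A~4.4.0.202008310852", FIXED_VERSION) < 0)
```

On a real host, replace the constructed samples with the actual `dpkg-query` output and treat any `False` as an unpatched director, file daemon or storage daemon; note that the verdict is only as good as the fixed-version string you pass in, so take it from the erratum announcement, not from memory.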
Comment 1 Quality Assurance univentionstaff 2020-08-30 19:00:27 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/bacula_7.4.4+dfsg-6A~4.3.0.201711271918.dsc
+++ apt/ucs_4.4-0-errata4.4-5/source/bacula_7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702.dsc
@@ -1,7 +1,29 @@
-7.4.4+dfsg-6A~4.3.0.201711271918 [Mon, 27 Nov 2017 19:25:24 +0100] Univention builddaemon <buildd@univention.de>:
+7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702 [Sun, 30 Aug 2020 17:24:44 +0200] Univention builddaemon <buildd@univention.de>:
 
-  * UCS auto build. The following patches have been applied to the original source package
-    01-check-ucr-autostart
+  * UCS auto build. No patches were applied to the original source package
+
+7.4.4+dfsg-6+deb9u2 [Wed, 26 Aug 2020 20:03:02 +0200] Thorsten Alteholz <debian@alteholz.de>:
+
+  * Non-maintainer upload by the LTS Team. 
+  * CVE-2020-11061
+    oversized digest strings allow a malicious client to cause
+    a heap overflow in the director's memory
+ 
+7.4.4+dfsg-6+deb9u1 [Sun, 04 Mar 2018 12:49:11 +0100] Carsten Leonhardt <leo@debian.org>:
+
+  [Sven Hartge]
+  * Let PID files be owned by root. Mitigates a minor security problem
+    similar to CVE 2017-14610. Note that this change disables automatic
+    tracebacks.
+
+  [Carsten Leonhardt]
+  * Added transitional package bacula-director-common, the old leftover
+    package can't be safely purged otherwise (it deletes
+    /etc/bacula/bacula-dir.conf in postrm which now belongs to the
+    bacula-director package). For the case when the package
+    bacula-director-common is deinstalled but not purged, we neutralize
+    the offending postrm script when upgrading bacula-common. (Closes:
+    #880529)
 
 7.4.4+dfsg-6 [Sun, 26 Feb 2017 13:39:25 +0100] Carsten Leonhardt <leo@debian.org>:
 
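Review bot: the replacement line "+  * UCS auto build. No patches were applied to the original source package" silently drops 01-check-ucr-autostart, which the removed lines directly above show the previous 4.3 build carried; if the patch is obsolete, the UCS changelog entry should say so and the bacula/*/autostart handling should be re-verified on a build without it, otherwise it needs to be re-applied before this package replaces the old one.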

<http://10.200.17.11/4.4-5/#8240180960809977308>
Comment 2 Philipp Hahn univentionstaff 2020-08-31 08:21:49 CEST
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
  01-check-ucr-autostart was deliberately dropped as it is no longer needed
  with the generic UCR module "autostart", which enables/disables and masks/unmasks
  the systemd services as needed. It is already removed in UCS-5.
  univention-bacula:
  /etc/univention/service.info/services/univention-bacula.cfg contains the right
  declarations (but this will not work for Bacula-FileDaemon on clients and/or
  if Bacula-StorageDaemon is installed on a separate server than
  Bacula-Director).

  I manually verified that
    ucr set bacula/sd/autostart=no bacula/fd/autostart=no bacula/dir/autostart=no
    ucr unset bacula/sd/autostart bacula/fd/autostart bacula/dir/autostart
  both work.

[4.4-5] fa3bd6dc5b Bug #51927: bacula 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702
 doc/errata/staging/bacula.yaml | 211 +----------------------------------------
 1 file changed, 5 insertions(+), 206 deletions(-)

[4.4-5] 8e7a7b66c7 Bug #51927: bacula 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702
 doc/errata/staging/bacula.yaml | 216 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 216 insertions(+)
Comment 3 Quality Assurance univentionstaff 2020-08-31 10:00:28 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/bacula_7.4.4+dfsg-6A~4.3.0.201711271918.dsc
+++ apt/ucs_4.4-0-errata4.4-5/source/bacula_7.4.4+dfsg-6+deb9u2A~4.4.0.202008310852.dsc
@@ -1,7 +1,30 @@
-7.4.4+dfsg-6A~4.3.0.201711271918 [Mon, 27 Nov 2017 19:25:24 +0100] Univention builddaemon <buildd@univention.de>:
+7.4.4+dfsg-6+deb9u2A~4.4.0.202008310852 [Mon, 31 Aug 2020 08:52:00 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     01-check-ucr-autostart
+
+7.4.4+dfsg-6+deb9u2 [Wed, 26 Aug 2020 20:03:02 +0200] Thorsten Alteholz <debian@alteholz.de>:
+
+  * Non-maintainer upload by the LTS Team. 
+  * CVE-2020-11061
+    oversized digest strings allow a malicious client to cause
+    a heap overflow in the director's memory
+ 
+7.4.4+dfsg-6+deb9u1 [Sun, 04 Mar 2018 12:49:11 +0100] Carsten Leonhardt <leo@debian.org>:
+
+  [Sven Hartge]
+  * Let PID files be owned by root. Mitigates a minor security problem
+    similar to CVE 2017-14610. Note that this change disables automatic
+    tracebacks.
+
+  [Carsten Leonhardt]
+  * Added transitional package bacula-director-common, the old leftover
+    package can't be safely purged otherwise (it deletes
+    /etc/bacula/bacula-dir.conf in postrm which now belongs to the
+    bacula-director package). For the case when the package
+    bacula-director-common is deinstalled but not purged, we neutralize
+    the offending postrm script when upgrading bacula-common. (Closes:
+    #880529)
 
 7.4.4+dfsg-6 [Sun, 26 Feb 2017 13:39:25 +0100] Carsten Leonhardt <leo@debian.org>:
 
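Review bot: the version in the new header line, 7.4.4+dfsg-6+deb9u2A~4.4.0.202008310852, sorts below the build staged in Comment 1 (7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702) under dpkg ordering, because the 4.4.0 versus 4.4.5 component is compared before the timestamp; a host that already installed the first build would not see this one as an upgrade, so confirm the earlier build was never published, or bump the version. The unchanged context also keeps 01-check-ucr-autostart, which Comment 2 describes as deliberately dropped; record in the changelog whether it is being retained on purpose so the two builds do not diverge unexplained.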

<http://10.200.17.11/4.4-5/#6458885291489310283>
Comment 4 Philipp Hahn univentionstaff 2020-08-31 11:13:04 CEST
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
  only purge errors

[4.4-5] 469989e0f4 Bug #51927: bacula 7.4.4+dfsg-6+deb9u2A~4.4.0.202008310852
 doc/errata/staging/bacula.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.4-5] fa3bd6dc5b Bug #51927: bacula 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702
 doc/errata/staging/bacula.yaml | 211 +----------------------------------------
 1 file changed, 5 insertions(+), 206 deletions(-)

[4.4-5] 8e7a7b66c7 Bug #51927: bacula 7.4.4+dfsg-6+deb9u2A~4.4.5.202008301702
 doc/errata/staging/bacula.yaml | 216 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 216 insertions(+)