Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

This is an update for a security issue that is not going to get a DSA:

https://security-tracker.debian.org/tracker/CVE-2017-7480

Attached is the debdiff against the version in stable.

Francois

diff -Nru rkhunter-1.4.2/debian/changelog rkhunter-1.4.2/debian/changelog --- rkhunter-1.4.2/debian/changelog 2014-11-28 03:27:20.000000000 -0800 +++ rkhunter-1.4.2/debian/changelog 2017-07-11 20:17:19.000000000 -0700 @@ -1,3 +1,10 @@ +rkhunter (1.4.2-0.4+deb8u1) oldstable; urgency=high + + * Disable remote updates to fix CVE-2017-7480 and prevent bugs like + it in the future (closes: #765895, #866677) + + -- Francois Marier <franc...@debian.org> Tue, 11 Jul 2017 20:17:08 -0700 + rkhunter (1.4.2-0.4) unstable; urgency=medium * Non-maintainer upload. diff -Nru rkhunter-1.4.2/debian/patches/06_disable-updates.diff rkhunter-1.4.2/debian/patches/06_disable-updates.diff --- rkhunter-1.4.2/debian/patches/06_disable-updates.diff 1969-12-31 16:00:00.000000000 -0800 +++ rkhunter-1.4.2/debian/patches/06_disable-updates.diff 2017-07-11 20:17:19.000000000 -0700 
@@ -0,0 +1,44 @@ +Description: Disable all remote updates +Author: Christoph Anton Mitterer <cales...@scientia.net> +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765895 +Forwarded: not-needed +Last-Update: 2017-07-05 + +--- a/files/rkhunter.conf ++++ b/files/rkhunter.conf +@@ -104,7 +104,7 @@ + # + # The default value is '1'. + # +-#UPDATE_MIRRORS=1 ++UPDATE_MIRRORS=0 + + # + # The MIRRORS_MODE option tells rkhunter which mirrors are to be used when +@@ -119,7 +119,7 @@ + # + # The default value is '0'. + # +-#MIRRORS_MODE=0 ++MIRRORS_MODE=1 + + # + # Email a message to this address if a warning is found when the system is +@@ -221,7 +221,7 @@ SCRIPTDIR=/usr/share/rkhunter/scripts + # The default value is the null string, indicating that all the language files + # will be updated. + # +-#UPDATE_LANG="" ++UPDATE_LANG="en" + + # + # This option specifies the log file pathname. The file will be created if it +@@ -1131,7 +1131,7 @@ SCRIPTWHITELIST=/usr/sbin/adduser + # + # This option has no default value. + # +-#WEB_CMD="" ++WEB_CMD="/bin/false" + + # + # Set the following option to '1' if locking is to be used when rkhunter runs. diff -Nru rkhunter-1.4.2/debian/patches/series rkhunter-1.4.2/debian/patches/series --- rkhunter-1.4.2/debian/patches/series 2014-11-28 03:27:20.000000000 -0800 +++ rkhunter-1.4.2/debian/patches/series 2017-07-11 20:17:19.000000000 -0700 @@ -1,4 +1,5 @@ 05_custom_conffile.diff +06_disable-updates.diff 10_fix-man.diff 15_remove-empty-dir.diff 20_fix-ipcs-language.diff
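Review bot: In the debian/changelog hunk, the new entry says only "Disable remote updates" and does not say how, although this changes behaviour for anyone who relies on remote updates. Name the new patch 06_disable-updates.diff and the four options it sets (UPDATE_MIRRORS, MIRRORS_MODE, UPDATE_LANG, WEB_CMD) so an administrator reading the changelog knows what to look for in rkhunter.conf. The entry also targets "oldstable" while the request is tagged "jessie" and the cover text says "stable"; using the codename would remove the ambiguity.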
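Review bot: In 06_disable-updates.diff, the files/rkhunter.conf hunks at -104, -119 and -221 change the active value but leave the neighbouring comment text untouched, so the file will read "The default value is '1'." directly above UPDATE_MIRRORS=0 and "The default value is '0'." directly above MIRRORS_MODE=1 with no explanation of the difference. Add a one-line comment at each setting saying that the package overrides the upstream default to disable remote updates for CVE-2017-7480, and say what MIRRORS_MODE=1 selects, since the visible context does not show the meaning of that value. The same applies to UPDATE_LANG="en", where the reason for restricting the language list is not stated anywhere in the patch.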
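Review bot: In the -1131 hunk of 06_disable-updates.diff, WEB_CMD="/bin/false" disables downloads by pointing the option at a command that always fails, which reads like a configuration mistake unless it is explained. Add a comment above the line stating that the value is deliberate and that changing it re-enables remote fetching. The whole mitigation is carried by values in the shipped files/rkhunter.conf, so the request should also say whether installations with a locally modified configuration file receive these values on upgrade.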