Hello, I think this commit [1] (3.17.0) introduced a security problem, to which CVE-2022-1348 [2] was assigned. They fixed it in [3] (3.20.0) and [4] (3.20.1). Although I see you've pulled the patched version from debian/sid, I don't think you have ever pushed those patches to jammy/devel.
May I request to release a package with the fix?

Thanks

[1]: https://github.com/logrotate/logrotate/commit/f46d0bdfc9c53515c13880c501f4d2e1e7dd8b25
[2]: https://github.com/advisories/GHSA-4c4j-w8hm-rjgv
[3]: https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9
[4]: https://github.com/logrotate/logrotate/commit/addbd293242b0b78aa54f054e6c1d249451f137d

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1348

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to logrotate in Ubuntu.
https://bugs.launchpad.net/bugs/1977689

Title:
  Wrong error msg: "state file /var/lib/logrotate/status is world-readable" although it is not

Status in logrotate package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 22.04
  logrotate 3.19.0-1ubuntu1.1

  Every hour, I receive this wrong message:

  Subject: Cron <root@<hostname>> cd / && run-parts --report /etc/cron.hourly

  /etc/cron.hourly/logrotate:
  error: state file /var/lib/logrotate/status is world-readable and thus can be locked from other unprivileged users. Skipping lock acquisition...

  despite:

  # ls -al /var/lib/logrotate
  total 40
  drwxr-x--- 2 root root 4096 Jun 5 17:17 .
  drwxr-xr-x 66 root root 4096 Jun 3 20:02 ..
  -rw-r----- 1 root root 31974 Jun 5 17:17 status