This bug was fixed in the package logrotate - 3.7.8-4ubuntu1

---------------
logrotate (3.7.8-4ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes: LP: #414347
    - debian/control: Drop mailx to Suggests for Ubuntu; it's only used
      on request, and we don't configure an MTA by default.

logrotate (3.7.8-4) unstable; urgency=high

  * New patch:
    + security-388608.patch: A race condition in the creation of
      compressed and copied log files makes it possible to overwrite
      arbitrary files by generating a link or symlink during a window of
      opportunity between logrotate renaming a log file and creating the
      copy of the next. (Closes: #388608)
      Once again, many thanks to Florian Zumbiehl for forcing me to think.
  * Uploading to unstable.

logrotate (3.7.8-3) experimental; urgency=low

  * New patch:
    + nofollow.patch: If a logfile is a symlink, it may be read when
      being compressed, being copied (copy, copytruncate) or mailed.
      Secure data (eg. password files) may be exposed.
      Thanks to Florian Zumbiehl for getting me thinking about this one.

logrotate (3.7.8-2) experimental; urgency=low

  * New patch:
    + create-388608.patch: Really squash the race condition for the
      creation of compressed log files and the creation of new ones.
      (Closes: 388608)

logrotate (3.7.8-1) experimental; urgency=low

  * New upstream release:
    - do not exit on status file errors
    - limit config file inclusion nesting
    - use hashes for status file handling (patch by Petr Tesarik
      <ptesa...@suse.cz> and Leonardo Chiquitto)
    - dateformat to allow unixtime (patch by Sami Kerola
      <kerol...@iki.fi>)
  * Upstream has taken some of our patches:
    - manpage.patch: partial uptake, updated
    - man-189243.patch: fully applied upstream
    - man-sizetypo.patch: fully applied upstream
    - man-overriden.patch: fully applied upstream
  * Added a watch file (but upstream has a redirect to https).
  * Upstream has also fixed createOutputFile to be more secure
    (Closes: #388608)
  * New Debian patch:
    + sharedscripts-519432.patch: Prerotate and postrotate scripts get
      the list of rotated files passed to them as arguments.
      (Closes: #519432)
    + chown-484762.patch: If running as non-root, warn but don't abort
      if we can't chown the compressed log file. (Closes: #484762)
  * Update Standards-Version to 3.8.2. (No changes)

 -- Bhavani Shankar <right2bh...@gmail.com>  Sun, 16 Aug 2009 12:40:24 +0530

** Changed in: logrotate (Ubuntu)
       Status: Confirmed => Fix Released

-- 
Please merge logrotate 3.7.8-4(main) from debian unstable(main)
https://bugs.launchpad.net/bugs/414347
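
The two symlink problems the changelog describes (writing through a link planted where the next output file is created, and reading through a link when compressing, copying or mailing) can be closed at open() time. The following is an added example, not code from the Debian patches or from upstream logrotate; the helper names, the /tmp scenario and the Linux errno values are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create an output file. O_EXCL fails with EEXIST if
 * anything, even a dangling symlink, already occupies the name. */
int create_output_file(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
}

/* Hypothetical helper: open a log for compress/copy/mail. O_NOFOLLOW rejects
 * a symlink (ELOOP on Linux); fstat checks the opened object, not the name. */
int open_log_for_read(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: <dir>/app.log.1 is a symlink to <dir>/secret.
 * Returns 0 if both helpers refuse the link and a fresh name still works. */
int demo(void)
{
    char dir[] = "/tmp/rotdemoXXXXXX", secret[64], lnk[64], fresh[64];
    struct stat st;
    int fd, ok;
    if (!mkdtemp(dir)) return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(lnk, sizeof lnk, "%s/app.log.1", dir);
    snprintf(fresh, sizeof fresh, "%s/app.log.2", dir);
    fd = create_output_file(secret, 0600);
    if (fd < 0 || write(fd, "s3cret\n", 7) != 7 || symlink(secret, lnk) != 0) return -1;
    close(fd);
    ok = create_output_file(lnk, 0600) < 0 && errno == EEXIST;
    ok = ok && open_log_for_read(lnk) < 0 && errno == ELOOP;
    ok = ok && stat(secret, &st) == 0 && st.st_size == 7; /* target untouched */
    ok = ok && (fd = create_output_file(fresh, 0600)) >= 0 && close(fd) == 0;
    unlink(fresh); unlink(lnk); unlink(secret); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```

Checking the name with lstat() before opening it would leave the same window the changelog describes; the flags make the check and the open a single step.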