Bug#1050335: bookworm-pu: package sitesummary/0.1.55~deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: sitesummary@packages.debian.org
Control: affects -1 + src:sitesummary
While working on the initial Debian Edu release, Guido Berhoerster has
worked on the sitesummary package. All changes target Debian Edu 12, so
we want to release the current version (0.1.55) to Debian bookworm (as
0.1.55~deb12u1).
[ Reason ]
Various slightly security-relevant issues have been discovered in
sitesummary that have been resolved (between 0.1.54 and 0.1.55).
Also, a workaround is included for an issue with certain PC hardware
implementations when collecting system data via lspci (screen blackouts
during lspci run).
Furthermore, more SysV -> systemd work was needed.
[ Impact ]
The sitesummary in Debian Edu 12 will be broken if this bookworm-pu gets rejected.
[ Tests ]
Manual tests on two test systems running a pre-version of Debian Edu 12.
[ Risks ]
As sitesummary is probably not used by anyone except Debian Edu, the
risk will probably be very minimal to Debian users.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
+sitesummary (0.1.55~deb12u1) bookworm; urgency=medium
+
+ * Release to bookworm as 0.1.55~deb12u1.
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 23 Aug 2023 13:02:51 +0200
+
+sitesummary (0.1.55) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Fix insecure temporary file and directory creation, error checking.
+ Seurely create a temporary directory using mktemp and check for errors both
+ when creating the directory and wehn changing the current working directory.
+ Place the tarball inside the temporary directory instead of using a predictable
+ file name in /tmp which may lead to a symlink attack. Ensure the temporary
+ directory is always removed. (Closes: #1050289).
+ * Use quoting for fragments.
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 23 Aug 2023 10:43:16 +0200
+
+sitesummary (0.1.54) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Disable usage of lspci on clients by default
+ This works around a bug that turns off the screen on certain Intel NUC
+ models. It can be re-enabled by setting the environment variable
+ ENABLE_LSPCI to an arbitrary value.
+
+ -- Mike Gabriel <sunweaver@debian.org> Tue, 22 Aug 2023 15:31:03 +0200
+
+sitesummary (0.1.53) unstable; urgency=medium
+
+ [ Dominik George ]
+ * Remove myself from Uploaders.
+
+ [ Guido Berhoerster ]
+ * Place munin configuration in include file. (Closes: #762652).
+ * Add systemd timer unit for sitesummary-client. (Closes: #1039369).
+ * Add systemd timer for sitesummary maintenance.
+
+ [ Debian Janitor ]
+ * Apply multi-arch hints. + libsitesummary-perl: Add Multi-Arch: foreign.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 10 Aug 2023 18:00:37 +0200
+
+sitesummary (0.1.52) unstable; urgency=medium
+
+ * debian/control:
+ + Update R: (sitesummary-client): 'cron' -> 'cron | cron-daemon'. (Closes:
+ #1038956).
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 29 Jun 2023 20:55:33 +0200
[ Other info ]
None. Feel free to ask for more details, if needed.
diff -Nru sitesummary-0.1.51/collect.d/system sitesummary-0.1.55~deb12u1/collect.d/system
--- sitesummary-0.1.51/collect.d/system 2019-04-06 15:59:51.000000000 +0200
+++ sitesummary-0.1.55~deb12u1/collect.d/system 2023-08-23 13:01:58.000000000 +0200
@@ -13,7 +13,7 @@
dmidecode > dmidecode 2> /dev/null
fi
-if [ -d /proc/bus/pci ] && type lspci >/dev/null 2>&1; then
+if [ -d /proc/bus/pci ] && [ -n "${ENABLE_LSPCI}" ] && type lspci >/dev/null 2>&1; then
lspci > lspci
lspci -n > lspci-n
fi
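Review bot: ENABLE_LSPCI is tested inside the fragment, which sitesummary-client runs as a separate process (`"$frag"`), so a plain `ENABLE_LSPCI=1` in a config file that the client only sources with `. "$config"` will not reach this test unless it is exported. Under the new service unit it arrives through EnvironmentFile, but other ways of invoking the client may behave differently. `[ -n "${ENABLE_LSPCI}" ]` also treats any non-empty value, including 0 or no, as enabled. A comment above the test naming the variable and where to set it (for example /etc/default/sitesummary-client, which the service unit reads) would document both.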
diff -Nru sitesummary-0.1.51/debian/changelog sitesummary-0.1.55~deb12u1/debian/changelog
--- sitesummary-0.1.51/debian/changelog 2022-02-13 09:41:47.000000000 +0100
+++ sitesummary-0.1.55~deb12u1/debian/changelog 2023-08-23 13:02:51.000000000 +0200
@@ -1,3 +1,55 @@
+sitesummary (0.1.55~deb12u1) bookworm; urgency=medium
+
+ * Release to bookworm as 0.1.55~deb12u1.
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 23 Aug 2023 13:02:51 +0200
+
+sitesummary (0.1.55) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Fix insecure temporary file and directory creation, error checking.
+ Seurely create a temporary directory using mktemp and check for errors both
+ when creating the directory and wehn changing the current working directory.
+ Place the tarball inside the temporary directory instead of using a predictable
+ file name in /tmp which may lead to a symlink attack. Ensure the temporary
+ directory is always removed. (Closes: #1050289).
+ * Use quoting for fragments.
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 23 Aug 2023 10:43:16 +0200
+
+sitesummary (0.1.54) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Disable usage of lspci on clients by default
+ This works around a bug that turns off the screen on certain Intel NUC
+ models. It can be re-enabled by setting the environment variable
+ ENABLE_LSPCI to an arbitrary value.
+
+ -- Mike Gabriel <sunweaver@debian.org> Tue, 22 Aug 2023 15:31:03 +0200
+
+sitesummary (0.1.53) unstable; urgency=medium
+
+ [ Dominik George ]
+ * Remove myself from Uploaders.
+
+ [ Guido Berhoerster ]
+ * Place munin configuration in include file. (Closes: #762652).
+ * Add systemd timer unit for sitesummary-client. (Closes: #1039369).
+ * Add systemd timer for sitesummary maintenance.
+
+ [ Debian Janitor ]
+ * Apply multi-arch hints. + libsitesummary-perl: Add Multi-Arch: foreign.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 10 Aug 2023 18:00:37 +0200
+
+sitesummary (0.1.52) unstable; urgency=medium
+
+ * debian/control:
+ + Update R: (sitesummary-client): 'cron' -> 'cron | cron-daemon'. (Closes:
+ #1038956).
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 29 Jun 2023 20:55:33 +0200
+
sitesummary (0.1.51) unstable; urgency=medium
* Source only upload for migration to testing.
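Review bot: The 0.1.55 entry has two typos, "Seurely" and "wehn", in the description of the temporary-directory fix. This is the text stable users will read for the security-relevant change, so it is worth correcting in the next upload.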
diff -Nru sitesummary-0.1.51/debian/control sitesummary-0.1.55~deb12u1/debian/control
--- sitesummary-0.1.51/debian/control 2022-02-13 09:39:22.000000000 +0100
+++ sitesummary-0.1.55~deb12u1/debian/control 2023-08-23 13:01:58.000000000 +0200
@@ -5,8 +5,6 @@
Uploaders: Petter Reinholdtsen <pere@debian.org>
, Holger Levsen <holger@debian.org>
, Mike Gabriel <sunweaver@debian.org>
- , Dominik George <nik@naturalnet.de>
- , Wolfgang Schweer <wschweer@arcor.de>
Build-Depends: debhelper-compat (= 13)
Standards-Version: 4.6.0
Rules-Requires-Root: binary-targets
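Review bot: The removal of Wolfgang Schweer from Uploaders is not recorded in the changelog; the 0.1.53 entry only has Dominik George's "Remove myself from Uploaders". Since the request checklist states that all changes are documented in d/changelog, add a line for the second removal.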
@@ -38,6 +36,7 @@
sitesummary (<< 0.1.50~),
Replaces:
sitesummary (<< 0.1.50~),
+Multi-Arch: foreign
Description: Generate site summary of submitting hosts (Perl module)
The sitesummary system makes it easier to keep track of a lot of
machines, by allowing each machine to report their existence once a
@@ -49,7 +48,7 @@
Package: sitesummary-client
Architecture: all
Depends: ${misc:Depends}, ${perl:Depends}, lsb-base, gnupg, net-tools
-Recommends: cron, dmidecode, pciutils, usbutils, lsscsi, iproute2, hdparm
+Recommends: cron | cron-daemon, dmidecode, pciutils, usbutils, lsscsi, iproute2, hdparm
Suggests: sitesummary, munin-node, nagios-nrpe-server, monitoring-plugins-standard, cdpr, ipmitool, zfsutils-linux
Description: Generate site summary of submitting hosts (client part)
The sitesummary system makes it easier to keep track of a lot of
diff -Nru sitesummary-0.1.51/debian/rules sitesummary-0.1.55~deb12u1/debian/rules
--- sitesummary-0.1.51/debian/rules 2021-10-31 14:56:20.000000000 +0100
+++ sitesummary-0.1.55~deb12u1/debian/rules 2023-08-23 13:01:58.000000000 +0200
@@ -7,3 +7,7 @@
# No need to submit information when the package is installed
override_dh_installinit:
dh_installinit --no-start
+
+override_dh_installsystemd:
+ dh_installsystemd --no-start --name sitesummary
+ dh_installsystemd --no-start --name sitesummary-client
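Review bot: `--no-start` on both `dh_installsystemd` calls also covers the timer units, so after installation or upgrade on a running systemd host the timers are enabled but stay inactive until the next boot. The reworked cron.daily script skips maintenance whenever /run/systemd/system exists, so in that window neither path expires old entries or refreshes the web report. Consider letting the timers start at install time, or state in a comment that the gap until reboot is accepted.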
diff -Nru sitesummary-0.1.51/debian/sitesummary-client.sitesummary-client.service sitesummary-0.1.55~deb12u1/debian/sitesummary-client.sitesummary-client.service
--- sitesummary-0.1.51/debian/sitesummary-client.sitesummary-client.service 1970-01-01 01:00:00.000000000 +0100
+++ sitesummary-0.1.55~deb12u1/debian/sitesummary-client.sitesummary-client.service 2023-08-23 13:01:58.000000000 +0200
@@ -0,0 +1,10 @@
+[Unit]
+Description=Report status to sitesummary server after boot
+After=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/environment
+EnvironmentFile=-/etc/default/sitesummary-client
+Nice=10
+ExecStart=/usr/sbin/sitesummary-client
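Review bot: `After=network-online.target` only orders the unit; without a matching `Wants=network-online.target` nothing here pulls that target in, so on hosts where no other unit requests it the client can run before the network is up and the submission fails. Add the Wants= line to [Unit]. Since the unit runs the client and every collector fragment with the service manager's default privileges, this file is also the place to consider sandboxing directives.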
diff -Nru sitesummary-0.1.51/debian/sitesummary-client.sitesummary-client.timer sitesummary-0.1.55~deb12u1/debian/sitesummary-client.sitesummary-client.timer
--- sitesummary-0.1.51/debian/sitesummary-client.sitesummary-client.timer 1970-01-01 01:00:00.000000000 +0100
+++ sitesummary-0.1.55~deb12u1/debian/sitesummary-client.sitesummary-client.timer 2023-08-23 13:01:58.000000000 +0200
@@ -0,0 +1,8 @@
+[Unit]
+Description=Timer for sitesummary reporting after boot
+
+[Timer]
+OnBootSec=5min
+
+[Install]
+WantedBy=timers.target
diff -Nru sitesummary-0.1.51/debian/sitesummary.cron.daily sitesummary-0.1.55~deb12u1/debian/sitesummary.cron.daily
--- sitesummary-0.1.51/debian/sitesummary.cron.daily 2015-05-13 16:43:09.000000000 +0200
+++ sitesummary-0.1.55~deb12u1/debian/sitesummary.cron.daily 2023-08-23 13:01:58.000000000 +0200
@@ -1,39 +1,8 @@
#!/bin/sh
-#
-# Author: Petter Reinholdtsen
-set -e
-
-daylimit=120
-makewebreport=/usr/sbin/sitesummary-makewebreport
-nodes=/usr/sbin/sitesummary-nodes
-
-[ -f /etc/sitesummary/collector.cfg ] && . /etc/sitesummary/collector.cfg
-
-# Exit imediately if the package is removed but nor purged
-if [ ! -x $nodes ] ; then
- exit 0
+# Do not run on systemd-based installations or if the package is removed but
+# not purged
+if [ -x /usr/lib/sitesummary/sitesummary-maintenance ] && \
+ [ ! -d /run/systemd/system ]; then
+ /usr/lib/sitesummary/sitesummary-maintenance
fi
-
-# The storage area is not configurable, because too many scripts have
-# it hardcoded
-entriesdir=/var/lib/sitesummary/entries
-
-remove_old_entries() {
- find $entriesdir/. -mindepth 1 -maxdepth 1 -type d \
- -daystart -mtime +$daylimit \
- -exec /usr/lib/sitesummary/expire-entry '{}' \;
-}
-
-[ -d $entriesdir ] && remove_old_entries
-
-if [ -x /usr/sbin/sitesummary-update-nagios ] ; then
- /usr/sbin/sitesummary-update-nagios
-fi
-
-if [ -x /usr/sbin/sitesummary-update-munin ] ; then
- /usr/sbin/sitesummary-update-munin
-fi
-
-# Update the web report once a day
-[ -x $makewebreport ] && nice $makewebreport
diff -Nru sitesummary-0.1.51/debian/sitesummary.install sitesummary-0.1.55~deb12u1/debian/sitesummary.install
--- sitesummary-0.1.51/debian/sitesummary.install 2022-02-13 09:39:22.000000000 +0100
+++ sitesummary-0.1.55~deb12u1/debian/sitesummary.install 2023-08-23 13:01:58.000000000 +0200
@@ -8,3 +8,4 @@
usr/sbin/sitesummary-update-munin
usr/sbin/sitesummary-update-nagios
usr/share/munin/plugins
+debian/sitesummary-maintenance usr/lib/sitesummary/sitesummary-maintenance
diff -Nru sitesummary-0.1.51/debian/sitesummary-maintenance sitesummary-0.1.55~deb12u1/debian/sitesummary-maintenance
--- sitesummary-0.1.51/debian/sitesummary-maintenance 1970-01-01 01:00:00.000000000 +0100
+++ sitesummary-0.1.55~deb12u1/debian/sitesummary-maintenance 2023-08-23 13:01:58.000000000 +0200
@@ -0,0 +1,39 @@
+#!/bin/sh
+#
+# Author: Petter Reinholdtsen
+
+set -e
+
+daylimit=120
+makewebreport=/usr/sbin/sitesummary-makewebreport
+nodes=/usr/sbin/sitesummary-nodes
+
+[ -f /etc/sitesummary/collector.cfg ] && . /etc/sitesummary/collector.cfg
+
+# Exit imediately if the package is removed but nor purged
+if [ ! -x $nodes ] ; then
+ exit 0
+fi
+
+# The storage area is not configurable, because too many scripts have
+# it hardcoded
+entriesdir=/var/lib/sitesummary/entries
+
+remove_old_entries() {
+ find $entriesdir/. -mindepth 1 -maxdepth 1 -type d \
+ -daystart -mtime +$daylimit \
+ -exec /usr/lib/sitesummary/expire-entry '{}' \;
+}
+
+[ -d $entriesdir ] && remove_old_entries
+
+if [ -x /usr/sbin/sitesummary-update-nagios ] ; then
+ /usr/sbin/sitesummary-update-nagios
+fi
+
+if [ -x /usr/sbin/sitesummary-update-munin ] ; then
+ /usr/sbin/sitesummary-update-munin
+fi
+
+# Update the web report once a day
+[ -x $makewebreport ] && nice $makewebreport
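Review bot: The final line `[ -x $makewebreport ] && nice $makewebreport` becomes the script's exit status, so when sitesummary-makewebreport is absent or not executable the script exits 1 and the new oneshot service is marked failed on every run even though nothing went wrong. Use an `if` block, as is done for the nagios and munin updaters. While the code is being moved, `$nodes` and `$makewebreport` could be quoted, since collector.cfg is sourced after their defaults and may override them, and the comment typos "imediately" and "nor purged" fixed.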
diff -Nru sitesummary-0.1.51/debian/sitesummary.postrm sitesummary-0.1.55~deb12u1/debian/sitesummary.postrm
--- sitesummary-0.1.51/debian/sitesummary.postrm 2015-05-13 16:43:09.000000000 +0200
+++ sitesummary-0.1.55~deb12u1/debian/sitesummary.postrm 2023-08-23 13:01:58.000000000 +0200
@@ -4,8 +4,8 @@
if [ "$1" = "purge" ] ; then
cd /var/lib/sitesummary
- rm -rf entries tmpstorage www
- rm -f munin.conf munin.conf.pre munin.conf.post
+ rm -rf entries tmpstorage www munin-conf.d
+ rm -f munin.conf
rm -f nagios-generated.cfg
fi
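Review bot: Dropping munin.conf.pre and munin.conf.post from the `rm -f` line means a purge after upgrading from 0.1.51 leaves those files behind in /var/lib/sitesummary if the admin had created them; keep them in the list for at least one release. The purge also does not cover munin-conf.d/sitesummary.conf when MUNINDIR points to /etc/munin, as the README suggests. The `cd /var/lib/sitesummary` ahead of `rm -rf` is unchecked in the visible lines; chaining the removals behind the cd with `&&`, or using absolute paths, keeps the relative removals from running elsewhere if the directory is already gone.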
diff -Nru sitesummary-0.1.51/debian/sitesummary.sitesummary.service sitesummary-0.1.55~deb12u1/debian/sitesummary.sitesummary.service
--- sitesummary-0.1.51/debian/sitesummary.sitesummary.service 1970-01-01 01:00:00.000000000 +0100
+++ sitesummary-0.1.55~deb12u1/debian/sitesummary.sitesummary.service 2023-08-23 13:01:58.000000000 +0200
@@ -0,0 +1,6 @@
+[Unit]
+Description=Regular sitesummary maintenance
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/sitesummary/sitesummary-maintenance
diff -Nru sitesummary-0.1.51/debian/sitesummary.sitesummary.timer sitesummary-0.1.55~deb12u1/debian/sitesummary.sitesummary.timer
--- sitesummary-0.1.51/debian/sitesummary.sitesummary.timer 1970-01-01 01:00:00.000000000 +0100
+++ sitesummary-0.1.55~deb12u1/debian/sitesummary.sitesummary.timer 2023-08-23 13:01:58.000000000 +0200
@@ -0,0 +1,9 @@
+[Unit]
+Description=Timer for regular sitesummary maintenance
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff -Nru sitesummary-0.1.51/README sitesummary-0.1.55~deb12u1/README
--- sitesummary-0.1.51/README 2017-04-28 13:07:25.000000000 +0200
+++ sitesummary-0.1.55~deb12u1/README 2023-08-23 13:01:58.000000000 +0200
@@ -11,9 +11,8 @@
statistics from all sitesummary clients with the Munin packages
installed. To enable it, install the munin package and make sure
/etc/sitesummary/collector.cfg include 'MUNINDIR=/etc/munin' to get
-sitesummary to replace the default munin configuration with the
-generated one. Running these commands as root normally does the
-trick.
+sitesummary to add an include file to the default munin configuration.
+Running these commands as root normally does the trick:
aptitude install munin munin-node
echo MUNINDIR=/etc/munin >> /etc/sitesummary/collector.cfg
diff -Nru sitesummary-0.1.51/sitesummary-client sitesummary-0.1.55~deb12u1/sitesummary-client
--- sitesummary-0.1.51/sitesummary-client 2015-05-13 16:43:09.000000000 +0200
+++ sitesummary-0.1.55~deb12u1/sitesummary-client 2023-08-23 13:01:58.000000000 +0200
@@ -14,9 +14,12 @@
LC_ALL=C
export LC_ALL
+umask 0077
+
# Make sure to store files in a ramfs backed
# storage area on diskless clients, so use /tmp/.
-tmpdir=/tmp/sitesummary-$$
+tmpdir="$(mktemp -d -p /tmp)"
+trap 'rm -rf "${tmpdir}"' EXIT
log() {
msg="$@"
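Review bot: `tmpdir="$(mktemp -d -p /tmp)"` has no explicit failure check, although the changelog says errors are checked when creating the directory. If errexit is not set in the part of the script above this hunk, a failed mktemp leaves tmpdir empty and the later `mkdir "${tmpdir}/output"` resolves to /output. Make it `tmpdir="$(mktemp -d -p /tmp)" || exit 1`. The trap covers EXIT only, and whether that fires on SIGINT or SIGTERM depends on the shell, so consider trapping those signals as well.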
@@ -54,22 +57,23 @@
do
[ -d $confdir ] || continue
for config in $confdir/* ; do
- [ -f $config ] && . $config
+ [ -f "$config" ] && . "$config"
done
done
-mkdir $tmpdir && cd $tmpdir
+mkdir "${tmpdir}/output"
+cd "${tmpdir}/output"
for fragdir in $fragdirs ; do
- [ -d $fragdir ] || continue
- for frag in $fragdir/*; do
- [ -x $frag ] && $frag || true
+ [ -d "$fragdir" ] || continue
+ for frag in "$fragdir/"*; do
+ [ -x "$frag" ] && "$frag" || true
done
done
# Wrap up the package
-hostsummaryfile=$tmpdir.tar.gz
-tar zcf $hostsummaryfile .
+hostsummaryfile="${tmpdir}/output.tar.gz"
+tar zcf "${hostsummaryfile}" .
for url in $serverurls ; do
if [ "$gpgencrypt" != false ] ; then
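Review bot: `mkdir "${tmpdir}/output"` and `cd "${tmpdir}/output"` replace the old `mkdir $tmpdir && cd $tmpdir` chain without a check of their own. If the cd fails and the script continues, the fragments write into the caller's working directory and `tar zcf "${hostsummaryfile}" .` packs and submits whatever is there. Write `cd "${tmpdir}/output" || exit 1`, or confirm that errexit is set earlier in the script. The quoting pass also stops short: `[ -d $confdir ]` and `for config in $confdir/*` are still unquoted.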
@@ -88,6 +92,3 @@
error "unable to submit to '$url'"
fi
done
-
-rm $hostsummaryfile
-rm -r $tmpdir
diff -Nru sitesummary-0.1.51/sitesummary-update-munin sitesummary-0.1.55~deb12u1/sitesummary-update-munin
--- sitesummary-0.1.51/sitesummary-update-munin 2015-05-13 16:43:09.000000000 +0200
+++ sitesummary-0.1.55~deb12u1/sitesummary-update-munin 2023-08-23 13:01:58.000000000 +0200
@@ -4,76 +4,49 @@
set -e
+umask 022
+
nodes=/usr/sbin/sitesummary-nodes
muninopts=""
-# Modify this in collector.cfg to /etc/munin/ to automatically replace
-# the default munin configuration.
-MUNINDIR=/var/lib/sitesummary
-
-if [ -d /var/cache/munin/www ] ; then
- # Used since munin version 1.4.0-1
- muninhtmldir="/var/cache/munin/www"
-else
- muninhtmldir="/var/www/munin"
-fi
-# Based on of active config from munin version 1.2.5-1
-munindbdir=/var/lib/munin
-muninlogdir=/var/log/munin
-muninrundir=/var/run/munin
-munintmpldir=/etc/munin/templates
-
+# Set MUNINDIR in collector.cfg to /etc/munin/ to automatically add hosts to
+# the default munin configuration via include files.
[ -f /etc/sitesummary/collector.cfg ] && . /etc/sitesummary/collector.cfg
+# Default to /var/lib/sitesummary and canonicalize path.
+MUNINDIR="$(realpath -mqs "${MUNINDIR:-/var/lib/sitesummary}")"
+
# The storage area is not configurable, because too many scripts have
# it hardcoded
entriesdir=/var/lib/sitesummary/entries
generate_munin_config() {
# Generate munin config. Edit /etc/cron.d/munin to enable it.
- # Add -c /var/lib/sitesummary/sitesummary-munin.conf to the calls
- # to the munin scripts, or change MUNINDIR above.
- (
- if [ -f $MUNINDIR/munin.conf.pre ] ; then
- cat $MUNINDIR/munin.conf.pre
- else
- cat <<EOF
-# Munin server configuration generated from cron using sitesummary
-# data by $0
-# Do not edit, it will be overwritten.
-# Edit $MUNINDIR/munin.conf.pre and
-# $MUNINDIR/munin.conf.post instead.
-
-dbdir $munindbdir
-htmldir $muninhtmldir
-logdir $muninlogdir
-rundir $muninrundir
-tmpldir $munintmpldir
+ # Add -c /var/lib/sitesummary/munin.conf to the calls to the munin scripts,
+ # or change MUNINDIR as described above.
-EOF
+ mkdir -p "${MUNINDIR}/munin-conf.d"
+ chmod a+rx "${MUNINDIR}/munin-conf.d"
- # Munin supports the includedir statement since Squeeze
- muninver=$(dpkg -l munin|grep munin|awk '{print $3}')
- if dpkg --compare-versions "1.4.5" le "$muninver" ; then
- cat <<EOF
+ if [ ! -f "${MUNINDIR}/munin.conf" ]; then
+ cat > "${MUNINDIR}/munin.conf" <<EOF
# (Exactly one) directory to include all files from.
#
-includedir /etc/munin/munin-conf.d
-
+includedir "${MUNINDIR}/munin-conf.d"
EOF
- fi
- fi
-
- $nodes -m $muninopts
+ chown root:root "${MUNINDIR}/munin.conf"
+ fi
- [ -f $MUNINDIR/munin.conf.post ] && cat $MUNINDIR/munin.conf.post
+ (
+ cat <<EOF
+# Munin server configuration generated from cron using sitesummary
+# data by $0
+# Do not edit, it will be overwritten.
+EOF
- # Make sure the subshell return true to trigger the mv below.
- true
- ) > $MUNINDIR/munin.conf.new && \
- chown root:root $MUNINDIR/munin.conf.new && \
- chmod a+r $MUNINDIR/munin.conf.new && \
- mv $MUNINDIR/munin.conf.new $MUNINDIR/munin.conf
+ $nodes -m $muninopts
+ ) >"${MUNINDIR}/munin-conf.d/sitesummary.conf" &&
+ chown root:root "${MUNINDIR}/munin-conf.d/sitesummary.conf"
}
# Only enable if munin and sitesummary is installed.
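Review bot: The `if [ ! -f "${MUNINDIR}/munin.conf" ]` guard means an existing munin.conf is never rewritten, and on upgrade from 0.1.51 that file is the one the old code generated, with every host inline. It stays in place with a stale host list next to the new munin-conf.d/sitesummary.conf, and any munin.conf.pre or munin.conf.post customisation is silently ignored; a migration step or a NEWS entry is needed. The write to sitesummary.conf is also no longer atomic: the old code built munin.conf.new and renamed it, while the new subshell redirects straight into the live file, so a failing `$nodes -m` leaves a truncated config. Keep the write-then-mv pattern.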