[Forensics-changes] [rkhunter] 01/01: Backport security fix from unstable

Francois Marier francois at moszumanska.debian.org
Sat Jul 15 19:30:08 UTC 2017


This is an automated email from the git hooks/post-receive script.

francois pushed a commit to branch wheezy
in repository rkhunter.

commit de661564dfb64c11515126eefe824d754091a81f
Author: Francois Marier <francois at debian.org>
Date:   Wed Jul 5 10:41:44 2017 -0700

    Backport security fix from unstable
---
 debian/changelog                       |  7 ++++++
 debian/patches/06_disable-updates.diff | 44 ++++++++++++++++++++++++++++++++++
 debian/patches/series                  |  1 +
 3 files changed, 52 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6152cc3..8ca7b4c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+rkhunter (1.4.0-1+deb7u1) wheezy-security; urgency=high
+
+  * Disable remote updates to fix CVE-2017-7480 and prevent bugs like
+    it in the future (closes: #765895, #866677)
+
+ -- Francois Marier <francois at debian.org>  Tue, 11 Jul 2017 20:17:08 -0700
+
 rkhunter (1.4.0-1) unstable; urgency=low
 
   * New upstream release
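Review bot: The new changelog entry (the `* Disable remote updates to fix CVE-2017-7480 ...` item) does not say how updates are disabled. Going by the diffstat and the patch below, the fix consists only of changed defaults in files/rkhunter.conf (UPDATE_MIRRORS, MIRRORS_MODE, UPDATE_LANG, WEB_CMD), so an administrator who keeps a locally modified rkhunter.conf across the upgrade needs to know which settings to carry over by hand. Suggest naming the four settings in the entry, or pointing to debian/patches/06_disable-updates.diff.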
diff --git a/debian/patches/06_disable-updates.diff b/debian/patches/06_disable-updates.diff
new file mode 100644
index 0000000..e3ca0ef
--- /dev/null
+++ b/debian/patches/06_disable-updates.diff
@@ -0,0 +1,44 @@
+Description: Disable all remote updates
+Author: Christoph Anton Mitterer <calestyo at scientia.net>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765895
+Forwarded: not-needed
+Last-Update: 2017-07-05
+
+--- a/files/rkhunter.conf
++++ b/files/rkhunter.conf
+@@ -58,7 +58,7 @@ ROTATE_MIRRORS=1
+ # If this option is set to 0, the mirrors file can only be updated
+ # manually. This may be useful if only using local mirrors.
+ #
+-UPDATE_MIRRORS=1
++UPDATE_MIRRORS=0
+ 
+ #
+ # The MIRRORS_MODE option tells rkhunter which mirrors are to be
+@@ -71,7 +71,7 @@ UPDATE_MIRRORS=1
+ # Local and remote mirrors can be defined in the mirrors file
+ # by using the 'local=' and 'remote=' keywords respectively.
+ #
+-MIRRORS_MODE=0
++MIRRORS_MODE=1
+ 
+ #
+ # Email a message to this address if a warning is found when the
+@@ -149,7 +149,7 @@ MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
+ # language, specified above, and the English (en) language file will
+ # always be updated regardless of this option.
+ #
+-UPDATE_LANG=""
++UPDATE_LANG="en"
+ 
+ #
+ # Specify the log file pathname.
+@@ -891,7 +891,7 @@ SUSPSCAN_THRESH=200
+ #
+ #     WEB_CMD="ftp -o -"
+ #
+-#WEB_CMD=""
++WEB_CMD="/bin/false"
+ 
+ #
+ # Set the following option to 0 if you do not want to receive a warning if
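Review bot: In the UPDATE_LANG sub-hunk, the unchanged context states that the English (en) language file "will always be updated regardless of this option", so `UPDATE_LANG="en"` narrows language updates but does not turn them off, which leaves `WEB_CMD="/bin/false"` as the change that blocks that fetch. Neither the one-line Description nor anything next to the WEB_CMD line records this, so a later edit that restores `#WEB_CMD=""` could let that update run again without anyone noticing. Suggest expanding the Description, or adding a comment line above WEB_CMD, to state that /bin/false is deliberate and must stay. Separately, debian/changelog closes both #765895 and #866677 while the Bug-Debian header lists only #765895; a second Bug-Debian line would keep the two in sync.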
diff --git a/debian/patches/series b/debian/patches/series
index 59d35fd..7fdf4ad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 05_custom_conffile.diff
+06_disable-updates.diff
 10_fix-man.diff
 15_remove-empty-dir.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/rkhunter.git


