[Pkg-freeipa-devel] dogtag-pki: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Thu Oct 27 14:39:16 UTC 2016
debian/changelog | 13 ++++
debian/control | 1
debian/patches/fix-cve-2016-1240.diff | 30 +++++++++++
debian/patches/series | 2
debian/patches/use-bash.diff | 90 ++++++++++++++++++++++++++++++++++
debian/pki-ca.postrm | 11 ++++
debian/pki-kra.postrm | 11 ++++
debian/pki-ocsp.postrm | 11 ++++
debian/pki-server.dirs | 1
debian/pki-server.postrm | 8 +++
debian/pki-tks.postrm | 11 ++++
debian/pki-tps.postrm | 11 ++++
12 files changed, 200 insertions(+)
New commits:
commit d0ef9e18cc9b17c502922c25992d31416da42e22
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Oct 27 17:31:36 2016 +0300
releasing package dogtag-pki version 10.3.5-5
diff --git a/debian/changelog b/debian/changelog
index 650314a..16ffa40 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-dogtag-pki (10.3.5-5) UNRELEASED; urgency=medium
+dogtag-pki (10.3.5-5) unstable; urgency=medium
* server: Add /etc/dogtag to dirs, clean up stuff created by pkispawn
on purge.
@@ -9,7 +9,7 @@ dogtag-pki (10.3.5-5) UNRELEASED; urgency=medium
which has code copied from the tomcat initscript.
* pki-{ca,kra,ocsp,tks,tps}.postrm: Remove logfiles on purge.
- -- Timo Aaltonen <tjaalton at debian.org> Thu, 06 Oct 2016 00:36:37 +0300
+ -- Timo Aaltonen <tjaalton at debian.org> Thu, 27 Oct 2016 17:31:23 +0300
dogtag-pki (10.3.5-4) unstable; urgency=medium
commit 572fd5dea1006763f369bc630257520136981efb
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Oct 27 17:29:16 2016 +0300
pki-{ca,kra,ocsp,tks,tps}.postrm: Remove logfiles on purge.
diff --git a/debian/changelog b/debian/changelog
index 09bd60c..650314a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ dogtag-pki (10.3.5-5) UNRELEASED; urgency=medium
some places where checkbashisms reported warnings.
* fix-cve-2016-1240.diff: Fix CVE-2016-1240 in scripts/operations
which has code copied from the tomcat initscript.
+ * pki-{ca,kra,ocsp,tks,tps}.postrm: Remove logfiles on purge.
-- Timo Aaltonen <tjaalton at debian.org> Thu, 06 Oct 2016 00:36:37 +0300
diff --git a/debian/pki-ca.postrm b/debian/pki-ca.postrm
new file mode 100644
index 0000000..d55df23
--- /dev/null
+++ b/debian/pki-ca.postrm
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+
+if [ "$1" = purge ]; then
+ rm -f /var/log/pki/pki-ca-destroy*.log
+ rm -f /var/log/pki/pki-ca-spawn*.log
+fi
+
+#DEBHELPER#
+
diff --git a/debian/pki-kra.postrm b/debian/pki-kra.postrm
new file mode 100644
index 0000000..f8a7f5c
--- /dev/null
+++ b/debian/pki-kra.postrm
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+
+if [ "$1" = purge ]; then
+ rm -rf /var/log/pki/pki-kra-destroy*.log
+ rm -rf /var/log/pki/pki-kra-spawn*.log
+fi
+
+#DEBHELPER#
+
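Review bot: `rm -rf` is used in pki-kra.postrm on globs that are meant to match only log files, while pki-ca.postrm and pki-ocsp.postrm use `rm -f` for the equivalent patterns. Maintainer scripts run as root, so the recursive flag would also remove a directory whose name happens to match `pki-kra-destroy*.log`; whether a non-root account can create entries in /var/log/pki is not visible here. `rm -f /var/log/pki/pki-kra-destroy*.log` and `rm -f /var/log/pki/pki-kra-spawn*.log` would match the other scripts. The same applies to pki-tks.postrm and pki-tps.postrm.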
diff --git a/debian/pki-ocsp.postrm b/debian/pki-ocsp.postrm
new file mode 100644
index 0000000..8bb64ec
--- /dev/null
+++ b/debian/pki-ocsp.postrm
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+
+if [ "$1" = purge ]; then
+ rm -f /var/log/pki/pki-ocsp-destroy*.log
+ rm -f /var/log/pki/pki-ocsp-spawn*.log
+fi
+
+#DEBHELPER#
+
diff --git a/debian/pki-tks.postrm b/debian/pki-tks.postrm
new file mode 100644
index 0000000..ea967fe
--- /dev/null
+++ b/debian/pki-tks.postrm
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+
+if [ "$1" = purge ]; then
+ rm -rf /var/log/pki/pki-tks-destroy*.log
+ rm -rf /var/log/pki/pki-tks-spawn*.log
+fi
+
+#DEBHELPER#
+
diff --git a/debian/pki-tps.postrm b/debian/pki-tps.postrm
new file mode 100644
index 0000000..f80a569
--- /dev/null
+++ b/debian/pki-tps.postrm
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+
+if [ "$1" = purge ]; then
+ rm -rf /var/log/pki/pki-tps-destroy*.log
+ rm -rf /var/log/pki/pki-tps-spawn*.log
+fi
+
+#DEBHELPER#
+
commit 3ed725cc88494a8acaf7dcedd8e162f839963f44
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Oct 27 17:27:25 2016 +0300
fix-cve-2016-1240.diff: Fix CVE-2016-1240 in scripts/operations which has code copied from the tomcat initscript.
diff --git a/debian/changelog b/debian/changelog
index ffc0f1f..09bd60c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ dogtag-pki (10.3.5-5) UNRELEASED; urgency=medium
* control: Add libscannotation-java to server depends.
* use-bash.diff: Revert some of 4708983b8 to use bash instead of sh in
some places where checkbashisms reported warnings.
+ * fix-cve-2016-1240.diff: Fix CVE-2016-1240 in scripts/operations
+ which has code copied from the tomcat initscript.
-- Timo Aaltonen <tjaalton at debian.org> Thu, 06 Oct 2016 00:36:37 +0300
diff --git a/debian/patches/fix-cve-2016-1240.diff b/debian/patches/fix-cve-2016-1240.diff
new file mode 100644
index 0000000..71f2b48
--- /dev/null
+++ b/debian/patches/fix-cve-2016-1240.diff
@@ -0,0 +1,30 @@
+--- a/base/server/scripts/operations
++++ b/base/server/scripts/operations
+@@ -1415,8 +1415,11 @@ catalina_sh() {
+ fi
+
+ # Run the catalina.sh script as a daemon
+- touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
+- chown $TOMCAT_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
++ if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
++ # run install as pkiuser to work around #841371
++ su $TOMCAT_USER -s /bin/bash -c "install -m 644 /dev/null $CATALINA_BASE/logs/catalina.out"
++ fi
++ install -o $TOMCAT_USER -m 644 /dev/null "$CATALINA_PID"
+ start-stop-daemon --start -b -u "$TOMCAT_USER" -g "$TOMCAT_GROUP" \
+ -c "$TOMCAT_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
+ -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
+@@ -1494,11 +1497,11 @@ start_deb_instance()
+
+ # Remove / recreate JVM_TMP directory
+ rm -rf "$JVM_TMP"
+- mkdir -p "$JVM_TMP" || {
++ mkdir "$JVM_TMP" || {
+ log_failure_msg "could not create JVM temporary directory"
+ exit 1
+ }
+- chown $TOMCAT_USER "$JVM_TMP"
++ chown -h $TOMCAT_USER "$JVM_TMP"
+
+ catalina_sh start $SECURITY
+ sleep 5
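Review bot: In the added `su $TOMCAT_USER -s /bin/bash -c "install -m 644 /dev/null $CATALINA_BASE/logs/catalina.out"` line, `$CATALINA_BASE` is expanded by the outer shell into the command string and then parsed again by the bash that su starts, so a path containing whitespace or shell metacharacters would be split or interpreted there. `$TOMCAT_USER` is also unquoted on this line, on `install -o` and on `chown -h`. The inner command runs as the unprivileged user, which limits the effect to that account, but quoting keeps it predictable: `su "$TOMCAT_USER" -s /bin/bash -c "install -m 644 /dev/null '$CATALINA_BASE/logs/catalina.out'"` and `install -o "$TOMCAT_USER" -m 644 /dev/null "$CATALINA_PID"`. It would also help to add a comment such as `# never chown as root a path the service user can replace with a link (CVE-2016-1240)` above the block, since the reason touch+chown was dropped is not obvious from the code. Both catalina_sh and start_deb_instance continue outside the hunk.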
diff --git a/debian/patches/series b/debian/patches/series
index c7c02f1..ad771fe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ use-usr-bin.diff
use-root-homedir.diff
fix-cli-migrate.diff
use-bash.diff
+fix-cve-2016-1240.diff
commit 4de88ba019d030267cbaa7088c1079a87610373d
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Thu Oct 27 16:20:38 2016 +0300
use-bash.diff: Revert some of 4708983b8 to use bash instead of sh in some places where checkbashisms reported warnings.
diff --git a/debian/changelog b/debian/changelog
index c59dde7..ffc0f1f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ dogtag-pki (10.3.5-5) UNRELEASED; urgency=medium
* server: Add /etc/dogtag to dirs, clean up stuff created by pkispawn
on purge.
* control: Add libscannotation-java to server depends.
+ * use-bash.diff: Revert some of 4708983b8 to use bash instead of sh in
+ some places where checkbashisms reported warnings.
-- Timo Aaltonen <tjaalton at debian.org> Thu, 06 Oct 2016 00:36:37 +0300
diff --git a/debian/patches/series b/debian/patches/series
index d1462ee..c7c02f1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ fix-junit-jar.diff
use-usr-bin.diff
use-root-homedir.diff
fix-cli-migrate.diff
+use-bash.diff
diff --git a/debian/patches/use-bash.diff b/debian/patches/use-bash.diff
new file mode 100644
index 0000000..1b6c367
--- /dev/null
+++ b/debian/patches/use-bash.diff
@@ -0,0 +1,90 @@
+--- a/base/scripts/pkiclihelp
++++ b/base/scripts/pkiclihelp
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ ## BEGIN COPYRIGHT BLOCK
+ ## (C) 2014 Red Hat, Inc.
+ ## All rights reserved.
+--- a/base/server/scripts/pkidaemon
++++ b/base/server/scripts/pkidaemon
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ #
+ # --- BEGIN COPYRIGHT BLOCK ---
+ # This program is free software; you can redistribute it and/or modify
+--- a/scripts/compose_pki_core_packages
++++ b/scripts/compose_pki_core_packages
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ # BEGIN COPYRIGHT BLOCK
+ # (C) 2010 Red Hat, Inc.
+ # All rights reserved.
+@@ -202,7 +202,7 @@ fi
+ ##
+
+ rm -rf ${PKI_CORE_PACKAGE_SCRIPT}
+-printf "#!/bin/sh\n\n" > ${PKI_CORE_PACKAGE_SCRIPT}
++printf "#!/bin/bash\n\n" > ${PKI_CORE_PACKAGE_SCRIPT}
+ printf "${PKI_CORE_PACKAGE_COMMAND}\n\n" >> ${PKI_CORE_PACKAGE_SCRIPT}
+ chmod 775 ${PKI_CORE_PACKAGE_SCRIPT}
+
+@@ -212,7 +212,7 @@ chmod 775 ${PKI_CORE_PACKAGE_SCRIPT}
+ ##
+
+ cd ${PKI_PACKAGES} ;
+-sh ./package_${PKI_CORE} | tee package_${PKI_CORE}.log 2>&1
++bash ./package_${PKI_CORE} | tee package_${PKI_CORE}.log 2>&1
+
+ if [ "$CREATEREPO" == "Y" ] ; then
+ echo "Creating a repository of the built rpms"
+--- a/scripts/compose_pki_test_package
++++ b/scripts/compose_pki_test_package
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ # BEGIN COPYRIGHT BLOCK
+ # (C) 2010 Red Hat, Inc.
+ # All rights reserved.
+--- a/scripts/create_beaker_job
++++ b/scripts/create_beaker_job
+@@ -1,4 +1,4 @@
+-#! /bin/sh
++#! /bin/bash
+
+ ### Exit if there not enough parameters specified.
+ if [ $# -lt 2 ];
+--- a/scripts/compose_dogtag_pki_theme_packages
++++ b/scripts/compose_dogtag_pki_theme_packages
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ # BEGIN COPYRIGHT BLOCK
+ # (C) 2010 Red Hat, Inc.
+ # All rights reserved.
+@@ -187,7 +187,7 @@ fi
+ ##
+
+ rm -rf ${DOGTAG_PKI_THEME_PACKAGE_SCRIPT}
+-printf "#!/bin/sh\n\n" > ${DOGTAG_PKI_THEME_PACKAGE_SCRIPT}
++printf "#!/bin/bash\n\n" > ${DOGTAG_PKI_THEME_PACKAGE_SCRIPT}
+ printf "${DOGTAG_PKI_THEME_PACKAGE_COMMAND}\n\n" >> ${DOGTAG_PKI_THEME_PACKAGE_SCRIPT}
+ chmod 775 ${DOGTAG_PKI_THEME_PACKAGE_SCRIPT}
+
+@@ -197,5 +197,5 @@ chmod 775 ${DOGTAG_PKI_THEME_PACKAGE_SCR
+ ##
+
+ cd ${PKI_PACKAGES} ;
+-sh ./package_${DOGTAG_PKI_THEME} | tee package_${DOGTAG_PKI_THEME}.log 2>&1
++bash ./package_${DOGTAG_PKI_THEME} | tee package_${DOGTAG_PKI_THEME}.log 2>&1
+
+--- a/scripts/compose_pki_console_packages
++++ b/scripts/compose_pki_console_packages
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ # BEGIN COPYRIGHT BLOCK
+ # (C) 2010 Red Hat, Inc.
+ # All rights reserved.
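Review bot: On the changed `bash ./package_${PKI_CORE} | tee package_${PKI_CORE}.log 2>&1` line, the `2>&1` applies to tee rather than to the script, so the script's stderr never reaches the log file. The same holds for the `bash ./package_${DOGTAG_PKI_THEME}` line in compose_dogtag_pki_theme_packages. If the log is meant to capture build errors, the redirection belongs before the pipe: `bash ./package_${PKI_CORE} 2>&1 | tee package_${PKI_CORE}.log`. The variable expansions on these lines are also unquoted.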
commit 0450aa43382b3945b00877a5851ff3723e69680b
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Mon Oct 17 14:29:01 2016 +0300
control: Add libscannotation-java to server depends.
diff --git a/debian/changelog b/debian/changelog
index 2b9cba2..c59dde7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ dogtag-pki (10.3.5-5) UNRELEASED; urgency=medium
* server: Add /etc/dogtag to dirs, clean up stuff created by pkispawn
on purge.
+ * control: Add libscannotation-java to server depends.
-- Timo Aaltonen <tjaalton at debian.org> Thu, 06 Oct 2016 00:36:37 +0300
diff --git a/debian/control b/debian/control
index 7360ccf..046061d 100644
--- a/debian/control
+++ b/debian/control
@@ -168,6 +168,7 @@ Depends:
libjboss-logging-java,
libjs-jquery,
libjs-underscore,
+ libscannotation-java,
libsymkey-java (= ${source:Version}),
libtomcatjss-java (>= 7.1.4-2),
libnuxwdog-java,
commit db04e142c9dce1e9270157b3215d80174632eb3a
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Mon Oct 17 14:26:24 2016 +0300
server: Add /etc/dogtag to dirs, clean up stuff created by pkispawn on purge.
diff --git a/debian/changelog b/debian/changelog
index beb8ca3..2b9cba2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+dogtag-pki (10.3.5-5) UNRELEASED; urgency=medium
+
+ * server: Add /etc/dogtag to dirs, clean up stuff created by pkispawn
+ on purge.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Thu, 06 Oct 2016 00:36:37 +0300
+
dogtag-pki (10.3.5-4) unstable; urgency=medium
* tests: Add simple autopkgtest that runs setup-ds and pkispawn.
diff --git a/debian/pki-server.dirs b/debian/pki-server.dirs
index 9b4f911..18ee6ae 100644
--- a/debian/pki-server.dirs
+++ b/debian/pki-server.dirs
@@ -1,3 +1,4 @@
+etc/dogtag
etc/systemd/system/pki-tomcatd.target.wants
etc/systemd/system/pki-tomcatd-nuxwdog.target.wants
var/lib/pki
diff --git a/debian/pki-server.postrm b/debian/pki-server.postrm
index 48e1102..a1910f1 100644
--- a/debian/pki-server.postrm
+++ b/debian/pki-server.postrm
@@ -6,6 +6,14 @@ if [ "$1" = purge ]; then
rm -f /etc/pki/default.cfg
rm -f /var/log/pki/pki-server*.log
rm -rf /var/log/pki/server
+
+ # these are created by pkispawn
+ rm -rf /etc/dogtag/tomcat/pki-tomcat
+ rm -rf /etc/pki/pki-tomcat
+ rm -f /etc/systemd/system/pki-tomcatd.target.wants/*
+ rm -f /etc/systemd/system/pki-tomcatd-nuxwdog.target.wants/*
+ rm -rf /var/lib/pki/pki-tomcat
+ rm -rf /var/log/pki/pki-tomcat
fi
#DEBHELPER#
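Review bot: The added purge steps hard-code the default instance name `pki-tomcat`, so an instance that pkispawn created under a different name would be left behind in /etc/pki, /var/lib/pki and /var/log/pki. The removed trees under /etc/pki/pki-tomcat and /var/lib/pki/pki-tomcat presumably include the instance's certificate databases and key material, which purge deletes without a prompt or backup; that is worth stating next to the code. A comment such as `# purge removes the default instance (pki-tomcat) including its NSS databases; other instances are not touched` would make both limits explicit. The `rm -f .../pki-tomcatd.target.wants/*` lines also remove every entry in those directories, not only the links pkispawn created.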