[ubuntu/yakkety-proposed] amanda 1:3.3.9-1 (Accepted)

Jeremy Bicha jbicha at linux.com
Fri Sep 2 20:23:15 UTC 2016 

amanda (1:3.3.9-1) unstable; urgency=low

  * Imported Upstream version 3.3.9
    * Changes for 3.3.9
        * new --with-security-file configure option
          - It set the default security file
          - default to /etc/amanda-security.conf
      * security-fix
          - All previous release of amanda allow the 'amanda' user to execute
            any code as root, and to execute an interactive shell as root.
          - This is a security vulnerability if you do not trust the 'amanda'
            user.
          - There is no need to upgrade if you trust the 'amanda' user and the
            account is secure.
              - good password
              - secure xinetd.conf setting
              - securae .amandahosts setting
          - The 'amanda' user can read all files in the machine, it is what a
            backup program do.
          - The set of fix disable the abilities to run unwanted code as root
            or to write file anywhere in the filesystem.
      * /etc/amanda-security.conf
          - A file that contains security setting.
          - It list all binaries amanda can execute as root
          - restore_by_amanda_user
              - It tell if the 'amanda' user can do restore as root.
              - It allow the 'amanda' user to write files anywhere in the
                filesystem
          - see: man amanda-security.conf
      * amgtar/amstar/ambsdtar/runtar
          - Disable arguments that can fork program.
          - Verify the realpath (with symbolic link resolved) is in the
            amanda-security.conf file.
          - Verify the tar/star/bsdtar realpath program is secure
              - owned by root and modifiable only by root.
          - On restore, check the restore_by_amanda_user setting if not run
            by root.

  * Fix to configure and build with future openssl v1.1, but fail to link.
  * Bump Standards-Version to 3.9.8, no changes needed.
  * New configuration file /etc/amanda-security.conf.
  * Update translations pt_BR (Closes: #816961) and tr (Closes: #759871).
  * Fix uri on Vcs-* fields.
  * Add missing description and author to patches.
  * Use set command to setup options of scripts.
  * Change to new style of rules.
  * Make amanda build reproducible (Closes: #830725).  Thank you Chris Lamb.

Date: 2016-08-28 22:10:49.753304+00:00
Signed-By: Jeremy Bicha <jbicha at linux.com>
https://launchpad.net/ubuntu/+source/amanda/1:3.3.9-1
-------------- next part --------------
Sorry, changesfile not available.

More information about the Yakkety-changes mailing list