Version in base suite: 3.6-4+deb12u1 Version in overlay suite: 3.6-4+deb12u2 Base version: needrestart_3.6-4+deb12u2 Target version: needrestart_3.6-4+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/needrestart/needrestart_3.6-4+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/needrestart/needrestart_3.6-4+deb12u3.dsc changelog | 9 + patches/core-fix-regression-of-false-positives-for-processes.patch | 49 ++++++++++ patches/series | 1 3 files changed, 59 insertions(+) Unrecognised file line in .dsc: -----BEGIN PGP SIGNATURE-----
diff -Nru needrestart-3.6/debian/changelog needrestart-3.6/debian/changelog
--- needrestart-3.6/debian/changelog 2024-11-12 19:51:08.000000000 +0000
+++ needrestart-3.6/debian/changelog 2024-12-02 19:52:03.000000000 +0000
@@ -1,3 +1,12 @@
+needrestart (3.6-4+deb12u3) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * core: fix regression of false positives for processes running in chroot or
+ mountns (Closes: #1087918, #1088047, #1088012, #1087917, #1087958,
+ #1087957)
+
+ -- Salvatore Bonaccorso Mon, 02 Dec 2024 20:52:03 +0100
+
 needrestart (3.6-4+deb12u2) bookworm-security; urgency=high

 * Non-maintainer upload by the Security Team.
diff -Nru needrestart-3.6/debian/patches/core-fix-regression-of-false-positives-for-processes.patch needrestart-3.6/debian/patches/core-fix-regression-of-false-positives-for-processes.patch
--- needrestart-3.6/debian/patches/core-fix-regression-of-false-positives-for-processes.patch 1970-01-01 00:00:00.000000000 +0000
+++ needrestart-3.6/debian/patches/core-fix-regression-of-false-positives-for-processes.patch 2024-12-02 19:52:03.000000000 +0000
@@ -0,0 +1,49 @@
+From: Thomas Liske
+Date: Wed, 27 Nov 2024 21:54:20 +0100
+Subject: core: fix regression of false positives for processes running in
+ chroot or mountns (#317)
+Origin: https://github.com/liske/needrestart/commit/e17b5644aff0f9eaeb422af7013b9c88ffc44423
+Bug-Debian: https://bugs.debian.org/1087918
+Bug-Debian: https://bugs.debian.org/1088047
+Bug-Debian: https://bugs.debian.org/1088012
+Bug-Debian: https://bugs.debian.org/1087917
+Bug-Debian: https://bugs.debian.org/1087958
+Bug-Debian: https://bugs.debian.org/1087957
+Bug: https://github.com/liske/needrestart/issues/317
+
+---
+ needrestart | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/needrestart b/needrestart
+index 6b4fcf7ae0fe..d38f5456fa94 100755
+--- a/needrestart
++++ b/needrestart
+@@ -530,15 +530,21 @@ if(defined($opt_l)) {
+ # orphaned binary
+ $restart++ if (defined($exe) && $exe =~ s/ \(deleted\)$//); # Linux
+ $restart++ if (defined($exe) && $exe =~ s/^\(deleted\)//); # Linux VServer
+- $restart++ unless(defined($ptable->{$pid}->{exec}));
+ print STDERR "$LOGPREF #$pid uses obsolete binary $exe\n" if($restart && $nrconf{verbosity} > 1);
+
+ # ignore blacklisted binaries
+ next if(grep { $exe =~ /$_/; } @{$nrconf{blacklist}});
+
+- # Sync $exe with the initial value from Proc:ProcessTable to prevent race
++ # Sync $exe with the initial value from Proc::ProcessTable to prevent race
+ # conditions in later checks.
+- $exe = $ptable->{$pid}->{exec} if(defined($ptable->{$pid}->{exec}));
++ if(defined($ptable->{$pid}->{exec})) {
++ $exe = $ptable->{$pid}->{exec};
++ }
++ # Proc::ProcessTable's exec field is undef if the file is not accessible in
++ # the root mountns, so the value of $exe is used instead.
++ else {
++ $ptable->{$pid}->{exec} = $exe;
++ }
+
+ # read file mappings (Linux 2.0+)
+ unless($restart) {
+--
+2.45.2
+
diff -Nru needrestart-3.6/debian/patches/series needrestart-3.6/debian/patches/series
--- needrestart-3.6/debian/patches/series 2024-11-12 19:44:01.000000000 +0000
+++ needrestart-3.6/debian/patches/series 2024-12-02 19:52:03.000000000 +0000
@@ -10,3 +10,4 @@
 interp-do-not-set-RUBYLIB-environment-variable-to-pr.patch
 interp-chdir-into-empty-directory-to-prevent-python-.patch
 interp-drop-usage-of-Module-ScanDeps-to-prevent-LPE.patch
+core-fix-regression-of-false-positives-for-processes.patch
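Review bot: In core-fix-regression-of-false-positives-for-processes.patch, the new `else` branch stores `$exe` in `$ptable->{$pid}->{exec}` for exactly the processes whose binary, per the added comment, is not accessible in the root mountns, yet nothing marks the value as a path that presumably belongs to another chroot or mount namespace. Any later check that opens or stats `exec` from the root namespace would then look at a different file or at none, which matters for a tool that runs as root; I would extend the comment with `# $exe is only meaningful inside the process's own chroot/mountns; do not resolve it in the root namespace.` `$exe` can also be undef at this point (the `$restart++` lines above still test `defined($exe)`), and with the `$restart++ unless(defined($ptable->{$pid}->{exec}))` line removed that case is no longer flagged, so `elsif(defined($exe)) {` in place of `else {` would make the intended fallback explicit. The surrounding loop body starts and ends outside the hunk, so how the later checks consume `exec` cannot be confirmed from here.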