Version in base suite: 11+2023.05.04 Base version: debian-security-support_11+2023.05.04 Target version: debian-security-support_11+2023.12.11 Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/debian-security-support/debian-security-support_11+2023.05.04.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/d/debian-security-support/debian-security-support_11+2023.12.11.dsc check-support-status.in | 60 ++++++++++++++++++++----------------------- debian/changelog | 19 +++++++++++++ security-support-ended.deb11 | 4 ++ security-support-limited | 3 +- t/check-support-status.t | 37 +++++++++++++++++++------- 5 files changed, 80 insertions(+), 43 deletions(-) diff -Nru debian-security-support-11+2023.05.04/check-support-status.in debian-security-support-11+2023.12.11/check-support-status.in --- debian-security-support-11+2023.05.04/check-support-status.in 2023-05-04 17:27:19.000000000 +0000 +++ debian-security-support-11+2023.12.11/check-support-status.in 2023-12-22 15:47:38.000000000 +0000 @@ -175,12 +175,11 @@ # Create intersection LEFT="$TEMPDIR/left" -RIGHT="$TEMPDIR/right" INTERSECTION_LIST="$TEMPDIR/intersection" [% AWK %] -F'\t' '{print $3}' "$INSTALLED_LIST" | LC_ALL=C sort -u >"$LEFT" -grep -v '^#' "$LIST" | LC_ALL=C sort | [% AWK %] '{print $1}' >"$RIGHT" +PATTERNS=$(grep -vP '^(#|$)' "$LIST" | [% AWK %] '{print $1}' | paste -sd'|') -LC_ALL=C comm -12 "$LEFT" "$RIGHT" >"$INTERSECTION_LIST" +LC_ALL=C grep -P -x -e "$PATTERNS" "$LEFT" >"$INTERSECTION_LIST" || true if [ ! -s "$INTERSECTION_LIST" ] ; then # nothing to do exit 0 
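Review bot: The `|| true` on the new `grep -P -x -e "$PATTERNS" "$LEFT"` line swallows grep's error exit (status 2) as well as the harmless no-match exit (status 1). Because every first-column entry of `$LIST` is joined into one alternation, a single malformed pattern invalidates the whole expression; `$INTERSECTION_LIST` then stays empty and the script takes the `exit 0` "nothing to do" path, as if no installed package were affected. Accepting only status 1 keeps the no-match case quiet and lets real failures stop the run (presumably the script runs under `set -e`, given the `|| true`): `LC_ALL=C grep -P -x -e "$PATTERNS" "$LEFT" >"$INTERSECTION_LIST" || [ $? -eq 1 ]`. A comment above `PATTERNS=` such as `# first column of $LIST is a PCRE, matched against the whole source package name` would also tell list maintainers that `.` and `+` are no longer literal. The `if` block at the end of the hunk continues outside it.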
@@ -190,9 +189,14 @@ mkdir -p "$TD" cat "$INTERSECTION_LIST" | while read SRC_NAME ; do + LINE=$(grep -vP '^(#|$)' "$LIST" | while read pattern rest ; do + if echo $SRC_NAME | grep -q -P -x -e "$pattern" ; then + echo "$pattern $rest" + break + fi + done) IFS="$(printf '\nx')" IFS="${IFS%x}" - LINE="$([% AWK %] '($1=="'"$SRC_NAME"'"){print}' "$LIST" | head -1)" case "$TYPE" in earlyend) TMP_WHEN="$(echo "$LINE" | [% AWK %] '{print $3}')" 
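Review bot: In the added `LINE=$(...)` lookup, `read pattern rest` runs without `-r` and `$SRC_NAME` is echoed unquoted, so the pattern tested here can differ from the one that put the name into `$INTERSECTION_LIST`. Without `-r`, `read` drops backslashes, so an escaped list entry (a constructed example: `gtk\+3\.0`) would match in the `PATTERNS` step, which goes through awk, but not in this loop. `LINE` and the `TMP_WHEN` value taken from it would then be empty, which presumably suppresses the alert for that package. I would write `while read -r pattern rest ; do` and `if printf '%s\n' "$SRC_NAME" | grep -q -P -x -e "$pattern" ; then`. A one-line comment that the first matching line of `$LIST` wins would document the order dependence when two patterns overlap; the enclosing `while read SRC_NAME` loop continues outside the hunk.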
@@ -256,34 +260,28 @@ esac # for earlyend and ended, check packages actually affected (if TMP_WHEN not null) if [ -n "$TMP_WHEN" ] || [ "$TYPE" = limited ] ; then - if \ - [ -z "$ALERT_VERSION" ] || - [ "$BIN_VERSION" = "$ALERT_VERSION" ] || - dpkg --compare-versions "$BIN_VERSION" '<=' "$ALERT_VERSION" - then - # need to alert, but check status db first - TOKEN="$BIN_NAME/$BIN_VERSION" - if [ "$STATUSDB_FILE" ] && [ -f "$STATUSDB_FILE" ]; then - if grep -qFx "$TOKEN" "$STATUSDB_FILE" ; then - continue - fi + # need to alert, but check status db first + TOKEN="$BIN_NAME/$BIN_VERSION" + if [ "$STATUSDB_FILE" ] && [ -f "$STATUSDB_FILE" ]; then + if grep -qFx "$TOKEN" "$STATUSDB_FILE" ; then + continue + fi + fi + echo "$BIN_NAME $BIN_VERSION" >>"$TD/$SRC_NAME.bin" + echo "$ALERT_VERSION" >"$TD/$SRC_NAME.version" + echo "$ALERT_WHEN" >"$TD/$SRC_NAME.when" + echo "$ALERT_WHY" >"$TD/$SRC_NAME.why" + if [ "$STATUSDB_FILE" ] ; then + # add to status db, remove any older entries + if [ -f "$STATUSDB_FILE" ]; then + TEMPFILE="$(mktemp --tmpdir="$(dirname "$STATUSDB_FILE")")" + [% AWK %] -F/ '($1!="'"$BIN_NAME"'"){print}' \ + <"$STATUSDB_FILE" >"$TEMPFILE" + mv "$TEMPFILE" "$STATUSDB_FILE" fi - echo "$BIN_NAME $BIN_VERSION" >>"$TD/$SRC_NAME.bin" - echo "$ALERT_VERSION" >"$TD/$SRC_NAME.version" - echo "$ALERT_WHEN" >"$TD/$SRC_NAME.when" - echo "$ALERT_WHY" >"$TD/$SRC_NAME.why" - if [ "$STATUSDB_FILE" ] ; then - # add to status db, remove any older entries - if [ -f "$STATUSDB_FILE" ]; then - TEMPFILE="$(mktemp --tmpdir="$(dirname "$STATUSDB_FILE")")" - [% AWK %] -F/ '($1!="'"$BIN_NAME"'"){print}' \ - <"$STATUSDB_FILE" >"$TEMPFILE" - mv "$TEMPFILE" "$STATUSDB_FILE" - fi - echo "$TOKEN" >>"$STATUSDB_FILE" - fi # maintain status db - fi # package BIN_NAME's version is not supported - fi + echo "$TOKEN" >>"$STATUSDB_FILE" + fi # maintain status db + fi # package BIN_NAME's version is not supported done # read binary name and version for matching source name done # each source 
package from intersection diff -Nru debian-security-support-11+2023.05.04/debian/changelog debian-security-support-11+2023.12.11/debian/changelog --- debian-security-support-11+2023.05.04/debian/changelog 2023-05-04 17:27:19.000000000 +0000 +++ debian-security-support-11+2023.12.11/debian/changelog 2023-12-22 15:48:41.000000000 +0000 @@ -1,3 +1,22 @@ +debian-security-support (1:11+2023.12.11) bullseye; urgency=medium + + [ Santiago Ruano Rincón ] + * Mark samba support limited to non-AD DC uses cases (Closes: #1053109) + * Drop version-based check (Closes: #986581) and update test suite + accordingly. Backport changes made by Sylvain Beucler. + * Match ecosystems with limited support, test case updated. (Closes: #986333) + Backport changes by Sylvain Beucler. + * Use golang.* (as regex) instead of golang* in security-support-limited + + [ Salvatore Bonaccorso ] + * Add tor to security-support-ended.deb11 Closes: #1056606. + + [ Moritz Muehlenhoff ] + * Mark Consul as EOLed in Bullseye. Closes: #1057418. + * Mark Xen as EOLed in Bullseye. Closes: #1053246. + + -- Holger Levsen Fri, 22 Dec 2023 16:48:41 +0100 + debian-security-support (1:11+2023.05.04) bullseye-updates; urgency=medium [ Holger Levsen ] diff -Nru debian-security-support-11+2023.05.04/security-support-ended.deb11 debian-security-support-11+2023.12.11/security-support-ended.deb11 --- debian-security-support-11+2023.05.04/security-support-ended.deb11 2021-01-23 15:39:12.000000000 +0000 +++ debian-security-support-11+2023.12.11/security-support-ended.deb11 2023-12-22 15:47:38.000000000 +0000 
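Review bot: The trailing comment on the re-indented `fi # package BIN_NAME's version is not supported` is stale now that the `dpkg --compare-versions` test is removed. That `fi` closes the `[ -n "$TMP_WHEN" ] || [ "$TYPE" = limited ]` check, so it should read something like `fi # source has an end date, or support is limited`. A short comment next to `echo "$ALERT_VERSION" >"$TD/$SRC_NAME.version"` should say that the version is now recorded for display only and no longer decides whether an alert is raised. Separately, the status-db rewrite still splices `$BIN_NAME` into the awk program text; passing it as data, `[% AWK %] -F/ -v name="$BIN_NAME" '($1!=name){print}'`, keeps the value out of the program source. Both loops closed at the end of this hunk start outside it.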
@@ -10,4 +10,6 @@ # 4. Descriptive text or URL with more details (optional) # In the program's output, this is prefixed with "Details:" -# none yet (please remove this line once this is not true anymore) +tor 0.4.5.16-1 2023-11-22 https://lists.debian.org/debian-security-announce/2023/msg00258.html +consul 1.8.7+dfsg1-2 2023-12-04 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057418 +xen 4.14.5+94-ge49571868d-1 2023-09-30 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053246 diff -Nru debian-security-support-11+2023.05.04/security-support-limited debian-security-support-11+2023.12.11/security-support-limited --- debian-security-support-11+2023.05.04/security-support-limited 2023-05-04 17:27:19.000000000 +0000 +++ debian-security-support-11+2023.12.11/security-support-limited 2023-12-22 15:47:38.000000000 +0000 @@ -11,7 +11,7 @@ cython Only included for building packages, not running them, #975058 ganglia See README.Debian.security, only supported behind an authenticated HTTP zone, #702775 ganglia-web See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 -golang* See https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#golang-static-linking +golang.* See https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#golang-static-linking gnupg1 See #982258 and https://www.debian.org/releases/stretch/amd64/release-notes/ch-whats-new.en.html#modern-gnupg kde4libs khtml has no security support upstream, only for use on trusted content khtml khtml has no security support upstream, only for use on trusted content, see #1004293 
@@ -24,5 +24,6 @@ qtwebengine-opensource-src No security support upstream and backports not feasible, only for use on trusted content qtwebkit No security support upstream and backports not feasible, only for use on trusted content qtwebkit-opensource-src No security support upstream and backports not feasible, only for use on trusted content +samba Only non-AD Domain Controller use cases are supported. See https://lists.debian.org/debian-security-announce/2023/msg00169.html sql-ledger Only supported behind an authenticated HTTP zone zoneminder See README.Debian.security, only supported behind an authenticated HTTP zone, #922724 diff -Nru debian-security-support-11+2023.05.04/t/check-support-status.t debian-security-support-11+2023.12.11/t/check-support-status.t --- debian-security-support-11+2023.05.04/t/check-support-status.t 2023-05-04 17:27:19.000000000 +0000 +++ debian-security-support-11+2023.12.11/t/check-support-status.t 2023-12-22 15:47:38.000000000 +0000 @@ -208,6 +208,7 @@ iceweasel 3.5.16-20 2013-05-01 base-files 6.0squeeze9 2014-05-01 Some spaced explanation debconf 1.5.36.0 2014-05-02 +node-.* 0 2020-02-20 https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8 openjdk-6 6b35-1.13.7-1~deb7u1 2031-05-23 No perpetual term support __EOS__ write_file ($list_limited, <<__EOS__); @@ -221,6 +222,9 @@ [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], [ 'ioi', 'php5', '5.3.3-7+squeeze19' ], [ 'ioi', 'openjdk-6-jre', '6b35-1.13.7-1~deb7u1', 'openjdk-6' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], + [ 'ioi', 'libjs-marked', '0.3.2+dfsg-1', 'node-marked' ], ], ); 
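Review bot: The new fixtures in t/check-support-status.t cover one wildcard entry (`node-.*` matching source `node-marked`), but nothing pins the boundaries of the regex matching, i.e. that a plain entry such as `debconf` does not also match a longer source name. A regression there would either hide an unsupported package or flag a supported one. I would add a mock package whose source name only starts with a listed name (a constructed example: `[ 'ioi', 'debconf-extras', '1.0-1' ]`) and assert it is absent from the expected report and status db. A second list entry containing `.` or `+` would document whether such names are meant literally or as patterns. The here-document and the `mock_query_list` call these lines belong to start outside the hunks.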
@@ -238,6 +242,16 @@ Affected binary package: - base-files (installed version: 6.0squeeze9) +* Source:debconf, ended on 2014-05-02 at version 1.5.36.0 + Affected binary packages: + - debconf (installed version: 1.5.36.1) + - debconf-i18n (installed version: 1.5.36.1) + +* Source:node-marked, ended on 2020-02-20 at version 0 + Details: https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8 + Affected binary package: + - libjs-marked (installed version: 0.3.2+dfsg-1) + * Source:php5 Details: See README.Debian.security for the PHP security policy @@ -260,6 +274,9 @@ my $got = read_file ($statusdb_file); my $expect = <<__EOS__; base-files/6.0squeeze9 +debconf/1.5.36.1 +debconf-i18n/1.5.36.1 +libjs-marked/0.3.2+dfsg-1 php5/5.3.3-7+squeeze19 openjdk-6-jre/6b35-1.13.7-1~deb7u1 __EOS__ @@ -299,8 +316,8 @@ $query_list, [ [ 'ioi', 'base-files', '6.0squeeze9' ], - [ 'ioi', 'debconf', '1.5.36.1' ], - [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], ], ); @@ -543,8 +560,8 @@ $query_list, [ [ 'doc', 'base-files', '6.0squeeze9' ], - [ 'ioi', 'debconf', '1.5.36.1' ], - [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], ], ); @@ -586,8 +603,8 @@ $query_list, [ [ 'ioi', 'base-files', '6.0squeeze9' ], - [ 'ioi', 'debconf', '1.5.36.1' ], - [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], ], ); 
@@ -772,9 +789,9 @@ $query_list, [ [ 'ioi', 'base-files', '6.0squeeze9' ], - [ 'ioi', 'debconf', '1.5.36.1' ], - [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], [ 'ioi', 'openjdk-6-jre', '6b35-1.13.7-1~deb7u1', 'openjdk-6' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], ], ); @@ -834,8 +851,8 @@ mock_query_list ( $query_list, [ - [ 'ioi', 'debconf', '1.5.36.1' ], - [ 'ioi', 'debconf-i18n', '1.5.36.1', 'debconf' ], + [ 'ioi', 'supported-package', '1.0-1' ], + [ 'ioi', 'supported-package-bin2', '1.0-1', 'supported-package' ], ], );