Debian

Available patches from Ubuntu

To see Ubuntu differences with respect to Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: logwatch

logwatch (7.5.4-1ubuntu1) hirsute; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Drop libsys-cpu-perl and libsys-meminfo-perl from Recommends to
      Suggests as they are in universe.
    - d/p/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch:
      postfix: Ignore Resolved loghost to 127.0.0.1. (LP #1583705)
    - d/p/0012-postfix-Handle-backwards-compatible-mode.patch:
      postfix: Handle backwards-compatible mode. (LP #1583705)
    - d/p/0013-secure-Ignore-warnings-about-gnome-keyring-daemon-it.patch:
      secure: Ignore warnings about gnome-keyring-daemon items already
      registered. (LP #1890752)
    - d/p/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch:
      zz-sys: Suppress warnings if Sys::CPU or Sys::MemInfo are missing.
      These are not installed by default in Ubuntu's logwatch packaging.
      (LP #1890749)
    - d/p/0015-pam_unix-Ignore-issues-about-etc-securetty-being-mis.patch:
      pam_unix: Ignore issues about /etc/securetty being missing.
      (LP #1890751)
    - d/p/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch
      audit: Don't handle "unconfined" profile changes distinct from
      ordinary loads
    - d/p/0018-audit-Handle-apparmor-errors-on-DENIED-messages.patch:
      audit: Treat Denial Errors same as Denied (LP #1577948)
    - d/p/0019-exim-Handle-self-signed-certs-warnings.patch:
      exim: Handle self-signed certs warnings. (LP #1892269)
    - d/p/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch:
      dhcpd: Ignore lease age under threshold messages (LP #1578001)
    - d/p/0021-audit-use-the-term-ALLOWED-instead-of-Grants.patch:
      audit: use the term ALLOWED instead of Grants (LP #1577948)
  * Dropped:
    - d/control: Update upstream's homepage
      [Taken in 7.5.4-1]

 -- Bryce Harrington <bryce@canonical.com>  Thu, 05 Nov 2020 04:28:07 +0000

Modifications:
  1. Download patch debian/patches/0019-exim-Handle-self-signed-certs-warnings.patch

    --- 7.5.4-1/debian/patches/0019-exim-Handle-self-signed-certs-warnings.patch 1970-01-01 00:00:00.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/patches/0019-exim-Handle-self-signed-certs-warnings.patch 2020-11-05 04:26:16.000000000 +0000 
@@ -0,0 +1,73 @@ +From 684b9ad38e41aab5a44fc2b8c2585015cef01245 Mon Sep 17 00:00:00 2001 +From: Bryce Harrington <bryce@canonical.com> +Date: Thu, 20 Aug 2020 22:34:43 +0000 +Subject: [PATCH 09/10] exim: Handle self-signed certs warnings + +This generates a 2-line warning, so handle the second line as part of +the warning message, not as "BAD FORMAT". + +Fixes: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1892269 +Signed-off-by: Bryce Harrington <bryce@canonical.com> +--- + scripts/services/exim | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +Origin: vendor +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1892269 +Forwarded: https://sourceforge.net/p/logwatch/git/merge-requests/46/ +Last-Updated: 2020-08-20 + +diff --git a/scripts/services/exim b/scripts/services/exim +index d2068a4..af1556a 100644 +--- a/scripts/services/exim ++++ b/scripts/services/exim +@@ -93,6 +93,10 @@ while (defined($ThisLine = <STDIN>)) { + $KeepEnv++ if $MatchedDate; + next; + } ++ if ( $ThisLine =~ /^ Suggested action: either install a certificate or change tls_advertise_hosts option/ ) { ++ push @SelfSignedH, $ThisLine; ++ next; ++ } + $BadFormat{$ThisLine}++; + next; + } unless ($year1,$month1,$day1,$h1,$m1,$s1) = ($ThisLine =~ /^(\d+)\-(\d+)\-(\d+)\s(\d+):(\d+):(\d+)\s.+/); +@@ -266,6 +270,10 @@ while (defined($ThisLine = <STDIN>)) { + $Lookup++; + push @LookupH, $ThisLine; + } ++ elsif ( $ThisLine =~ /No server certificate defined; will use a selfsigned one/ ) { ++ $SelfSigned++; ++ push @SelfSignedH, $ThisLine; ++ } + elsif ( $ThisLine =~ /DKIM: .* \[verification succeeded\]/ ) { + # Ignore successful DKIM verification reports + # http://www.exim.org/exim-html-current/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html +@@ -321,6 +329,16 @@ if ($Detail >= $LvlRuns) { + } + } + ++if (@SelfSignedH) { ++ print "\n--- Self-Signed Certificate in use ($SelfSigned Time(s))\n"; ++ ++ if ($Detail >= $LvlMsgs) { ++ foreach 
$ThisOne (@SelfSignedH) { ++ print "$ThisOne\n"; ++ } ++ } ++} ++ + if ($Detail >= $LvlVerify) { + if ((@SendVerify) and (@RecipVerify)) { + print "\n--- Address Verification ---\n"; +@@ -749,6 +767,7 @@ if ($Detail >= $LvlProtocol) { + } + } + } ++ + } + } + +-- +2.27.0 +
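Review bot: In the new report block (`if (@SelfSignedH)`), the heading interpolates `$SelfSigned`, but that counter is only incremented by the "No server certificate defined" branch, while the first hunk also pushes the "Suggested action" continuation line onto `@SelfSignedH`. A log slice that begins with the continuation line prints the section with an undefined count, and at `$LvlMsgs` detail each warning is listed as two separate entries. Initialise `$SelfSigned` to 0 where the other counters are set up (no declaration for either variable is visible in these hunks) and consider appending the continuation line to the previous entry instead of pushing it as its own element. The final hunk (`@@ -749,6 +767,7 @@`) only adds a blank line and is unrelated to the fix.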
  2. Download patch debian/patches/0018-audit-Treat-Denial-Errors-same-as-Denied.patch

    --- 7.5.4-1/debian/patches/0018-audit-Treat-Denial-Errors-same-as-Denied.patch 1970-01-01 00:00:00.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/patches/0018-audit-Treat-Denial-Errors-same-as-Denied.patch 2020-11-05 04:26:16.000000000 +0000 
@@ -0,0 +1,28 @@ +From: Bryce Harrington <bryce@bryceharrington.org> +Date: Tue, 25 Aug 2020 18:02:43 -0300 +Subject: audit: Treat Denial Errors same as Denied + +Ubuntu Security says, "I think this would be more useful as DENIED, as +that's how we discuss these line events elsewhere." +--- + scripts/services/audit | 3 +++ + 1 file changed, 3 insertions(+) + +Origin: vendor, https://sourceforge.net/p/logwatch/git/ci/c827d09423489fcdd840c670528a05573bd90278/ +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948 +Last-Updated: 2020-08-25 + +diff --git a/scripts/services/audit b/scripts/services/audit +index 46e300e..a590c5e 100644 +--- a/scripts/services/audit ++++ b/scripts/services/audit +@@ -136,6 +136,9 @@ while ($ThisLine = <STDIN>) { + # type=1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0 + # type=1400 audit(1597683992.796:8057): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/lib/uim/uim-helper-server" pid=1687330 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0: 1 Time(s) + $denials{$1.' '.$3.' ('.$2.' via '.$4 . ')'}++; ++ } elsif ( $ThisLine =~ /apparmor="DENIED" operation="([^"]+)" info="([^"]+)" error=-*[0-9]+ profile="([^"]+)" name="([^"]+)" pid=\d+ comm="([^"]+)"/ ) { ++ # type=1400 audit(1597690743.153:8073): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-open-iscsi-review-mp389234-groovy_</var/snap/lxd/common/lxd>" name="/run/" pid=1694826 comm="mount" flags="rw, nosuid, nodev, remount": 1 Time(s) ++ $denials{$1.' '.$4.' ('.$3.' via '.$5 .': '.$2. 
')'}++; + } elsif ( $ThisLine =~ /apparmor="ALLOWED" operation="([^"]+)" (info="([^"]+)" )?(error=[+-]?\d+ )?(parent=\d+ )?profile="([^"]+)" (name="([^"]+)" )?pid=\d+ comm="([^"]+)"/ ) { + # type=1400 audit(1369519203.141:259049): apparmor="ALLOWED" operation="exec" parent=3733 profile="/usr/sbin/dovecot//null-1c//null-1d" name="/usr/lib/dovecot/pop3-login" pid=24634 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/dovecot//null-1c//null-1d//null-d12" + # type=1400 audit(1369627891.522:447576): apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/sbin/dovecot//null-1c//null-1d" pid=3733 comm="dovecot" capability=5 capname="kill"
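Review bot: The new DENIED branch matches the error code with `error=-*[0-9]+`, which accepts any run of dashes, while the ALLOWED branch in the trailing context uses `error=[+-]?\d+`; use the same form in both. The new pattern also requires `info=`, `error=` and `name=` to be present in exactly that order, so a denial that carries `info=` but no `name=` is not counted by this branch. Making those fields optional in a single pattern, as the ALLOWED branch does with `(info="([^"]+)" )?(error=[+-]?\d+ )?`, would cover both shapes of DENIED line without a second branch.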
  3. Download patch debian/patches/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch

    --- 7.5.4-1/debian/patches/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch 1970-01-01 00:00:00.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/patches/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch 2020-11-05 04:26:16.000000000 +0000 
@@ -0,0 +1,28 @@ +From: Bryce Harrington <bryce@canonical.com> +Date: Thu, 20 Aug 2020 04:56:08 +0000 +Subject: [PATCH 07/10] audit: Apparmor DENIED entries don't always include + parent=N + +Ref: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948 +Signed-off-by: Bryce Harrington <bryce@canonical.com> +--- + scripts/services/audit | 1 + + 1 file changed, 1 insertion(+) + +Origin: vendor +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948 +Forwarded: https://sourceforge.net/p/logwatch/git/merge-requests/46/ +Last-Updated: 2020-08-20 + +diff --git a/scripts/services/audit b/scripts/services/audit +index b12f710..46e300e 100644 +--- a/scripts/services/audit ++++ b/scripts/services/audit +@@ -134,6 +134,7 @@ while ($ThisLine = <STDIN>) { + } elsif ( $ThisLine =~ /apparmor="DENIED" operation="([^"]+)" parent=\d+ profile="([^"]+)" name="([^"]+)" pid=\d+ comm="([^"]+)"/ ) { + # type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33 + # type=1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0 ++ # type=1400 audit(1597683992.796:8057): apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/lib/uim/uim-helper-server" pid=1687330 comm="evince" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0: 1 Time(s) + $denials{$1.' '.$3.' ('.$2.' via '.$4 . 
')'}++; + } elsif ( $ThisLine =~ /apparmor="ALLOWED" operation="([^"]+)" (info="([^"]+)" )?(error=[+-]?\d+ )?(parent=\d+ )?profile="([^"]+)" (name="([^"]+)" )?pid=\d+ comm="([^"]+)"/ ) { + # type=1400 audit(1369519203.141:259049): apparmor="ALLOWED" operation="exec" parent=3733 profile="/usr/sbin/dovecot//null-1c//null-1d" name="/usr/lib/dovecot/pop3-login" pid=24634 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/dovecot//null-1c//null-1d//null-d12"
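Review bot: The only added line is a sample-log comment without `parent=`, but the regex on the first context line still requires `parent=\d+ ` between `operation=` and `profile=`, so the evince sample it documents does not match this branch. If the intent is what the subject says, make the field optional with `(?:parent=\d+ )?`, which leaves the capture numbering used by `$denials{$1.' '.$3...}` unchanged. The added sample also ends in ": 1 Time(s)", which looks like logwatch report output rather than a raw audit line.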
  4. Download patch debian/patches/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch

    --- 7.5.4-1/debian/patches/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch 1970-01-01 00:00:00.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/patches/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch 2020-11-05 04:26:15.000000000 +0000 
@@ -0,0 +1,52 @@ +From 488a232634c1d383f4ec356d776b4ee292e48b0a Mon Sep 17 00:00:00 2001 +From: Bryce Harrington <bryce@canonical.com> +Date: Wed, 19 Aug 2020 04:39:22 +0000 +Subject: [PATCH 04/10] zz-sys: Suppress warnings if Sys::CPU or Sys::MemInfo + are missing + +Neither of these perl modules are installed by default with a logwatch +installation, by intention, so the missing module warnings are +inappropriate. These modules only provide a minor amount of detail when +installed, and their information is volatile which can trigger false +test failures in some cases. + +Fixes: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1890749 +Signed-off-by: Bryce Harrington <bryce@canonical.com> +--- + scripts/services/zz-sys | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +Origin: vendor +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1890749 +Forwarded: not-needed +Last-Updated: 2020-08-20 + +diff --git a/scripts/services/zz-sys b/scripts/services/zz-sys +index 39f94ce..6bbf3fe 100644 +--- a/scripts/services/zz-sys ++++ b/scripts/services/zz-sys +@@ -35,8 +35,8 @@ + + eval "require Sys::CPU"; + if ($@) { +- print STDERR "No Sys::CPU module installed. To install, execute the command:\n"; +- print STDERR " perl -MCPAN -e 'install Sys::CPU' \n\n"; ++ # Sys::CPU (and Sys::MemInfo) are intentionally not installed on Ubuntu. ++ # Silently skip this if not present. + } else { + import Sys::CPU; + print " CPU: " . Sys::CPU::cpu_count() . " " . Sys::CPU::cpu_type() . " at " . Sys::CPU::cpu_clock() . "MHz\n"; +@@ -52,8 +52,8 @@ print " Release: $OStitle $release\n"; + + eval "require Sys::MemInfo"; + if ($@) { +- print STDERR "No Sys::MemInfo module installed. To install, execute the command:\n"; +- print STDERR " perl -MCPAN -e 'install Sys::MemInfo' \n\n"; ++ # Sys::CPU (and Sys::MemInfo) are intentionally not installed on Ubuntu. ++ # Silently skip this if not present. 
+ } else { + import Sys::MemInfo qw(totalmem freemem totalswap freeswap); + my $swapused = &totalswap - &freeswap; +-- +2.27.0 +
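Review bot: Both `if ($@)` bodies are now comment-only, so every failure of `eval "require Sys::CPU"` and `eval "require Sys::MemInfo"` is swallowed, including a module that is installed but fails to load. Suppress only the missing-module case (for example by checking `$@` for "Can't locate") and keep a STDERR message for anything else. In the second hunk the comment is a copy of the first one; it should lead with Sys::MemInfo.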
  5. Download patch debian/control

    --- 7.5.4-1/debian/control 2020-10-04 18:37:51.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/control 2020-11-05 04:28:07.000000000 +0000 @@ -1,7 +1,8 @@ Source: logwatch Section: admin Priority: optional -Maintainer: Willi Mann <willi@debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Willi Mann <willi@debian.org> Build-Depends: debhelper (>> 11.0.0~) Standards-Version: 4.5.0 Homepage: https://sourceforge.net/projects/logwatch/ @@ -11,7 +12,8 @@ Vcs-Git: https://salsa.debian.org/debian Package: logwatch Architecture: all Depends: ${perl:Depends}, ${misc:Depends}, default-mta | mail-transport-agent -Recommends: libdate-manip-perl, libsys-cpu-perl, libsys-meminfo-perl +Recommends: libdate-manip-perl +Suggests: libsys-cpu-perl, libsys-meminfo-perl Description: log analyser with nice output written in Perl Logwatch is a modular log analyser that runs every night and mails you the results. It can also be run from command line.
  6. Download patch debian/patches/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch

    --- 7.5.4-1/debian/patches/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch 1970-01-01 00:00:00.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/patches/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch 2020-11-05 04:26:16.000000000 +0000 @@ -0,0 +1,32 @@ +From b5ba9adac18b8b964f1bc8532ef6b9809656777c Mon Sep 17 00:00:00 2001 +From: Bryce Harrington <bryce@canonical.com> +Date: Thu, 20 Aug 2020 22:53:30 +0000 +Subject: [PATCH 10/10] dhcpd: Ignore lease age under threshold messages + +Fixes: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1578001 +Signed-off-by: Bryce Harrington <bryce@canonical.com> +--- + scripts/services/dhcpd | 2 ++ + 1 file changed, 2 insertions(+) + +Origin: vendor +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1578001 +Forwarded: https://sourceforge.net/p/logwatch/git/merge-requests/46/ +Last-Updated: 2020-08-20 + +diff --git a/scripts/services/dhcpd b/scripts/services/dhcpd +index 98e7fa7..87312f7 100644 +--- a/scripts/services/dhcpd ++++ b/scripts/services/dhcpd +@@ -119,6 +119,8 @@ while (my $line = <STDIN>) { + ($line =~ /^of the dhcpd.conf file\./) + ) { + # Do nothing ++ } elsif ($line =~ /lease age \d+ \(secs\) under \d+% threshold, reply with unaltered, existing lease/) { ++ # Do nothing + + } elsif ($line =~ s/^exiting./DHCP server exiting./) { + $data{'Generic error'}{$line}++; +-- +2.27.0 +
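Review bot: The added `elsif` creates a second empty "Do nothing" branch directly after an ignore branch whose condition is already a parenthesised list of patterns (the context shows it ending in `($line =~ /^of the dhcpd.conf file\./)`). Adding the lease-age pattern to that list keeps all ignored messages in one place. The pattern is unanchored, and a sample log line in a comment would document exactly which message is being dropped from the report.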
  7. Download patch debian/patches/0015-pam_unix-Ignore-issues-about-etc-securetty-being-mis.patch

    --- 7.5.4-1/debian/patches/0015-pam_unix-Ignore-issues-about-etc-securetty-being-mis.patch 1970-01-01 00:00:00.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/patches/0015-pam_unix-Ignore-issues-about-etc-securetty-being-mis.patch 2020-11-05 04:26:16.000000000 +0000 
@@ -0,0 +1,51 @@ +From 1b471a45e1a0bb55302d65e3cffb72fa0ea66391 Mon Sep 17 00:00:00 2001 +From: Bryce Harrington <bryce@canonical.com> +Date: Wed, 19 Aug 2020 04:43:25 +0000 +Subject: [PATCH 05/10] pam_unix: Ignore issues about /etc/securetty being + missing + +Fixes: https://bugs.launchpad.net/ubuntu/focal/+source/logwatch/+bug/1890751 +Signed-off-by: Bryce Harrington <bryce@canonical.com> +--- + scripts/services/pam_unix | 5 +++++ + scripts/services/sudo | 3 +++ + 2 files changed, 8 insertions(+) + +Origin: vendor +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/focal/+source/logwatch/+bug/1890751 +Forwarded: https://sourceforge.net/p/logwatch/git/merge-requests/46/ +Last-Updated: 2020-08-20 + +diff --git a/scripts/services/pam_unix b/scripts/services/pam_unix +index dea1d15..80f7b32 100644 +--- a/scripts/services/pam_unix ++++ b/scripts/services/pam_unix +@@ -74,6 +74,11 @@ while ($line = <STDIN>) { + $data{"all"}{'Password Expiring'}{"$1 in $2 days"}++; + next; + } ++ # handle all missing /etc/securetty warnings ++ if ($line =~ /Couldn.t open \/etc\/securetty/) { ++ # Ignore - see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674857#25 ++ next; ++ } + #lowercase the service + $service = lc($service); + if ( grep $_ eq $service, qw/ssh sshd login ftp vsftpd proftpd rsh remote rlogin rexec systemd-user/) { +diff --git a/scripts/services/sudo b/scripts/services/sudo +index 6c0ff52..be3ffb2 100644 +--- a/scripts/services/sudo ++++ b/scripts/services/sudo +@@ -72,6 +72,9 @@ while (defined(my $ThisLine = <STDIN>)) { + or $ThisLine =~ /pam_systemd\(sudo:session\): Cannot create session: Already (running in|occupied by) a session/ + ) { + # Ignore ++ # handle all missing /etc/securetty warnings ++ } elsif ($ThisLine =~ /pam_unix\(sudo:auth\): Couldn.t open \/etc\/securetty/) { ++ # Ignore - see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674857#25 + } elsif ($ThisLine =~ /(.+): conversation failed/) { + $ConFailed{$1}++; + } elsif ( ($user, $error, $tty, $dir, 
$euser, $egroup, $cmd, $args) = $ThisLine =~ m/^\s*(\S+) : (.*; )?TTY=(\S+) ; PWD=(.*?) ; USER=(\S+) ;(?: GROUP=(\S+) ;)? COMMAND=(\S+)( ?.*)/) { +-- +2.27.0 +
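Review bot: Both new patterns match any `Couldn.t open /etc/securetty` message, not only the missing-file case named in the subject, so a failure to open an existing file for another reason would be dropped from the report as well. If the log line carries the reason, include it in the pattern. In the sudo hunk the comment `# handle all missing /etc/securetty warnings` sits above `} elsif`, inside the body of the preceding ignore branch; move it into the new branch.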
  8. Download patch debian/patches/series

    --- 7.5.4-1/debian/patches/series 2020-09-28 06:27:04.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/patches/series 2020-11-05 04:27:44.000000000 +0000 @@ -2,3 +2,15 @@ 0002-logfiles-vsftpd.conf-Use-custom-pattern-for-applystd.patch 0003-Ignore-ecryptfs-automounting-messages-in-cron.patch 0004-scripts-mdadm-Fix-parsing-of-mdadm.conf-handle-ignor.patch + +# Ubuntu patches +0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch +0012-postfix-Handle-backwards-compatible-mode.patch +0013-secure-Ignore-warnings-about-gnome-keyring-daemon-it.patch +0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch +0015-pam_unix-Ignore-issues-about-etc-securetty-being-mis.patch +0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch +0018-audit-Treat-Denial-Errors-same-as-Denied.patch +0019-exim-Handle-self-signed-certs-warnings.patch +0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch +0021-audit-use-the-term-ALLOWED-instead-of-Grants.patch
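Review bot: The entry `0018-audit-Treat-Denial-Errors-same-as-Denied.patch` does not match the changelog on this page, which lists d/p/0018-audit-Handle-apparmor-errors-on-DENIED-messages.patch, and the changelog's description for 0017 ("Don't handle "unconfined" profile changes distinct from ordinary loads") differs from that patch's subject. Align the changelog with the file names actually in the series. The numbering also skips 0016; a comment under `# Ubuntu patches` saying whether that gap is intentional would help the next merge.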
  9. Download patch debian/patches/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch

    --- 7.5.4-1/debian/patches/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch 1970-01-01 00:00:00.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/patches/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch 2020-11-05 04:08:21.000000000 +0000 @@ -0,0 +1,42 @@ +From 6373191438fb8f4699aaeb8c53aaf7abcd4d8999 Mon Sep 17 00:00:00 2001 +From: Bryce Harrington <bryce@canonical.com> +Date: Wed, 19 Aug 2020 03:29:42 +0000 +Subject: [PATCH 01/10] postfix: Ignore Resolved loghost to 127.0.0.1 + +Ref: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1583705 +Signed-off-by: Bryce Harrington <bryce@canonical.com> +--- + scripts/services/postfix | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +Origin: vendor +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1583705 +Forwarded: https://sourceforge.net/p/logwatch/git/merge-requests/46/ +Last-Updated: 2020-08-20 + +diff --git a/scripts/services/postfix b/scripts/services/postfix +index b5cb2ec..6550e3d 100644 +--- a/scripts/services/postfix ++++ b/scripts/services/postfix +@@ -2286,7 +2286,7 @@ sub postfix_postgrey($) { + #TDpg unrecognized request type: '' + #TDpg rm /var/spool/postfix/postgrey/log.0000000002 + #TDpg 2007/01/25-14:48:00 Pid_file already exists for running process (4775)... aborting at line 232 in file /usr/lib/perl5/vendor_perl/5.8.7/Net/Server.pm +- ++ #TDpg Resolved [localhost]:10023 to [127.0.0.1]:10023, IPv4 + + $line =~ /^cleaning / or + $line =~ /^delayed / or +@@ -2301,7 +2301,8 @@ sub postfix_postgrey($) { + # unanchored last + $line =~ /Pid_file already exists/ or + $line =~ /postgrey .* starting!/ or +- $line =~ /Server closing!/ ++ $line =~ /Server closing!/ or ++ $line =~ /Resolved .*localhost.*IPv4/ + ); + + my ($action,$reason,$delay,$host,$ip,$sender,$recip); +-- +2.27.0 +
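Review bot: The added alternative `$line =~ /Resolved .*localhost.*IPv4/` is much looser than the sample it is meant to cover (`Resolved [localhost]:10023 to [127.0.0.1]:10023, IPv4`): it ignores any line containing those three words, whatever address localhost resolved to. Since the subject limits this to 127.0.0.1, anchor the pattern and match the loopback address, e.g. `/^Resolved \[localhost\]:\d+ to \[127\.0\.0\.1\]:\d+, IPv4/`, so a resolution to anything else still shows up in the report. An anchored pattern also belongs with the `^cleaning` / `^delayed` group rather than under `# unanchored last`.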
  10. Download patch debian/patches/0012-postfix-Handle-backwards-compatible-mode.patch

    --- 7.5.4-1/debian/patches/0012-postfix-Handle-backwards-compatible-mode.patch 1970-01-01 00:00:00.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/patches/0012-postfix-Handle-backwards-compatible-mode.patch 2020-11-05 04:12:55.000000000 +0000 
@@ -0,0 +1,74 @@ +From 44848e3237ddbdc593a938b543f897117049bb36 Mon Sep 17 00:00:00 2001 +From: Bryce Harrington <bryce@canonical.com> +Date: Wed, 19 Aug 2020 04:01:24 +0000 +Subject: [PATCH 02/10] postfix: Handle backwards-compatible mode + +Fixes: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1583705 +Signed-off-by: Bryce Harrington <bryce@canonical.com> +--- + scripts/services/postfix | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +Origin: vendor +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1583705 +Forwarded: https://sourceforge.net/p/logwatch/git/merge-requests/46/ +Last-Updated: 2020-08-20 + +diff --git a/scripts/services/postfix b/scripts/services/postfix +index 6550e3d..253401c 100644 +--- a/scripts/services/postfix ++++ b/scripts/services/postfix +@@ -2609,6 +2609,7 @@ sub postfix_fatal; + sub postfix_error; + sub postfix_warning; + sub postfix_script; ++sub backwards_compatible; + sub postfix_postsuper; + sub process_delivery_attempt; + sub cleanhostreply; +@@ -2815,6 +2816,9 @@ sys 0m3.005s + if ($p1 =~ /^panic: +(.*)$/) { postfix_panic($1); next; } + if ($p1 =~ /^error: +(.*)$/) { postfix_error($1); next; } + ++ # Backwards compatibility mode ++ if ($p1 =~ /compati/i) { backwards_compatible($p1); next; } # backwards-compatible default settings ++ + # output by all services that use table lookups - process before specific messages + if ($p1 =~ /(?:lookup )?table (?:[^ ]+ )?has changed -- (?:restarting|exiting)$/) { + #TD table hash:/var/mailman/data/virtual-mailman(0,lock|fold_fix) has changed -- restarting +@@ -4806,6 +4810,22 @@ sub postfix_script($) { + } + } + ++# Handles postfix backwards compatibility mode lines ++# ++sub backwards_compatible($) { ++ my $line = shift; ++ ++ if ($line =~ /^Postfix is running with backwards-compatible default settings/o) { ++ $Totals{'backwardscompatible'}++; ++ } ++ elsif ($line =~ /^See http.*COMPATIBILITY_README.html for details/o) { ++ 
$Totals{'backwardscompatible'}++; ++ } ++ elsif ($line =~ /^To disable backwards compatibility use.*/o) { ++ $Totals{'backwardscompatible'}++; ++ } ++} ++ + # Clean up a server's reply, to give some uniformity to reports + # + sub cleanhostreply($ $ $ $) { +@@ -5213,6 +5233,9 @@ sub build_sect_table() { + add_section ($S, 'postfixwaiting', 0, 'd', 'Postfix waiting to terminate'); + end_section_group ($S, 'postfixstate'); + ++ begin_section_group ($S, 'backwardscompatible', "\n"); ++ add_section ($S, 'backwardscompatible', 1, 'd', 'Running in backwards compatibile mode'); ++ end_section_group ($S, 'backwardscompatible'); + + if ($Opts{'debug'} & Logreporters::D_SECT) { + print "\tSection table\n"; +-- +2.27.0 +
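Review bot: The dispatcher line `if ($p1 =~ /compati/i) { backwards_compatible($p1); next; }` consumes every message containing "compati", but `backwards_compatible` only counts three specific lines and has no fallback, so any other matching message is dropped from the report without being counted or listed. Match the three messages explicitly in the dispatcher, or have the sub return whether it handled the line and only then `next`. All three lines of one notice increment `$Totals{'backwardscompatible'}`, so the reported count is three per occurrence, and the section title has a typo ("compatibile").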
  11. Download patch debian/patches/0013-secure-Ignore-warnings-about-gnome-keyring-daemon-it.patch

    --- 7.5.4-1/debian/patches/0013-secure-Ignore-warnings-about-gnome-keyring-daemon-it.patch 1970-01-01 00:00:00.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/patches/0013-secure-Ignore-warnings-about-gnome-keyring-daemon-it.patch 2020-11-05 04:26:12.000000000 +0000 @@ -0,0 +1,32 @@ +From f07ae467270712186b66ab7b670f0740c3b3bc0f Mon Sep 17 00:00:00 2001 +From: Bryce Harrington <bryce@canonical.com> +Date: Wed, 19 Aug 2020 04:19:41 +0000 +Subject: [PATCH 03/10] secure: Ignore warnings about gnome-keyring-daemon + items already registered + +Fixes: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1890752 +Signed-off-by: Bryce Harrington <bryce@canonical.com> +--- + scripts/services/secure | 1 + + 1 file changed, 1 insertion(+) + +Origin: vendor +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1890752 +Forwarded: https://sourceforge.net/p/logwatch/git/merge-requests/46/ +Last-Updated: 2020-08-20 + +diff --git a/scripts/services/secure b/scripts/services/secure +index 769356a..25feace 100644 +--- a/scripts/services/secure ++++ b/scripts/services/secure +@@ -156,6 +156,7 @@ while (defined($ThisLine = <STDIN>)) { + ( $ThisLine =~ /sshguard\[\d+\]: (?:message repeated \d+ times: \[ )?\S+: not blocking /) or + ( $ThisLine =~ /sshguard\[\d+\]: Received EOF from stdin/) or + ( $ThisLine =~ /sshguard\[\d+\]: .*has already been blocked/) or ++ ( $ThisLine =~ /gnome-keyring-daemon\[\d+\]: asked to register item.*already registered/) or + 0 # This line prevents blame shifting as lines are added above + ) { + # Ignore these entries +-- +2.27.0 +
  12. Download patch debian/patches/0021-audit-use-the-term-ALLOWED-instead-of-Grants.patch

    --- 7.5.4-1/debian/patches/0021-audit-use-the-term-ALLOWED-instead-of-Grants.patch 1970-01-01 00:00:00.000000000 +0000 +++ 7.5.4-1ubuntu1/debian/patches/0021-audit-use-the-term-ALLOWED-instead-of-Grants.patch 2020-11-05 04:27:44.000000000 +0000 
@@ -0,0 +1,69 @@ +From 0f725a6b489860edb9d92a2254eb994d8606ea47 Mon Sep 17 00:00:00 2001 +From: Lucas Kanashiro <lucas.kanashiro@canonical.com> +Date: Tue, 25 Aug 2020 17:48:56 -0300 +Subject: [PATCH] audit: use the term ALLOWED instead of Grants + +Grants as a term does not exist in the apparmor world, ALLOWED would be +more meaningful in this case. +--- + scripts/services/audit | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +Origin: vendor +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1577948 +Forwarded: https://sourceforge.net/p/logwatch/git/merge-requests/48/ +Last-Updated: 2020-09-03 + +--- a/scripts/services/audit ++++ b/scripts/services/audit +@@ -36,7 +36,7 @@ + use strict; + use Logwatch ':all'; + +-my (%denials, %grants, %loads); ++my (%denials, %allowed, %loads); + my %OtherList; + my $othercount = 0; + my $Debug = ($ENV{'LOGWATCH_DEBUG'} || 0); +@@ -153,7 +153,7 @@ + if ( $ThisLine =~ /avc:\s*denied\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) { + $denials{$2.' '.$3.' ('.$1.$4 . ')'}++; + } elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) { +- $grants{$2.' '.$3.' ('.$1.$4 . ')'}++; ++ $allowed{$2.' '.$3.' ('.$1.$4 . ')'}++; + } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) { + $InvalidContext{$4." running as ".$2." acting on ".$3." \nshould transit to invalid ".$1}++; + } elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) { +@@ -166,7 +166,7 @@ + if ( $ThisLine =~ /avc:\s*denied\s*{\s*[^}]+.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) { + $denials{$1.' '.$2.' ('.$3 . ')'}++; + } elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*[^}]+}.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) { +- $grants{$1.' '.$2.' ('.$3 . ')'}++; ++ $allowed{$1.' '.$2.' ('.$3 . 
')'}++; + } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) { + $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++; + } elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) { +@@ -179,7 +179,7 @@ + if ( $ThisLine =~ /avc:\s*denied\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) { + $denials{$1.' '.$2.' ('.$3 . ')'}++; + } elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) { +- $grants{$1.' '.$2.' ('.$3 . ')'}++; ++ $allowed{$1.' '.$2.' ('.$3 . ')'}++; + } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) { + $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++; + } elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) { +@@ -204,10 +204,10 @@ + } + } + +-if ( keys %grants ) { +- print "\n\n*** Grants ***\n"; +- foreach my $key (sort keys %grants) { +- print " $key: ". $grants{$key} . " times\n"; ++if ( keys %allowed ) { ++ print "\n\n*** Allowed ***\n"; ++ foreach my $key (sort keys %allowed) { ++ print " $key: ". $allowed{$key} . " times\n"; + } + } +
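Review bot: Every `%grants` use renamed in these hunks is filled by an `avc: ... granted` pattern, which is SELinux output, while the commit message justifies the rename by AppArmor terminology. After the change, SELinux "granted" events are reported under "*** Allowed ***"; either keep the SELinux wording for this hash or state in the commit message that the shared heading is intended.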