google-compute-image-packages - Debian Package Tracker

general

source: google-compute-image-packages (main)
version: 20190916-1
maintainer: Debian Cloud Team (archive) (DMD)
uploaders: Lucas Kanashiro [DMD] – Helen Koike [DMD]
arch: all any
std-ver: 4.4.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-bpo: 20181206-2~bpo9+1
oldstable: 20190124-3
unstable: 20190916-1

versioned links

20181206-2~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20190124-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20190916-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

google-compute-engine (1 bugs: 0, 0, 1, 0)
google-compute-engine-oslogin
python3-google-compute-engine (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 20191210 high

A new upstream version 20191210 is available, you should consider packaging it.

Created: 2020-06-29 Last update: 2021-09-25 08:36

lintian reports 6 errors and 9 warnings high

Lintian reports 6 errors and 9 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2021-09-06 18:32

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2020-8903: A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "adm" group, users with this role are able to read the DHCP XID from the systemd journal. Using the DHCP XID, it is then possible to set the IP address and hostname of the instance to any value, which is then stored in /etc/hosts. An attacker can then point metadata.google.internal to an arbitrary IP address and impersonate the GCE metadata server which make it is possible to instruct the OS Login PAM module to grant administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "adm" user from the OS Login entry.
CVE-2020-8907: A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "docker" group, an attacker with this role is able to run docker and mount the host OS. Within docker, it is possible to modify the host OS filesystem and modify /etc/groups to gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "docker" user from the OS Login entry.
CVE-2020-8933: A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using the membership to the "lxd" group, an attacker can attach host devices and filesystems. Within an lxc container, it is possible to attach the host OS filesystem and modify /etc/sudoers to then gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "lxd" user from the OS Login entry.

Created: 2021-02-19 Last update: 2021-08-14 14:00

3 security issues in bullseye high

There are 3 open security issues in bullseye.

3 important issues:

CVE-2020-8903: A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "adm" group, users with this role are able to read the DHCP XID from the systemd journal. Using the DHCP XID, it is then possible to set the IP address and hostname of the instance to any value, which is then stored in /etc/hosts. An attacker can then point metadata.google.internal to an arbitrary IP address and impersonate the GCE metadata server which make it is possible to instruct the OS Login PAM module to grant administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "adm" user from the OS Login entry.
CVE-2020-8907: A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "docker" group, an attacker with this role is able to run docker and mount the host OS. Within docker, it is possible to modify the host OS filesystem and modify /etc/groups to gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "docker" user from the OS Login entry.
CVE-2020-8933: A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using the membership to the "lxd" group, an attacker can attach host devices and filesystems. Within an lxc container, it is possible to attach the host OS filesystem and modify /etc/sudoers to then gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "lxd" user from the OS Login entry.

Created: 2021-02-19 Last update: 2021-04-22 09:31

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2021-04-25 Last update: 2021-09-25 13:05

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 20191210-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 2310cd2417aa284ec35134b8b1b0b90739894eea
Merge: 7dcb6c2 d5da559
Author: Ross Vandegrift <rvandegrift@debian.org>
Date:   Wed Jul 15 05:10:17 2020 +0000

    Merge branch 'master' into 'master'
    
    Update to 20191210-1
    
    See merge request cloud-team/google-compute-image-packages!11

commit d5da5596fe19717bd09fb9480eed602213264ed5
Author: Helen Koike <helen.koike@collabora.com>
Date:   Fri Jan 3 17:47:50 2020 -0300

    Prepare debian/changelog to release

commit 427398298fba1c8dc9c584e7371b0b5520960e56
Author: Helen Koike <helen.koike@collabora.com>
Date:   Fri Jan 3 17:35:07 2020 -0300

    d/control: fix dependencies
    
    Tests requires dhclient to run, so add isc-dhcp-client in Build-Depends.
    Also add it in the Depends list of python3 package as it is used by the
    lib.

commit c72670a066339293f3fc7fcfd638f86955039984
Author: Helen Koike <helen.koike@collabora.com>
Date:   Fri Jan 3 17:23:45 2020 -0300

    Drop oslogin package
    
    OsLogin upstream source was migrated to another repository.
    Remove this and make a different source package for OsLogin as well.

commit 634bac009b26a8896572ff535fed28e782574f11
Author: Helen Koike <helen.koike@collabora.com>
Date:   Fri Jan 3 17:18:06 2020 -0300

    Refresh patches

commit fe76f48e5dbed3aacf48761941dc2e22a38e6386
Merge: 7dcb6c2 93d0d5c
Author: Helen Koike <helen.koike@collabora.com>
Date:   Fri Jan 3 17:08:18 2020 -0300

    Update upstream source from tag 'upstream/20191210'
    
    Update to upstream version '20191210'
    with Debian dir 600259c2b16bf877881d360b62686c05e73de984

commit 93d0d5cf17b0690e1d1d0aea3d56d4471e9228b2
Author: Helen Koike <helen.koike@collabora.com>
Date:   Fri Jan 3 17:08:14 2020 -0300

    New upstream version 20191210

commit 9f385d3917d46587a5360ca764486f8994380358
Merge: a5f295b e404ac0
Author: Lucas Kanashiro <kanashiro@debian.org>
Date:   Thu Oct 3 20:31:58 2019 +0000

    Merge branch 'upstream' into 'upstream'
    
    Update Upstream branch to version 20190916
    
    See merge request cloud-team/google-compute-image-packages!7

https://salsa.debian.org/api/v4/projects/debian%2Fgoogle-compute-image-packages API request failed: 404 Not Found at /srv/qa.debian.org/data/vcswatch/vcswatch line 388.

Created: 2020-07-18 Last update: 2021-09-20 13:38

3 low-priority security issues in buster low

There are 3 open security issues in buster.

3 issues left for the package maintainer to handle:

CVE-2020-8903: (needs triaging) A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "adm" group, users with this role are able to read the DHCP XID from the systemd journal. Using the DHCP XID, it is then possible to set the IP address and hostname of the instance to any value, which is then stored in /etc/hosts. An attacker can then point metadata.google.internal to an arbitrary IP address and impersonate the GCE metadata server which make it is possible to instruct the OS Login PAM module to grant administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "adm" user from the OS Login entry.
CVE-2020-8907: (needs triaging) A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "docker" group, an attacker with this role is able to run docker and mount the host OS. Within docker, it is possible to modify the host OS filesystem and modify /etc/groups to gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "docker" user from the OS Login entry.
CVE-2020-8933: (needs triaging) A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using the membership to the "lxd" group, an attacker can attach host devices and filesystems. Within an lxc container, it is possible to attach the host OS filesystem and modify /etc/sudoers to then gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "lxd" user from the OS Login entry.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-08-14 14:00

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2019-08-10 Last update: 2019-08-10 23:35

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.4.0).

Created: 2019-07-08 Last update: 2021-08-18 14:03

testing migrations

excuses:
- Migration status for google-compute-image-packages (- to 20190916-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- Updating google-compute-image-packages introduces new bugs: #987353
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/g/google-compute-image-packages.html
- autopkgtest for google-compute-image-packages/20190916-1: amd64: No test results, arm64: No test results, armhf: No test results, i386: No test results, ppc64el: No test results
- 722 days old (needed 5 days)
- Not considered

news

[rss feed]

[2021-04-26] google-compute-image-packages REMOVED from testing (Debian testing watch)
[2019-10-09] google-compute-image-packages 20190916-1 MIGRATED to testing (Debian testing watch)
[2019-10-03] Accepted google-compute-image-packages 20190916-1 (source) into unstable (Helen Koike) (signed by: Lucas Kanashiro)
[2019-03-25] google-compute-image-packages 20190124-3 MIGRATED to testing (Debian testing watch)
[2019-03-14] Accepted google-compute-image-packages 20190124-3 (source) into unstable (Lucas Kanashiro)
[2019-03-06] Accepted google-compute-image-packages 20190124-2 (source) into unstable (Lucas Kanashiro)
[2019-02-22] google-compute-image-packages 20190124-1 MIGRATED to testing (Debian testing watch)
[2019-02-12] Accepted google-compute-image-packages 20190124-1 (source) into unstable (Lucas Kanashiro)
[2019-02-08] Accepted google-compute-image-packages 20181206-4 (source) into unstable (Bastian Blank)
[2019-01-29] google-compute-image-packages 20181206-3 MIGRATED to testing (Debian testing watch)
[2019-01-24] Accepted google-compute-image-packages 20181206-3 (source) into unstable (Lucas Kanashiro)
[2019-01-16] Accepted google-compute-image-packages 20181206-2~bpo9+1 (source amd64 all) into stretch-backports (Lucas Kanashiro)
[2019-01-16] Accepted google-compute-image-packages 20181206-1~bpo9+1 (source amd64 all) into stretch-backports, stretch-backports (Bastian Blank)
[2019-01-08] google-compute-image-packages 20181206-2 MIGRATED to testing (Debian testing watch)
[2019-01-03] Accepted google-compute-image-packages 20181206-2 (source amd64 all) into unstable (Lucas Kanashiro)
[2019-01-01] google-compute-image-packages 20181206-1 MIGRATED to testing (Debian testing watch)
[2018-12-27] google-compute-image-packages 20180905-2 MIGRATED to testing (Debian testing watch)
[2018-12-26] Accepted google-compute-image-packages 20181206-1 (source amd64 all) into unstable (Lucas Kanashiro)
[2018-12-22] Accepted google-compute-image-packages 20180905-2 (source amd64 all) into unstable, unstable (Lucas Kanashiro)

bugs [bug history graph]

all: 3
RC: 1
I&N: 1
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (6, 9)
buildd: logs, checks, clang, cross
popcon
browse source code
edit tags
other distros
security tracker
debci