[Buildroot] [git commit] package/logrotate: security bump to version 3.20.1

Arnout Vandecappelle (Essensium/Mind) arnout at mind.be
Tue Jun 14 15:59:02 UTC 2022


commit: https://git.buildroot.net/buildroot/commit/?id=d6e7d92d822b5e8e7067e33bf69972f884a90355
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

Fix CVE-2022-1348: A vulnerability was found in logrotate in how the
state file is created. The state file is used to prevent parallel
executions of multiple instances of logrotate by acquiring and releasing
a file lock. When the state file does not exist, it is created with
world-readable permission, allowing an unprivileged user to lock the
state file, stopping any rotation. This flaw affects logrotate versions
before 3.20.

https://github.com/logrotate/logrotate/blob/3.20.1/ChangeLog.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout at mind.be>
---
 package/logrotate/logrotate.hash | 2 +-
 package/logrotate/logrotate.mk   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/logrotate/logrotate.hash b/package/logrotate/logrotate.hash
index 2af46d60b7..9c8e73f738 100644
--- a/package/logrotate/logrotate.hash
+++ b/package/logrotate/logrotate.hash
@@ -1,3 +1,3 @@
 # Locally calculated
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
-sha256  841f81bf09d0014e4a2e11af166bb33fcd8429cc0c2d4a7d3d9ceb3858cfccc5  logrotate-3.18.0.tar.xz
+sha256  742f6d6e18eceffa49a4bacd933686d3e42931cfccfb694d7f6369b704e5d094  logrotate-3.20.1.tar.xz
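Review bot: The new logrotate-3.20.1.tar.xz entry still sits under the lone "# Locally calculated" comment, so the hash has no provenance beyond the submitter's own download. For a security bump, it would help to say whether the tarball was checked against a signature or checksum published by upstream, if one exists for this release, and to note that in the comment above the sha256 line. The unchanged COPYING hash is consistent with LOGROTATE_LICENSE_FILES needing no update.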
diff --git a/package/logrotate/logrotate.mk b/package/logrotate/logrotate.mk
index 4d1344c2cd..453dbe477a 100644
--- a/package/logrotate/logrotate.mk
+++ b/package/logrotate/logrotate.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-LOGROTATE_VERSION = 3.18.0
-LOGROTATE_SOURCE = logrotate-3.18.0.tar.xz
+LOGROTATE_VERSION = 3.20.1
+LOGROTATE_SOURCE = logrotate-$(LOGROTATE_VERSION).tar.xz
 LOGROTATE_SITE = https://github.com/logrotate/logrotate/releases/download/$(LOGROTATE_VERSION)
 LOGROTATE_LICENSE = GPL-2.0+
 LOGROTATE_LICENSE_FILES = COPYING
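Review bot: The LOGROTATE_VERSION line jumps from 3.18.0 to 3.20.1, which takes in more than the CVE-2022-1348 fix, yet the commit message covers only the CVE and links the ChangeLog. Since only the version and source lines change in this file, the message should state that nothing else in the intervening releases needs a matching change in the package. The switch of LOGROTATE_SOURCE to logrotate-$(LOGROTATE_VERSION).tar.xz is a reasonable cleanup, but it is unrelated to the security fix and deserves a line in the commit message.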


