Hi!

On Thu, 2016-11-03 at 13:51:40 -0400, Sandro Tosi wrote:
> On Wed, 8 Jun 2016 14:21:14 +0200 Guillem Jover <gjo...@sipwise.com> wrote:
> > This package contains many scripts which call back home to check for
> > new upstream versions. In addition they also report back things such
> > as hostname and port and similar. It seems this was previously disabled
> > or removed due to CVE-2014-2029 (#740846), but the patch got lost
> > somewhere?

> can you clarify what you see and/or in which scripts you saw the
> callback happening automatically?

Yeah, sorry I see the initial report is pretty much lacking any kind
of detail. I had to do some digging myself because I didn't even
remember what was going on. :/

> i had a quick look and it appears this feature is not enabled by
> default (as also clarified at https://www.percona.com/version-check);
> for example in pt-duplicate-key-checker i can see:
> 
>    # ########################################################################
>    # Do the version-check
>    # ########################################################################
>    if ( $o->get('version-check') && (!$o->has('quiet') || !$o->get('quiet')) ) {
>       VersionCheck::version_check(
>          force     => $o->got('version-check'),
>          instances => [ {dbh => $dbh, dsn => $dsn} ],
>       );
>    }
> 
> which only triggers the version check if the `version-check` cli
> switch/config parameters are set.

While this might appear so, it does not match reality. On a jessie
system:

  ,---
  $ ls /etc/percona-toolkit/percona-version-check
  ls: cannot access /etc/percona-toolkit/percona-version-check: No such file or directory
  $ pt-diskstats

  # A software update is available:
  #   * The current version for Percona::Toolkit is 2.2.14.

  […normal command output…]
  $ ls -la /etc/percona-toolkit/percona-version-check
  -rw-r--r-- 1 root root 13 Nov  4 14:26 /etc/percona-toolkit/percona-version-check
  $ pt-diskstats
  […normal command output…]
  `---

As you can see the commands check at least once on first invocation,
and then might check more often based on the timestamps in that file.
We are currently running some of the percona commands with an explicit
--no-version-check option to avoid this.

If you do the same check on a sid system, after removing the
/etc/percona-toolkit/percona-version-check file, it will still connect
but might be silent due to the version being newer than what it can
find. An strace will reveal that it's still connecting to percona.com:

This is the relevant strace part for percona-toolkit 2.2.18-1:

,---
connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("74.121.199.234")}, 16) = 0
`---

Where 74.121.199.234 is www.percona.com.

Thanks,
Guillem
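To make the strace check described in the report repeatable on other hosts, here is an added example (not part of the bug report, Debian, or Percona Toolkit) that parses the `connect()` lines from an `strace -f -e trace=connect <pt-tool>` capture and reports any connection to a public address. The sample capture is constructed from the line quoted above plus a loopback MySQL connect for contrast; the `[pid N]` prefix form and the `external_connects` threshold (public address = left the host) are assumptions about the trace shape, not something the report states.

```python
import ipaddress
import re
from typing import Dict, List

# Shape of the connect() line strace prints for AF_INET sockets (as in the report).
# With strace -f, each line may carry a "[pid NNN] " prefix (assumed format).
INET_CONNECT_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?connect\((?P<fd>\d+), '
    r'\{sa_family=AF_INET, sin_port=htons\((?P<port>\d+)\), '
    r'sin_addr=inet_addr\("(?P<addr>[\d.]+)"\)\}, \d+\) = (?P<ret>-?\d+)'
)

def parse_connects(trace: str) -> List[Dict[str, object]]:
    """Return one record per AF_INET connect() call found in an strace capture."""
    records = []
    for line in trace.splitlines():
        m = INET_CONNECT_RE.match(line.strip())
        if not m:
            continue  # other syscalls, AF_UNIX sockets, etc. are ignored
        records.append({
            "pid": int(m["pid"]) if m["pid"] else None,
            "fd": int(m["fd"]),
            "addr": m["addr"],
            "port": int(m["port"]),
            "ok": int(m["ret"]) == 0,  # strace prints "= 0" on success, "= -1 E..." on failure
        })
    return records

def external_connects(trace: str) -> List[Dict[str, object]]:
    """Keep only connects to public addresses, i.e. ones that left the host."""
    return [rec for rec in parse_connects(trace)
            if ipaddress.ip_address(rec["addr"]).is_global]

# Constructed sample: the line quoted in the report plus a loopback MySQL connect.
SAMPLE_TRACE = """\
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("74.121.199.234")}, 16) = 0
[pid 2345] connect(4, {sa_family=AF_INET, sin_port=htons(3306), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
"""

if __name__ == "__main__":
    for rec in external_connects(SAMPLE_TRACE):
        print(f"outbound connect: {rec['addr']}:{rec['port']} (fd {rec['fd']}, success={rec['ok']})")
```

Run it over a real capture with `strace -f -e trace=connect -o trace.log pt-diskstats` and feed `trace.log` to `external_connects` to confirm whether `--no-version-check` (or the timestamp file) actually suppresses the call.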
