Bug#780424: Embedded ZendDb component affected by several security issues

Hi François-Régis,

On Sat, 11 Jul 2015, François-Régis wrote:
> I've tried to make galette use php-zend-db but didn't achieve yet to
> successfully test it (I think my package is good but hosts on which I've
> tested it are not sid ready...).
>
> I'll unfortunately be off internet until 16/07, hope there will be
> someone available to upload when I'll achieve it.

This bug got off your radar apparently... can we have a fixed galette now please?

There's also a new upstream release to package.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Bug#780424: Embedded ZendDb component affected by several security issues

Hi David,

Thanks for your update, I was watching php-zend-db in the NEW queue but missed the accepting.

Le 09/07/2015 18:31, David Prévot a écrit :
> On Tue, Mar 17, 2015 at 02:18:40AM +0100, François-Régis wrote:
>> This bug affects only unstable and will be fixed with #780422 fix.
>
> php-zend-db has just been accepted, so you can now properly depend on it
> for galette.
>
> I also pushed the latest version (2.5.1) of php-zend-db to experimental.
> Please test that galette still works fine with this version (there are
> little changes, so I don't expect any issues), and report a bug against
> php-zend-db if there is a problem: I expect to upload the next 2.5
> ZendFramework packages to unstable unless there is a good reason not to.

I've tried to make galette use php-zend-db but didn't achieve yet to successfully test it (I think my package is good but hosts on which I've tested it are not sid ready...).

I'll unfortunately be off internet until 16/07, hope there will be someone available to upload when I'll achieve it.

Greetings,
-- 
François-Régis

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#780424: Embedded ZendDb component affected by several security issues

Hi François-Régis,

On Tue, Mar 17, 2015 at 02:18:40AM +0100, François-Régis wrote:
> This bug affects only unstable and will be fixed with #780422 fix.

php-zend-db has just been accepted, so you can now properly depend on it for galette.

I also pushed the latest version (2.5.1) of php-zend-db to experimental. Please test that galette still works fine with this version (there are little changes, so I don't expect any issues), and report a bug against php-zend-db if there is a problem: I expect to upload the next 2.5 ZendFramework packages to unstable unless there is a good reason not to.

Regards

David
Bug#780424: Embedded ZendDb component affected by several security issues

tag -1 pending
thanks

This bug affects only unstable and will be fixed with #780422 fix.

Cheers
Bug#780424: Embedded ZendDb component affected by several security issues

Hi Raphaël,

Le 16/03/2015 10:13, Raphael Hertzog a écrit :
> On Sat, 14 Mar 2015, François-Régis wrote:
> But you need to act quickly as we are in deep freeze and galette is a
> leaf package that can quickly go away...

The version of galette in jessie is 0.7.8+dfsg-1 and relies on zendframework (= 1.11) as provided by Debian. It should not be concerned by #780424. Do I miss something, or do I need to do something to avoid its removal from jessie?

Cheers,
-- 
François-Régis
Bug#780424: Embedded ZendDb component affected by several security issues

Hi David, Hi Raphaël,

Le 14/03/2015 14:23, David Prévot a écrit :
>> Do you think, in between, it's worth making a package which removes the
>> upstream embedded ZendDB and embeds a proper (let's say 2.3.6) version
>> of it.
>
> That would be fine: you may just copy a recent ZendDB in place of the
> existing one, and keep the diff in debian/patches.

As I've no experience on that sort of thing, would you mind having a look at the attached patch and telling me if:
- it does the trick?
- it is a good way of doing it?
(upstream corrected the bug in the git tree but does not intend to release the fix before a while).

Thanks for your help.
-- 
François-Régis

diff --git a/debian/changelog b/debian/changelog index 5d6fd03..ddc5f6a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +galette (0.8+dfsg-2) unstable; urgency=medium + + * Upgrading to Zend 2.3.7 (Closes: #780424) + + -- François-Régis Vuillemin frv-deb...@miradou.com Mon, 16 Mar 2015 13:06:57 +0100 + galette (0.8+dfsg-1) unstable; urgency=medium * Generalized Files-Excluded in prevision of upstream/0.8 diff --git a/debian/patches/series b/debian/patches/series index 9e3c0ed..93eb4f6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ # Enable this patch for a Squeeze backport # update-php-minversion dont_rely_on_class.phpmailer.php_to_act_as_an_autoloader +update_ZendDb_version.patch diff --git a/debian/patches/update_ZendDb_version.patch b/debian/patches/update_ZendDb_version.patch new file mode 100644 index 000..4ee0f91 --- /dev/null +++ b/debian/patches/update_ZendDb_version.patch @@ -0,0 +1,11 @@ +--- a/galette/config/versions.inc.php b/galette/config/versions.inc.php +@@ -36,7 +36,7 @@ + * @since Available since 0.7dev - 2009-03-13 + */ + define('SMARTY_VERSION', '3.1.19'); +-define('ZEND_VERSION', '2.3.1'); ++define('ZEND_VERSION', '2.3.7'); + define('ANALOG_VERSION', '1.0.0.git876d8a3bb'); + define('TCPDF_VERSION', '6.0.089'); + define('JQUERY_VERSION', '1.10.2'); 
diff --git a/debian/rules b/debian/rules index 299f55c..d571daf 100755 --- a/debian/rules +++ b/debian/rules @@ -15,10 +15,14 @@ override_dh_install: # Drop documentation installed in /usr/share/doc rm -rf debian/galette/usr/share/galette/docs # Drop embedded libraries that we don't need + rm -rf debian/galette/usr/share/galette/includes/Zend-2.3.1 rm -rf debian/galette/usr/share/galette/includes/phpMailer-* rm -rf debian/galette/usr/share/galette/includes/Smarty-* rm -rf debian/galette/usr/share/galette/includes/tcpdf_* rm -rf debian/galette/usr/share/galette/includes/Analog-* + # Update to ZendDB 2.3.7 + wget http://download.tuxfamily.org/galette/dev/galette_dev_includes.tar.bz2; -O - | \ + tar -j --directory debian/galette/usr/share/galette/includes/ -x ./Zend-2.3.7/ # Cleanup useless stuff rm -rf debian/galette/usr/share/galette/lang/*.py
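Review bot: the `wget ... | tar` lines added to override_dh_install in debian/rules fetch Zend-2.3.7 from download.tuxfamily.org at build time, so the package can no longer be built offline or reproducibly from its own source package; the `;` after the URL also terminates the wget command before `-O -`, so `-O -` runs as a separate (failing) command and tar reads an empty stdin. Drop both lines and carry the 2.3.1 to 2.3.7 changes as a quilt patch under debian/patches instead.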
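Review bot: the new debian/patches/update_ZendDb_version.patch has a malformed header: `--- a/galette/config/versions.inc.php b/galette/config/versions.inc.php` puts both paths on the `---` line and there is no `+++` line, so quilt push will refuse to apply it; write `--- a/galette/config/versions.inc.php` and `+++ b/galette/config/versions.inc.php` on separate lines. Bumping ZEND_VERSION only changes a constant; judging from the `rm -rf .../includes/Zend-2.3.1` in debian/rules, the matching includes/Zend-2.3.7 tree still has to end up in the built package.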
Bug#780424: Embedded ZendDb component affected by several security issues

On Mon, 16 Mar 2015, François-Régis wrote:
> The version of galette in jessie is 0.7.8+dfsg-1 and relies on
> zendframework (= 1.11) as provided by Debian. It should not be concerned
> by #780424. Do I miss something, or do I need to do something to avoid
> its removal from jessie?

Oh, I missed that. Then it's fine since the bug has been properly reported on 0.8+dfsg-1.

On Mon, 16 Mar 2015, François-Régis wrote:
> As I've no experience on that sort of thing, would you mind having a look
> at the attached patch and telling me if:
> - it does the trick?
> - it is a good way of doing it?

No, the package build should not rely on the network to download stuff to embed in the generated package. So you need to provide a quilt patch that contains all the changes between Zend DB 2.3.1 and 2.3.7. You can do that by manually doing what you have done in debian/rules after having done this:

$ quilt new upgrade-zend-db.diff
$ quilt shell
...
$ exit

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Bug#780424: Embedded ZendDb component affected by several security issues

Hi,

Le 16/03/2015 13:59, Raphael Hertzog a écrit :
> On Mon, 16 Mar 2015, François-Régis wrote:
>> As I've no experience on that sort of thing, would you mind having a
>> look at the attached patch and telling me if:
>
> No, the package build should not rely on the network to download stuff
> to embed in the generated package. So you need to provide a quilt patch
> that contains all the changes between Zend DB 2.3.1 and 2.3.7. You can
> do that by manually doing what you have done in debian/rules after
> having done this:

OK, understood. I've pushed a fix on alioth [1]; could you have a look and eventually upload it?

[1] http://anonscm.debian.org/cgit/collab-maint/galette.git/commit/?id=5a5bff5834931e76e1fc7a3c77f5ec06bc58401a

Thanks,
-- 
François-Régis
Bug#780424: Embedded ZendDb component affected by several security issues

Hi François,

On Sat, 14 Mar 2015, François-Régis wrote:
> Do you think, in between, it's worth making a package which removes the
> upstream embedded ZendDB and embeds a proper (let's say 2.3.6) version
> of it.

Yes, or alternatively apply only the security relevant patches that David mentioned. But you need to act quickly as we are in deep freeze and galette is a leaf package that can quickly go away...

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Bug#780424: Embedded ZendDb component affected by several security issues

Hi François-Régis,

[ I shouldn't reply to mail too late: I misunderstood your proposal… ]

> Do you think, in between, it's worth making a package which removes the
> upstream embedded ZendDB and embeds a proper (let's say 2.3.6) version
> of it.

That would be fine: you may just copy a recent ZendDB in place of the existing one, and keep the diff in debian/patches.

Regards

David
Bug#780424: Embedded ZendDb component affected by several security issues

Package: galette
Version: 0.8+dfsg-1
Severity: serious
Tags: security upstream

Hi,

The galette package ships an embedded copy of ZendDb, but AFAICT, the version shipped (2.3.1) is affected by several security issues: CVE-2014-8089 and CVE-2015-0270 (aka ZF2014-06 and ZF2015-02). Shipping an embedded copy instead of packaging it has a cost…

https://anonscm.debian.org/cgit/collab-maint/galette.git/commit/?id=2e33ef76c470a0e7a9727ba4c281a7e3525e6720

FWIW, I'm willing to introduce the php-zend-db package (#780422) as soon as upstream fixes its build system.

https://github.com/zendframework/zf2/issues/7243

Regards

David
Bug#780424: Embedded ZendDb component affected by several security issues

[Sorry about the charset mess on my (webmail) side]

> Believe me, I was not proud of that commit, but still hoping to have
> galette-8.0 in jessie, I didn't consider packaging or asking for
> packaging ZendDB V2...

Way too late for accepting a new package at this late state of the freeze (according to my understanding of the deep freeze), but feel free to call for help if needed to backport security fixes (I didn't plan to handle those in Jessie, but might be convinced otherwise [emphasis on *might*]).

> I've filed an upstream bug for that issue:

Thanks for the quick follow up!

> Do you think, in between, it's worth making a package which removes the
> upstream embedded ZendDB and embeds a proper (let's say 2.3.6) version
> of it.

Sure, but:

1: I'm not thrilled to patch a non-existing package before introducing it in Debian.

2: Even if I'm happy to help introducing php-zend-db in Debian and handle it during (at least) a stable lifetime, it seems way too late for Jessie (if the RT says otherwise, and the FTP team follows, I'd be happy to comply right now).
Bug#780424: Embedded ZendDb component affected by several security issues

Hi David,

I've put Raphaël in cc as he is my Grand Master (and sponsor) on galette.

Le 13/03/2015 18:13, David Prévot a écrit :
> Package: galette
> Version: 0.8+dfsg-1
> Severity: serious
> Tags: security upstream
>
> The galette package ships an embedded copy of ZendDb, but AFAICT, the
> version shipped (2.3.1) is affected by several security issues:
> CVE-2014-8089 and CVE-2015-0270 (aka ZF2014-06 and ZF2015-02). Shipping
> an embedded copy instead of packaging it has a cost…
>
> https://anonscm.debian.org/cgit/collab-maint/galette.git/commit/?id=2e33ef76c470a0e7a9727ba4c281a7e3525e6720

Believe me, I was not proud of that commit, but still hoping to have galette-8.0 in jessie, I didn't consider packaging or asking for packaging ZendDB V2...

I've filed an upstream bug for that issue: http://bugs.galette.eu/issues/911

Of course if they provide a release with a correct version of ZendDB, I'll package it.

> FWIW, I'm willing to introduce the php-zend-db package (#780422) as soon
> as upstream fixes its build system.

Great news, I follow the ITP.

Do you think, in between, it's worth making a package which removes the upstream embedded ZendDB and embeds a proper (let's say 2.3.6) version of it.

-- 
François-Régis