Bug#780424: Embedded ZendDb component affected by several security issues
Hi David,

Thanks for your update, I was watching php-zend-db in the NEW queue but missed the acceptance.

On 09/07/2015 18:31, David Prévot wrote:
> On Tue, Mar 17, 2015 at 02:18:40AM +0100, François-Régis wrote:
>> This bug affects only unstable and will be fixed with the #780422 fix.
>
> php-zend-db has just been accepted, so you can now properly depend on it for galette.
>
> I also pushed the latest version (2.5.1) of php-zend-db to experimental. Please test that galette still works fine with this version (there are few changes, so I don't expect any issues), and report a bug against php-zend-db if there is a problem: I expect to upload the next 2.5 ZendFramework packages to unstable unless there is a good reason not to.

I've tried to make galette use php-zend-db but haven't yet managed to test it successfully (I think my package is good, but the hosts on which I've tested it are not sid-ready...).

I'll unfortunately be off the internet until 16/07; I hope there will be someone available to upload when I get it done.

Greetings,
--
François-Régis

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#780424: Embedded ZendDb component affected by several security issues
tag -1 pending
thanks

This bug affects only unstable and will be fixed with the #780422 fix.

Cheers

signature.asc
Description: OpenPGP digital signature
Bug#780424: Embedded ZendDb component affected by several security issues
Hi Raphaël,

On 16/03/2015 10:13, Raphael Hertzog wrote:
> On Sat, 14 Mar 2015, François-Régis wrote:
>
> But you need to act quickly as we are in deep freeze and galette is a leaf package that can quickly go away...

The version of galette in jessie is 0.7.8+dfsg-1 and relies on zendframework (= 1.11) as provided by Debian. It should not be concerned by #780424.

Am I missing something, or do I need to do something to avoid its removal from jessie?

Cheers,
--
François-Régis
Bug#780424: Embedded ZendDb component affected by several security issues
Hi David, Hi Raphaël,

On 14/03/2015 14:23, David Prévot wrote:
>> Do you think, in between, it's worth making a package which removes the upstream embedded ZendDB and embeds a proper (let's say 2.3.6) version of it?
>
> That would be fine: you may just copy a recent ZendDB in place of the existing one, and keep the diff in debian/patches.

As I've no experience with that sort of thing, would you mind having a look at the attached patch and telling me if:
- it does the trick?
- it is a good way of doing it?

(upstream corrected the bug in the git tree but does not intend to release the fix for a while).

Thanks for your help.
--
François-Régis

diff --git a/debian/changelog b/debian/changelog index 5d6fd03..ddc5f6a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +galette (0.8+dfsg-2) unstable; urgency=medium + + * Upgrading to Zend 2.3.7 (Closes: #780424) + + -- François-Régis Vuillemin frv-deb...@miradou.com Mon, 16 Mar 2015 13:06:57 +0100 + galette (0.8+dfsg-1) unstable; urgency=medium * Generalized Files-Excluded in prevision of upstream/0.8 diff --git a/debian/patches/series b/debian/patches/series index 9e3c0ed..93eb4f6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ # Enable this patch for a Squeeze backport # update-php-minversion dont_rely_on_class.phpmailer.php_to_act_as_an_autoloader +update_ZendDb_version.patch diff --git a/debian/patches/update_ZendDb_version.patch b/debian/patches/update_ZendDb_version.patch new file mode 100644 index 000..4ee0f91 --- /dev/null +++ b/debian/patches/update_ZendDb_version.patch @@ -0,0 +1,11 @@ +--- a/galette/config/versions.inc.php b/galette/config/versions.inc.php +@@ -36,7 +36,7 @@ + * @since Available since 0.7dev - 2009-03-13 + */ + define('SMARTY_VERSION', '3.1.19'); +-define('ZEND_VERSION', '2.3.1'); ++define('ZEND_VERSION', '2.3.7'); + define('ANALOG_VERSION', '1.0.0.git876d8a3bb'); + define('TCPDF_VERSION', '6.0.089'); + define('JQUERY_VERSION', '1.10.2'); 
diff --git a/debian/rules b/debian/rules index 299f55c..d571daf 100755 --- a/debian/rules +++ b/debian/rules @@ -15,10 +15,14 @@ override_dh_install: # Drop documentation installed in /usr/share/doc rm -rf debian/galette/usr/share/galette/docs # Drop embedded libraries that we don't need + rm -rf debian/galette/usr/share/galette/includes/Zend-2.3.1 rm -rf debian/galette/usr/share/galette/includes/phpMailer-* rm -rf debian/galette/usr/share/galette/includes/Smarty-* rm -rf debian/galette/usr/share/galette/includes/tcpdf_* rm -rf debian/galette/usr/share/galette/includes/Analog-* + # Update to ZendDB 2.3.7 + wget http://download.tuxfamily.org/galette/dev/galette_dev_includes.tar.bz2; -O - | \ + tar -j --directory debian/galette/usr/share/galette/includes/ -x ./Zend-2.3.7/ # Cleanup useless stuff rm -rf debian/galette/usr/share/galette/lang/*.py
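Review bot: the debian/changelog entry closes the bug but never names the vulnerabilities it fixes; for a security upload the entry should list the CVE identifiers so the security tracker and users can match the fix to the advisories, for example `* Update embedded ZendDb to 2.3.7 to fix CVE-2014-8089 and CVE-2015-0270 (Closes: #780424)`.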
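Review bot: the header of the new debian/patches/update_ZendDb_version.patch looks malformed: it has a single `--- a/galette/config/versions.inc.php b/galette/config/versions.inc.php` line and no `+++` line, so patch/quilt will not find the target file and the series will fail to apply. The patch also carries no DEP-3 header (Description, Origin/Bug, Author) although it is a security fix; regenerating it with `quilt refresh` and adding a header that names the two CVEs would fix both points.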
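Review bot: the `wget ... ; -O - | tar ...` pipeline added in the debian/rules hunk is both broken and unsafe. The `;` after the URL terminates the wget command, so `-O -` is run as a separate (failing) command and nothing is piped to `tar -x`, which in addition does not say `-f -` to read from stdin. More importantly, downloading an unverified tarball from download.tuxfamily.org at build time means the package content depends on the network and on whatever that host serves at that moment, with no checksum or signature check, and the build is no longer reproducible from the source package; this is the point the follow-up review raises. Drop these lines and carry the 2.3.1 to 2.3.7 change as a quilt patch under debian/patches (generated offline from a tarball whose digest was verified once), and make sure the directory name galette expects after the ZEND_VERSION bump actually exists in the built tree, since this hunk only removes includes/Zend-2.3.1.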
Bug#780424: Embedded ZendDb component affected by several security issues
Hi,

On 16/03/2015 13:59, Raphael Hertzog wrote:
> On Mon, 16 Mar 2015, François-Régis wrote:
>> As I've no experience with that sort of thing, would you mind having a look at the attached patch and telling me if:
>
> No, the package build should not rely on the network to download stuff to embed in the generated package. So you need to provide a quilt patch that contains all the changes between Zend DB 2.3.1 and 2.3.7. You can do that by manually doing what you have done in debian/rules after having done this:

OK, understood. I've pushed a fix on alioth [1]; could you have a look and eventually upload it?

[1] http://anonscm.debian.org/cgit/collab-maint/galette.git/commit/?id=5a5bff5834931e76e1fc7a3c77f5ec06bc58401a

Thanks,
--
François-Régis
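The procedure Raphaël describes in the message above (carry the library update as a quilt patch generated offline, rather than fetching a tarball during the build) can be exercised end to end with the following script. It is an added example for this thread, not code from the galette package, from ZendFramework or from any of the participants: the tree layout, the file contents and the tarball are constructed stand-ins, and the pinned digest is computed inside the script where a real package would record it once, when a human fetched the upstream tarball.

```sh
#!/bin/sh
# Added example, not part of the galette package or this bug thread: generate
# the embedded-library update as an offline quilt-style patch (the approach
# recommended in the thread) instead of downloading during the build.
# Everything below (tree layout, file contents, tarball) is constructed for
# the demo; the Zend file contents are stand-ins, not real library code.
set -eu

# verify_tarball FILE EXPECTED_SHA256 -> succeeds only if the digest matches.
# A real package records the digest once, when the tarball is fetched by a
# human, so the build itself never touches the network.
verify_tarball() {
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# make_lib_patch ORIG_TREE NEW_TREE OUT -> writes a unified diff to OUT.
# diff exits 1 when the trees differ (the expected case); 0 means nothing
# changed and 2 means an error, both of which are reported as failure.
make_lib_patch() {
    status=0
    diff -Nru "$1" "$2" > "$3" || status=$?
    [ "$status" -eq 1 ]
}

# count_patch_files PATCH -> number of files the patch touches ('+++ ' headers).
count_patch_files() {
    grep -c '^+++ ' "$1"
}

# demo -> prints the number of files in the generated patch (3 for this
# fixture: the version define, the removed 2.3.1 file, the added 2.3.7 file).
demo() {
    work=$(mktemp -d)

    # "a": upstream source with the stale embedded copy (constructed).
    mkdir -p "$work/a/includes/Zend-2.3.1/Db"
    printf '<?php // 2.3.1 stand-in\n' > "$work/a/includes/Zend-2.3.1/Db/Sql.php"
    printf "define('ZEND_VERSION', '2.3.1');\n" > "$work/a/versions.inc.php"

    # Replacement library delivered as a tarball; its digest is pinned here
    # to stand in for the value recorded at fetch time.
    mkdir -p "$work/dl/Zend-2.3.7/Db"
    printf '<?php // 2.3.7 stand-in\n' > "$work/dl/Zend-2.3.7/Db/Sql.php"
    tar -C "$work/dl" -cf "$work/zend.tar" Zend-2.3.7
    pinned=$(sha256sum "$work/zend.tar" | cut -d ' ' -f 1)
    verify_tarball "$work/zend.tar" "$pinned"

    # "b": copy of "a" with the verified new version dropped in place.
    cp -r "$work/a" "$work/b"
    rm -rf "$work/b/includes/Zend-2.3.1"
    tar -C "$work/b/includes" -xf "$work/zend.tar"
    printf "define('ZEND_VERSION', '2.3.7');\n" > "$work/b/versions.inc.php"

    # The quilt patch is the diff between the two trees; naming them "a" and
    # "b" yields the -p1 paths quilt expects.
    (cd "$work" && make_lib_patch a b update_ZendDb_version.patch)
    n=$(count_patch_files "$work/update_ZendDb_version.patch")
    rm -rf "$work"
    echo "$n"
}

demo
```

The generated file can be dropped into debian/patches and listed in series as is; the build then needs nothing but the source package, and the only network step (fetching the new library) happens once, by a person, with its digest checked against the recorded value before the tree is touched.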
Bug#780424: Embedded ZendDb component affected by several security issues
Hi David,

I've put Raphaël in CC as he is my Grand Master (and sponsor) on galette.

On 13/03/2015 18:13, David Prévot wrote:
> Package: galette
> Version: 0.8+dfsg-1
> Severity: serious
> Tags: security upstream
>
> The galette package ships an embedded copy of ZendDb, but AFAICT, the version shipped (2.3.1) is affected by several security issues: CVE-2014-8089 and CVE-2015-0270 (aka ZF2014-06 and ZF2015-02).
>
> Shipping an embedded copy instead of packaging it has a cost…
>
> https://anonscm.debian.org/cgit/collab-maint/galette.git/commit/?id=2e33ef76c470a0e7a9727ba4c281a7e3525e6720

Believe me, I was not proud of that commit, but still hoping to have galette-8.0 in jessie, I didn't consider packaging ZendDB V2 or asking for it to be packaged...

I've filed an upstream bug for that issue: http://bugs.galette.eu/issues/911

Of course, if they provide a release with a correct version of ZendDB, I'll package it.

> FWIW, I'm willing to introduce the php-zend-db package (#780422) as soon as upstream fixes its build system.

Great news, I'm following the ITP.

Do you think, in between, it's worth making a package which removes the upstream embedded ZendDB and embeds a proper (let's say 2.3.6) version of it?
--
François-Régis
Bug#755834: Patch proposal
Control: tag -1 patch

Hello,

In wheezy, the daemon fails to start too, but it does not make the install fail. The culprit is commit 3bda3b9ab952fba89e2b7c96a8fc793d8c0d39a5 [1], hence the attached patch.

Perhaps the right behaviour would be to not even try starting the daemon when no previous configuration was found...

Cheers,
--
François-Régis

Description: Don't fail install when dh_installinit fails Author: François-Régis Vuillemin (frv) frv-deb...@miradou.com Bug: 755834 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: isc-dhcp/debian/rules === --- isc-dhcp.orig/debian/rules +++ isc-dhcp/debian/rules @@ -62,6 +62,9 @@ override_dh_install: cp contrib/dhcp-lease-list.pl \ debian/isc-dhcp-server/usr/sbin/dhcp-lease-list +override_dh_installinit: + dh_installinit --error-handler=init_script_error_handler + override_dh_strip: dh_strip --dbg-package=isc-dhcp-dbg
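Review bot: `dh_installinit --error-handler=init_script_error_handler` in the override_dh_installinit hunk only substitutes that name into the generated postinst/prerm snippet; the shell function itself has to exist in the maintainer scripts before the #DEBHELPER# token, and nothing in this patch defines it. Unless isc-dhcp-server's postinst already provides `init_script_error_handler`, the configure step will now fail on an undefined function instead of on the failed start. Add the function (e.g. one that prints a warning and returns 0) to the postinst and prerm alongside this rules change, or, as the message itself suggests, avoid the start attempt when no usable configuration is present. Minor DEP-3 point on the header: a Debian bug is referenced with `Bug-Debian: https://bugs.debian.org/755834`; the plain `Bug:` field is meant for the upstream bug URL.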
Bug#755834: Confirm bug
Hi,

I confirm isc-dhcp-server fails to start if there is not at least one valid subnet:

root@niel-3:~# LC_ALL=C apt-get install isc-dhcp-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
isc-dhcp-server is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up isc-dhcp-server (4.3.1-5) ...
root@niel-3:~# apt-get purge isc-dhcp-server
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Les paquets suivants seront ENLEVÉS :
  isc-dhcp-server*
0 mis à jour, 0 nouvellement installés, 1 à enlever et 0 non mis à jour.
Après cette opération, 675 ko d'espace disque seront libérés.
Souhaitez-vous continuer ? [O/n]
(Lecture de la base de données... 34710 fichiers et répertoires déjà installés.)
Suppression de isc-dhcp-server (4.3.1-5) ...
Purge des fichiers de configuration de isc-dhcp-server (4.3.1-5) ...
Traitement des actions différées (« triggers ») pour man-db (2.7.0.2-5) ...
root@niel-3:~# LC_ALL=C apt-get install isc-dhcp-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  isc-dhcp-server-ldap
The following NEW packages will be installed:
  isc-dhcp-server
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 356 kB of archives.
After this operation, 675 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ jessie/main isc-dhcp-server armhf 4.3.1-5 [356 kB]
Fetched 356 kB in 1s (180 kB/s)
Preconfiguring packages ...
Selecting previously unselected package isc-dhcp-server.
(Reading database ... 34697 files and directories currently installed.)
Preparing to unpack .../isc-dhcp-server_4.3.1-5_armhf.deb ...
Unpacking isc-dhcp-server (4.3.1-5) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up isc-dhcp-server (4.3.1-5) ...
Generating /etc/default/isc-dhcp-server...
Job for isc-dhcp-server.service failed. See 'systemctl status isc-dhcp-server.service' and 'journalctl -xn' for details.
invoke-rc.d: initscript isc-dhcp-server, action start failed.
dpkg: error processing package isc-dhcp-server (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 isc-dhcp-server
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@niel-3:~# echo /etc/dhcp/dhcpd.conf
subnet 192.168.65.0 netmask 255.255.255.0 {
}
root@niel-3:~# LC_ALL=C apt-get install isc-dhcp-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
isc-dhcp-server is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up isc-dhcp-server (4.3.1-5) ...
root@niel-3:~#

--
François-Régis