Bug#780424: Embedded ZendDb component affected by several security issues

2015-07-11 Thread François-Régis
Hi David,

Thanks for your update, I was watching php-zend-db on the new queue but
missed the acceptance.

On 09/07/2015 18:31, David Prévot wrote:
 On Tue, Mar 17, 2015 at 02:18:40AM +0100, François-Régis wrote:
 This bug affects only unstable and will be fixed with #780422 fix.
 
 php-zend-db has just been accepted, so you can now properly depend on it
 for galette. I also pushed the latest version (2.5.1) of php-zend-db to
 experimental. Please test that galette still works fine with this
 version (there are little changes, so I don’t expect any issues), and
 report a bug against php-zend-db if there is a problem: I expect to
 upload the next 2.5 ZendFramework packages to unstable unless there is a
 good reason not to.

I've tried to make galette use php-zend-db but haven't yet managed to
successfully test it (I think my package is good, but the hosts on which I've
tested it are not sid ready...).

I'll unfortunately be off the internet until 16/07; I hope there will be
someone available to upload when I achieve it.

Greetings,

-- 
François-Régis


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#780424: Embedded ZendDb component affected by several security issues

2015-03-16 Thread François-Régis
tag -1 pending
thanks

This bug affects only unstable and will be fixed with #780422 fix.

Cheers





Bug#780424: Embedded ZendDb component affected by several security issues

2015-03-16 Thread François-Régis
Hi Raphaël,

On 16/03/2015 10:13, Raphael Hertzog wrote:
 On Sat, 14 Mar 2015, François-Régis wrote:
 But you need to act quickly as we are in deep freeze and galette is a leaf
 package that can quickly go away...

The version of galette in jessie is 0.7.8+dfsg-1 and relies on zendframework
(= 1.11) as provided by debian. It should not be concerned by #780424.

Do I miss something, or do I need to do something to avoid its removal
from jessie?

Cheers,

-- 
François-Régis





Bug#780424: Embedded ZendDb component affected by several security issues

2015-03-16 Thread François-Régis
Hi David, Hi Raphaël,


On 14/03/2015 14:23, David Prévot wrote:
 Do you think, in between, it's worth making a package which removes the
 upstream embedded ZendDB and embeds a proper (let's say 2.3.6) version of
 it?
 
 That would be fine: you may just copy a recent ZendDB in place of the
 existing one, and keep the diff in debian/patches.

As I've no experience with that sort of thing, would you mind having a
look at the attached patch and telling me if:
- it does the trick?
- it is a good way of doing it?

(upstream corrected the bug in the git tree but does not intend to release
the fix for a while).

Thanks for your help.

-- 
François-Régis
diff --git a/debian/changelog b/debian/changelog
index 5d6fd03..ddc5f6a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+galette (0.8+dfsg-2) unstable; urgency=medium
+
+  * Upgrading to Zend 2.3.7 (Closes: #780424)
+
+ -- François-Régis Vuillemin frv-deb...@miradou.com  Mon, 16 Mar 2015 13:06:57 +0100
+
 galette (0.8+dfsg-1) unstable; urgency=medium
 
   * Generalized Files-Excluded in prevision of upstream/0.8
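Review bot: the changelog entry "Upgrading to Zend 2.3.7 (Closes: #780424)" should also name the CVEs this upload fixes (CVE-2014-8089 and CVE-2015-0270, as listed in the bug report), so that the security tracker and anyone reading the changelog can see which issues are addressed without opening the bug.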
diff --git a/debian/patches/series b/debian/patches/series
index 9e3c0ed..93eb4f6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 # Enable this patch for a Squeeze backport
 # update-php-minversion
 dont_rely_on_class.phpmailer.php_to_act_as_an_autoloader
+update_ZendDb_version.patch
diff --git a/debian/patches/update_ZendDb_version.patch b/debian/patches/update_ZendDb_version.patch
new file mode 100644
index 000..4ee0f91
--- /dev/null
+++ b/debian/patches/update_ZendDb_version.patch
@@ -0,0 +1,11 @@
+--- a/galette/config/versions.inc.php
 b/galette/config/versions.inc.php
+@@ -36,7 +36,7 @@
+  * @since Available since 0.7dev - 2009-03-13
+  */
+ define('SMARTY_VERSION', '3.1.19');
+-define('ZEND_VERSION', '2.3.1');
++define('ZEND_VERSION', '2.3.7');
+ define('ANALOG_VERSION', '1.0.0.git876d8a3bb');
+ define('TCPDF_VERSION', '6.0.089');
+ define('JQUERY_VERSION', '1.10.2');
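Review bot: this quilt patch only bumps the ZEND_VERSION constant in galette/config/versions.inc.php from 2.3.1 to 2.3.7; none of the ZendDb code changes between those two versions are in it, so the source package still carries the vulnerable 2.3.1 copy and the constant no longer matches what the source actually contains. The updated library tree itself needs to be in the patch series (or in a new upstream tarball), not fetched at build time. As pasted here, the file header also lacks the `+++` marker before `b/galette/config/versions.inc.php`, which quilt would reject.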
diff --git a/debian/rules b/debian/rules
index 299f55c..d571daf 100755
--- a/debian/rules
+++ b/debian/rules
@@ -15,10 +15,14 @@ override_dh_install:
 	# Drop documentation installed in /usr/share/doc
 	rm -rf debian/galette/usr/share/galette/docs
 	# Drop embedded libraries that we don't need
+	rm -rf debian/galette/usr/share/galette/includes/Zend-2.3.1
 	rm -rf debian/galette/usr/share/galette/includes/phpMailer-*
 	rm -rf debian/galette/usr/share/galette/includes/Smarty-*
 	rm -rf debian/galette/usr/share/galette/includes/tcpdf_*
 	rm -rf debian/galette/usr/share/galette/includes/Analog-*
+	# Update to ZendDB 2.3.7
+	wget http://download.tuxfamily.org/galette/dev/galette_dev_includes.tar.bz2; -O - | \
+	tar -j --directory debian/galette/usr/share/galette/includes/ -x ./Zend-2.3.7/
 	# Cleanup useless stuff
 	rm -rf debian/galette/usr/share/galette/lang/*.py
 
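Review bot: the `wget ... | tar` step added to override_dh_install makes the package build download ZendDB 2.3.7 over plain HTTP from download.tuxfamily.org at build time with no checksum or signature check, so the binary package contents depend on whatever that server returns when the build runs, the build fails offline, and it is not reproducible. As written, the `;` after the URL also terminates the wget command, so `-O -` runs as a separate command and tar receives no input. Keep the `rm -rf .../Zend-2.3.1` line, but ship the Zend-2.3.7 tree in debian/patches (or a new upstream tarball) instead of fetching it.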


Bug#780424: Embedded ZendDb component affected by several security issues

2015-03-16 Thread François-Régis
Hi,

On 16/03/2015 13:59, Raphael Hertzog wrote:
 On Mon, 16 Mar 2015, François-Régis wrote:
 As I've no experience on that sort of thing, would you mind to have a
 look at attached patch and tell me if :
 No, the package build should not rely on the network to download stuff to
 embed in the generated package.
 
 So you need to provide a quilt patch that contains all the changes between
 Zend DB 2.3.1 and 2.3.7. You can do that by manually doing what you have
 done in debian/rules after having done this:

OK, understood. I've pushed a fix on alioth [1]; could you have a look and
eventually upload it?


[1]
http://anonscm.debian.org/cgit/collab-maint/galette.git/commit/?id=5a5bff5834931e76e1fc7a3c77f5ec06bc58401a

Thanks,

-- 
François-Régis





Bug#780424: Embedded ZendDb component affected by several security issues

2015-03-13 Thread François-Régis
Hi David,

I've put Raphaël in cc as he is my Grand Master (and sponsor) on galette.

On 13/03/2015 18:13, David Prévot wrote:
 Package: galette
 Version: 0.8+dfsg-1
 Severity: serious
 Tags: security upstream
 
 The galette package ships an embedded copy of ZendDb, but AFAICT, the
 version shipped (2.3.1) is affected by several security issues:
 CVE-2014-8089 and CVE-2015-0270 (aka ZF2014-06 and ZF2015-02).
 
 Shipping embedded copy instead of packaging it has a cost…
 
 https://anonscm.debian.org/cgit/collab-maint/galette.git/commit/?id=2e33ef76c470a0e7a9727ba4c281a7e3525e6720

Believe me, I was not proud of that commit, but still hoping to have
galette-8.0 in jessie, I didn't consider packaging or asking for
packaging of ZendDB V2...

I've filed an upstream bug for that issue:

http://bugs.galette.eu/issues/911

Of course if they provide a release with a correct version of ZendDB,
I'll package it.

 FWIW, I’m willing to introduce the php-zend-db package (#780422) as soon
 as upstream fixes its build system.

Great news, I follow the ITP.

Do you think, in between, it's worth making a package which removes the
upstream embedded ZendDB and embeds a proper (let's say 2.3.6) version of it?

-- 
François-Régis
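As an added illustration (not code from this thread, from galette or from Debian), a shell check that reads the embedded-library manifest galette ships in galette/config/versions.inc.php, in the define() form quoted in the quilt patch in this thread, and flags an embedded ZendDb copy older than a minimum. The sample file contents are constructed, and the 2.3.7 threshold (the version the maintainer upgrades to here) is an assumed policy, not a statement of which release fixes the two CVEs.

```shell
#!/bin/sh
# Constructed copy of the relevant part of galette/config/versions.inc.php,
# with the define() lines in the form the quilt patch in this thread shows.
VERSIONS_INC=$(mktemp)
cat > "$VERSIONS_INC" <<'EOF'
<?php
define('SMARTY_VERSION', '3.1.19');
define('ZEND_VERSION', '2.3.1');
define('ANALOG_VERSION', '1.0.0.git876d8a3bb');
define('TCPDF_VERSION', '6.0.089');
define('JQUERY_VERSION', '1.10.2');
EOF

# embedded_version FILE CONSTANT: print the string value of
# define('CONSTANT', '...') found in FILE (empty output when absent).
embedded_version() {
    sed -n "s/^[[:space:]]*define('$2',[[:space:]]*'\([^']*\)');.*/\1/p" "$1" | head -n 1
}

# version_lt A B: true when dotted version A sorts before B (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_embedded FILE CONSTANT MINIMUM: returns 0 when the embedded copy is at
# or above MINIMUM, 1 when it is older (and says so), 2 when FILE has no such
# define. Assumed helper for this demonstration.
check_embedded() {
    v=$(embedded_version "$1" "$2")
    if [ -z "$v" ]; then
        echo "$2: not found in $1" >&2
        return 2
    fi
    if version_lt "$v" "$3"; then
        echo "$2 $v embedded in $1 is older than $3: update it or depend on the packaged library" >&2
        return 1
    fi
    echo "$2 $v is at or above $3"
}

# Demonstration: the constructed manifest still declares ZendDb 2.3.1.
check_embedded "$VERSIONS_INC" ZEND_VERSION 2.3.7 || echo "check failed with status $?"
check_embedded "$VERSIONS_INC" SMARTY_VERSION 3.1.19
```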





Bug#755834: Patch proposal

2015-02-06 Thread François-Régis
Control: tag -1 patch

-- 

Hello,

In wheezy, the daemon fails to start too, but it does not make the install fail.

The culprit is commit 3bda3b9ab952fba89e2b7c96a8fc793d8c0d39a5 [1], hence the 
attached patch.

Perhaps the good behaviour should be not even trying to start the daemon when 
no previous configuration was found...

Cheers,

-- 
François-Régis
Description: Don't fail install when dh_installinit fails
Author: François-Régis Vuillemin (frv) frv-deb...@miradou.com
Bug: 755834
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: isc-dhcp/debian/rules
===
--- isc-dhcp.orig/debian/rules
+++ isc-dhcp/debian/rules
@@ -62,6 +62,9 @@ override_dh_install:
 	cp contrib/dhcp-lease-list.pl \
 	debian/isc-dhcp-server/usr/sbin/dhcp-lease-list
 
+override_dh_installinit:
+	dh_installinit --error-handler=init_script_error_handler
+
 override_dh_strip:
 	dh_strip --dbg-package=isc-dhcp-dbg
 
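Review bot: `dh_installinit --error-handler=init_script_error_handler` makes the generated postinst/prerm call a shell function of that name when starting the service fails, but the patch does not define that function anywhere; it has to be provided in the package's postinst and prerm scripts before the #DEBHELPER# token, otherwise the maintainer script fails with an unknown command instead of tolerating the start error. The handler should also distinguish the expected case (no subnet configured yet, as confirmed in the report below) from other start failures rather than ignoring every failure.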




Bug#755834: Confirm bug

2015-01-30 Thread François-Régis
Hi,

I confirm isc-dhcp-server fails to start if there is not at least one
valid subnet:

root@niel-3:~# LC_ALL=C apt-get install isc-dhcp-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
isc-dhcp-server is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up isc-dhcp-server (4.3.1-5) ...
root@niel-3:~# apt-get purge isc-dhcp-server
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Les paquets suivants seront ENLEVÉS :
  isc-dhcp-server*
0 mis à jour, 0 nouvellement installés, 1 à enlever et 0 non mis à jour.
Après cette opération, 675 ko d'espace disque seront libérés.
Souhaitez-vous continuer ? [O/n]
(Lecture de la base de données... 34710 fichiers et répertoires déjà
installés.)
Suppression de isc-dhcp-server (4.3.1-5) ...
Purge des fichiers de configuration de isc-dhcp-server (4.3.1-5) ...
Traitement des actions différées (« triggers ») pour man-db (2.7.0.2-5) ...
root@niel-3:~# LC_ALL=C apt-get install isc-dhcp-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  isc-dhcp-server-ldap
The following NEW packages will be installed:
  isc-dhcp-server
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 356 kB of archives.
After this operation, 675 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ jessie/main isc-dhcp-server armhf
4.3.1-5 [356 kB]
Fetched 356 kB in 1s (180 kB/s)
Preconfiguring packages ...
Selecting previously unselected package isc-dhcp-server.
(Reading database ... 34697 files and directories currently installed.)
Preparing to unpack .../isc-dhcp-server_4.3.1-5_armhf.deb ...
Unpacking isc-dhcp-server (4.3.1-5) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up isc-dhcp-server (4.3.1-5) ...
Generating /etc/default/isc-dhcp-server...
Job for isc-dhcp-server.service failed. See 'systemctl status
isc-dhcp-server.service' and 'journalctl -xn' for details.
invoke-rc.d: initscript isc-dhcp-server, action start failed.
dpkg: error processing package isc-dhcp-server (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 isc-dhcp-server
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@niel-3:~# echo /etc/dhcp/dhcpd.conf  
subnet 192.168.65.0 netmask 255.255.255.0 {

}

root@niel-3:~# LC_ALL=C apt-get install isc-dhcp-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
isc-dhcp-server is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up isc-dhcp-server (4.3.1-5) ...
root@niel-3:~#

-- 
François-Régis
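Added example, not part of the bug report, of the proposed patch or of the isc-dhcp package: a sketch of the `init_script_error_handler` function that the `dh_installinit --error-handler=...` change in the patch proposal expects to find in the maintainer scripts, written so that it only tolerates a start failure when dhcpd.conf declares no subnet (the case confirmed in the session above) and still fails the install otherwise. The function name comes from the patch; the policy, the `dhcpd_conf_has_subnet` helper and the sample configurations are assumptions and constructed data.

```shell
#!/bin/sh
# Constructed dhcpd.conf samples: an empty file (the state in which the
# install above failed) and one with the same subnet block that fixed it.
EMPTY_CONF=$(mktemp)
SUBNET_CONF=$(mktemp)
: > "$EMPTY_CONF"
cat > "$SUBNET_CONF" <<'EOF'
# a comment mentioning subnet must not count as a declaration
subnet 192.168.65.0 netmask 255.255.255.0 {

}
EOF

# dhcpd_conf_has_subnet FILE: succeeds when FILE declares at least one
# subnet or subnet6 block (assumed helper; comment lines are ignored).
dhcpd_conf_has_subnet() {
    grep -Eq '^[[:space:]]*subnet6?[[:space:]]' "$1"
}

# init_script_error_handler [CONF]: the function dh_installinit calls from
# postinst/prerm when the init script fails (it calls it without arguments,
# so CONF defaults to the real path). Assumed policy: a start failure with no
# subnet configured yet is expected and tolerated (return 0); any other start
# failure is propagated (return 1) so a misconfiguration is not silently masked.
init_script_error_handler() {
    conf=${1:-/etc/dhcp/dhcpd.conf}
    if [ -f "$conf" ] && dhcpd_conf_has_subnet "$conf"; then
        echo "isc-dhcp-server failed to start although $conf declares a subnet; failing" >&2
        return 1
    fi
    echo "isc-dhcp-server not started: no subnet declared in $conf yet; continuing" >&2
    return 0
}

# Demonstration on the two constructed configurations.
init_script_error_handler "$EMPTY_CONF"
init_script_error_handler "$SUBNET_CONF" || echo "install would fail (exit $?)"
```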

