Bug#1007222: transition: onetbb

2022-03-13 Thread Matthias Klose

On 13.03.22 21:59, M. Zhou wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> Hi release team,
> 
> This involves an upstream source name change (from tbb to onetbb),
> as well as a SOVERSION bump (from 2 to 12), along with a major API
> change including some changes in the core API.
> 
> I should have submitted this after my local build test for the
> reverse dependencies of libtbb-dev, but fellow developers from
> debian-science are eager to see this in unstable to unblock
> their work.
> 
> I have not tested it myself, but I heard from an archlinux
> developer that this API bump breaks a lot of packages, and
> some upstreams decided to disable or drop tbb support as
> a result. I guess we can take similar measures as a short-term
> workaround.


"I heard from archlinux" is not good enough. I sent you email about this
without getting a reply, then filed #1006920, without getting a reply, now this
incomplete proposal. You may want to look at all the build rdeps for libtbb2-dev
in Ubuntu to get an overview of what at least breaks:


$ reverse-depends -b libtbb2-dev

Reverse-Testsuite-Triggers
* intel-mkl

Reverse-Build-Depends
* casparcg-server
* flexbar
* gazebo
* opencascade
* opensubdiv
* r-cran-rcppparallel
  (plus implicit dependencies)



> Ben file:
> 
> title = "tbb";
> is_affected = .depends ~ "libtbb2" | .depends ~ "libtbb12";
> is_good = .depends ~ "libtbb12";
> is_bad = .depends ~ "libtbb2";


This breaks everything immediately because of the conflicting libtbb2 and 
libtbb12. Please fix this first.


Matthias



Processed: Re: Bug#1007222: transition: onetbb

2022-03-13 Thread Debian Bug Tracking System
Processing control commands:

> forwarded -1 https://release.debian.org/transitions/html/onetbb.html
Bug #1007222 [release.debian.org] transition: onetbb
Set Bug forwarded-to-address to 
'https://release.debian.org/transitions/html/onetbb.html'.
> tags -1 moreinfo
Bug #1007222 [release.debian.org] transition: onetbb
Added tag(s) moreinfo.

-- 
1007222: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007222
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1007222: transition: onetbb

2022-03-13 Thread Sebastian Ramacher
Control: forwarded -1 https://release.debian.org/transitions/html/onetbb.html
Control: tags -1 moreinfo

On 2022-03-13 16:59:48 -0400, M. Zhou wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: transition
> 
> Hi release team,
> 
> This involves an upstream source name change (from tbb to onetbb),
> as well as a SOVERSION bump (from 2 to 12), along with a major API
> change including some changes in the core API.
> 
> I should have submitted this after my local build test for the
> reverse dependencies of libtbb-dev, but fellow developers from
> debian-science are eager to see this in unstable to unblock
> their work.
> 
> I have not tested it myself, but I heard from an archlinux
> developer that this API bump breaks a lot of packages, and
> some upstreams decided to disable or drop tbb support as
> a result. I guess we can take similar measures as a short-term
> workaround.

Please remove the moreinfo tag once these issues have been investigated
and bugs have been filed.

Cheers

> 
> Ben file:
> 
> title = "tbb";
> is_affected = .depends ~ "libtbb2" | .depends ~ "libtbb12";
> is_good = .depends ~ "libtbb12";
> is_bad = .depends ~ "libtbb2";
> Thank you for using reportbug
> 

-- 
Sebastian Ramacher


signature.asc
Description: PGP signature


Bug#1007222: transition: onetbb

2022-03-13 Thread M. Zhou
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hi release team,

This involves an upstream source name change (from tbb to onetbb),
as well as a SOVERSION bump (from 2 to 12), along with a major API
change including some changes in the core API.

I should have submitted this after my local build test for the
reverse dependencies of libtbb-dev, but fellow developers from
debian-science are eager to see this in unstable to unblock
their work.

I have not tested it myself, but I heard from an archlinux
developer that this API bump breaks a lot of packages, and
some upstreams decided to disable or drop tbb support as
a result. I guess we can take similar measures as a short-term
workaround.

Ben file:

title = "tbb";
is_affected = .depends ~ "libtbb2" | .depends ~ "libtbb12";
is_good = .depends ~ "libtbb12";
is_bad = .depends ~ "libtbb2";
Thank you for using reportbug



Bug#1006456: transition: openldap

2022-03-13 Thread Ryan Tandy

On Sun, Mar 13, 2022 at 02:26:20PM +0100, Sebastian Ramacher wrote:

> Please take a look at golang-openldap. It's an arch: all package and
> hardcodes a dependency on libldap-2.4-2


Thanks. I hadn't noticed it was hard-coded. Filed #1006456.

Also examining some of the "unknown" rows in the tracker, looks like 
several might legitimately be unused/unneeded build-depends. Will 
probably file some sev:minor bugs for those later.


Otherwise looks like things are going smoothly so far?



Processed: golang-openldap: openldap 2.5 transition

2022-03-13 Thread Debian Bug Tracking System
Processing control commands:

> block 1006456 by -1
Bug #1006456 [release.debian.org] transition: openldap
1006456 was blocked by: 989409 990335 1006016 1005996
1006456 was not blocking any bugs.
Added blocking bug(s) of 1006456: 1007217

-- 
1006456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006456
1007217: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#1006456: transition: openldap

2022-03-13 Thread Debian Bug Tracking System
Processing control commands:

> forwarded -1 https://release.debian.org/transitions/html/openldap-2.5.html
Bug #1006456 [release.debian.org] transition: openldap
Set Bug forwarded-to-address to 
'https://release.debian.org/transitions/html/openldap-2.5.html'.

-- 
1006456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006456
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1006456: transition: openldap

2022-03-13 Thread Sebastian Ramacher
Control: forwarded -1 https://release.debian.org/transitions/html/openldap-2.5.html

On 2022-03-12 11:26:19 -0800, Ryan Tandy wrote:
> On Fri, Mar 11, 2022 at 10:15:31PM +0100, Sebastian Ramacher wrote:
> > Please go ahead
> 
> Thank you. openldap/2.5.11+dfsg-1 has just been accepted into unstable.
> 
> Should I bump the remaining autopkgtest issues to RC severity at this time?
> 
> Could you please update the ben file for the transition? The auto-generated
> one is not ideal. I think it should look something like:
> 
> is_affected = .build-depends ~ /\b(libldap(2)?\-dev|libslapi\-dev)\b/;
> is_bad = .depends ~ /\b(libldap\-2\.4\-2|libslapi\-2\.4\-2)\b/;
> is_good = .depends ~ /\b(libldap\-2\.5\-0|libslapi\-2\.5\-0)\b/;

The tracker is now available at
https://release.debian.org/transitions/html/openldap-2.5.html

Please take a look at golang-openldap. It's an arch: all package and
hardcodes a dependency on libldap-2.4-2

Cheers
-- 
Sebastian Ramacher


signature.asc
Description: PGP signature
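The two ben files in this thread (the tbb one from the onetbb transition request above and the openldap one quoted here) evaluated over a small package set, as an added example; this is not ben's own code and not part of the list traffic. It assumes ben's `~` semantics as follows: a quoted string must equal one package name in the parsed dependency list, while a `/regex/` is searched in the raw field text. The package names and their Depends/Build-Depends fields are constructed for the example, not taken from the archive.

```python
import re

# Constructed sample: package -> its Depends and Build-Depends fields.
# Made-up entries for this example, not data from the Debian archive.
SAMPLE_PACKAGES = {
    "flexbar":       {"depends": "libc6 (>= 2.14), libtbb2 (>= 2017~U7)",
                      "build-depends": "debhelper-compat (= 13), libtbb-dev"},
    "opensubdiv":    {"depends": "libc6 (>= 2.29), libtbb12 (>= 2021.4)",
                      "build-depends": "debhelper-compat (= 13), libtbb-dev"},
    "ldap-client-a": {"depends": "libldap-2.4-2 (>= 2.4.7), libc6",
                      "build-depends": "libldap2-dev, debhelper-compat (= 13)"},
    "ldap-client-b": {"depends": "libldap-2.5-0 (>= 2.5.4), libslapi-2.5-0",
                      "build-depends": "libldap-dev"},
    "unrelated":     {"depends": "python3 (>= 3.9~), libc6",
                      "build-depends": "dh-python"},
}


def dep_names(field):
    """Package names in a Depends-style field: commas and '|' alternatives are
    both separators; version, architecture and build-profile qualifiers are dropped."""
    names = []
    for alt in re.split(r"[,|]", field):
        alt = alt.strip()
        if alt:
            names.append(re.split(r"[\s(\[<:]", alt, maxsplit=1)[0])
    return names


def matches(pkg, field, pattern):
    """Assumed ben semantics for `.field ~ pattern`: a quoted string must equal
    one package name in the parsed list; a compiled /regex/ is searched in the
    raw field text (the regexes below keep the openldap ben file's \\b anchors)."""
    value = pkg.get(field, "")
    if isinstance(pattern, re.Pattern):
        return pattern.search(value) is not None
    return pattern in dep_names(value)


# The tbb ben file from the onetbb transition request, as predicates over a package.
TBB = {
    "is_affected": lambda p: matches(p, "depends", "libtbb2") or matches(p, "depends", "libtbb12"),
    "is_good":     lambda p: matches(p, "depends", "libtbb12"),
    "is_bad":      lambda p: matches(p, "depends", "libtbb2"),
}

# The openldap ben file proposed in this thread; is_affected looks at Build-Depends.
LDAP_DEV  = re.compile(r"\b(libldap(2)?\-dev|libslapi\-dev)\b")
LDAP_BAD  = re.compile(r"\b(libldap\-2\.4\-2|libslapi\-2\.4\-2)\b")
LDAP_GOOD = re.compile(r"\b(libldap\-2\.5\-0|libslapi\-2\.5\-0)\b")
OPENLDAP = {
    "is_affected": lambda p: matches(p, "build-depends", LDAP_DEV),
    "is_good":     lambda p: matches(p, "depends", LDAP_GOOD),
    "is_bad":      lambda p: matches(p, "depends", LDAP_BAD),
}


def classify(packages, ben):
    """Return {package: 'good' | 'bad' | 'unknown'} for the packages a ben file
    marks as affected; unaffected packages are left out, as the tracker does.
    A package matching both or neither of is_good/is_bad is reported as unknown."""
    out = {}
    for name, pkg in packages.items():
        if not ben["is_affected"](pkg):
            continue
        good, bad = ben["is_good"](pkg), ben["is_bad"](pkg)
        out[name] = "good" if good and not bad else "bad" if bad and not good else "unknown"
    return out


if __name__ == "__main__":
    for title, ben in (("tbb", TBB), ("openldap-2.5", OPENLDAP)):
        print(title, classify(SAMPLE_PACKAGES, ben))
```

Running it classifies flexbar as bad and opensubdiv as good under the tbb file, and ldap-client-a as bad and ldap-client-b as good under the openldap file; the "unrelated" package never appears. The point of keeping is_affected separate from is_good/is_bad is visible in the openldap file: affectedness is decided on Build-Depends (who links against the library) while good/bad is decided on Depends (which SONAME the binary ended up with), so a package that no longer links the library at all drops out of the tracker rather than showing as unknown.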


Bug#1007183: marked as done (buster-pu: package libphp-adodb/5.20.14-1)

2022-03-13 Thread Debian Bug Tracking System
Your message dated Sun, 13 Mar 2022 11:08:43 +0100
with message-id <5023343.8jc8pb4lGu@giga>
and subject line Re: buster-pu, bullseye-pu: package libphp-adodb
has caused the Debian Bug report #1007183,
regarding buster-pu: package libphp-adodb/5.20.14-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1007183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007183
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hello

I'd like to patch CVE-2021-3850

The one-line patch is already released in sid, and in old-old-security
as version 5.20.9-1+deb9u1 thanks to the ELTS team.

The patch, from upstream, removes the detection of a string being 
already quoted. This results in the proper escaping always taking place.
Note that this function is only called for escaping pg_connect arguments.

Is that ok?

Tell me if you think it's better to upload in buster-security.

diff -Nru libphp-adodb-5.20.14/debian/changelog libphp-adodb-5.20.14/debian/changelog
--- libphp-adodb-5.20.14/debian/changelog	2019-01-07 07:18:32.0 +0100
+++ libphp-adodb-5.20.14/debian/changelog	2022-03-12 21:40:01.0 +0100
@@ -1,3 +1,10 @@
+libphp-adodb (5.20.14-1+deb10u1) buster; urgency=high
+
+  * Add patch to prevent auth bypass with PostgreSQL
+connections. (Fixes: CVE-2021-3850) (Closes: #1004376)
+
+ -- Jean-Michel Vourgère   Sat, 12 Mar 2022 21:40:01 +0100
+
 libphp-adodb (5.20.14-1) unstable; urgency=medium
 
   * New upstream version.
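Review bot: the trailer line `-- Jean-Michel Vourgère   Sat, 12 Mar 2022 21:40:01 +0100` shows no `<email>` between the maintainer name and the date; if that is the file's content rather than the list archive stripping the address, `dpkg-parsechangelog` will reject the entry, so check it reads `-- Name <address>  date` with two spaces before the date. The continuation `+connections. (Fixes: CVE-2021-3850) (Closes: #1004376)` also appears without indentation under its `  * ` bullet, which would make it read as a separate item; worth confirming before upload. `5.20.14-1+deb10u1` with distribution `buster` follows the stable-update version scheme.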
diff -Nru libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch
--- libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch	1970-01-01 01:00:00.0 +0100
+++ libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch	2022-02-06 09:56:10.0 +0100
@@ -0,0 +1,26 @@
+From 952de6c4273d9b1e91c2b838044f8c250c29 Mon Sep 17 00:00:00 2001
+From: Damien Regad 
+Date: Mon, 10 Jan 2022 09:41:32 +0100
+Subject: [PATCH] Prevent auth bypass with PostgreSQL connections
+
+Thanks to Emmet Leahy of Sorcery Ltd for reporting this vulnerability
+(CVE-2021-3850).
+
+This is a minimalistic approach to patch the issue, to reduce the risk
+of causing regressions in the legacy stable branch.
+
+Fixes #793
+---
+ drivers/adodb-postgres64.inc.php | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/adodb-postgres64.inc.php
 b/drivers/adodb-postgres64.inc.php
+@@ -51,7 +51,6 @@
+ {
+ 	$len = strlen($s);
+ 	if ($len == 0) return "''";
+-	if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted
+ 
+ 	return "'".addslashes($s)."'";
+ }
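Review bot: the embedded patch's `+++ b/drivers/adodb-postgres64.inc.php` header is not visible here (the line reads ` b/drivers/adodb-postgres64.inc.php` with no `++++` prefix), and the `From 952de6c4273d9b1e91c2b838044f8c250c29` line carries a 36-digit commit id rather than a full 40-digit SHA-1; both are probably mangling by the list archive, but if the file in the upload matches what is shown, `patch`/`quilt` will most likely refuse it (a `---` header with no matching `+++`), so run `quilt push -a` or `dpkg-source --before-build` on the unpacked source before uploading. The change itself is the right shape for a minimal fix: the deleted line returned `$s` verbatim whenever its first and last characters were `'`, so a value that merely looked quoted never went through `addslashes()`; with it gone, every non-empty value is escaped, as the bug description says. Since the patch is a `git format-patch` export, adding a DEP-3 `Bug-Debian: https://bugs.debian.org/1004376` header (the bug the changelog closes) would keep the provenance in the patch file itself.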
diff -Nru libphp-adodb-5.20.14/debian/patches/series libphp-adodb-5.20.14/debian/patches/series
--- libphp-adodb-5.20.14/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ libphp-adodb-5.20.14/debian/patches/series	2022-02-06 09:55:43.0 +0100
@@ -0,0 +1 @@
+CVE-2021-3850.patch
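Review bot: the `---` timestamp on `debian/patches/series` is the epoch, so this upload creates the series file and CVE-2021-3850.patch is the package's first quilt patch; confirm `debian/source/format` is `3.0 (quilt)` so the series is actually applied at build time rather than shipped inert.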


signature.asc
Description: This is a digitally signed message part.
--- End Message ---
--- Begin Message ---
Hi

Similar fixes were uploaded yesterday by carnil in buster-security and in
bullseye-security (thanks!)

As a result, #1007181 and #100783 are no longer relevant.

Closing
--- End Message ---


Bug#1007181: marked as done (bullseye-pu: package libphp-adodb/5.20.19-1)

2022-03-13 Thread Debian Bug Tracking System
Your message dated Sun, 13 Mar 2022 11:08:43 +0100
with message-id <5023343.8jc8pb4lGu@giga>
and subject line Re: buster-pu, bullseye-pu: package libphp-adodb
has caused the Debian Bug report #1007181,
regarding bullseye-pu: package libphp-adodb/5.20.19-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1007181: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007181
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

Hello

I'd like to patch CVE-2021-3850

The one-line patch is already released in sid, and in old-old-security
as version 5.20.9-1+deb9u1 thanks to the ELTS team.

The patch, from upstream, removes the detection of a string being 
already quoted. This results in the proper escaping always taking place.
Note that this function is only called for escaping pg_connect arguments.

Is that ok?

Tell me if you think it's better to upload in bullseye-security.

diff -Nru libphp-adodb-5.20.19/debian/changelog libphp-adodb-5.20.19/debian/changelog
--- libphp-adodb-5.20.19/debian/changelog	2020-12-19 08:08:01.0 +0100
+++ libphp-adodb-5.20.19/debian/changelog	2022-03-12 18:50:26.0 +0100
@@ -1,3 +1,10 @@
+libphp-adodb (5.20.19-1+deb11u1) bullseye; urgency=high
+
+  * Add patch to prevent auth bypass with PostgreSQL
+connections. (Fixes: CVE-2021-3850) (Closes: #1004376)
+
+ -- Jean-Michel Vourgère   Sat, 12 Mar 2022 18:50:26 +0100
+
 libphp-adodb (5.20.19-1) unstable; urgency=medium
 
   * New upstream version.
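Review bot: the trailer `-- Jean-Michel Vourgère   Sat, 12 Mar 2022 18:50:26 +0100` needs a `<email>` between name and date, which is not shown here; confirm it survives in the file, and that the `+connections. (Fixes: CVE-2021-3850) (Closes: #1004376)` continuation is indented under its bullet rather than starting a new item. `5.20.19-1+deb11u1` with distribution `bullseye` follows the stable-update version scheme.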
diff -Nru libphp-adodb-5.20.19/debian/patches/CVE-2021-3850.patch libphp-adodb-5.20.19/debian/patches/CVE-2021-3850.patch
--- libphp-adodb-5.20.19/debian/patches/CVE-2021-3850.patch	1970-01-01 01:00:00.0 +0100
+++ libphp-adodb-5.20.19/debian/patches/CVE-2021-3850.patch	2022-02-06 09:56:10.0 +0100
@@ -0,0 +1,26 @@
+From 952de6c4273d9b1e91c2b838044f8c250c29 Mon Sep 17 00:00:00 2001
+From: Damien Regad 
+Date: Mon, 10 Jan 2022 09:41:32 +0100
+Subject: [PATCH] Prevent auth bypass with PostgreSQL connections
+
+Thanks to Emmet Leahy of Sorcery Ltd for reporting this vulnerability
+(CVE-2021-3850).
+
+This is a minimalistic approach to patch the issue, to reduce the risk
+of causing regressions in the legacy stable branch.
+
+Fixes #793
+---
+ drivers/adodb-postgres64.inc.php | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/adodb-postgres64.inc.php
 b/drivers/adodb-postgres64.inc.php
+@@ -51,7 +51,6 @@
+ {
+ 	$len = strlen($s);
+ 	if ($len == 0) return "''";
+-	if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted
+ 
+ 	return "'".addslashes($s)."'";
+ }
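Review bot: this is the same upstream commit as in the buster upload earlier in this digest, and the same two presentation problems apply: the inner `+++ b/drivers/adodb-postgres64.inc.php` header is missing (only ` b/drivers/adodb-postgres64.inc.php` remains) and the commit id on the `From` line is 36 hex digits instead of 40, so verify the patch file applies cleanly (`quilt push -a`) before upload. Behaviourally the single deletion is sufficient: removing the early `return $s` for values that begin and end with `'` means `addslashes()` now runs on every non-empty input, which is exactly what the bug report describes.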
diff -Nru libphp-adodb-5.20.19/debian/patches/series libphp-adodb-5.20.19/debian/patches/series
--- libphp-adodb-5.20.19/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ libphp-adodb-5.20.19/debian/patches/series	2022-02-06 09:55:43.0 +0100
@@ -0,0 +1 @@
+CVE-2021-3850.patch


signature.asc
Description: This is a digitally signed message part.
--- End Message ---
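The quoting helper that both the buster and the bullseye request patch (the one-line removal of the "already quoted" shortcut in adodb-postgres64.inc.php, shown in the diffs above) modelled in Python as an added example; this is not the project's PHP code. `addslashes` is re-implemented here with PHP's escaping rules, and the names `quote_before_fix`, `quote_after_fix` and `is_single_quoted_literal`, as well as the sample values, are constructed for illustration.

```python
def addslashes(s):
    """Python model of PHP addslashes(): backslash-escape ', ", \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def quote_before_fix(s):
    """Model of the driver's helper before the CVE-2021-3850 patch: a value
    whose first and last characters are quotes is returned untouched."""
    if len(s) == 0:
        return "''"
    if s[0] == "'" and s[-1] == "'":
        return s  # the removed "already quoted" shortcut: interior is not escaped
    return "'" + addslashes(s) + "'"


def quote_after_fix(s):
    """Model of the helper after the patch: every non-empty value is escaped."""
    if len(s) == 0:
        return "''"
    return "'" + addslashes(s) + "'"


def is_single_quoted_literal(q):
    """Invariant a caller building a key='value' string needs: q is exactly one
    '...' literal in which every interior quote is backslash-escaped, so the value
    cannot end the literal early or swallow the closing quote."""
    if len(q) < 2 or q[0] != "'" or q[-1] != "'":
        return False
    escaped = False
    for ch in q[1:-1]:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return False  # an unescaped quote closes the literal early
    # a lone trailing backslash would escape the closing quote itself
    return not escaped


def check(value):
    """Compare both versions on one input; returns (old_output, old_ok, new_output, new_ok)."""
    old, new = quote_before_fix(value), quote_after_fix(value)
    return old, is_single_quoted_literal(old), new, is_single_quoted_literal(new)


if __name__ == "__main__":
    # Constructed inputs: one that merely looks quoted but has an interior quote,
    # one whose last character before the closing quote is a backslash, one plain.
    for value in ("'a' b'", "'a\\'", "plain"):
        print(repr(value), "->", check(value))
```

For the constructed value `'a' b'` the pre-fix helper hands back `'a' b'` unchanged, which fails the invariant because the second quote closes the literal; the post-fix helper returns `'\'a\' b\''`, which passes. The second sample shows the subtler failure of the shortcut: `'a\'` is returned as-is and its backslash escapes the closing quote, so the literal is never terminated. Plain values behave identically before and after, which is why a one-line removal was a low-regression fix for a stable branch.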
--- Begin Message ---
Hi

Similar fixes were uploaded yesterday by carnil in buster-security and in
bullseye-security (thanks!)

As a result, #1007181 and #100783 are no longer relevant.

Closing
--- End Message ---