[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
This bug was fixed in the package drupal7 - 7.44-1ubuntu1~16.04.0

---
drupal7 (7.44-1ubuntu1~16.04.0) xenial; urgency=medium

  * Backport a version of drupal7 to Ubuntu 16.04 LTS that is installable
    with php7 (LP: #1582340)

drupal7 (7.44-1ubuntu1) yakkety; urgency=medium

  * Depend on php-xml (LP: #1595788)

drupal7 (7.44-1) unstable; urgency=high

  * New upstream version
  * Fixes a security vulnerability (SA-CORE-2016-002): Privilege
    escalation (within the webapp users realm)

drupal7 (7.43-3) unstable; urgency=medium

  * Moved the farbstatic sources from debian/missing-sources to
    debian/missing-sources/misc, to keep lintian happy
  * The right name for one of our conditional dependencies is no longer
    php-sqlite, but php-sqlite3. Thanks to Nish Aravamudan for pointing
    this out!

drupal7 (7.43-2) unstable; urgency=medium

  * Update dependencies to use PHP 7 instead of 5 (Closes: #821482)
  * Updated debian/watch to work reliably
  * Standards-version 3.9.6.0→3.9.8 (no changes needed)

drupal7 (7.43-1) unstable; urgency=high

  * New upstream version
  * Fixes several security vulnerabilities (SA-CORE-2016-001): File
    upload access bypass and DoS, brute force amplification attack via
    XML-RPC, open redirect via path manipulation, reflected file
    download, wrong modes set on some user accounts setting saves,
    information disclosure of email addresses
  * Several non-security bugfixes from 7.42 included
  * Fix typo in README.Debian
  * Add several needed lintian overrides

 -- Jeremy Bicha Fri, 24 Jun 2016 13:29:56 -0400

** Changed in: drupal7 (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1582340

Title:
  [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/drupal7/+bug/1582340/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
Ubuntu GNOME 16.04 LTS:
=======================
$ sudo apt install drupal7
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 drupal7 : Depends: php5 but it is not installable
           Depends: php5-mysql but it is not installable or
                    php5-pgsql but it is not installable or
                    php5-sqlite but it is not installable
           Depends: php5-gd but it is not installable
           Recommends: mysql-server or
                       postgresql but it is not going to be installed or
                       sqlite3
E: Unable to correct problems, you have held broken packages.

After enabling -proposed:
$ sudo apt install drupal7 libapache2-mod-php
$ sudo a2enconf drupal7
$ sudo systemctl reload apache2

Navigate to http://localhost/drupal/install.php and fill in the blanks.
(There's a somewhat scary error message at http://localhost/drupal/ if you navigate there before completing the install.php wizard.)

The install works fine (but you have to know to follow those steps). Marking as verification-done.

** Tags removed: verification-needed
** Tags added: verification-done
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
Hello Nish, or anyone else affected,

Accepted drupal7 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/drupal7/7.44-1ubuntu1~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Tags added: verification-needed
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
@Jeremy, thanks for taking care of this. I'll sync up with Ondřej and get back to you on the php7.0 solution (for now, installing libapache2-mod-php with drupal7 is an appropriate workaround).

-Nish
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
Ok, I'm uploading a new version now with the php-xml dependency.

Yeah, the php-fpm situation is complicated because as I found out php-fpm doesn't work out of the box with Ubuntu 16.04 LTS. See also https://bugs.debian.org/820282. But there's complaints about using libapache by default too: https://bugs.debian.org/822774.

** Bug watch added: Debian Bug tracker #820282
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820282

** Tags removed: verification-failed
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
On 24.06.2016 [03:24:08 -], Jeremy Bicha wrote:
> drupal7 needs to depend on php-xml (bug 1595788)

Ack.

> In Debian testing and yakkety, php7.0 depends on libapache2-mod-php7.0
> (and with this installed, the installer works).

Well, to be clear, it depends on libapache2-mod-php7.0 in Xenial as well, it's just the default choice that has changed (the first alternative). This was actually done on purpose, as libapache2-mod-php is not considered the best option (even if the most common).

> More precisely:
> 16.04: php7.0 depends on php7.0-fpm | libapache2-mod-php7.0
> 16.10: php7.0 depends on libapache2-mod-php7.0 | php7.0-fpm

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822774

There isn't a perfect solution. Probably you are right, we should toggle the default selection back to apache, but then we'll get the same bugs filed as before about nginx pulling in apache by default...

> For the purposes of this SRU, should we have drupal7 depend on
> libapache2-mod-php7.0...or, because I believe we should probably do it
> anyway, do an SRU for php7 to have that dependency added there?

I will add the above bugfix to an already pending PHP7.0 SRU request.

> Either way, I propose we replace this SRU with a new backport from
> yakkety of 7.44-1 and the php-xml dependency.

Given that yakkety is in sync with Debian, and probably there will be more Drupal7 releases before it closes (and autosync is turned on), I'm not sure it matters too much. Yes, there are security fixes that are needed. But there are security issues in all drupal7 packages in Ubuntu, and I don't think we're asserting they can all be fixed (cf. that trusty is shipping 7.26-1 + 1 security release).

** Bug watch added: Debian Bug tracker #822774
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822774
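
Added example (not part of the thread and not apt's own code): a simplified model of how the order of alternatives in a Depends field decides which PHP SAPI a bare install pulls in, using the two php7.0 dependency lines quoted in the message above. The function names and the installed-package set are constructed for illustration; apt's real resolver weighs more than this.

```python
# Simplified model (assumption, not apt's resolver): for each Depends clause,
# an already-installed alternative satisfies it; otherwise the first
# alternative listed is the one that gets pulled in.
import re


def parse_depends(field):
    """Split a Depends field into clauses, each a list of alternative names."""
    clauses = []
    for clause in field.split(","):
        alts = []
        for alt in clause.split("|"):
            # Drop version constraints "(>= 1.0)" and arch restrictions
            # "[amd64]", then any ":any"-style qualifier; keep the name only.
            name = re.sub(r"\(.*?\)|\[.*?\]", "", alt).strip().split(":")[0]
            if name:
                alts.append(name)
        if alts:
            clauses.append(alts)
    return clauses


def packages_pulled_in(field, installed=frozenset()):
    """Return the packages a fresh install would add for this Depends field."""
    chosen = []
    for alts in parse_depends(field):
        if any(a in installed for a in alts):
            continue              # clause already satisfied, nothing new
        chosen.append(alts[0])    # default: first alternative
    return chosen


# Dependency lines as quoted in the thread.
PHP70_XENIAL = "php7.0-fpm | libapache2-mod-php7.0"    # 16.04
PHP70_YAKKETY = "libapache2-mod-php7.0 | php7.0-fpm"   # 16.10


def sapi_report():
    """Compare the default SAPI per release and the effect of the workaround."""
    return {
        "16.04 default": packages_pulled_in(PHP70_XENIAL),
        "16.10 default": packages_pulled_in(PHP70_YAKKETY),
        # Constructed installed set: the Apache module is present before the
        # php7.0 dependency is resolved, as in the thread's workaround.
        "16.04 with mod-php installed": packages_pulled_in(
            PHP70_XENIAL, installed={"libapache2-mod-php7.0"}),
    }


if __name__ == "__main__":
    for case, pkgs in sapi_report().items():
        print(f"{case}: {pkgs or 'nothing extra'}")
```
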
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
drupal7 needs to depend on php-xml (bug 1595788)

In Debian testing and yakkety, php7.0 depends on libapache2-mod-php7.0 (and with this installed, the installer works).

More precisely:
16.04: php7.0 depends on php7.0-fpm | libapache2-mod-php7.0
16.10: php7.0 depends on libapache2-mod-php7.0 | php7.0-fpm

For the purposes of this SRU, should we have drupal7 depend on libapache2-mod-php7.0...or, because I believe we should probably do it anyway, do an SRU for php7 to have that dependency added there?

Either way, I propose we replace this SRU with a new backport from yakkety of 7.44-1 and the php-xml dependency.
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
Ubuntu 16.04 LTS:
=================
$ sudo apt install drupal7
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 drupal7 : Depends: php5 but it is not installable
           Depends: php5-mysql but it is not installable or
                    php5-pgsql but it is not installable or
                    php5-sqlite but it is not installable
           Depends: php5-gd but it is not installable
           Recommends: mysql-server or
                       postgresql but it is not going to be installed or
                       sqlite3
E: Unable to correct problems, you have held broken packages.

After enabling -proposed:
Install works. See attached for log.

http://localhost/ shows the default Ubuntu apache2 page.

I briefly read the docs and follow the instructions:
$ less /usr/share/doc/drupal7/README.Debian.gz

$ sudo a2enconf drupal7
Enabling conf drupal7.
To activate the new configuration, you need to run:
  service apache2 reload
$ sudo service apache2 reload
$ sudo systemctl reload apache2

http://localhost/drupal7/ shows nothing

http://localhost/drupal7/install.php shows
system requirements page for more information.';
  exit;
}

// Start the installer.
require_once DRUPAL_ROOT . '/includes/install.core.inc';
install_drupal();

I'm marking this verification failed since although it installs (which is an improvement), it didn't actually run for me.

Also, shouldn't we go ahead and backport the security update from yakkety now too?

** Attachment added: "drupal7-install.log"
   https://bugs.launchpad.net/ubuntu/+source/drupal7/+bug/1582340/+attachment/4689400/+files/drupal7-install.log

** Tags removed: verification-needed
** Tags added: verification-failed
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
Bumping importance to High. drupal7 is unusable in Ubuntu 16.04 LTS without this fix and it is such a high profile package it was release noted: https://wiki.ubuntu.com/XenialXerus/ReleaseNotes#PHP_7.0

** Changed in: drupal7 (Ubuntu Xenial)
   Importance: Low => High

** Changed in: drupal7 (Ubuntu)
   Importance: Low => High
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
** Changed in: drupal7 (Ubuntu Xenial)
   Importance: Undecided => Low
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
Hello Nish, or anyone else affected,

Accepted drupal7 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/drupal7/7.43-3~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: drupal7 (Ubuntu Xenial)
       Status: New => Fix Committed

** Tags added: verification-needed
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
Thanks for the pointers! I've uploaded a backported version to xenial. I'll subscribe the SRU team here for the next steps.
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
** Also affects: drupal7 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: drupal7 (Ubuntu)
       Status: New => Fix Released
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
** Tags added: upgrade-software-version

** Changed in: drupal7 (Ubuntu)
   Importance: Wishlist => Low
[Bug 1582340] Re: [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
** Tags added: xenial