On 6/27/19 8:39 PM, Paul Gevers wrote:
> Hi Thomas,
>
> On 31-05-2019 01:34, Thomas Goirand wrote:
>> Dear package maintainer,
>>
>> We're about to upgrade SQLAlchemy in Buster to address an SQL injection
>> issue. The fixed package is in unstable, under the version 1.2.18+ds1-2.
>>
>> In some rare cases, this update may break reverse dependencies, leading
>> to non-working SQL queries.
>>
>> This is why I'm writing this email to you today: to ask you to please
>> test your application with SQLAlchemy 1.2.18+ds1-2 ASAP, to address any
>> potential unforecast issue before the Buster release.
>>
>> Details about the discussion can be seen here in the Debian bug #929321.
>>
>> Best regards,
>
> Is this explaining the FTBFS of cloudkitty? We're looking at all the RC
> bugs to see what needs to happen and cloudkitty is about to be removed
> due to this FTBFS. (I am not promising anything, but if the fix is clear,
> we may leave it in and let you fix it in the first point release).
>
> Paul
>
Hi Paul,
I applied the upstream patch, released today:
https://review.opendev.org/#/c/668120/
Debdiff attached. I've opened an unblock bug too: #931220
Cheers,
Thomas Goirand (zigo)
diff -Nru cloudkitty-8.0.0/debian/changelog cloudkitty-8.0.0/debian/changelog
--- cloudkitty-8.0.0/debian/changelog 2019-01-24 14:45:39.0 +0100
+++ cloudkitty-8.0.0/debian/changelog 2019-06-28 15:01:45.0 +0200
@@ -1,3 +1,11 @@
+cloudkitty (8.0.0-5) unstable; urgency=medium
+
+ * Add upstream patch to fix FTBFS after we updated SQLAlchemy to fix
+CVE-2019-7164 CVE-2019-7548 (SQL injection) (see debian bug 922669 and
+929321 for more info) (Closes: #930996).
+
+ -- Thomas Goirand Fri, 28 Jun 2019 15:01:45 +0200
+
cloudkitty (8.0.0-4) unstable; urgency=medium
* Correct default path to metrics.yml in [collect]/metrics_conf.
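Review bot: the changelog entry records only that the patch fixes the FTBFS; it should also state what the patch actually changes, namely that the v1 SQLAlchemy storage backend now wraps the raw `groupby` string in `sqlalchemy.sql.text()` before passing it to `group_by()`. Since the SQLAlchemy update named in the same entry was a fix for SQL injection (CVE-2019-7164, CVE-2019-7548), a one-line mention that the backend now explicitly marks that string as literal SQL gives whoever handles the point release the context they need.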
diff -Nru
cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch
cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch
--- cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch
1970-01-01 01:00:00.0 +0100
+++ cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch
2019-06-28 15:01:45.0 +0200
@@ -0,0 +1,39 @@
+Description: Fix sqlalchemy grouping on v1 storage (Fixes FTBFS in Buster)
+ This fixes "CompileError: Can't resolve label reference for
+ ORDER BY / GROUP BY." error messages raised by sqlalchemy when the groupby
+ expression includes a comma.
+Author: Luka Peschke
+Date: Tue, 4 Jun 2019 15:21:05 +0200
+Change-Id: Ia253175b45b8222aaee415ea535fa4102312be5a
+Bug-Debian: https://bugs.debian.org/930996
+Origin: upstream, https://review.opendev.org/668120
+Last-Update: 2019-06-28
+
+diff --git a/cloudkitty/storage/v1/sqlalchemy/__init__.py
b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+index 77403e3..7b56da6 100644
+--- a/cloudkitty/storage/v1/sqlalchemy/__init__.py
b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+@@ -127,7 +127,7 @@ class SQLAlchemyStorage(storage.BaseStorage):
+ self.frame_model.end <= end,
+ self.frame_model.res_type != '_NO_DATA_')
+ if groupby:
+-q = q.group_by(groupby)
++q = q.group_by(sqlalchemy.sql.text(groupby))
+
+ # Order by sum(rate)
+ q = q.order_by(sqlalchemy.func.sum(self.frame_model.rate))
+diff --git a/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+new file mode 100644
+index 000..02c1e4d
+--- /dev/null
b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+@@ -0,0 +1,6 @@
++---
++fixes:
++ - |
++``CompileError: Can't resolve label reference for ORDER BY / GROUP BY.``
++errors that were sometimes raised by SQLAlchemy when using the v1 storage
++backend and grouping on ``tenant_id`` and ``res_type`` have been fixed.
+--
+2.7.4
+
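Review bot: the one-line change from `+-q = q.group_by(groupby)` to `++q = q.group_by(sqlalchemy.sql.text(groupby))` makes the build pass, but it does so by telling SQLAlchemy to accept `groupby` as literal SQL text, which is precisely the implicit string-to-SQL coercion that the SQLAlchemy update described in the changelog as a SQL-injection fix stopped doing. Whether this is safe depends entirely on where `groupby` comes from: if any caller can pass a request-supplied value into this method, the storage layer should validate it against the known frame columns (the release note names `tenant_id` and `res_type`) or build the clause from the model's column attributes, rather than relying on `text()` alone. A short comment at the call site documenting that assumption would be the minimum; a validation step before the `if groupby:` branch would be better. Minor: the patch file keeps the `--` / `2.7.4` git signature trailer, which quilt tolerates but which is noise in a DEP-3 patch.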
diff -Nru cloudkitty-8.0.0/debian/patches/series
cloudkitty-8.0.0/debian/patches/series
--- cloudkitty-8.0.0/debian/patches/series 2019-01-24 14:45:39.0
+0100
+++ cloudkitty-8.0.0/debian/patches/series 2019-06-28 15:01:45.0
+0200
@@ -1,3 +1,4 @@
allow-any-sqla-version.patch
missing-files.patch
remove-mathjax-extention-from-sphinx-doc.patch
+Fix_sqlalchemy_grouping_on_v1_storage.patch
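Review bot: `Fix_sqlalchemy_grouping_on_v1_storage.patch` does not follow the naming convention of the three existing entries in `series`, which are all lowercase with hyphens; renaming it to `fix-sqlalchemy-grouping-on-v1-storage.patch` (and the file under `debian/patches/` accordingly) keeps the series consistent without affecting the `Bug-Debian` and `Origin` fields inside the patch.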