Bug#843905: jessie-pu: package akonadi/1.13.0-2+deb8u2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
The latest security upload of mysql-5.5 breaks akonadi-backend-mysql in stable,
this is due to a change in the compiled-in configuration values that are
incompatible with the ones shipped in the akonadi backend *.
In the bug #843520 [1] the mysql maintainers requested this to be fixed on
the akonadi side.
The bug #843534 currently tracks the akonadi side of things, sadly we have
some contradicting user reports. But according to our tests this upload fixes
the issue caused by the mysql-5.5 upload, we may need to further investigate
the problems that aren't fixed with this.
I'm not completely sure if it would be better to upload this change as a
security upload as a way to retain archive consistency, in any case I would
wait for a green flag from the release team before uploading this.
I'm attaching the diff of the proposed changes.
Happy hacking.
[1]: https://bugs.debian.org/843520
[2]: https://bugs.debian.org/843534
*:
The compiled-in value of secure_file_priv points to the directory
"/var/lib/mysql-files" that isn't present in the mysql-server-core-5.5
package, requiring that this value is correctly set in mysql configuration
file shipped in the akonadi backend.
Since the use of secure_file_priv has no benefit for the akonadi use cases a
simple workaround is to set it to the empty value that reverts mysql to the
previous behaviour.
- -- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'buildd-unstable'), (500, 'testing'), (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf
Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
-----BEGIN PGP SIGNATURE-----
iQItBAEBCgAXBQJYJIxYEBxtYXh5QGRlYmlhbi5vcmcACgkQxxl2mbKbIyqUAQ//
aucTQ4KR7e+1vzAzgV9Km0u9Qz3scYCqYY2+hCfxbtitDi9tX1ZngKcVr5uq2mSz
m+vMWHPz6B3Usej5e0kqUrzUcreC9at8va4XCH5w4YukLAmNycxiDsjbpYjH4STD
VU9m498auQR2gyGT0C8d041FISWCny9ydnGa7rbiRJHHSoNSd4wFqplEee2Xt8WT
QUBgfnviP9Zpi5w0NmoUB8kyOj9pCT+ELwxwjO9vJd3Y/7eZxoY0JVPmKpMUcTrz
hX7cEj40jAa9acvMFc6+HtBwHNJ1DDdGDdXD9Jp3+30Y5DP52YcS3habPK7X3yTi
keogj8ypqHaGxyqfe16uO0YAdDzPDLc/VpsERxkdM8ivUEjS3uwpLyqcVXG4gq2V
LLiTJs2lszC+h/EkGHu4uw9bHlEmyLn5l6rNd19a71dwdvblvE9VXFYC9AroUhNv
Jp2dEL801DCJLgsAFggQKl71ICgrtvvwwQzhfO+xdYzhTBZaRvs8H8A3v/qQzNuO
JE6NdQJsTbjRsff0++tjlRJIzauxrAZf+/yncmCnDBs9Akq6Q7CwJ7+xmNjGEVWu
Nw/c4EX5gzDCy1GmcTdsTqtW1i1Ru4QxMLpZtGHaC6Gjkd2rV0/fJZG7vqCruz6p
KDy2Ey6KGax7dpesiSXPiJRL2nNjC53YeXuB4nY27bI=
=E+r9
-----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog
index 43d92d7..7cf44ae 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+akonadi (1.13.0-2+deb8u2) stable-proposed-updates; urgency=medium
+
+ * Add patch from kubuntu: kubuntu_disable_secure_file_priv_check.diff
+ - fix compatibility with stricter defaults in mysql security update.
+ (Closes: 843534) Thanks to fld for the report and Marc Deslauriers
+ for the patch.
+
+ -- Maximiliano Curia <maxy@debian.org> Thu, 10 Nov 2016 15:17:27 +0100
+
akonadi (1.13.0-2+deb8u1) stable-proposed-updates; urgency=medium
* Team upload.
diff --git a/debian/not-installed b/debian/not-installed
new file mode 100644
index 0000000..79e4e3e
--- /dev/null
+++ b/debian/not-installed
@@ -0,0 +1 @@
+usr/bin/asapcat
diff --git a/debian/patches/kubuntu_disable_secure_file_priv_check.diff b/debian/patches/kubuntu_disable_secure_file_priv_check.diff
new file mode 100644
index 0000000..5a35b64
--- /dev/null
+++ b/debian/patches/kubuntu_disable_secure_file_priv_check.diff
@@ -0,0 +1,26 @@
+Description: disable the secure_file_priv check
+ MySQL 5.7 introduced a premission check for export and import operations.
+ In Ubuntu, only the full mysql-server package creates the set system wide
+ directory causing mysqld-akonadi to error out on startup if only
+ mysql-server-core-5.7 is installed.
+ To prevent that the key is set to empty, which reverts mysqld to the 5.6
+ behavior.
+ See http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_secure_file_priv
+Author: Philip Muskovac <yofel@gmx.net>
+Last-Update: 2016-04-18
+Forwarded: not-needed
+Origin: vendor
+Index: b/server/src/storage/mysql-global.conf
+===================================================================
+--- a/server/src/storage/mysql-global.conf
++++ b/server/src/storage/mysql-global.conf
+@@ -100,5 +100,9 @@ wait_timeout=31536000
+ # We use InnoDB, so don't let MyISAM eat up memory
+ key_buffer_size=16K
+
++# KUBUNTU:
++# Unset the export dir check as only the full mysql-server package creates it
++secure_file_priv=
++
+ [client]
+ default-character-set=utf8
diff --git a/debian/patches/series b/debian/patches/series
index 584311c..aaecbd5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ upstream-fix_buffer_overflow_in_AKTEST_FAKESERVER_MAIN
upstream-do_not_crash_when_setmntent_returns_NULL
upstream_dont_call_insert_from_Q_ASSERT
upstream_dont_leak_old_external_payload_files.patch
+kubuntu_disable_secure_file_priv_check.diff
Reply to: