
Bug#843905: marked as done (jessie-pu: package akonadi/1.13.0-2+deb8u2)



Your message dated Wed, 16 Nov 2016 09:05:53 +0000
with message-id <1479287153.2201.4.camel@adam-barratt.org.uk>
and subject line Re: Bug#843905: jessie-pu: package akonadi/1.13.0-2+deb8u2
has caused the Debian Bug report #843905,
regarding jessie-pu: package akonadi/1.13.0-2+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
843905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843905
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

The latest security upload of mysql-5.5 breaks akonadi-backend-mysql in stable; 
this is due to a change in the compiled-in configuration values that are 
incompatible with the ones shipped in the akonadi backend *.

In the bug #843520 [1] the mysql maintainers requested this to be fixed on 
the akonadi side.

The bug #843534 currently tracks the akonadi side of things; sadly, we have 
some contradicting user reports. But according to our tests this upload fixes 
the issue caused by the mysql-5.5 upload; we may need to further investigate 
the problems that aren't fixed with this.

I'm not completely sure if it would be better to upload this change as a 
security upload as a way to retain archive consistency; in any case I would 
wait for a green flag from the release team before uploading this.

I'm attaching the diff of the proposed changes.

Happy hacking.

[1]: https://bugs.debian.org/843520
[2]: https://bugs.debian.org/843534

*:
The compiled-in value of secure_file_priv points to the directory 
"/var/lib/mysql-files" that isn't present in the mysql-server-core-5.5 
package, requiring that this value is correctly set in the mysql configuration 
file shipped in the akonadi backend.

Since the use of secure_file_priv has no benefit for the akonadi use cases, a 
simple workaround is to set it to the empty value, which reverts mysql to the 
previous behaviour.


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'buildd-unstable'), (500, 'testing'), (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index 43d92d7..7cf44ae 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+akonadi (1.13.0-2+deb8u2) stable-proposed-updates; urgency=medium
+
+  * Add patch from kubuntu: kubuntu_disable_secure_file_priv_check.diff
+    - fix compatibility with stricter defaults in mysql security update.
+      (Closes: 843534) Thanks to fld for the report and Marc Deslauriers
+      for the patch.
+
+ -- Maximiliano Curia <maxy@debian.org>  Thu, 10 Nov 2016 15:17:27 +0100
+
 akonadi (1.13.0-2+deb8u1) stable-proposed-updates; urgency=medium
 
   * Team upload.
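Review bot: The new 1.13.0-2+deb8u2 entry says only "fix compatibility with stricter defaults in mysql security update" and never names the setting it changes. The patch it adds sets secure_file_priv to the empty value, which disables a check rather than adapting to it, so the entry should say that explicitly (for example "set secure_file_priv to empty in mysql-global.conf") so that readers of the stable update log can see what was relaxed. The "(Closes: 843534)" reference would also read more conventionally with a "#" before the bug number.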
diff --git a/debian/not-installed b/debian/not-installed
new file mode 100644
index 0000000..79e4e3e
--- /dev/null
+++ b/debian/not-installed
@@ -0,0 +1 @@
+usr/bin/asapcat
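Review bot: debian/not-installed, with its single entry usr/bin/asapcat, is not mentioned in the 1.13.0-2+deb8u2 changelog entry and has no visible connection to the secure_file_priv fix. For a stable update, either add a changelog line explaining why asapcat is left uninstalled or drop the file from this upload so the diff contains only the targeted fix.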
diff --git a/debian/patches/kubuntu_disable_secure_file_priv_check.diff b/debian/patches/kubuntu_disable_secure_file_priv_check.diff
new file mode 100644
index 0000000..5a35b64
--- /dev/null
+++ b/debian/patches/kubuntu_disable_secure_file_priv_check.diff
@@ -0,0 +1,26 @@
+Description: disable the secure_file_priv check
+ MySQL 5.7 introduced a premission check for export and import operations.
+ In Ubuntu, only the full mysql-server package creates the set system wide
+ directory causing mysqld-akonadi to error out on startup if only
+ mysql-server-core-5.7 is installed.
+ To prevent that the key is set to empty, which reverts mysqld to the 5.6
+ behavior.
+ See http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_secure_file_priv
+Author: Philip Muskovac <yofel@gmx.net>
+Last-Update: 2016-04-18
+Forwarded: not-needed
+Origin: vendor
+Index: b/server/src/storage/mysql-global.conf
+===================================================================
+--- a/server/src/storage/mysql-global.conf
++++ b/server/src/storage/mysql-global.conf
+@@ -100,5 +100,9 @@ wait_timeout=31536000
+ # We use InnoDB, so don't let MyISAM eat up memory
+ key_buffer_size=16K
+ 
++# KUBUNTU:
++# Unset the export dir check as only the full mysql-server package creates it
++secure_file_priv=
++
+ [client]
+ default-character-set=utf8
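Review bot: The Description header argues from MySQL 5.7, the 5.6 behaviour and Ubuntu's mysql-server-core-5.7, while the covering message says this upload is for the mysql-5.5 security update and mysql-server-core-5.5 in stable; the header and the "# KUBUNTU:" comment added to mysql-global.conf should be reworded for the Debian case so the rationale matches the package it ships in. The comment above "secure_file_priv=" is also the right place to record that the empty value removes the import/export directory check for the mysqld-akonadi instance and why that is acceptable for akonadi. "premission" in the Description is a typo for "permission".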
diff --git a/debian/patches/series b/debian/patches/series
index 584311c..aaecbd5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ upstream-fix_buffer_overflow_in_AKTEST_FAKESERVER_MAIN
 upstream-do_not_crash_when_setmntent_returns_NULL
 upstream_dont_call_insert_from_Q_ASSERT
 upstream_dont_leak_old_external_payload_files.patch
+kubuntu_disable_secure_file_priv_check.diff

--- End Message ---
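A check for the condition described in the footnote of the message above, as an added example that is not part of the original message or of akonadi: it reads a my.cnf-style file and reports how secure_file_priv resolves, covering the NULL and directory values as well as the empty one. The sample configs, the [mysqld] header and the function names are constructed for illustration; the default path is the one quoted in the message.

```python
import os

# Compiled-in default quoted in the message above (assumed for this check).
COMPILED_IN_DEFAULT = "/var/lib/mysql-files"

def effective_secure_file_priv(conf_text):
    """Return the [mysqld] secure_file_priv value, or None if never set."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        # MySQL accepts '-' and '_' interchangeably in option names.
        if key.strip().lower().replace("-", "_") == "secure_file_priv":
            value = val.strip().strip("\"'")  # a later line overrides an earlier one
    return value

def assess(conf_text, dir_exists=os.path.isdir):
    """Classify the setting as (state, path)."""
    value = effective_secure_file_priv(conf_text)
    if value is None:
        value = COMPILED_IN_DEFAULT          # nothing set: the built-in default applies
    if value == "":
        return ("unrestricted", "")          # import/export allowed anywhere
    if value.upper() == "NULL":
        return ("disabled", "")              # import/export switched off
    # A directory value must already exist; the server does not create it.
    return ("restricted" if dir_exists(value) else "missing-dir", value)

# Constructed samples modelled on the context lines of the patch above;
# the [mysqld] header is an assumption about the file's layout.
BEFORE = "[mysqld]\nwait_timeout=31536000\nkey_buffer_size=16K\n\n[client]\ndefault-character-set=utf8\n"
AFTER = BEFORE.replace("\n\n[client]", "\n\nsecure_file_priv=\n\n[client]")

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, assess(conf))
```

A "missing-dir" result is the state the message reports as breaking the backend; "unrestricted" is the state the proposed patch produces.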
--- Begin Message ---
On Thu, 2016-11-10 at 16:03 +0100, Maximiliano Curia wrote:
> The latest security upload of mysql-5.5 breaks akonadi-backend-mysql in stable; 
> this is due to a change in the compiled-in configuration values that are 
> incompatible with the ones shipped in the akonadi backend *.
> 
> In the bug #843520 [1] the mysql maintainers requested this to be fixed on 
> the akonadi side.
> 
> The bug #843534 currently tracks the akonadi side of things; sadly, we have 
> some contradicting user reports. But according to our tests this upload fixes 
> the issue caused by the mysql-5.5 upload; we may need to further investigate 
> the problems that aren't fixed with this.
> 
> I'm not completely sure if it would be better to upload this change as a 
> security upload as a way to retain archive consistency; in any case I would 
> wait for a green flag from the release team before uploading this.

This became DSA-3714-1.

Regards,

Adam

--- End Message ---
