
Advice on uncontrolled ABI change in quagga 1.1.0



Hi,

Quagga 1.1.0 is currently in unstable and testing. I'd like to upload
quagga 1.1.1 to fix #852454 (CVE-2017-5495). Quagga ships with some
shared libraries that are intended for internal use (common code between
the various quagga routing daemons). These internal libraries have
always had SONAME 0 up until now.

At some point between Quagga 0.99.24 and 1.1.0, the ABI on these dynamic
libraries changed, and it was recently reported upstream as a bug
against 1.1.0 [0]. Subsequently, between Quagga 1.1.0 and 1.1.1,
upstream has bumped the SONAME on one of the libraries [1][2].

I'm looking for advice on what to do in this situation as the ABI change
has already occurred on the package that is already in testing. Quagga
has no reverse dependencies in Debian that link to these shared
libraries. Should I still go through the transition process before
uploading 1.1.1?

As the quagga binary packages have cross-dependencies on the same
version as each other, linking Quagga executables against different
versions of the shared libraries couldn't occur with Debian packages.
The only way that this ABI change could cause issues is the way that it
did in [0], where the user was compiling different versions of quagga
and linking them against the packaged shared libraries.

Any advice would be appreciated.

[0]
https://lists.quagga.net/pipermail/quagga-dev/2016-December/033087.html
[1]
https://lists.quagga.net/pipermail/quagga-dev/2017-January/033175.html
[2]
http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=99e00a19bb8afcf081d1551b886c6d85188e6c60

-- 
Regards,
Scott.

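The situation described in the message above (ABI changed, SONAME left at 0, so a consumer built against the old version silently misreads data from the new one) can be reproduced with a toy library. The script below is an added example, not code from the message, from Debian, or from Quagga; the library name libdemo, the struct cfg and the function cfg_new are hypothetical. It builds two versions of the library with the same SONAME, links a consumer against the first, runs it against both, and then shows why an exported-symbol comparison (nm) does not catch this kind of break, which is the check a maintainer would want before deciding whether a transition is needed.

```shell
#!/bin/sh
# Added example (not from the original message or Quagga): build a tiny
# shared library twice with the SAME SONAME (libdemo.so.0) but a changed
# ABI, link a consumer against v1, then run it against v2 to show why an
# unchanged SONAME hides an ABI break and why symbol lists alone miss it.
set -eu

# Needs a C compiler and binutils (readelf, nm); skip cleanly otherwise.
command -v cc >/dev/null 2>&1 && command -v readelf >/dev/null 2>&1 \
    || { echo "needs a C compiler and binutils; skipping"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Hypothetical library v1: a struct of two ints; the consumer reads .flags.
cat > demo1.c <<'EOF'
struct cfg { int id; int flags; };
struct cfg *cfg_new(void) { static struct cfg c = {7, 42}; return &c; }
EOF

# v2 "internal" change: a field is inserted before .flags (an ABI break),
# but the SONAME stays at 0, as with the Quagga libraries in the message.
cat > demo2.c <<'EOF'
struct cfg { int id; int extra; int flags; };
struct cfg *cfg_new(void) { static struct cfg c = {7, 99, 42}; return &c; }
EOF

# Consumer compiled against the v1 layout (offset of .flags is 4 bytes).
cat > app.c <<'EOF'
#include <stdio.h>
struct cfg { int id; int flags; };
struct cfg *cfg_new(void);
int main(void) { printf("%d\n", cfg_new()->flags); return 0; }
EOF

# build_lib SOURCE DIR: build a shared object with SONAME libdemo.so.0.
build_lib() {
    mkdir -p "$2"
    cc -shared -fPIC -Wl,-soname,libdemo.so.0 -o "$2/libdemo.so.0" "$1"
    ln -sf libdemo.so.0 "$2/libdemo.so"
}

build_lib demo1.c v1
build_lib demo2.c v2
cc -o app app.c -Lv1 -ldemo   # records NEEDED libdemo.so.0, nothing more

# soname FILE: print the DT_SONAME entry; both builds report libdemo.so.0,
# so the dynamic loader treats them as interchangeable.
soname() { readelf -d "$1" | sed -n 's/.*SONAME.*\[\(.*\)\].*/\1/p'; }

# run_against DIR: run the v1-linked consumer with DIR's library.
# Against v1 it prints 42; against v2 it prints 99 (the inserted field),
# with no error from the loader: the ABI break is silent.
run_against() { LD_LIBRARY_PATH="$1" ./app; }

# exported FILE: sorted list of defined dynamic symbols. It is identical
# for v1 and v2, so nm/ldd-style checks cannot detect a layout change;
# a symbol-and-type comparison (e.g. abidiff) is needed for that.
exported() { nm -D --defined-only "$1" | awk '{print $3}' | sort; }

echo "SONAME v1: $(soname v1/libdemo.so.0)  v2: $(soname v2/libdemo.so.0)"
echo "app against v1: $(run_against v1)"
echo "app against v2: $(run_against v2)"
if [ "$(exported v1/libdemo.so.0)" = "$(exported v2/libdemo.so.0)" ]; then
    echo "exported symbols unchanged: nm would not flag this break"
fi
```

The consumer keeps working in the sense that it loads and runs, which is exactly why the mismatch in the cited upstream report only surfaced when someone built a different Quagga version against the packaged libraries: nothing in the SONAME or the symbol table signals that struct layouts moved.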