
Re: Advice on uncontrolled ABI change in quagga 1.1.0
On 26/01/17 12:58, Scott Leggett wrote:
> Hi,
> 
> Quagga 1.1.0 is currently in unstable and testing. I'd like to upload
> quagga 1.1.1 to fix #852454 (CVE-2017-5495). Quagga ships with some
> shared libraries that are intended for internal use (common code between
> the various quagga routing daemons). These internal libraries have
> always had SONAME 0 up until now.
> 
> At some point between Quagga 0.99.24 and 1.1.0, the ABI on these dynamic
> libraries changed, and it was recently reported upstream as a bug
> against 1.1.0 [0]. Subsequently, between Quagga 1.1.0 and 1.1.1,
> upstream has bumped the SONAME on one of the libraries [1][2].
> 
> I'm looking for advice on what to do in this situation as the ABI change
> has already occurred on the package that is already in testing. Quagga
> has no reverse dependencies in Debian that link to these shared
> libraries. Should I still go through the transition process before
> uploading 1.1.1?
> 
> As the quagga binary packages have cross-dependencies on the same
> version as each other, linking Quagga executables against different
> versions of the shared libraries couldn't occur with Debian packages.
> The only way that this ABI change could cause issues is the way that it
> did in [0], where the user was compiling different versions of quagga
> and linking them against the packaged shared libraries.
> 
> Any advice would be appreciated.

Since there are no rdeps, this isn't a transition. Just upload the new version
(with the proper renamed libquagga) asap.

Cheers,
Emilio