Bug#929321: unblock: sqlalchemy/1.2.18+ds1-2 (CVE-2019-7164 CVE-2019-7548)

On Wed, May 29, 2019, at 5:28 PM, Thomas Goirand wrote:

Dear Debian release team,

Please note that, even though I was the person who updated SQLAlchemy to
apply the upstream CVE fix, I am not the official maintainer of the
package, and that this is probably up to Piotr to do the work. I'm
happily replying though. :)

I'm CC-ing Piotr and Mike Bayer (upstream for SQLAlchemy).

On 5/28/19 8:59 PM, Paul Gevers wrote:
> Control: tags -1 moreinfo confirmed

> Hi Zigo,

> On Tue, 21 May 2019 17:50:28 +0200 Thomas Goirand <zigo@debian.org> wrote:
>> Note that it may (or not) break some reverse dependencies, though according
>> to upstream, OpenStack (the biggest SQLAlchemy consumer in Debian) behaves
>> correctly with it. If this happens, then these reverse dependencies will
>> have to be fixed.

> Do you already have indications that this may be the case?

For all things OpenStack, I'm pretty sure that everything is ok, because
the upstream author of SQLAlchemy has been hired by Red Hat to make sure
OpenStack uses SQLAlchemy the proper way.

For other dependencies, it's harder to know.

> Have you
> already warned the reverse dependencies to check? I would appreciate it
> if you do such that we can also have those fixed reverse dependencies in
> buster.

> Paul

Here's the list of reverse dependencies for python3-sqlalchemy:

* buildbot
* changeme
* db2twitter
* dms-core [amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64el s390x]
* mailman3
* openlp
* python3-agatesql
* python3-geoalchemy2
* python3-osmalchemy
* python3-pybel
* python3-sadisplay
* python3-sqlsoup
* retweet
* sqlacodegen
* yokadi

Here are those for python-sqlalchemy:

* archipel-core
* bauble
* blogofile-converters
* childsplay
* epigrass [amd64 arm64 armel armhf i386 kfreebsd-amd64 mips mips64el mipsel ppc64el s390x]
* gnukhata-core
* gourmet
* griffith
* kamcli
* pegasus-wms
* pycsw-wsgi
* python-elixir
* python-pywps
* python-sprox
* python-sqlkit
* python-sqlsoup
* python-zope.sqlalchemy
* pytrainer
* vistrails
* yhsm-yubikey-ksm

I removed all-things-openstack and libraries that are very unlikely to
have issues, such as sqlalchemy-utils and others.

I don't know any of the above packages. It would be hard to tell who's
affected by a related problem, though the misuse of SQLAlchemy
(because that's really what we're talking about here... a misuse that
should have been considered a bug to begin with, even without the
applied patch to SQLAlchemy) is quite rare.

I very much think it's safer to just allow SQLAlchemy to migrate right
now, to fix the potential SQL insertion vulnerability, rather than
waiting for any (potential, but likely rare) issue in the above reverse
dependencies.

I do think a gentle ping to the maintainers of the above packages would
be nice, but probably mass-filing of bugs isn't needed. How can I
easily gather the list of maintainers? Is there a script somewhere to do
this, or should I write it myself (which shouldn't be hard with some
apt-cache show in a loop...)?

Piotr, Mike, is what I wrote above accurate?

I can confirm OpenStack is likely OK, most packages are likely OK, and if a package is not OK, it's a trivial fix for them.

Cheers,

Thomas Goirand (zigo)
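For the "apt-cache show in a loop" Thomas asks about, here is a small script added as an illustration; it is not part of the thread and assumes a Debian host with apt-cache and populated package lists (the package names are the reverse dependencies listed above, the stanza used for testing is constructed).

```shell
#!/bin/sh
# Added example: collect the Maintainer of each reverse dependency so that
# each maintainer can be pinged once. Assumes apt-cache with populated lists.

# Print the Maintainer field of the first stanza read on stdin.
# apt-cache show emits one stanza per available version; one is enough.
extract_maintainer() {
    awk '
        /^Maintainer: / { sub(/^Maintainer: /, ""); print; exit }
        /^$/            { if (seen) exit; next }   # first stanza ended
                        { seen = 1 }
    '
}

# For each package name given, print "package<TAB>maintainer", or
# "package<TAB>(not found)" when apt-cache knows nothing about it.
maintainers_of() {
    for pkg in "$@"; do
        m=$(apt-cache show "$pkg" 2>/dev/null | extract_maintainer)
        printf '%s\t%s\n' "$pkg" "${m:-(not found)}"
    done
}

# Deduplicated maintainer list: several of the packages above are likely
# team-maintained, so one mail per address beats one per package.
unique_maintainers() {
    maintainers_of "$@" | cut -f2 | grep -v '^(not found)$' | sort -u
}

# Reverse dependencies of python3-sqlalchemy from the mail above.
RDEPS_PY3="buildbot changeme db2twitter dms-core mailman3 openlp
python3-agatesql python3-geoalchemy2 python3-osmalchemy python3-pybel
python3-sadisplay python3-sqlsoup retweet sqlacodegen yokadi"

if [ "$#" -gt 0 ]; then
    maintainers_of "$@"
    printf '\nUnique maintainers to ping:\n'
    unique_maintainers "$@"
else
    # shellcheck disable=SC2086  # word splitting is intended here
    maintainers_of $RDEPS_PY3
    printf '\nUnique maintainers to ping:\n'
    unique_maintainers $RDEPS_PY3
fi
```

Run it without arguments to process the python3-sqlalchemy list, or pass package names (for example the python-sqlalchemy list) as arguments.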