Bug#931608: buster-pu: package cloudkitty/8.0.0-4
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
The attached debdiff fixes the FTBFS. Details are in the relevant bugs
(as per the debian/changelog). Please allow me to upload the fix to
Buster.
Cheers,
Thomas Goirand (zigo)
diff -Nru cloudkitty-8.0.0/debian/changelog cloudkitty-8.0.0/debian/changelog
--- cloudkitty-8.0.0/debian/changelog	2019-01-24 14:45:39.000000000 +0100
+++ cloudkitty-8.0.0/debian/changelog	2019-06-28 15:01:45.000000000 +0200
@@ -1,3 +1,11 @@
+cloudkitty (8.0.0-4+deb10u1) buster; urgency=medium
+
+  * Add upstream patch to fix FTBFS after we updated SQLAlchemy to fix
+    CVE-2019-7164 CVE-2019-7548 (SQL injection) (see debian bug 922669 and
+    929321 for more info) (Closes: #930996).
+
+ -- Thomas Goirand <zigo@debian.org>  Fri, 28 Jun 2019 15:01:45 +0200
+
 cloudkitty (8.0.0-4) unstable; urgency=medium
 
   * Correct default path to metrics.yml in [collect]/metrics_conf.
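Review bot: The new changelog entry names the CVEs fixed by the SQLAlchemy update but not the patch this upload adds, so it can be read as if this upload were the CVE fix. Suggest naming Fix_sqlalchemy_grouping_on_v1_storage.patch in the entry and stating that the SQL injection fix came with the SQLAlchemy update, with this upload only repairing the FTBFS.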
diff -Nru cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch
--- cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch	1970-01-01 01:00:00.000000000 +0100
+++ cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch	2019-06-28 15:01:45.000000000 +0200
@@ -0,0 +1,39 @@
+Description: Fix sqlalchemy grouping on v1 storage (Fixes FTBFS in Buster)
+ This fixes "CompileError: Can't resolve label reference for
+ ORDER BY / GROUP BY." error messages raised by sqlalchemy when the groupby
+ expression includes a comma.
+Author: Luka Peschke <luka.peschke@objectif-libre.com>
+Date: Tue, 4 Jun 2019 15:21:05 +0200
+Change-Id: Ia253175b45b8222aaee415ea535fa4102312be5a
+Bug-Debian: https://bugs.debian.org/930996
+Origin: upstream, https://review.opendev.org/668120
+Last-Update: 2019-06-28
+
+diff --git a/cloudkitty/storage/v1/sqlalchemy/__init__.py b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+index 77403e3..7b56da6 100644
+--- a/cloudkitty/storage/v1/sqlalchemy/__init__.py
++++ b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+@@ -127,7 +127,7 @@ class SQLAlchemyStorage(storage.BaseStorage):
+             self.frame_model.end <= end,
+             self.frame_model.res_type != '_NO_DATA_')
+         if groupby:
+-            q = q.group_by(groupby)
++            q = q.group_by(sqlalchemy.sql.text(groupby))
+ 
+         # Order by sum(rate)
+         q = q.order_by(sqlalchemy.func.sum(self.frame_model.rate))
+diff --git a/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+new file mode 100644
+index 0000000..02c1e4d
+--- /dev/null
++++ b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+@@ -0,0 +1,6 @@
++---
++fixes:
++  - |
++    ``CompileError: Can't resolve label reference for ORDER BY / GROUP BY.``
++    errors that were sometimes raised by SQLAlchemy when using the v1 storage
++    backend and grouping on ``tenant_id`` and ``res_type`` have been fixed.
+-- 
+2.7.4
+
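Review bot: In the change to cloudkitty/storage/v1/sqlalchemy/__init__.py, q.group_by(sqlalchemy.sql.text(groupby)) places the groupby string into the GROUP BY clause as literal SQL, which is the string-to-SQL coercion that the SQLAlchemy update for CVE-2019-7164 and CVE-2019-7548 stopped performing implicitly. The hunk does not show where groupby originates or whether it is validated. The release note names only tenant_id and res_type as grouping keys, so it would be safer to check each comma-separated name against that fixed set and pass the matching self.frame_model columns to group_by() rather than text(). If text() stays, a comment at this line stating that groupby never carries caller-controlled input would make the assumption reviewable.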
diff -Nru cloudkitty-8.0.0/debian/patches/series cloudkitty-8.0.0/debian/patches/series
--- cloudkitty-8.0.0/debian/patches/series	2019-01-24 14:45:39.000000000 +0100
+++ cloudkitty-8.0.0/debian/patches/series	2019-06-28 15:01:45.000000000 +0200
@@ -1,3 +1,4 @@
 allow-any-sqla-version.patch
 missing-files.patch
 remove-mathjax-extention-from-sphinx-doc.patch
+Fix_sqlalchemy_grouping_on_v1_storage.patch