Debian Bug report logs - #599255
unblock: zabbix/1.8.3-2

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Jordi Mallach <jordi@debian.org>

Date: Wed, 6 Oct 2010 09:12:07 UTC

Severity: normal

Tags: moreinfo

Done: Mehdi Dogguy <mehdi@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, zabbix@packages.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#599255; Package release.debian.org. (Wed, 06 Oct 2010 09:12:10 GMT)

Acknowledgement sent to Jordi Mallach <jordi@debian.org>:
New Bug report received and forwarded. Copy sent to zabbix@packages.debian.org, Debian Release Team <debian-release@lists.debian.org>. (Wed, 06 Oct 2010 09:12:10 GMT)

Message #5 received at submit@bugs.debian.org:

From: Jordi Mallach <jordi@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: zabbix/1.8.3-2
Date: Wed, 06 Oct 2010 09:57:38 +0200
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception

Please unblock package zabbix

Zabbix 1.8.3 includes a security fix (CVE-2010-2790) plus a series of
important packaging fixes.

zabbix  (1:1.8.3-2) unstable; urgency=low

   * Added versioned build dependency on autotools-dev (closes: #598578)

 -- Christoph Haas <haas@debian.org>  Thu, 30 Sep 2010 21:59:34 +0200

zabbix (1:1.8.3-1) unstable; urgency=low

   * New upstream release fixes security issue CVE-2010-2790 (closes: #594304)
   * Removed flash clock applet that upstream ships without source
     (closes: #591967)
   * Removed bashism from zabbix agent init.d file (closes: #581148)
   * Removed bashism from zabbix proxy mysql init.d file (closes: #581149)
   * Removed bashism from zabbix proxy pgsql init.d file (closes: #581150)
   * Removed bashism from zabbix server mysql init.d file (closes: #581151)
   * Removed bashism from zabbix server pgsql init.d file (closes: #581152)
   * Added weak dependency on mysql/postgresql in the LSB section of the
     init.d scripts for zabbix-server-mysql and zabbix-server-pgsql
     (closes: #578879)

 -- Christoph Haas <haas@debian.org>  Sat, 21 Aug 2010 15:41:19 +0200 

unblock zabbix/1.8.3-2

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=ca_ES.UTF-8@valencia, LC_CTYPE=ca_ES.UTF-8@valencia (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#599255; Package release.debian.org. (Thu, 07 Oct 2010 17:33:03 GMT)

Acknowledgement sent to Mehdi Dogguy <mehdi@dogguy.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 07 Oct 2010 17:33:03 GMT)

Message #10 received at 599255@bugs.debian.org:

From: Mehdi Dogguy <mehdi@dogguy.org>
To: Jordi Mallach <jordi@debian.org>, 599255@bugs.debian.org, Christoph Haas <haas@debian.org>
Subject: Re: Bug#599255: unblock: zabbix/1.8.3-2
Date: Thu, 07 Oct 2010 19:28:09 +0200
[ CC'ing Christoph Haas since he's the uploader ]

On 06/10/2010 09:57, Jordi Mallach wrote:
> Package: release.debian.org Severity: normal User: 
> release.debian.org@packages.debian.org Usertags: freeze-exception
> 
> Please unblock package zabbix
> 
> Zabbix 1.8.3 includes a security fix (CVE-2010-2790) plus a series of 
> important packaging fixes.
> 

The diff is quite large. I don't think it's reasonable to unblock it at
this stage of the freeze.

	 643 files changed, 57774 insertions(+), 93146 deletions(-)

Most of the changes are packaging related. Concerning the security bug, it
seems possible to extract a fix. Looking at the diff (file attached) for
frontends/php/include/classes/class.curl.php, it seems pretty easy to
provide a simple fix. Why didn't you try to do that instead of introducing
this new upstream release?

Regards,

-- 
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/
[class_url.inc.php.diff (text/x-diff, attachment)]

Added tag(s) moreinfo. Request was from Mehdi Dogguy <mehdi@debian.org> to control@bugs.debian.org. (Thu, 07 Oct 2010 18:45:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#599255; Package release.debian.org. (Sun, 10 Oct 2010 12:00:08 GMT)

Acknowledgement sent to Christoph Haas <haas@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 10 Oct 2010 12:00:08 GMT)

Message #17 received at 599255@bugs.debian.org:

From: Christoph Haas <haas@debian.org>
To: Jordi Mallach <jordi@debian.org>, 599255@bugs.debian.org
Subject: Re: Bug#599255: unblock: zabbix/1.8.3-2
Date: Sun, 10 Oct 2010 13:50:53 +0200
Am 07.10.2010 20:22, schrieb Mehdi Dogguy:
> [ CC'ing Christoph Haas since he's the uploader ]
> 
> On 06/10/2010 09:57, Jordi Mallach wrote:
>> Package: release.debian.org Severity: normal User: 
>> release.debian.org@packages.debian.org Usertags: freeze-exception
>>
>> Please unblock package zabbix
>>
>> Zabbix 1.8.3 includes a security fix (CVE-2010-2790) plus a series of 
>> important packaging fixes.
>>
> 
> The diff is quite large. I don't think it's reasonable to unblock it at
> this stage of the freeze.
> 
> 	 643 files changed, 57774 insertions(+), 93146 deletions(-)
> 
> Most of the changes are packaging related. Concerning the security bug, it
> seems possible to extract a fix. Looking at the diff (file attached) for
> frontends/php/include/classes/class.curl.php, it seems pretty easy to
> provide a simple fix. Why didn't you try to do that instead of introducing
> this new upstream release?

Bad timing. I really had hoped to have 1.8.3 ready before Squeeze got
frozen because refactoring the Debian packages was desperately
necessary. Okay, I'm talking to the upstream about a minimal patch to
fix this very issue.

 Christoph




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#599255; Package release.debian.org. (Mon, 18 Oct 2010 20:51:04 GMT)

Acknowledgement sent to Mehdi Dogguy <mehdi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 18 Oct 2010 20:51:04 GMT)

Message #22 received at 599255@bugs.debian.org:

From: Mehdi Dogguy <mehdi@debian.org>
To: Christoph Haas <haas@debian.org>, 599255@bugs.debian.org
Subject: Re: Bug#599255: unblock: zabbix/1.8.3-2
Date: Mon, 18 Oct 2010 22:44:24 +0200
tag 599255 + moreinfo
thanks

On 10/10/2010 01:50 PM, Christoph Haas wrote:
> 
> Okay, I'm talking to the upstream about a minimal patch to fix this
> very issue.
> 

Any news?

I'd appreciate an upload fixing #598578, #594304, #591967, various bugs
about bashism and #578879.

Regards,

-- 
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#599255; Package release.debian.org. (Mon, 18 Oct 2010 20:57:03 GMT)

Acknowledgement sent to Christoph Haas <haas@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 18 Oct 2010 20:57:03 GMT)

Message #27 received at 599255@bugs.debian.org:

From: Christoph Haas <haas@debian.org>
To: Mehdi Dogguy <mehdi@debian.org>
Cc: 599255@bugs.debian.org
Subject: Re: Bug#599255: unblock: zabbix/1.8.3-2
Date: Mon, 18 Oct 2010 22:52:53 +0200
Am 18.10.2010 22:44, schrieb Mehdi Dogguy:
> On 10/10/2010 01:50 PM, Christoph Haas wrote:
>> Okay, I'm talking to the upstream about a minimal patch to fix this
>> very issue.
> 
> Any news?
> 
> I'd appreciate an upload fixing #598578, #594304, #591967, various bugs
> about bashism and #578879.

Yes, I already got a reply from the upstream support. I have submitted a
patch they were evaluating. So far it looks good and they proposed to
patch another file for the 1.8.3 security fix. They promised to get back
to me quickly to confirm that the final patch will do the job but wanted
to run it by their QA. I'm confident they are taking the matter
seriously but will send them a ping nonetheless.

…Christoph




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#599255; Package release.debian.org. (Mon, 25 Oct 2010 18:30:03 GMT)

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 25 Oct 2010 18:30:03 GMT)

Message #37 received at 599255@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Christoph Haas <haas@debian.org>, 599255@bugs.debian.org
Cc: Mehdi Dogguy <mehdi@debian.org>
Subject: Re: Bug#599255: unblock: zabbix/1.8.3-2
Date: Mon, 25 Oct 2010 20:27:24 +0200
On Mon, Oct 18, 2010 at 22:52:53 +0200, Christoph Haas wrote:

> Am 18.10.2010 22:44, schrieb Mehdi Dogguy:
> > On 10/10/2010 01:50 PM, Christoph Haas wrote:
> >> Okay, I'm talking to the upstream about a minimal patch to fix this
> >> very issue.
> > 
> > Any news?
> > 
> > I'd appreciate an upload fixing #598578, #594304, #591967, various bugs
> > about bashism and #578879.
> 
> Yes, I already got a reply from the upstream support. I have submitted a
> patch they were evaluating. So far it looks good and they proposed to
> patch another file for the 1.8.3 security fix. They promised to get back
> to me quickly to confirm that the final patch will do the job but wanted
> to run it by their QA. I'm confident they are taking the matter
> seriously but will send them a ping nonetheless.
> 
Any luck?

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#599255; Package release.debian.org. (Mon, 25 Oct 2010 20:09:08 GMT)

Acknowledgement sent to Christoph Haas <haas@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 25 Oct 2010 20:09:08 GMT)

Message #42 received at 599255@bugs.debian.org:

From: Christoph Haas <haas@debian.org>
To: Julien Cristau <jcristau@debian.org>
Cc: 599255@bugs.debian.org, Mehdi Dogguy <mehdi@debian.org>
Subject: Re: Bug#599255: unblock: zabbix/1.8.3-2
Date: Mon, 25 Oct 2010 22:05:05 +0200
Am 25.10.2010 20:27, schrieb Julien Cristau:
> On Mon, Oct 18, 2010 at 22:52:53 +0200, Christoph Haas wrote:
> 
>> Am 18.10.2010 22:44, schrieb Mehdi Dogguy:
>>> On 10/10/2010 01:50 PM, Christoph Haas wrote:
>>>> Okay, I'm talking to the upstream about a minimal patch to fix this
>>>> very issue.
>>>
>>> Any news?
>>>
>>> I'd appreciate an upload fixing #598578, #594304, #591967, various bugs
>>> about bashism and #578879.
>>
>> Yes, I already got a reply from the upstream support. I have submitted a
>> patch they were evaluating. So far it looks good and they proposed to
>> patch another file for the 1.8.3 security fix. They promised to get back
>> to me quickly to confirm that the final patch will do the job but wanted
>> to run it by their QA. I'm confident they are taking the matter
>> seriously but will send them a ping nonetheless.
>>
> Any luck?

Apparently there was a miscommunication between the support and the
developers. Seems I have what I need. I'll prepare a package until tomorrow.

…Christoph




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#599255; Package release.debian.org. (Tue, 26 Oct 2010 21:57:02 GMT)

Acknowledgement sent to Christoph Haas <haas@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 26 Oct 2010 21:57:02 GMT)

Message #47 received at 599255@bugs.debian.org:

From: Christoph Haas <haas@debian.org>
To: Mehdi Dogguy <mehdi@debian.org>
Cc: 599255@bugs.debian.org
Subject: Re: Bug#599255: unblock: zabbix/1.8.3-2
Date: Tue, 26 Oct 2010 23:55:46 +0200
Hi Mehdi…

Am 18.10.2010 22:44, schrieb Mehdi Dogguy:
> On 10/10/2010 01:50 PM, Christoph Haas wrote:
>>
>> Okay, I'm talking to the upstream about a minimal patch to fix this
>> very issue.
>>
> I'd appreciate an upload fixing #598578, #594304, #591967, various bugs
> about bashism and #578879.

Done!

#598578:
It only applies to version 1.8.3-1 so it does not matter for an updated
1.8.2 version.

#594304:
The cve-2010-2790 issue is now fixed.

#591967:
Patch taken from 1.8.3 package.

#578879:
init.d files taken from 1.8.3 package.

This should cover everything needed to ship Zabbix 1.8.2 with 'squeeze'.
I wished we could have 1.8.3 in Squeeze since it's out for two months
already with no serious bugs reported. Its packaging is way cleaner and
more robust. But in the end it's not my decision.

I have just uploaded the package as revision 1:1.8.2-1squeeze1 to the
testing-proposed-updates queue. Let me know if I need to do anything else.

…Christoph




Reply sent to Mehdi Dogguy <mehdi@debian.org>:
You have taken responsibility. (Wed, 27 Oct 2010 08:24:04 GMT)

Notification sent to Jordi Mallach <jordi@debian.org>:
Bug acknowledged by developer. (Wed, 27 Oct 2010 08:24:04 GMT)

Message #52 received at 599255-done@bugs.debian.org:

From: Mehdi Dogguy <mehdi@debian.org>
To: Christoph Haas <haas@debian.org>, 599255-done@bugs.debian.org
Subject: Re: Bug#599255: unblock: zabbix/1.8.3-2
Date: Wed, 27 Oct 2010 10:16:53 +0200
On 10/26/2010 11:55 PM, Christoph Haas wrote:
> Hi Mehdi…
> 
> Am 18.10.2010 22:44, schrieb Mehdi Dogguy:
>> On 10/10/2010 01:50 PM, Christoph Haas wrote:
>>>
>>> Okay, I'm talking to the upstream about a minimal patch to fix this
>>> very issue.
>>>
>> I'd appreciate an upload fixing #598578, #594304, #591967, various bugs
>> about bashism and #578879.
> 
> Done!
> 

Approved.

The changelog is missing:

   * Added weak dependency on mysql/postgresql in the LSB section of the
     init.d scripts for zabbix-server-mysql and zabbix-server-pgsql
     (closes: #578879).

I've marked #578879 as fixed in 1:1.8.2-1squeeze1.

Thanks for your work,

-- 
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#599255; Package release.debian.org. (Wed, 27 Oct 2010 08:27:08 GMT)

Acknowledgement sent to Mehdi Dogguy <mehdi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 27 Oct 2010 08:27:08 GMT)

Message #57 received at 599255@bugs.debian.org:

From: Mehdi Dogguy <mehdi@debian.org>
To: Christoph Haas <haas@debian.org>, 599255@bugs.debian.org
Subject: Re: Bug#599255: unblock: zabbix/1.8.3-2
Date: Wed, 27 Oct 2010 10:19:12 +0200
On 10/27/2010 10:16 AM, Mehdi Dogguy wrote:
> 
> The changelog is missing:
> 
>    * Added weak dependency on mysql/postgresql in the LSB section of the
>      init.d scripts for zabbix-server-mysql and zabbix-server-pgsql
>      (closes: #578879).
> 
> I've marked #578879 as fixed in 1:1.8.2-1squeeze1.
> 

Hum… no, I'm just blind. Anyway…

-- 
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 25 Nov 2010 07:32:38 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 02:11:55 2014; Machine Name: buxtehude.debian.org
