Debian Bug report logs - #686814
unblock: swift/1.4.8-2

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Thomas Goirand <zigo@debian.org>

Date: Thu, 6 Sep 2012 09:00:02 UTC

Severity: normal

Tags: moreinfo

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, openstack-devel@lists.alioth.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#686814; Package release.debian.org. (Thu, 06 Sep 2012 09:00:04 GMT)

Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to openstack-devel@lists.alioth.debian.org, Debian Release Team <debian-release@lists.debian.org>. (Thu, 06 Sep 2012 09:00:04 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: swift/1.4.8-2
Date: Thu, 06 Sep 2012 16:56:52 +0800
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package swift. This new version fixes CVE-2012-4406 / #686812.
Debdiff attached: it only adds the upstream patch as seen here:
https://github.com/openstack/swift/commit/e1ff51c04554d51616d2845f92ab726cb0e5831a

Please unblock swift/1.4.8-2,
Cheers,

Thomas Goirand (zigo)
[swift_1.4.8-2.debdiff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#686814; Package release.debian.org. (Thu, 06 Sep 2012 18:57:03 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 06 Sep 2012 18:57:03 GMT)

Message #10 received at 686814@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Thomas Goirand <zigo@debian.org>, 686814@bugs.debian.org
Subject: Re: Bug#686814: unblock: swift/1.4.8-2
Date: Thu, 06 Sep 2012 19:52:27 +0100
Control: tags -1 + moreinfo

On Thu, 2012-09-06 at 16:56 +0800, Thomas Goirand wrote:
> Please unblock package swift. This new version fixes CVE-2012-4406 / #686812.
> Debdiff attached: it only adds upstream patch as see here:
> https://github.com/openstack/swift/commit/e1ff51c04554d51616d2845f92ab726cb0e5831a

+ To avoid issues on upgrades (unability to read pickled values, and cache

s/unability/inability/, fwiw.

+ poisoning for old servers not understanding JSON), we add a
+ memcache_serialization_support configuration option, with the following
+ values:
+ .
+  0 = older, insecure pickle serialization
+  1 = json serialization but pickles can still be read (still insecure)
+  2 = json serialization only (secure and the default)
+ .
+ To avoid an instant full cache flush, existing installations should
+ upgrade with 0, then set to 1 and reload, then after some time (24
+ hours) set to 2 and reload. Support for 0 and 1 will be removed in
+ future versions.
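Review bot: the staged upgrade this entry prescribes (upgrade with 0, then 1, then after ~24 hours 2) cannot actually be followed on a Debian package upgrade, because 2 is stated to be the default and the option is only described in a changelog the admin reads after the restart; put the procedure in a NEWS.Debian entry (or a debconf note) so it is shown before the upgrade, and say plainly that going straight to 2 discards every existing cache entry, since that is the outcome for everyone who does not pre-set the option.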

Reading the patch, I'm assuming that this means that every user
upgrading the package will have their cache immediately invalidated, as
there's no way they can know the above information before the upgrade
has been completed.

Not being that familiar with the package, I'm not sure whether this is a
practical issue in this case...

Regards,

Adam
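The three memcache_serialization_support levels quoted above, as an added example that is not part of this bug log or of Swift's own code. The example models a memcached client as a dict of (flags, bytes) entries shared between several "servers", tags each entry with a format flag, and walks the 0 -> 1 -> 2 upgrade path over one cache. The flag constants, the class and function names and the planted "token/evil" entry are this example's own assumptions; the only thing the planted pickle does on load is call eval on "6 * 7", which stands in for the arbitrary code that pickle.loads would run on attacker-controlled data.

```python
import json
import pickle

# Memcache "flags" bits used here to tag a stored value's format.
# These constants, and everything below, are this example's own; they are
# not Swift's code.
PICKLE_FLAG = 1
JSON_FLAG = 2


class Canary:
    """Object whose pickle runs a callable when loaded.

    That is the property that makes pickle.loads on a shared cache unsafe.
    The callable chosen here is harmless: eval("6 * 7") returns 42, so a
    reader can tell from the value whether unpickling happened at all.
    """

    def __reduce__(self):
        return (eval, ("6 * 7",))


class MemcacheRing:
    """In-memory stand-in for a memcached client storing (flags, bytes)
    pairs, configured like the changelog's memcache_serialization_support:
      0 = write pickle, read pickle and JSON
      1 = write JSON, read pickle and JSON (still unsafe)
      2 = write JSON, read JSON only
    """

    def __init__(self, serialization_support, store):
        if serialization_support not in (0, 1, 2):
            raise ValueError("memcache_serialization_support must be 0, 1 or 2")
        self._write_pickle = serialization_support == 0     # level 0 only
        self._allow_unpickle = serialization_support < 2    # levels 0 and 1
        self._store = store  # shared dict: several "servers" see one cache

    def set(self, key, value):
        # Level 0 keeps writing pickles so servers that have not been
        # upgraded yet can still read the cache.
        if self._write_pickle:
            self._store[key] = (PICKLE_FLAG, pickle.dumps(value))
        else:
            self._store[key] = (JSON_FLAG, json.dumps(value).encode("utf-8"))

    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        flags, data = entry
        if flags & JSON_FLAG:
            return json.loads(data.decode("utf-8"))
        if flags & PICKLE_FLAG and self._allow_unpickle:
            return pickle.loads(data)
        # Level 2 never unpickles: a pickled entry is a miss, not an error.
        # This is the "instant full cache flush" the changelog warns about.
        return None


def migration_demo():
    """Run the 0 -> 1 -> 2 upgrade path over one shared cache and report
    what each level returns for entries written by the previous one."""
    store = {}
    results = {}

    # Level 0 (pre-fix behaviour): everything is written as a pickle.
    old = MemcacheRing(0, store)
    old.set("token/abc", {"user": "alice"})
    # A poisoned entry planted directly in the cache (constructed for the demo).
    store["token/evil"] = (PICKLE_FLAG, pickle.dumps(Canary()))

    # Level 1: old pickles are still read (and still executed), but every
    # value written from now on is JSON.
    mid = MemcacheRing(1, store)
    results["level1_reads_pickle"] = mid.get("token/abc")
    mid.set("token/abc", {"user": "alice"})
    results["level1_format"] = store["token/abc"][0]
    results["level1_canary"] = mid.get("token/evil")   # 42: eval ran

    # Level 2: JSON only. The planted pickle is ignored, not executed.
    new = MemcacheRing(2, store)
    results["level2_reads_json"] = new.get("token/abc")
    results["level2_canary"] = new.get("token/evil")   # None: a miss
    return results


if __name__ == "__main__":
    for name, value in migration_demo().items():
        print(f"{name}: {value!r}")
```

Running the demo shows why level 1 is described as "still insecure": the canary fires there exactly as it does at level 0, and only level 2 refuses the pickled entry, at the cost of treating every entry not yet rewritten as JSON as a miss.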




Added tag(s) moreinfo. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 686814-submit@bugs.debian.org. (Thu, 06 Sep 2012 18:57:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#686814; Package release.debian.org. (Fri, 07 Sep 2012 12:18:03 GMT)

Acknowledgement sent to Julien Danjou <julien@danjou.info>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 07 Sep 2012 12:18:03 GMT)

Message #17 received at 686814@bugs.debian.org (full text, mbox):

From: Julien Danjou <julien@danjou.info>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 686814@bugs.debian.org, Thomas Goirand <zigo@debian.org>
Subject: Re: Bug#686814: unblock: swift/1.4.8-2
Date: Fri, 07 Sep 2012 14:14:26 +0200
On Thu, Sep 06 2012, Adam D. Barratt wrote:

> Reading the patch, I'm assuming that this means that every user
> upgrading the package will have their cache immediately invalidated, as
> there's no way they can know the above information before the upgrade
> has been completed.

You are right.

> Not being that familiar with the package, I'm not sure whether this is a
> practical issue in this case...

It's not an issue in terms of proper functioning, only in terms of
performance after restart since this will be a cold start.

But that's the price to pay for security, so I think it's worth it.

-- 
Julien Danjou
/* Free Software hacker & freelance
   http://julien.danjou.info */
[Message part 2 (application/pgp-signature, inline)]

Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility. (Fri, 07 Sep 2012 15:03:03 GMT)

Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Fri, 07 Sep 2012 15:03:03 GMT)

Message #22 received at 686814-done@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Julien Danjou <julien@danjou.info>, 686814-done@bugs.debian.org
Cc: Thomas Goirand <zigo@debian.org>
Subject: Re: Bug#686814: unblock: swift/1.4.8-2
Date: Fri, 07 Sep 2012 16:00:31 +0100
On Fri, 2012-09-07 at 14:14 +0200, Julien Danjou wrote:
> On Thu, Sep 06 2012, Adam D. Barratt wrote:
> > Reading the patch, I'm assuming that this means that every user
> > upgrading the package will have their cache immediately invalidated, as
[...]
> > Not being that familiar with the package, I'm not sure whether this is a
> > practical issue in this case...
> 
> It's not an issue in terms of proper functioning, only in terms of
> performance after restart since this will be a cold start.

Thanks for the confirmation; unblocked.

Regards,

Adam




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 06 Oct 2012 07:25:38 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:15:20 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.