Merge ~bryce/ubuntu/+source/dovecot:eoan-merge-2.3.4.1-5 into ubuntu/+source/dovecot:debian/sid

Proposed by Bryce Harrington
Status: Merged
Merge reported by: Bryce Harrington
Merged at revision: a25190fdf262d67620314d9d30979dc3fd79d6a3
Proposed branch: ~bryce/ubuntu/+source/dovecot:eoan-merge-2.3.4.1-5
Merge into: ubuntu/+source/dovecot:debian/sid
Diff against target: 1038 lines (+881/-1)
2 files modified
debian/changelog (+867/-0)
debian/control (+14/-1)
Reviewers:
  Christian Ehrhardt (community): Approve
  Canonical Server: Pending
Review via email: mp+366939@code.staging.launchpad.net

Description of the change

Merge with Debian's package. All Ubuntu CVE changes are present in Debian's packaging and have been dropped; one Ubuntu change remains.

PPA available for testing is at
https://launchpad.net/~bryce/+archive/ubuntu/dovecot-merge-2.3.4.1-5

Usual tags pushed.

Christian Ehrhardt (paelzer) wrote :

Hi Bryce,
This seems to be one of the "drop almost everything" merges.
I checked them and agree that Debian picked the same CVE fixes and a few more.

Ack to drop the security patches
Ack to keep mail-stack-delivery transitional for now
Ack to the Changelog

Fortunately this was not changing the dovecot version at all, so we don't even need the extra bells and whistles around dovecot-abi-* changing and making things uninstallable.

For some minimal testing I ran the autopkgtests against the PPA
# using new version from <email address hidden>:ci-team/autopkgtest.git
$ sudo autopkgtest-buildvm-ubuntu-cloud -a amd64 -r eoan -s 15G
$ sudo ~/work/autopkgtest/autopkgtest/runner/autopkgtest --no-built-binaries --apt-upgrade --shell-fail --setup-commands="add-apt-repository ppa:bryce/dovecot-merge-2.3.4.1-5; apt update; apt -y upgrade" dovecot_2.3.4.1-5ubuntu1.dsc -- qemu --qemu-options='-cpu host' --ram-size=2048 --cpus 4 ~/work/autopkgtest-eoan-amd64.img
[...]
autopkgtest [11:36:55]: @@@@@@@@@@@@@@@@@@@@ summary
doveadm PASS
systemd PASS
command1 PASS

I think, given that we only exchanged the Ubuntu delta vs the Debian delta and both being equal, we can stop review/validation here and upload this.

+1

review: Approve
Bryce Harrington (bryce) wrote :

Thank you for the review, and for providing the command line for testing; that's handy.

One thing I noticed in a double-check is that for CVE-2019-11494, the vendor supplied 3 patches, which we included in Ubuntu, but only 2 of the 3 were included in Debian. The stray patch appears to me to be simply cosmetic - it suppresses a warning for an unused variable in a struct. I've inquired with Debian about the rationale for dropping the patch (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928235), to verify my guess.

So, before uploading, just to be safe I'd like to just chase that one thread down to ground.
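
A check that would have surfaced the mismatch described in this comment, added here as an example and not part of the merge proposal or the dovecot packaging: it counts the patches carrying each CVE id in two debian/patches/series files and reports ids whose counts differ. The series contents and patch filenames are constructed, and CVE-0000-00001 is a placeholder id, not a real CVE.

```shell
#!/bin/sh
# Added example: compare per-CVE patch counts between two debian/patches/series
# files. The sample series contents below are constructed; patch filenames are
# placeholders and CVE-0000-00001 is a placeholder id, not a real CVE.
set -eu
export LC_ALL=C   # sort and join must agree on collation

# Count patches per CVE id named in a series file.
# Output lines: "<CVE-id> <count>", sorted by id (join needs sorted input).
cve_counts() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' "$1" | sort | uniq -c \
        | awk '{ print $2, $1 }'
}

# Print CVE ids whose patch count differs between series A and series B.
# Output lines: "<CVE-id> <count_in_A> <count_in_B>" (0 when absent on a side).
compare_cve_patches() {
    a=$(mktemp); b=$(mktemp)
    cve_counts "$1" > "$a"
    cve_counts "$2" > "$b"
    join -a 1 -a 2 -e 0 -o 0,1.2,2.2 "$a" "$b" | awk '$2 != $3'
    rm -f "$a" "$b"
}

# Constructed sample: the Ubuntu side carries all three vendor patches for
# CVE-2019-11494; the Debian side carries two of them plus one extra fix.
UBUNTU_SERIES=$(mktemp)
DEBIAN_SERIES=$(mktemp)
trap 'rm -f "$UBUNTU_SERIES" "$DEBIAN_SERIES"' EXIT
cat > "$UBUNTU_SERIES" <<'EOF'
CVE-2019-11494-1.patch
CVE-2019-11494-2.patch
CVE-2019-11494-3-unused-variable.patch
EOF
cat > "$DEBIAN_SERIES" <<'EOF'
CVE-2019-11494-1.patch
CVE-2019-11494-2.patch
CVE-0000-00001-placeholder.patch
EOF

# Prints "CVE-0000-00001 0 1" and "CVE-2019-11494 3 2".
compare_cve_patches "$UBUNTU_SERIES" "$DEBIAN_SERIES"
```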

Andreas Hasenack (ahasenack) wrote :

Sounds good. You can also comment on the salsa commit if there is no response in the bug: https://salsa.debian.org/debian/dovecot/commit/b4760702f90bc2f8ea863132a252c37f4f742786

In any case, the three changes are applied upstream, so as soon as we get a version bump, everybody will have the same again.

Bryce Harrington (bryce) wrote :

Right, I also verified the changes landed upstream, and there is a new .6 upstream release, so presumably it won't be long until the next version bump.

Bryce Harrington (bryce) wrote :

I ran the tests in the lxc container:

0. Setup:

   $ lxc launch ubuntu-daily:19.10 dovecot-merge-test
   $ lxc exec dovecot-merge-test bash
   # add-apt-repository -sy ppa:bryce/dovecot-merge-2.3.4.1-5
   # apt update

1. Do an apt install on the package, then apt remove:

   # apt policy dovecot-core
   Candidate: 1:2.3.4.1-5ubuntu1~ppa1

   # apt install dovecot-core

   # service dovecot status
   Active: active (running) since Mon 2019-05-06 21:28:51 UTC; 1min 38s ago

   # apt remove dovecot-core

   # service dovecot status
   Active: inactive (dead) since Mon 2019-05-06 21:31:24 UTC; 7s ago

2. Test upgrade:

   # apt install dovecot-core=1:2.3.4.1-1ubuntu3

   # apt policy dovecot-core
   Installed: 1:2.3.4.1-1ubuntu3
   Candidate: 1:2.3.4.1-5ubuntu1~ppa1

   # apt upgrade -y

   # apt policy dovecot-core
   Installed: 1:2.3.4.1-5ubuntu1~ppa1

3. Run tests:

   # apt install -y autopkgtest

   # autopkgtest dovecot -- null
   command1 SKIP Test breaks testbed but testbed does not provide revert-full-system
   doveadm PASS
   systemd PASS

Christian Ehrhardt (paelzer) wrote :

Yep, thanks for the double check on the CVE changes.

Strictly speaking we'd want to retain that lost patch if possible, but let's wait a few days for Debian to respond to your question first.

Seth Arnold (seth-arnold) wrote :

This is the missing commit:

https://seclists.org/oss-sec/2019/q2/att-82/0001-submission-login-Remove-unused-client-pending_startt.patch

It looks fine to drop it; it'll introduce a warning, but it shouldn't affect anything.

Thanks

Bryce Harrington (bryce) wrote :

Thanks Seth, and feedback from Debian is that this was the reason they dropped it as well.
https://salsa.debian.org/debian/dovecot/commit/b4760702f90bc2f8ea863132a252c37f4f742786#login-pane

Since the patch is included upstream we will get it in a subsequent release, so looks good to go now.
