Package: osmosis Version: 0.47-2 Severity: important Tags: patch Hello,
we would like to remove libmysql-java from Debian because it is frequently affected by security vulnerabilities which are not fully disclosed. This makes it hard to determine the impact of such a flaw.[1] However we also have libmariadb-java which is a drop-in replacement and upstream is more transparent about security issues. Please find attached two patches that make the necessary changes to the Debian packaging. [1] https://bugs.debian.org/912916 Regards, Markus
>From 561c7f24a826bd66698eab804e52b7e4e2e9d2c1 Mon Sep 17 00:00:00 2001
From: Markus Koschany <a...@debian.org>
Date: Fri, 9 Nov 2018 13:39:08 +0100
Subject: [PATCH 1/2] Switch from libmysql-java to libmariadb-java.
---
 debian/control | 4 ++--
 debian/maven.rules | 1 +
 debian/patches/02-fix_plexus.patch | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/debian/control b/debian/control
index 1484230..fb9f2af 100644
--- a/debian/control
+++ b/debian/control
@@ -17,7 +17,7 @@ Build-Depends: debhelper (>= 9),
 libcommons-dbcp-java,
 libjdepend-java,
 libjpf-java,
- libmysql-java,
+ libmariadb-java,
 # libnetty-3.9-java,
 libpostgis-java,
 libpostgresql-jdbc-java,
@@ -47,7 +47,7 @@ Depends: default-jre-headless | java8-runtime-headless,
 libcommons-dbcp-java,
 libcommons-pool-java,
 libjpf-java,
- libmysql-java,
+ libmariadb-java,
 # libnetty-3.9-java,
 libpostgis-java,
 libpostgresql-jdbc-java,
diff --git a/debian/maven.rules b/debian/maven.rules
index 71365ce..3898b15 100644
--- a/debian/maven.rules
+++ b/debian/maven.rules
@@ -5,3 +5,4 @@ org.springframework spring-jdbc * s/.*/debian/ * *
 #s/org.jboss.netty/io.netty/ netty * s/.*/debian/ * *
 s/org.postgis/net.postgis/ postgis-jdbc * s/.*/debian/ * *
 s/com.fasterxml.woodstox/org.codehaus.woodstox/ s/woodstox-core/woodstox-core-lgpl/ * s/.*/debian/ * *
+s/mysql/org.mariadb.jdbc/ s/mysql-connector-java/mariadb-java-client/ * s/.*/debian/ * *
diff --git a/debian/patches/02-fix_plexus.patch b/debian/patches/02-fix_plexus.patch
index 26151a2..4fc867c 100644
--- a/debian/patches/02-fix_plexus.patch
+++ b/debian/patches/02-fix_plexus.patch
@@ -14,7 +14,7 @@ Forwarded: not-needed
 +load /usr/share/java/commons-compress.jar
 +load /usr/share/java/commons-codec.jar
 +load /usr/share/java/commons-dbcp.jar
-+load /usr/share/java/mysql-connector-java.jar
++load /usr/share/java/mariadb-java-client.jar
 +load /usr/share/java/postgis-jdbc.jar
 +load /usr/share/java/postgresql.jar
 +load /usr/share/java/spring3-beans.jar
-- 
2.19.1
>From 4b71149fb6e54088c184c0a6d75bce327688dfb6 Mon Sep 17 00:00:00 2001
From: Markus Koschany <a...@debian.org>
Date: Fri, 9 Nov 2018 13:56:12 +0100
Subject: [PATCH 2/2] Add mariadb.patch
---
 debian/patches/mariadb.patch | 24 ++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 25 insertions(+)
 create mode 100644 debian/patches/mariadb.patch
diff --git a/debian/patches/mariadb.patch b/debian/patches/mariadb.patch
new file mode 100644
index 0000000..86e2359
--- /dev/null
+++ b/debian/patches/mariadb.patch
@@ -0,0 +1,24 @@
+From: Markus Koschany <a...@debian.org>
+Date: Fri, 9 Nov 2018 13:55:11 +0100
+Subject: mariadb
+
+Use MariaDB driver class.
+
+Forwarded: no
+---
+ .../java/org/openstreetmap/osmosis/apidb/common/DataSourceFactory.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/osmosis-apidb/src/main/java/org/openstreetmap/osmosis/apidb/common/DataSourceFactory.java b/osmosis-apidb/src/main/java/org/openstreetmap/osmosis/apidb/common/DataSourceFactory.java
+index fe0f28d..adc4924 100644
+--- a/osmosis-apidb/src/main/java/org/openstreetmap/osmosis/apidb/common/DataSourceFactory.java
++++ b/osmosis-apidb/src/main/java/org/openstreetmap/osmosis/apidb/common/DataSourceFactory.java
+@@ -38,7 +38,7 @@ public final class DataSourceFactory {
+ /*+ "?loglevel=2"*/);
+ break;
+ case MYSQL:
+- dataSource.setDriverClassName("com.mysql.jdbc.Driver");
++ dataSource.setDriverClassName("com.mariadb.jdbc.Driver");
+ dataSource.setUrl("jdbc:mysql://" + credentials.getHost() + "/" + credentials.getDatabase());
+ break;
+ default:
diff --git a/debian/patches/series b/debian/patches/series
index abefb2d..ef0b803 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 02-fix_plexus.patch
 04-osmosis-version.patch
 disable-netty3.patch
+mariadb.patch
-- 
2.19.1
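Review bot: The driver class name set in the `case MYSQL:` branch of the new `debian/patches/mariadb.patch`, `com.mariadb.jdbc.Driver`, does not match the `org.mariadb.jdbc` namespace that patch 1/2 uses for the same artifact in `debian/maven.rules`; MariaDB Connector/J ships its driver as `org.mariadb.jdbc.Driver`. The added line should read `dataSource.setDriverClassName("org.mariadb.jdbc.Driver");`, otherwise the data source will presumably fail with a class-loading error the first time an apidb task opens a MySQL connection, so the move to the more transparently maintained connector would not actually take effect. The unchanged `jdbc:mysql://` URL on the following line relies on the connector accepting that scheme, which is worth confirming against the packaged libmariadb-java version. The enclosing switch statement starts and ends outside the hunk.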