On 6/27/19 8:39 PM, Paul Gevers wrote:
> Hi Thomas,
> 
> On 31-05-2019 01:34, Thomas Goirand wrote:
>> Dear package maintainer,
>>
>> We're about to upgrade SQLAlchemy in Buster to address an SQL injection
>> issue. The fixed package is in unstable, under the version 1.2.18+ds1-2.
>>
>> In some rare cases, this update may break reverse dependencies, leading
>> to non-working SQL queries.
>>
>> This is why I'm writing this email to you today: to ask you to please
>> test your application with SQLAlchemy 1.2.18+ds1-2 ASAP, to address any
>> potential unforecast issue before the Buster release.
>>
>> Details about the discussion can be seen here in the Debian bug #929321.
>>
>> Best regards,
> 
> Is this explaining the FTBFS of cloudkitty? We're looking at all the RC
> bugs to see what needs to happen and cloudkitty is about to be removed
> due this FTBFS. (I am not promising anything, but if the fix is clear,
> we may leave it in and let you fix it in the first point release).
> 
> Paul
> 

Hi Paul,

I applied upstream patch, released today:
https://review.opendev.org/#/c/668120/

Debdiff attached. I've opened an unblock bug too: #931220

Cheers,

Thomas Goirand (zigo)
diff -Nru cloudkitty-8.0.0/debian/changelog cloudkitty-8.0.0/debian/changelog
--- cloudkitty-8.0.0/debian/changelog   2019-01-24 14:45:39.000000000 +0100
+++ cloudkitty-8.0.0/debian/changelog   2019-06-28 15:01:45.000000000 +0200
@@ -1,3 +1,11 @@
+cloudkitty (8.0.0-5) unstable; urgency=medium
+
+  * Add upstream patch to fix FTBFS after we updated SQLAlchemy to fix
+    CVE-2019-7164 CVE-2019-7548 (SQL injection) (see debian bug 922669 and
+    929321 for more info) (Closes: #930996).
+
+ -- Thomas Goirand <z...@debian.org>  Fri, 28 Jun 2019 15:01:45 +0200
+
 cloudkitty (8.0.0-4) unstable; urgency=medium
 
   * Correct default path to metrics.yml in [collect]/metrics_conf.
diff -Nru 
cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch 
cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch
--- cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch 
1970-01-01 01:00:00.000000000 +0100
+++ cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch 
2019-06-28 15:01:45.000000000 +0200
@@ -0,0 +1,39 @@
+Description: Fix sqlalchemy grouping on v1 storage (Fixes FTBFS in Buster)
+ This fixes "CompileError: Can't resolve label reference for
+ ORDER BY / GROUP BY." error messages raised by sqlalchemy when the groupby
+ expression includes a comma.
+Author: Luka Peschke <luka.pesc...@objectif-libre.com>
+Date: Tue, 4 Jun 2019 15:21:05 +0200
+Change-Id: Ia253175b45b8222aaee415ea535fa4102312be5a
+Bug-Debian: https://bugs.debian.org/930996
+Origin: upstream, https://review.opendev.org/668120
+Last-Update: 2019-06-28
+
+diff --git a/cloudkitty/storage/v1/sqlalchemy/__init__.py 
b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+index 77403e3..7b56da6 100644
+--- a/cloudkitty/storage/v1/sqlalchemy/__init__.py
++++ b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+@@ -127,7 +127,7 @@ class SQLAlchemyStorage(storage.BaseStorage):
+             self.frame_model.end <= end,
+             self.frame_model.res_type != '_NO_DATA_')
+         if groupby:
+-            q = q.group_by(groupby)
++            q = q.group_by(sqlalchemy.sql.text(groupby))
+ 
+         # Order by sum(rate)
+         q = q.order_by(sqlalchemy.func.sum(self.frame_model.rate))
+diff --git a/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml 
b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+new file mode 100644
+index 0000000..02c1e4d
+--- /dev/null
++++ b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+@@ -0,0 +1,6 @@
++---
++fixes:
++  - |
++    ``CompileError: Can't resolve label reference for ORDER BY / GROUP BY.``
++    errors that were sometimes raised by SQLAlchemy when using the v1 storage
++    backend and grouping on ``tenant_id`` and ``res_type`` have been fixed.
+-- 
+2.7.4
+
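Review bot: the one-line change `q = q.group_by(sqlalchemy.sql.text(groupby))` restores exactly the behaviour that the SQLAlchemy 1.2.18 update (the SQL injection fix this debdiff reacts to) removed. `text()` tells SQLAlchemy to emit the `groupby` string verbatim into the GROUP BY clause, which is why a comma-separated value such as `tenant_id, res_type` compiles again, but it also means any other content of that string reaches the database untouched. That is only acceptable if every caller of this method already restricts `groupby` to known column names; the hunk does not show such a check, and the patch description does not mention one. A safer fix with the same effect would split the value on `','`, resolve each stripped name to a column of `self.frame_model` (rejecting names that are not attributes of the model) and pass the resulting column list to `q.group_by(*columns)`, so that the grouping keys are bound as column references rather than raw SQL. At minimum the patch header should state where `groupby` is validated so the next maintainer does not treat `text()` here as safe by default.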
diff -Nru cloudkitty-8.0.0/debian/patches/series 
cloudkitty-8.0.0/debian/patches/series
--- cloudkitty-8.0.0/debian/patches/series      2019-01-24 14:45:39.000000000 
+0100
+++ cloudkitty-8.0.0/debian/patches/series      2019-06-28 15:01:45.000000000 
+0200
@@ -1,3 +1,4 @@
 allow-any-sqla-version.patch
 missing-files.patch
 remove-mathjax-extention-from-sphinx-doc.patch
+Fix_sqlalchemy_grouping_on_v1_storage.patch
