On 1 October 2016 at 00:18, Nicolás Alvarez <nicolas.alva...@gmail.com> wrote:
> 2016-09-30 6:31 GMT-03:00 Jaroslaw Staniek <stan...@kde.org>:
>>
>> Dear Debian contributors,
>> I am the maintainer of Kexi, one of the Calligra apps.
>> I've just noticed that in Debian stable Jessie the most recent Calligra is 2.8.5,
>> which is 13 releases old. There are no updates to 2.8.7, and zero updates to
>> 2.9.*.
>>
>> 2.8.5 is a July 2014 version. Due to security and stability issues it may be
>> even better *not* to have this version released at all than receiving
>> reports and users thinking that's the most recent version (this is my own
>> opinion).
>>
>> When users run, say, a Raspberry, they see that old and unsupported (by us)
>> version. So here Jessie distributes this unstable software despite many
>> updates being available. I don't see the same issue with MySQL for example,
>> which was updated just this month. Maybe a manpower issue?
>>
>> I have questions then:
>> - what happens?
>> - what can be done to fix the situation?
>> - how to coordinate better?
>>
>
> Jessie is frozen, I doubt Kexi 2.9 will ever be in 'jessie'. I don't
> see how MySQL is different, the latest version from upstream is
> 5.7.15, Jessie has 5.5.52, it was upgraded from 5.5.50 because of a
> specific security fix.
>
> See this for the criteria to get an update in stable:
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
>
> Can you mention specific security bugs that 2.8.5 has? That could
> justify bringing 2.8.7 in (or backporting the security fixes).
>
> And maybe 2.9 could be in the 'jessie-backports' repository. But I
> wouldn't expect it in 'jessie'.
>
>
> Of course, this is in addition to the possible lack of manpower to do
> such packaging :)
Thanks for the useful info, Nicolás.

Let's see the first commit from 2.8.7, which removes the possibility of preparing an attack that can crash your db. Please see below. It's enough to cause Kexi to ask a specific question and it enters an infinite loop and exits with an exception, thus e.g. losing unsaved designs.

Really we did not set a formal distinction between types of instabilities, knowing that *normally* distributors take all fixes and deploy them to the users; because this is connected/network software for a multiuser environment, the consequences may be more serious than, say, in a locally running text editor.

Honestly, we know via telemetrics that more users than needed run outdated software. And request free support for it.

commit db59286ef26be67eccf6f0fb31e5abdcf9911d02
Author: Jaroslaw Staniek <stan...@kde.org>
Date:   Tue Nov 25 23:06:03 2014 +0100

    Fix infinite recursion in msghandler.cpp

    The Calligra 2.7.90 build log using msvc2010 gives this warning concerning msghandler.cpp:
    'KexiDB::MessageHandler::askQuestion' : recursive on all control paths, function will cause runtime stack overflow

    Thanks, Stephen Leibowitz
    CCMAIL:librestep...@gmail.com
    REVIEW:121180
    FIXED-IN:2.8.7

Another, specific query can be passed by one user to another and cause a crash; in theory also executing arbitrary code on some architectures:

commit eaefd12562da5b422ae175351423fa15fd1a2cb4
Author: Jaroslaw Staniek <stan...@kde.org>
Date:   Wed Jun 4 13:12:22 2014 +0200

    Fix crash when accessing a query with duplicated table names

    Example query that crashed: SELECT t.foo FROM t, t.
    Now an error message is displayed so the user can fix the statement.

    BUG:315852
    FIXED-IN:2.8.4

If the database serves more than one user it can also mean denial of service attacks: it's enough to set a query to be always executed initially, e.g. for a main form.
--
regards, Jaroslaw Staniek

KDE:
: A world-wide network of software engineers, artists, writers, translators
: and facilitators committed to Free Software development - http://kde.org
Calligra Suite:
: A graphic art and office suite - http://calligra.org
Kexi:
: A visual database apps builder - http://calligra.org/kexi
Qt Certified Specialist:
: http://www.linkedin.com/in/jstaniek
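The second commit above describes the mitigation for the duplicated-table-name crash: reject the statement with an error before it reaches the executor, so a shared query such as `SELECT t.foo FROM t, t` can at worst produce a message, never a crash. The following is an added example written for this thread, not Kexi or KexiDB code and not the fix from that commit. It assumes a deliberately simplified grammar (`FROM t1 [AS a1], t2 [a2], ...`, whitespace-separated, the clause ending at WHERE/GROUP BY/ORDER BY/LIMIT or end of statement) and treats two references that resolve to the same alias, or to the same bare table name when no alias is given, as the ambiguous case to refuse.

```cpp
// Added example (not Kexi/KexiDB code): validate the FROM clause of a
// simple SELECT and refuse duplicated table names or aliases with an
// error result instead of letting an ambiguous reference reach execution.
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct TableRef {
    std::string table;   // table name as written in the statement
    std::string alias;   // alias, or the table name itself when none is given
};

struct ValidationResult {
    bool ok;
    std::string error;   // empty when ok
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static std::string trim(const std::string &s) {
    size_t b = s.find_first_not_of(" \t\r\n");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t\r\n");
    return s.substr(b, e - b + 1);
}

// Hypothetical simplified grammar: copy the text between FROM and the next
// WHERE / GROUP BY / ORDER BY / LIMIT (or the end of the statement).
static bool extractFromClause(const std::string &sql, std::string &out) {
    std::string lower = toLower(sql);
    for (char &c : lower)                      // fold tabs/newlines to spaces
        if (std::isspace(static_cast<unsigned char>(c))) c = ' ';
    size_t from = lower.find(" from ");
    if (from == std::string::npos) return false;
    size_t start = from + 6;
    size_t end = lower.size();
    for (const char *kw : {" where ", " group by ", " order by ", " limit "}) {
        size_t p = lower.find(kw, start);
        if (p != std::string::npos && p < end) end = p;
    }
    out = sql.substr(start, end - start);
    return true;
}

// Split "t1 AS a1, t2 a2, t3" into table/alias pairs.
static std::vector<TableRef> parseTableRefs(const std::string &fromClause) {
    std::vector<TableRef> refs;
    std::stringstream items(fromClause);
    std::string item;
    while (std::getline(items, item, ',')) {
        std::istringstream words(trim(item));
        std::string table, word, alias;
        words >> table;
        if (table.empty()) continue;
        while (words >> word) {
            if (toLower(word) == "as") continue;   // optional AS keyword
            alias = word;
        }
        refs.push_back({table, alias.empty() ? table : alias});
    }
    return refs;
}

// The check this example demonstrates: every table reference in FROM must
// resolve to a distinct (case-insensitive) name, otherwise report an error
// the user can act on rather than continuing with an ambiguous statement.
ValidationResult validateFromClause(const std::string &sql) {
    std::string clause;
    if (!extractFromClause(sql, clause))
        return {false, "missing FROM clause"};
    std::set<std::string> seen;
    for (const TableRef &r : parseTableRefs(clause)) {
        if (!seen.insert(toLower(r.alias)).second)
            return {false, "table \"" + r.alias +
                           "\" is referenced more than once in FROM; give each reference a distinct alias"};
    }
    if (seen.empty()) return {false, "empty FROM clause"};
    return {true, ""};
}

int main() {
    // Constructed sample statements; the first is the shape from the commit message.
    for (const char *q : {"SELECT t.foo FROM t, t",
                          "SELECT a.foo FROM t AS a, t AS b",
                          "SELECT t.foo FROM t a, u a WHERE a.id = 1"}) {
        ValidationResult r = validateFromClause(q);
        std::cout << q << " -> " << (r.ok ? "ok" : "rejected: " + r.error) << "\n";
    }
    return 0;
}
```

The point of keeping the check ahead of any name resolution is that the statement text may have been authored by a different user and stored as a query that runs automatically when a form opens, which is exactly the shared-database scenario the thread describes; a validation error is contained to the one user, a crash is not.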