On 26/03/2021 17.09, wf...@niif.hu wrote:

Hi Andreas,

Sorry for not responding sooner, some mail forwarding problem
intervened. Looks like there's another serious problem with the
security upload breaking the buster upgrade path, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981088. I haven't
asked the Security Team yet, but if that problem can be solved through
the security channel, then maybe this one could be as well? I mean a
hypothetical 1.1.24-0+deb9u2 upload would (besides introducing the new
binary packages for the new SONAMEs to fix #981088) also move
/usr/lib/ocf/resource.d/pacemaker/ifspeed from pacemaker into
pacemaker-resource-agents, fixing the buster upgrade. Do you think that
would work out well? Or should we push this change regardless into
buster and unstable and bullseye?
Disregarding if and how this gets fixed in stretch, one should be able
to cleanly upgrade from all versions that are/were in stretch(-security)
to buster. This fix can go in via buster-pu, don't bother trying
buster-security for this. (Especially given the long time since the bug
was introduced in stretch-security.)

I've added Breaks against the bad library packages in stretch-security
(lib*10 shipping lib*.so.16) s.t. they get removed on upgrades to buster.

(I understand that introducing libpe-status16 wouldn't fix the damage
already done by 1.1.24-0+deb9u2, and the workaround (upgrading
pacemaker-cli-utils) is easy and already happened anyway in most of the
cases. So we could also follow the tactic of leaving stretch-security
alone, and tighten Breaks+Replaces in buster and beyond as you
implemented here.)

I wouldn't introduce NEW packages into stretch, but given the limited
amount of affected packages I'd just fake the transition with a number
of Breaks. I can try to provide a patch if I find some time ...

Andreas
diff -Nru pacemaker-2.0.1/debian/changelog pacemaker-2.0.1/debian/changelog
--- pacemaker-2.0.1/debian/changelog 2020-11-07 20:21:48.000000000 +0100
+++ pacemaker-2.0.1/debian/changelog 2021-03-17 18:55:13.000000000 +0100
@@ -1,3 +1,16 @@
+pacemaker (2.0.1-5+deb10u2) buster; urgency=medium
+
+ * pacemaker-resource-agents: Bump Breaks+Replaces: pacemaker to (<< 2).
+ A new upstream release instroduced as security update 1.1.24-0+deb9u1 in
+ stretch added the new file /usr/lib/ocf/resource.d/pacemaker/ifspeed to
+ pacemaker, while it resides in pacemaker-resource-agents in buster.
+ (Closes: #985173)
+ * libpe-status28/libpengine27: Add Breaks against
+ libpe-status10/libpengine10 (>= 1.1.24) in stretch-security which shipped
+ libraries with SOVERSION 16 instead of 10. (See: #981088)
+
+ -- Andreas Beckmann <a...@debian.org> Wed, 17 Mar 2021 18:55:13 +0100
+
pacemaker (2.0.1-5+deb10u1) buster-security; urgency=high
* [bf23450] Apply patch series fixing CVE-2020-25654: ACL bypass.
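Review bot: typo in the changelog entry, "A new upstream release instroduced as security update" should read "introduced"; changelog text is published verbatim, so fix it before upload. The entry also names 1.1.24-0+deb9u1 as the stretch-security upload that added ifspeed to pacemaker, while the discussion above refers to 1.1.24-0+deb9u2 both as the hypothetical fix and as the version that "already done" the damage; confirm which version actually shipped the file, since `(Closes: #985173)` will be read against the version cited here.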
diff -Nru pacemaker-2.0.1/debian/control pacemaker-2.0.1/debian/control
--- pacemaker-2.0.1/debian/control 2020-11-07 20:21:48.000000000 +0100
+++ pacemaker-2.0.1/debian/control 2021-03-17 18:55:13.000000000 +0100
@@ -84,9 +84,9 @@
${misc:Depends},
# split out of pacemaker so that pacemaker-remote can also use them:
Breaks:
- pacemaker (<< 1.1.14-2~),
+ pacemaker (<< 2),
Replaces:
- pacemaker (<< 1.1.14-2~),
+ pacemaker (<< 2),
Description: cluster resource manager general resource agents
${S:X-Common-Description}
.
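Review bot: pairing `Breaks:` and `Replaces:` on `pacemaker (<< 2)` is the right combination for a file that moved between packages (ifspeed), and the wide bound deliberately catches every 1.1.x pacemaker from stretch and stretch-security, including a possible later deb9uN upload, which matches the stated goal of a clean upgrade from all versions that were in stretch(-security). Consider saying in the changelog why `(<< 2)` was chosen over a tight `(<< 1.1.24-0+deb9u1~)` bound, so a later maintainer does not "correct" it back down.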
@@ -270,6 +270,8 @@
Depends:
${misc:Depends},
${shlibs:Depends},
+Breaks:
+ libpe-status10 (>= 1.1.24),
Description: cluster resource manager Policy Engine status library
${S:X-Common-Description}
.
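Review bot: the hunk context shows only `Depends:` and the description "Policy Engine status library", not the stanza's `Package:` line, so double-check that this `Breaks:` landed in the libpe-status28 stanza named in the changelog and not in a neighbouring one at the same offset. Breaks without a matching Replaces is correct here: libpe-status28 takes over no files from libpe-status10, it only needs the stretch-security package that shipped lib*.so.16 under the 10 name to be removed on upgrade, and the `(>= 1.1.24)` bound leaves the original stretch libpe-status10 (SOVERSION 10) untouched.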
@@ -282,6 +284,8 @@
Depends:
${misc:Depends},
${shlibs:Depends},
+Breaks:
+ libpengine10 (>= 1.1.24),
Description: cluster resource manager Policy Engine library
${S:X-Common-Description}
.
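Review bot: this mirrors the libpe-status10 Breaks for libpengine10 with the same `(>= 1.1.24)` bound and reads consistently with the changelog entry. Since these two `Breaks:` lines are the only thing that makes apt remove the mis-versioned stretch-security library packages, and the discussion above talks about pushing the change into unstable and bullseye as well, the same two stanzas need the same lines in those branches' control files, otherwise a stretch-security to bullseye upgrade that skips buster is still affected.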