[MIR] uwsgi as dependency of mailman3
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
uwsgi (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
[Availability]
The uwsgi source package is in Universe, and builds on amd64, arm64, armhf,
i386, ppc64el, s390x
https:/
Of the binary packages it produces, we need the following in main:
- uwsgi
- uwsgi-core
- uwsgi-plugin-
[Rationale]
This is part of the MIR activity for all dependencies of mailman3
The "main" MIR of it is at bug 1775427:
Mailman (2) has only python2 support, but we strive for python3,
therefore Mailman3 which has python3 support should be promoted to main.
[Security]
There are two CVEs in MITRE:
- http://
uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the
--php-docroot option, allowing directory traversal.
- http://
The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through 2.0.15
has a stack-based buffer overflow via a large directory length.
There are no hits in the ubuntu cve tracker at
http://
[Quality assurance]
As part of the mailman3 stack, as of now (Disco), this installs fine and works fine.
On its own it is useful to (many) other dependencies and does not need post-install configuration.
There are no debconf questions.
Upstream bugs: https:/
- there are 514 open bugs, and 774 closed ones
- just 10 open issues with the label "bug": https:/
Debian bugs:
- a bit hard to get a list of all bugs, given that this package produces 50 binary packages
- focusing on the ones we want to MIR, that reduces the list to:
- https:/
- 1 normal, 1 minor, 5 wishlist
- 2 important already resolved
- https:/
- #772386: uwsgi-core: bashism in /bin/sh script (open)
- #846362: flaw in readline implementation causing it to return excess data (closed)
- https:/
Ubuntu bugs: https:/
- 12 open bugs at first
- most untriaged, many in xenial. Did a quick triage and found many were dupes
of #1616497, which is fixed in later releases.
- might need to fix https:/
which is about adding a systemd service file, especially since the package
ships both an upstart and a sysV initscript at the same time.
- there is a build-depends on libqdbm-dev, which has an intent to orphan bug in debian:
https:/
libqdbm14 doesn't show up as a reverse-depends, though. Maybe it's not used
anymore, or it's statically linked:
root@disco-uwsgi:~# reverse-depends libqdbm-dev -b
Reverse-
=======
* php7.2
* php7.3
* sylfilter
* uwsgi
root@disco-uwsgi:~# reverse-depends libqdbm14
Reverse-Depends
===============
* libqdbm-dev
* libqdbm-java
* libqdbm-perl
* libsylfilter0
* libxqdbm3c2
* php7.2-dba
* php7.3-dba
* qdbm-cgi
* qdbm-util
* ruby-qdbm
Disco build logs at (https:/
also don't show "qdbm" other than when installing the build-dep itself.
- FTBFS in disco that I just filed while doing this evaluation:
https:/
Debian seems to be keeping up with upstream releases.
No exotic hardware involved.
No DEP8 tests.
Doesn't look like it runs tests at package build time, but d/rules is complex
enough to parse and I may have missed it. I also checked build logs, though.
Finally, I ran "make check" manually, and "something" runs, but it doesn't look
like any test output I have seen before: http://
There is a working debian/watch file.
Lintian:
- As expected, there are many issues flagged by lintian. Focusing on the 3 packages we want to MIR, we have these:
uwsgi:
I: uwsgi: debian-
W: uwsgi: script-
W: uwsgi: script-
W: uwsgi: script-
P: uwsgi: missing-
uwsgi-core:
- many hardening-
- a few shared-
uwsgi-
- just one hardening-
Relying on obsolete packages:
As shown earlier, the package is relying on qdbm which is orphaned in Debian,
but there is no match for "qdbm" in the build logs. Seems it was originally
added by this:
uwsgi (1.9.11-1) unstable; urgency=low
(...)
* New binary package uwsgi-plugin-php. (Closes: #699174)
- New Build-Depends libphp5-embed, php5-dev, libonig-dev, libdb-dev,
libqdbm-dev and libbz2-dev.
-- Janos Guljas <email address hidden> Mon, 27 May 2013 03:55:54 +0200
The uwsgi-plugin-php package was later dropped, however, in 2.0.15-10:
uwsgi (2.0.15-10) unstable; urgency=medium
* Simplify packaging by offloading some parts to separate source:
+ Stop build plugins for PHP.
+ Drop binary package uwsgi-plugin-php.
+ Stop build-depend on php-dev libphp-embed.
(...)
-- Jonas Smedegaard <email address hidden> Fri, 20 Oct 2017 16:13:39 +0200
Therefore, I think the libqdbm-dev build-dep can be dropped as well. I filed a
debian bug:
https:/
[UI standards]
Does not apply, as it's a service used by other services.
[Dependencies]
Some dependencies are not in main, but we drive MIR for all related packages
that are not in main at the same time.
Please check the list of bugs from the main Mailman3 MIR in bug 1775427 to get an overview.
[Standards compliance]
- d/rules is very complex and hard to understand:
https:/
I didn't spot FHS violations.
It's up-to-date regarding standards versions: 4.3.0
[Maintenance]
The Server team will subscribe to the package for maintenance
[Background]
No further info at this time.
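The two CVEs listed under [Security] are both path-handling defects: a mishandled DOCUMENT_ROOT check that allowed directory traversal, and an unbounded directory length that overflowed a stack buffer in uwsgi_expand_path. The C below is an added illustration, written for this page, of the two defences such code needs; it is not uWSGI's code and not the upstream fix. It joins a request path onto a document root lexically, refuses any ".." that would climb above the root, bounds every copy against a fixed buffer (MAX_PATH_LEN is an assumed size), and adds a boundary-aware containment check so that "/var/www" does not also match "/var/wwwevil". The function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 4096   /* assumed fixed buffer size for this example */

enum {
    DOCROOT_OK       =  0,
    DOCROOT_ESCAPE   = -1,  /* ".." would climb above the document root */
    DOCROOT_TOO_LONG = -2,  /* result would not fit the fixed buffer */
    DOCROOT_BADARG   = -3
};

/* Join `req` onto `docroot` lexically: collapse "." and "..", refuse any
 * ".." that would leave the root, and bounds-check every copy. On success
 * the canonical path is written to `out`. Hypothetical helper, not uWSGI's. */
int resolve_under_docroot(const char *docroot, const char *req,
                          char *out, size_t outlen)
{
    char buf[MAX_PATH_LEN];
    size_t rootlen, len;
    const char *p = req;

    if (!docroot || !req || !out || outlen == 0 || docroot[0] != '/')
        return DOCROOT_BADARG;

    rootlen = strlen(docroot);
    while (rootlen > 1 && docroot[rootlen - 1] == '/')   /* drop trailing '/' */
        rootlen--;
    if (rootlen >= sizeof buf)
        return DOCROOT_TOO_LONG;
    memcpy(buf, docroot, rootlen);
    len = rootlen;

    while (*p) {
        const char *seg;
        size_t seglen;

        while (*p == '/') p++;                 /* skip separators */
        if (!*p) break;
        seg = p;
        while (*p && *p != '/') p++;
        seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == rootlen)               /* already at the root: traversal */
                return DOCROOT_ESCAPE;
            while (len > rootlen && buf[len - 1] != '/')
                len--;
            if (len > rootlen)                /* drop the separator too */
                len--;
            continue;
        }
        /* check BEFORE copying: separator + segment + NUL must fit */
        if (len + 1 + seglen + 1 > sizeof buf)
            return DOCROOT_TOO_LONG;
        if (buf[len - 1] != '/')
            buf[len++] = '/';
        memcpy(buf + len, seg, seglen);
        len += seglen;
    }
    buf[len] = '\0';

    if (len + 1 > outlen)
        return DOCROOT_TOO_LONG;
    memcpy(out, buf, len + 1);
    return DOCROOT_OK;
}

/* Boundary-aware containment check for an already-canonical path:
 * "/var/www" must accept "/var/www/x" and "/var/www" but reject
 * "/var/wwwevil/x", which a plain strncmp() prefix test lets through. */
int path_within_docroot(const char *docroot, const char *path)
{
    size_t rootlen = strlen(docroot);
    while (rootlen > 1 && docroot[rootlen - 1] == '/')
        rootlen--;
    if (strncmp(path, docroot, rootlen) != 0)
        return 0;
    if (rootlen == 1)                          /* docroot is "/" */
        return 1;
    return path[rootlen] == '\0' || path[rootlen] == '/';
}

int main(void)
{
    /* constructed sample requests, not captured traffic */
    const char *reqs[] = { "index.php", "/a/./b/../c.php", "../etc/passwd", "a/../../etc/passwd" };
    char out[MAX_PATH_LEN];
    size_t i;

    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int rc = resolve_under_docroot("/var/www", reqs[i], out, sizeof out);
        printf("%-22s -> %s\n", reqs[i], rc == DOCROOT_OK ? out : "REJECTED");
    }
    printf("/var/wwwevil/x within /var/www: %d\n",
           path_within_docroot("/var/www", "/var/wwwevil/x"));
    return 0;
}
```

The normalization here is purely lexical, so it does not see symlinks under the document root; a server should still call realpath() on the result and run path_within_docroot() on that canonical path before opening the file.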
Changed in uwsgi (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
FYI: the FTBFS fix is in progress and will soon be resolved.
FYI: but the package is also:
a) more complex
b) more likely to be a Deny, or at least to trigger extra work
Therefore, at next week's meeting I'm passing the review of this one to a fellow MIR team member.