Sync php-mdb2 2.4.1-1 (universe) from Debian unstable (main).

Bug #345263 reported by Fabrice Coutadeur
Affects | Status | Importance | Assigned to | Milestone
Ubuntu | Fix Released | Wishlist | Unassigned |

Bug Description


 affects ubuntu
 status new
 importance wishlist
 subscribe ubuntu-universe-sponsors

Please sync php-mdb2 2.4.1-1 (universe) from Debian unstable (main).

Changelog since current jaunty version 0:

php-mdb2 (2.4.1-1) unstable; urgency=low

  * Initial Release. (Closes: #441637)

 -- Mark A. Hershberger <email address hidden> Sat, 29 Nov 2008 19:42:16 +0100

This package is required to install roundcube-core (see Bug #331944)


Revision history for this message
Fabrice Coutadeur (fabricesp) wrote :

It also installs fine:
(jaunty)fabrice@fabrice-desktop:~/data/build/temp$ sudo gdebi php-mdb2_2.4.1-1_all.deb
Reading package lists: Done
Reading state information: Done
Reading state information: Done
Reading state information: Done
Reading state information: Done

Requires the installation of the following packages:
php-pear php5-cli php5-common
PHP PEAR module to provide a common API for supported RDBMS
 PEAR MDB2 is a merge of the PEAR DB and Metabase php database
 abstraction layers.
 .
 It provides a common API for all supported RDBMS. The main difference
 to most other DB abstraction packages is that MDB2 goes much further
 to ensure portability. MDB2 provides most of its many features
 optionally that can be used to construct portable SQL statements:
 .
  * Object-Oriented API
  * A DSN (data source name) or array format for specifying database
    servers
  * Datatype abstraction and on demand datatype conversion
  * Various optional fetch modes to fix portability issues
  * Portable error codes
  * Sequential and non sequential row fetching as well as bulk fetching
  * Ability to make buffered and unbuffered queries
  * Ordered array and associative array for the fetched rows
  * Prepare/execute (bind) named and unnamed placeholder emulation
  * Sequence/autoincrement emulation
  * Replace emulation
  * Limited sub select emulation
  * Row limit emulation
  * Transactions/savepoint support
  * Large Object support
  * Index/Unique Key/Primary Key support
  * Pattern matching abstraction
  * Module framework to load advanced functionality on demand
  * Ability to read the information schema
  * RDBMS management methods (creating, dropping, altering)
  * Reverse engineering schemas from an existing database
  * SQL function call abstraction
  * Full integration into the PEAR Framework
  * PHPDoc API documentation
Do you want to install the software package? [y/N]:Y
Done http://archive.ubuntu.com jaunty/main php5-common 5.2.6.dfsg.1-3ubuntu2
Done http://archive.ubuntu.com jaunty/main php5-cli 5.2.6.dfsg.1-3ubuntu2
Done http://archive.ubuntu.com jaunty/main php-pear 5.2.6.dfsg.1-3ubuntu2
Done downloading
Selecting previously deselected package php5-common.
(Reading database ... 87930 files and directories currently installed.)
Unpacking php5-common (from .../php5-common_5.2.6.dfsg.1-3ubuntu2_amd64.deb) ...
Selecting previously deselected package php5-cli.
Unpacking php5-cli (from .../php5-cli_5.2.6.dfsg.1-3ubuntu2_amd64.deb) ...
Selecting previously deselected package php-pear.
Unpacking php-pear (from .../php-pear_5.2.6.dfsg.1-3ubuntu2_all.deb) ...
Processing triggers for man-db ...
Setting up php5-common (5.2.6.dfsg.1-3ubuntu2) ...
Setting up php5-cli (5.2.6.dfsg.1-3ubuntu2) ...

Creating config file /etc/php5/cli/php.ini with new version

Setting up php-pear (5.2.6.dfsg.1-3ubuntu2) ...
Selecting previously deselected package php-mdb2.
(Reading database ... 88125 files and directories currently installed.)
Unpacking php-mdb2 (from php-mdb2_2.4.1-1_all.deb) ...
Setting up php-mdb2 (2.4.1-1) ...

description: updated
Revision history for this message
Luca Falavigna (dktrkranz) wrote :

Why do we need this one?

Revision history for this message
Fabrice Coutadeur (fabricesp) wrote :

This package is required to install roundcube-core (see Bug #331944). According to the changelog of roundcube, it's not possible to use db:
roundcube (0.2~stable-1) unstable; urgency=low

  * New upstream version. Closes: #503573, #504570.
      + Add SQL update scripts for this new release and for
        0.2~alpha. Remove copy of SQL upgrade script from debian/rules.
      + Remove patch for CVE-2008-5620 which is now fixed upstream.
      + Remove patch correcting a vulnerability in html2text.php.
      + Remove patch fixing login issue. This is fixed upstream.
      + Remove patch setting the default backend to db instead of mdb2:
        this is not possible any more. We depend on php-mdb2 now.
      + Update patch to use packaged tinymce.

Revision history for this message
Luca Falavigna (dktrkranz) wrote :

Are there any packages which require this one? If not, could you please test if db backend for roundcube-core is working with php-mdb2?

Revision history for this message
Luca Falavigna (dktrkranz) wrote :

< fabrice_sp> DktrKranz, about Bug #345263. This is one of the 4 packages required to install roundcube
< fabrice_sp> I still have to open 3 sync request
< DktrKranz> fabrice_sp: do we need three more packages?
< fabrice_sp> yes :-/
< fabrice_sp> php-mdb2-driver-mysql, php-mdb2-driver-pgsql and php-mdb2-driver-sqlite
< DktrKranz> fabrice_sp: ... and I don't think there's any other way to fix them in a safer way
< fabrice_sp> DktrKranz, no, it don't seems so: upstream seems to have dropped support for db backend.
< fabrice_sp> but in this case, a lot more test would be required
< DktrKranz> exactly
< fabrice_sp> so do I send the 3 additional sync requests?
< DktrKranz> probably roundcube should have been postponed for karmic, but that is
< DktrKranz> switching to a patched version seems way too risky than syncing four packages
< DktrKranz> so I'm fine with this approach as long as you (or some interested people) have a good test at roundcube
< lionel> DktrKranz: now I have tested, yes it works

After discussion in #ubuntu-motu, I'm fine with it, ACK #1

Revision history for this message
Scott Kitterman (kitterman) wrote :

Nack. It's far too late for this. This will be automatically sync'ed for Karmic. If you want it in Jaunty, request a backport after it's in Karmic.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Setting back to New. I didn't read all the way down.

Revision history for this message
Scott Kitterman (kitterman) wrote : Re: [Bug 345263] Re: Sync php-mdb2 2.4.1-1 (universe) from Debian unstable (main).

My vote would be to revert roundcube back to an earlier version that
doesn't need this.

Revision history for this message
StefanPotyra (sistpoty) wrote :

hm... the new roundcube version seems to fix a number of CVEs, either through upstream changes or through debian changes. Rolling it back would mean to take care of these, and to diverge from upstream/unstable quite a bit (and hence probably not being able to cherry-pick easily there, in case of more problems)

php-mdb2, php-mdb2-driver-{psql,mysql} don't have any bugreports in unstable, I guess my slightly preferred route would be to convince archive admins that we want it, and to get these in.

But I must admit that I'm also not 100% comfortable with adding new packages that late, but I'm also not too comfortable with having to backport all CVE fixes to an earlier version.

Revision history for this message
Scott Kitterman (kitterman) wrote :

jdstrand volunteered to do the archive work if needed. I still lean to
backporting the security fixes for what we already have.

Revision history for this message
Luca Falavigna (dktrkranz) wrote :

Fabrice, could you please try to look at fixed CVEs to see if they can be applied in current Jaunty version? Eventually, you could ask Jamie (jdstrand) about his feelings about such security patches.

Revision history for this message
Fabrice Coutadeur (fabricesp) wrote :

Hi,

AFAIK, we have 3 options:
- sync the 4 missing packages (php-mdb2, php-mdb2-driver-mysql, php-mdb2-driver-pgsql and php-mdb2-driver-sqlite) from unstable
- Go back to 0.1.1-10, which is the previous version in Jaunty (and in etch backports), and try to patch the vulnerabilities marked as fixed in 0.2.1
- Try to patch 0.2 to use db instead of mdb2

The last option is not really an option, as we will diverge from upstream and debian, and it will require a lot of tests to be sure everything is working fine.

For option 2, here are the vulnerabilities that are referenced in the changelog of 0.2.1, and appear as fixed since 0.1.1-10:
* Fix a vulnerability in the use of preg_replace (Closes: #508628).
  This is fixed by dont-use-preg-e-option.patch in 0.1.1-10

* Fix a vulnerability in quota image generation. This fixes CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
  This is fixed by cve-2008-5620.patch in 0.1.1-10

* Apply fix for XSS issue (CVE-2009-0413). Closes: #514179.
This patch can't be applied as the file program/lib/washtml.php doesn't even exist in 0.1.1. According to Debian bug #514179, this won't be fixed in 0.1.1 (as well as a lot of other vulnerabilities).

* Version 0.2.1 Remove patch correcting a vulnerability in html2text.php.
This is a 0.2 only problem

* Version 0.2.1 Remove patch fixing login issue. This is fixed upstream.
The patch log-failed-logins.patch can be adapted to be applied to 0.1.1-10, but what it really does is just logging the failed logins.

Revision history for this message
Lionel Porcheron (lionel.porcheron) wrote :

So I guess a FFe for this package is going to be granted now that php-mdb2-driver-sqlite and php-mdb2-driver-mysql (two other packages that depend on this package) have been synced tonight.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Sure. Approved.

Changed in ubuntu:
status: New → Confirmed
Revision history for this message
Lionel Porcheron (lionel.porcheron) wrote :

Thanks!

Revision history for this message
Scott Kitterman (kitterman) wrote :

Sync'ed and accepted.

Changed in ubuntu:
status: Confirmed → Fix Released