[SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)

Bug #1582340 reported by Nish Aravamudan on 2016-05-16
This bug affects 2 people
Affects: drupal7 (Ubuntu); Importance: High; Assigned to: Unassigned
Affects: Xenial; Importance: High; Assigned to: Unassigned

Bug Description

Drupal7 in 16.04 has been left as broken while we wait on upstream Drupal7 to gain PHP7.0 compatibility. This has been achieved in Debian's current version, which we should be able to sync as we have no delta currently.

[Impact]

 * drupal7 is currently uninstallable in 16.04.

[Test Case]

 * There is no test case for this issue, other than attempting to install drupal7 itself, which will currently fail due to php5 dependencies.

[Regression Potential]

 * As drupal7 is currently uninstallable, there is no possibility of regression in 16.04 itself.

[Other Info]

 * To reiterate, the plan for drupal7 in 16.04 was to wait for PHP7 compatibility to be available and to SRU in the corresponding version.

Please sync drupal7 7.43-3 (universe) from Debian unstable (main)

Changelog entries since current xenial version 7.41-1:

drupal7 (7.43-3) unstable; urgency=medium

  * Moved the farbstatic sources from debian/missing-sources
    to debian/missing-sources/misc, to keep lintian happy
  * The right name for one of our conditional dependencies is no longer
    php-sqlite, but php-sqlite3. Thanks to Nish Aravamudan for pointing
    this out!

 -- Gunnar Wolf <email address hidden> Mon, 09 May 2016 12:25:34 -0500

drupal7 (7.43-2) unstable; urgency=medium

  * Update dependencies to use PHP 7 instead of 5 (Closes: #821482)
  * Updated debian/watch to work reliably
  * Standards-version 3.9.6.0→3.9.8 (no changes needed)

 -- Gunnar Wolf <email address hidden> Mon, 09 May 2016 10:54:11 -0500

drupal7 (7.43-1) unstable; urgency=high

  * New upstream version
  * Fixes several security vulnerabilities (SA-CORE-2016-001): File
    upload access bypass and DoS, brute force amplification attack via
    XML-RPC, open redirect via path manipulation, reflected file
    download, wrong modes set on some user accounts setting saves,
    information disclosure of email addresses
  * Several non-security bugfixes from 7.42 included
  * Fix typo in README.Debian
  * Add several needed lintian overrides

 -- Gunnar Wolf <email address hidden> Thu, 25 Feb 2016 22:43:55 -0600

Nish Aravamudan (nacc) on 2016-05-16
Changed in drupal7 (Ubuntu):
importance: Undecided → Wishlist
Nish Aravamudan (nacc) on 2016-05-16
description: updated
summary: - Sync drupal7 7.43-3 (universe) from Debian unstable (main)
+ [SRU] Sync drupal7 7.43-3 (universe) from Debian unstable (main)
tags: added: xenial
tags: added: upgrade-software-version
Changed in drupal7 (Ubuntu):
importance: Wishlist → Low
Changed in drupal7 (Ubuntu):
status: New → Fix Released
Michael Terry (mterry) wrote :

Thanks for the pointers! I've uploaded a backported version to xenial. I'll subscribe the SRU team here for the next steps.

Hello Nish, or anyone else affected,

Accepted drupal7 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/drupal7/7.43-3~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in drupal7 (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Changed in drupal7 (Ubuntu Xenial):
importance: Undecided → Low
Jeremy Bicha (jbicha) wrote :

Bumping importance to High. drupal7 is unusable in Ubuntu 16.04 LTS without this fix and it is such a high profile package it was release noted:

https://wiki.ubuntu.com/XenialXerus/ReleaseNotes#PHP_7.0

Changed in drupal7 (Ubuntu Xenial):
importance: Low → High
Changed in drupal7 (Ubuntu):
importance: Low → High
Jeremy Bicha (jbicha) wrote :

Ubuntu 16.04 LTS:
=================
$ sudo apt install drupal7
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 drupal7 : Depends: php5 but it is not installable
           Depends: php5-mysql but it is not installable or
                    php5-pgsql but it is not installable or
                    php5-sqlite but it is not installable
           Depends: php5-gd but it is not installable
           Recommends: mysql-server or
                       postgresql but it is not going to be installed or
                       sqlite3
E: Unable to correct problems, you have held broken packages.

After enabling -proposed:
========================
Install works. See attached for log.

http://localhost/ shows the default Ubuntu apache2 page.
I briefly read the docs and followed the instructions:

$ less /usr/share/doc/drupal7/README.Debian.gz
$ sudo a2enconf drupal7
Enabling conf drupal7.
To activate the new configuration, you need to run:
  service apache2 reload
$ sudo service apache2 reload
$ sudo systemctl reload apache2

http://localhost/drupal7/ shows nothing
http://localhost/drupal7/install.php shows

system requirements page for more information.'; exit; } // Start the installer. require_once DRUPAL_ROOT . '/includes/install.core.inc'; install_drupal();

I'm marking this verification failed since although it installs (which is an improvement), it didn't actually run for me.

Also, shouldn't we go ahead and backport the security update from yakkety now too?

tags: added: verification-failed
removed: verification-needed
Jeremy Bicha (jbicha) wrote :

drupal7 needs to depend on php-xml (bug 1595788)
In Debian testing and yakkety, php7.0 depends on libapache2-mod-php7.0 (and with this installed, the installer works).

More precisely:
16.04: php7.0 depends on php7.0-fpm | libapache2-mod-php7.0
16.10: php7.0 depends on libapache2-mod-php7.0 | php7.0-fpm

For the purposes of this SRU, should we have drupal7 depend on libapache2-mod-php7.0...or, because I believe we should probably do it anyway, do an SRU for php7 to have that dependency added there?

Either way, I propose we replace this SRU with a new backport from yakkety of 7.44-1 and the php-xml dependency.

On 24.06.2016 [03:24:08 -0000], Jeremy Bicha wrote:
> drupal7 needs to depend on php-xml (bug 1595788)

Ack.

> In Debian testing and yakkety, php7.0 depends on libapache2-mod-php7.0
> (and with this installed, the installer works).

Well, to be clear, it depends on libapache2-mod-php7.0 in Xenial as
well, it's just the default choice that has changed (the first
alternative). This was actually done on purpose, as libapache2-mod-php
is not considered the best option (even if the most common).

> More precisely:
> 16.04: php7.0 depends on php7.0-fpm | libapache2-mod-php7.0
> 16.10: php7.0 depends on libapache2-mod-php7.0 | php7.0-fpm

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822774

There isn't a perfect solution. Probably you are right, we should toggle
the default selection back to apache, but then we'll get the same bugs
filed as before about nginx pulling in apache by default...

> For the purposes of this SRU, should we have drupal7 depend on
> libapache2-mod-php7.0...or, because I believe we should probably do it
> anyway, do an SRU for php7 to have that dependency added there?

I will add the above bugfix to an already pending PHP7.0 SRU request.

> Either way, I propose we replace this SRU with a new backport from
> yakkety of 7.44-1 and the php-xml dependency.

Given that yakkety is in sync with Debian, and probably there will be
more Drupal7 releases before it closes (and autosync is turned on), I'm
not sure it matters too much. Yes, there are security fixes that are
needed. But there are security issues in all drupal7 packages in Ubuntu,
and I don't think we're asserting they can all be fixed (cf. that trusty
is shipping 7.26-1 + 1 security release).

Jeremy Bicha (jbicha) wrote :

Ok, I'm uploading a new version now with the php-xml dependency.

Yeah, the php-fpm situation is complicated because, as I found out, php-fpm doesn't work out of the box with Ubuntu 16.04 LTS. See also https://bugs.debian.org/820282. But there are complaints about using libapache by default too: https://bugs.debian.org/822774.

tags: removed: verification-failed
Nish Aravamudan (nacc) wrote :

@Jeremy, thanks for taking care of this. I'll sync up with Ondřej and get back to you on the php7.0 solution (for now, installing libapache2-mod-php with drupal7 is an appropriate workaround).

-Nish

Hello Nish, or anyone else affected,

Accepted drupal7 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/drupal7/7.44-1ubuntu1~16.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Jeremy Bicha (jbicha) wrote :

Ubuntu GNOME 16.04 LTS:
=======================
$ sudo apt install drupal7
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 drupal7 : Depends: php5 but it is not installable
           Depends: php5-mysql but it is not installable or
                    php5-pgsql but it is not installable or
                    php5-sqlite but it is not installable
           Depends: php5-gd but it is not installable
           Recommends: mysql-server or
                       postgresql but it is not going to be installed or
                       sqlite3
E: Unable to correct problems, you have held broken packages.

After enabling -proposed:
========================
$ sudo apt install drupal7 libapache2-mod-php
$ sudo a2enconf drupal7
$ sudo systemctl reload apache2
Navigate to http://localhost/drupal/install.php and fill in the blanks. (There's a somewhat scary error message at http://localhost/drupal/ if you navigate there before completing the install.php wizard.)

The install works fine (but you have to know to follow those steps). Marking as verification-done.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package drupal7 - 7.44-1ubuntu1~16.04.0

---------------
drupal7 (7.44-1ubuntu1~16.04.0) xenial; urgency=medium

  * Backport a version of drupal7 to Ubuntu 16.04 LTS that is
    installable with php7 (LP: #1582340)

drupal7 (7.44-1ubuntu1) yakkety; urgency=medium

  * Depend on php-xml (LP: #1595788)

drupal7 (7.44-1) unstable; urgency=high

  * New upstream version
  * Fixes a security vulnerability (SA-CORE-2016-002): Privilege
    escalation (within the webapp users realm)

drupal7 (7.43-3) unstable; urgency=medium

  * Moved the farbstatic sources from debian/missing-sources
    to debian/missing-sources/misc, to keep lintian happy
  * The right name for one of our conditional dependencies is no longer
    php-sqlite, but php-sqlite3. Thanks to Nish Aravamudan for pointing
    this out!

drupal7 (7.43-2) unstable; urgency=medium

  * Update dependencies to use PHP 7 instead of 5 (Closes: #821482)
  * Updated debian/watch to work reliably
  * Standards-version 3.9.6.0→3.9.8 (no changes needed)

drupal7 (7.43-1) unstable; urgency=high

  * New upstream version
  * Fixes several security vulnerabilities (SA-CORE-2016-001): File
    upload access bypass and DoS, brute force amplification attack via
    XML-RPC, open redirect via path manipulation, reflected file
    download, wrong modes set on some user accounts setting saves,
    information disclosure of email addresses
  * Several non-security bugfixes from 7.42 included
  * Fix typo in README.Debian
  * Add several needed lintian overrides

 -- Jeremy Bicha <email address hidden> Fri, 24 Jun 2016 13:29:56 -0400

Changed in drupal7 (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for drupal7 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
