[MIR] zeromq3 as dependency of mailman3
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
zeromq3 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
[Availability]
zeromq3 exists in Universe already. Current version in disco is 4.2.5-2 and it
builds in amd64, arm64, armhf, i386, ppc64el, s390x.
It produces two binary packages: a library runtime, and its corresponding
development package. We need the runtime libzmq5 in main.
Disco proposed has had 4.3.1-3 for 45 days and it hasn't migrated because it's
failing to build due to a failing test. UPDATE: fixed in 4.3.1-3ubuntu2, which migrated.
[Rationale]
This is part of the MIR activity for all dependencies of mailman3.
The main MIR for it is bug 1775427:
Mailman (2) has only python2 support, but we strive for python3;
therefore Mailman3, which has python3 support, should be promoted to main.
Please note that there were former MIRs:
- bug 1597436
- bug 1597439
The latter was accepted.
It seems to have been demoted since then; we need to check why, but hopefully this eases the re-promotion.
[Security]
CVE history:
- http://
A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka
0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp
zmq::
to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which
can be leveraged to run arbitrary code on the target system. The memory layout
allows the attacker to inject OS commands into a data structure located
immediately after the problematic buffer (i.e., it is not necessary to use a
typical buffer-overflow exploitation technique that changes the flow of
control).
- http://
The ZeroMQ parser in tcpdump before 4.9.0 has an integer overflow in
print-
- http://
libzmq (aka ZeroMQ/C++) 4.0.x before 4.0.5 does not ensure that nonces are
unique, which allows man-in-the-middle attackers to conduct replay attacks via
unspecified vectors.
- http://
stream_engine.cpp in libzmq (aka ZeroMQ/C++) 4.0.5 before 4.0.5 allows
man-in-the-middle attackers to conduct downgrade attacks via a crafted
connection request.
Ubuntu CVE tracker at
http://
- lists https:/
still open in disco
- debian: https:/
- upstream (patch and exploit): https:/
[Quality assurance]
As part of the mailman3 stack as of now (Disco), this installs fine and works fine.
On its own it is useful to (many) other packages and does not need any post-install configuration.
No debconf questions asked, it's just a library package.
It's currently stuck in disco-proposed migration due to a build (test,
actually) failure:
http://
Ubuntu bugs:
- one open bug from 2016: https:/
libzmq3 crashes when 'getifaddrs()' is unavailable
Fixed upstream in 4.2.0, which leaves only xenial and older without a fix.
- remaining open CVE in disco (see previous section)
Debian bugs: https:/
- https:/
libzmq5: Wrong dependency?
- https:/
zeromq3: please package curve_keygen utility
- https:/
libzmq3: upgrading from 3.2.3 to 4.0.4 breaks python-pytango
Upstream issues: https:/
- 138 open, >1k closed
- self-labeled critical bugs (6): https:/
- half from 2018, the rest are older
Upstream has CI:
- https:/
- https:/
- https:/
Debian PTS: https:/
- seems to get frequent uploads
Misc observations
- building 4.3.1-3 locally (where the tests pass) shows that new symbols are
being introduced in this update, but not reflected in the symbols file.
- http://
- active development community
- dev mailing list: https:/
- frequent commits: https:/
- mismatched majors between dev and runtime library packages:
- libzmq3-dev
- libzmq5
No exotic hardware involved in this package.
Tests
- no DEP8 tests
- test suite run at package build time, with a "nocheck" check in
DEB_BUILD_OPTIONS
- failure in the test suite actually fails the build, as can be seen in the
failed migration in disco-proposed
The package includes a working debian/watch file.
Lintian
Full output: https:/
I'd highlight:
- d/copyright needs updating (wildcard-
- testsuite-
- hardening-
- symbols file probably will need updating (if the package migrates away from
disco-proposed)
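A maintainer's check for the symbols-file drift noted here and in the Misc observations above, added as an example (not taken from the bug report or from the zeromq3 packaging): it compares what a built libzmq.so.5 exports with what the package's dpkg symbols file declares. The paths in the comments (debian/libzmq5.symbols, debian/tmp/usr/lib/*/libzmq.so.5) are the usual debhelper locations and are assumed; the sample symbols are constructed.

```shell
# Cross-check the symbols exported by a built library against the package's
# dpkg symbols file. On a real build (usual debhelper paths, assumed):
#   nm -D --defined-only debian/tmp/usr/lib/*/libzmq.so.5 > nm-output.txt
#   symbols_missing_from_file debian/libzmq5.symbols nm-output.txt
# The sample data at the bottom is constructed; the symbol names with
# "_placeholder" are invented and not taken from the real libzmq5 symbols file.

# Names declared in a dpkg symbols file. Entries look like
#   " zmq_ctx_new@Base 4.0.0"  (leading space, name@version, min version);
# the "libzmq.so.5 libzmq5 #MINVER#" header has no leading space and is skipped.
declared_symbols() {
  grep '^ ' "$1" | sed 's/^ //; s/@.*//' | sort -u
}

# Names exported per "nm -D --defined-only" ("0000000000012340 T zmq_ctx_new"):
# keep global code/data (T D B R W), drop local (lowercase) and "@@VERSION".
exported_symbols() {
  awk '$2 ~ /^[TDBRW]$/ { sub(/@.*/, "", $3); print $3 }' "$1" | sort -u
}

# Exported but not declared: dpkg-gensymbols reports these as new symbols at
# build time, so the symbols file needs updating (the situation noted above).
symbols_missing_from_file() {
  tmp=$(mktemp); declared_symbols "$1" > "$tmp"
  exported_symbols "$2" | comm -13 "$tmp" -; rm -f "$tmp"
}

# Declared but no longer exported: dpkg-gensymbols treats this as a symbol
# loss and fails the build unless the entry is marked optional.
symbols_lost_from_library() {
  tmp=$(mktemp); declared_symbols "$1" > "$tmp"
  exported_symbols "$2" | comm -23 "$tmp" -; rm -f "$tmp"
}

# --- constructed sample data ---
SAMPLE_SYMBOLS=$(mktemp); SAMPLE_NM=$(mktemp)
cat > "$SAMPLE_SYMBOLS" <<'EOF'
libzmq.so.5 libzmq5 #MINVER#
 zmq_ctx_new@Base 4.0.0
 zmq_ctx_term@Base 4.0.0
 zmq_removed_placeholder@Base 4.0.0
EOF
cat > "$SAMPLE_NM" <<'EOF'
0000000000012340 T zmq_ctx_new
0000000000012400 T zmq_ctx_term
0000000000012600 T zmq_added_placeholder
0000000000031000 t internal_placeholder
EOF
symbols_missing_from_file "$SAMPLE_SYMBOLS" "$SAMPLE_NM"   # zmq_added_placeholder
symbols_lost_from_library "$SAMPLE_SYMBOLS" "$SAMPLE_NM"   # zmq_removed_placeholder
```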
No reliance on obsolete or orphaned packages.
[UI standards]
N/A, since this is a library.
[Dependencies]
Some dependencies are not in main, but we drive MIR for all related packages
that are not in main at the same time.
Please check the list of bugs from the main Mailman3 MIR in bug 1775427 to get an overview.
[Standards compliance]
No FHS violations.
d/control declares a somewhat current Standards-Version, 4.3.0.
Just found the mismatch between dev and runtime major versions in the package
name a bit odd.
Source package is trivial to maintain; d/rules uses debhelper and is easy to
understand.
[Maintenance]
The Server team will subscribe to the package for maintenance.
[Background]
None at this time.
Not yet subscribing the MIR Team until the FTBFS is fixed and it has been clarified why the package was demoted since the former MIR.