linuxdeepin / developer-center

Deepin developer center, provide developer wiki and community forum.

[Deepin Integration]~[V23-Beta2] update glibc to 2.35-4 by UTsweetyfish@deepin-community/glibc by deepin-community-ci-bot[bot] #5268

Closed deepin-bot[bot] closed 11 months ago

deepin-bot[bot] commented 1 year ago

Package information | 软件包信息

integrationinfo:

| Package name (包名) | Version (版本) |
|---|---|
| glibc | 2.35-deepin3 |
| glib2.0 | 2.74.6-2 |
| meson | 1.1.1-1 |
| netcdf | 1:4.9.2-1deepin |
| heimdal | 7.8.git20221117.28daf24+dfsg-3 |
| assimp | 5.2.5~ds0-1 |
| linux-atm | 1:2.5.1-4 |
| cups | 2.4.2-5 |
| fltk1.3 | 1.3.8-5deepin |
| trilinos | 13.2.0-4 |
| valgrind | 1:3.19.0-1 |
| nfs-utils | 1:2.6.3-3 |
| ismrmrd | 1.8.0-2 |
| libstrophe | 0.12.3-1 |
| loudmouth | 1.5.4-1 |
| dot2tex | 2.11.3-3 |
| ecbuild | 3.8.0-1 |
| dh-lua | 29 |
| openldap | 2.5.13+dfsg-5 |
| apache2 | 2.4.57-2 |
| apr | 1.7.2-3 |
| apr-util | 1.6.3-1 |
| audit | 1:3.0.9-1deepin1 |
| ceph | 14.2.21-1.1 |
| courier-authlib | 0.71.1-2 |
| cups-filters | 1.28.17-3deepin |
| curl | 8.3.0-2 |
| libtool | 2.4.7-7deepin1 |
| cyrus-sasl2 | 2.1.27.1-deepin |
| evolution-data-server | 3.42.1-deepin |
| gconf | 3.2.6-7 |
| gnupg2 | 2.2.27-2 |
| isc-dhcp | 4.4.3.1-1+dde |
| kldap | 21.08.1.1-deepin1 |
| krb5 | 1.20.1-4 |
| python-kdcproxy | 1.0.0-1 |
| pyrad | 2.1-3 |
| ~libnfsidmap~ | ~0.25-6~ |
| libreswan | 4.7-1 |
| php7.4 | 7.4.21-2+deb11u1 |
| postgresql-15 | 15.3-1deepin1 |
| postgresql-16 | 16.0-2 |
| postgresql-common | 255 |
| spirv-llvm-translator-14 | 14.0.0-8deepin |
| spirv-headers | 1.6.1+1.3.250.0-1 |
| llvm-toolchain-15 | 1:15.0.7-10 |
| python-ldap | 3.2.0-4-deepin1 |
| quota | 4.06-1 |
| samba | 2:4.16.11+dfsg-1 |
| seahorse | 41.0-1 |
| sendmail | 8.17.1.9-1 |
| strongswan | 5.9.5-2 |
| dee | 1.2.7+17.10.20170616-7 |
| ocaml | 4.13.1-4 |
| findlib | 1.9.6-1 |
| ocamlbuild | 0.14.0-2 |
| cppo | 1.6.9-3 |
| ocaml-csexp | 1.5.2-4 |
| ocaml-dune | 3.9.1-1 |
| ocaml-integers | 0.7.0-3 |
| lwt | 5.6.1-4 |
| ocaml-ctypes | 0.17.1-2 |
| ounit | 2.2.7-1 |
| ppxlib | 0.30.0-2 |
| react | 1.2.1-1-deepin1 |
| ocaml-result | 1.5-deepin2 |
| ocaml-mmap | 1.2.0-3 |
| ocplib-endian | 1.2-3 |
| ocaml-topkg | 1.0.3-1 |
| janest-ocaml-compiler-libs | 0.12.4-4 |
| ocaml-sexplib0 | 0.16.0-3 |
| ppx-derivers | 1.2.1-3 |
| dh-ocaml | 2.0 |
| ocaml-bigarray-compat | 1.1.0-3 |

Package repository address | 软件包仓库地址

deb [trusted=yes] https://ci.deepin.com/repo/obs/deepin:/CI:/TestingIntegration:/test-integration-pr-349/testing/ ./

Changelog | 更新信息

glibc (2.35-deepin3) unstable; urgency=medium

glib2.0 (2.74.6-2) unstable; urgency=medium

meson (1.1.1-1) experimental; urgency=medium

netcdf (1:4.9.2-1deepin) unstable; urgency=medium

heimdal (7.8.git20221117.28daf24+dfsg-3) unstable; urgency=medium

assimp (5.2.5~ds0-1) unstable; urgency=medium

linux-atm (1:2.5.1-4) unstable; urgency=medium

cups (2.4.2-5) unstable; urgency=medium

fltk1.3 (1.3.8-5deepin) unstable; urgency=medium

trilinos (13.2.0-4) unstable; urgency=medium

valgrind (1:3.19.0-1) unstable; urgency=medium

nfs-utils (1:2.6.3-3) unstable; urgency=medium

ismrmrd (1.8.0-2) unstable; urgency=medium

libstrophe (0.12.3-1) unstable; urgency=medium

loudmouth (1.5.4-1) unstable; urgency=medium

dot2tex (2.11.3-3) unstable; urgency=medium

[ Debian Janitor ]

ecbuild (3.8.0-1) unstable; urgency=medium

dh-lua (29) unstable; urgency=medium

openldap (2.5.13+dfsg-5) unstable; urgency=medium

apache2 (2.4.57-2) unstable; urgency=medium

apr (1.7.2-3) unstable; urgency=medium

apr-util (1.6.3-1) unstable; urgency=medium

[ Stefan Fritsch ]

audit (1:3.0.9-1deepin1) unstable; urgency=medium

[ Gui-Yue ]

ceph (14.2.21-1.1) unstable; urgency=medium

courier-authlib (0.71.1-2) unstable; urgency=medium

cups-filters (1.28.17-3deepin) unstable; urgency=medium

curl (8.3.0-2) unstable; urgency=medium

libtool (2.4.7-7deepin1) unstable; urgency=medium

cyrus-sasl2 (2.1.27.1-deepin) UNRELEASED; urgency=medium

evolution-data-server (3.42.1-deepin) stable; urgency=medium

gconf (3.2.6-7) UNRELEASED; urgency=medium

gnupg2 (2.2.27-2) unstable; urgency=medium

isc-dhcp (4.4.3.1-1+dde) UNRELEASED; urgency=medium

kldap (21.08.1.1-deepin1) unstable; urgency=medium

krb5 (1.20.1-4) unstable; urgency=low

[ Steve Langasek ]

python-kdcproxy (1.0.0-1) unstable; urgency=medium

pyrad (2.1-3) unstable; urgency=low

[ Debian Janitor ]

~libnfsidmap (0.25-6) unstable; urgency=medium~

~* QA upload.~
~* Set Maintainer to Debian QA Group. (see #925022)~
~* Build depend on automake instead of automake1.11. (Closes: #865185)~

~[ Andreas Hasenack ]~
~* d/p/03-uid-map-krb5.patch: fix uid mapping when sec=krb5 is used (Closes: #581199, #924425)~

libreswan (4.7-1) UNRELEASED; urgency=medium

php7.4 (7.4.21-2+deb11u1) UNRELEASED; urgency=medium

postgresql-15 (15.3-1deepin1) unstable; urgency=medium

postgresql-16 (16.0-2) unstable; urgency=medium

postgresql-common (255) unstable; urgency=medium

spirv-llvm-translator-14 (14.0.0-8deepin) unstable; urgency=medium

spirv-headers (1.6.1+1.3.250.0-1) unstable; urgency=medium

llvm-toolchain-15 (1:15.0.7-10) unstable; urgency=medium

[ Gianfranco Costamagna ]

python-ldap (3.2.0-4-deepin1) unstable; urgency=medium

quota (4.06-1) unstable; urgency=medium

samba (2:4.16.11+dfsg-1) unstable; urgency=medium

seahorse (41.0-1) unstable; urgency=medium

sendmail (8.17.1.9-1) UNRELEASED; urgency=medium

strongswan (5.9.5-2) unstable; urgency=medium

[ Deepin Packages Builder ]

dee (1.2.7+17.10.20170616-7) UNRELEASED; urgency=medium

ocaml (4.13.1-4) unstable; urgency=medium

findlib (1.9.6-1) unstable; urgency=medium

ocamlbuild (0.14.0-2) unstable; urgency=medium

cppo (1.6.9-3) unstable; urgency=medium

ocaml-csexp (1.5.2-4) unstable; urgency=medium

ocaml-dune (3.9.1-1) unstable; urgency=medium

ocaml-integers (0.7.0-3) unstable; urgency=medium

lwt (5.6.1-4) unstable; urgency=medium

ocaml-ctypes (0.17.1-2) unstable; urgency=medium

ounit (2.2.7-1) unstable; urgency=medium

ppxlib (0.30.0-2) unstable; urgency=medium

react (1.2.1-1-deepin1) unstable; urgency=medium

ocaml-result (1.5-deepin2) unstable; urgency=medium

ocaml-mmap (1.2.0-3) unstable; urgency=medium

ocplib-endian (1.2-3) unstable; urgency=medium

ocaml-topkg (1.0.3-1) unstable; urgency=medium

janest-ocaml-compiler-libs (0.12.4-4) unstable; urgency=medium

ocaml-sexplib0 (0.16.0-3) unstable; urgency=medium

[ Stéphane Glondu ]

ppx-derivers (1.2.1-3) unstable; urgency=medium

dh-ocaml (2.0) unstable; urgency=medium

ocaml-bigarray-compat (1.1.0-3) unstable; urgency=medium

Test suggestion | 测试建议

Influence | 影响范围

ADDITIONAL INFORMATION | 额外补充

deepin-bot[bot] commented 1 year ago

IntegrationProjector Bot Deepin Testing Integration Project Manager Info Link to https://github.com/deepin-community/Repository-Integration/pull/349

babyfengfjx commented 1 year ago

@kobe337 please start the integration verification. It was mentioned above that testing is done without adding the internal-testing repo; this point needs to be clarified: what is the reason the internal-testing repo cannot be added?

UTsweetyfish commented 1 year ago

> @kobe337 please start the integration verification. It was mentioned above that testing is done without adding the internal-testing repo; this point needs to be clarified: what is the reason the internal-testing repo cannot be added?

For historical reasons the libc6 version number in the internal-testing repo is incorrect and higher than the one in this integration (internal-testing repo 2.35-deepin1 > this integration 2.35-4 > V23 Beta 2.35-1), so using the internal-testing repo would require a downgrade.

kobe337 commented 1 year ago

After discussing with the development colleagues: the version number needs to be bumped. Verification will continue once the version number has been changed, so that direct updates from the internal-testing repo are supported.

kobe337 commented 1 year ago

After discussing with the development colleagues: since the new approach involves a large number of package dependencies, these need to be resolved before resubmitting for testing.

UTsweetyfish commented 1 year ago

gloox is in community; the integration of gloox is dropped.

UTsweetyfish commented 1 year ago

python-iptables is in community.

UTsweetyfish commented 1 year ago

eckit is integrated via OBS: https://build.deepin.com/request/show/610

UTsweetyfish commented 1 year ago

dummy:

Details:

```
Package: dummy-20230831
Version: 0
Architecture: all
Depends: dh-lua (>= 27+nmu1~), libc-dev-bin (>= 2.31-8), nscd (>= 2.35), locales (>= 2.35), locales-all (>= 2.35), wcc (>= 0.0.2+dfsg-3), openssh-server (>= 1:8.1p1-5), busybox (>= 1.30.1-6), libgegl-0.4-0 (>= 0.4.18), aide (>= 0.17.3-4+b3), python3-iptables (>= 1.0.0-2), fakechroot (>= 2.19-3.5), chrony (>= 4.2-3~), valgrind (>= 1:3.19.0-1~), firefox (>= 91~), firefox-esr (>= 91~), libassimp-dev (>> 5.2.4~ds0-1), libeckit-dev (>> 1.20.0-1), libfltk1.3-dev (>> 1.3.8-4+b1), libismrmrd-dev (>> 1.8.0-2), libnetcdf-dev (>> 1:4.9.0-3), libtrilinos-amesos2-dev (>> 13.2.0-3), libtrilinos-amesos-dev (>> 13.2.0-3), libtrilinos-anasazi-dev (>> 13.2.0-3), libtrilinos-aztecoo-dev (>> 13.2.0-3), libtrilinos-belos-dev (>> 13.2.0-3), libtrilinos-epetra-dev (>> 13.2.0-3), libtrilinos-epetraext-dev (>> 13.2.0-3), libtrilinos-galeri-dev (>> 13.2.0-3), libtrilinos-ifpack2-dev (>> 13.2.0-3), libtrilinos-ifpack-dev (>> 13.2.0-3), libtrilinos-intrepid2-dev (>> 13.2.0-3), libtrilinos-intrepid-dev (>> 13.2.0-3), libtrilinos-isorropia-dev (>> 13.2.0-3), libtrilinos-kokkos-dev (>> 13.2.0-3), libtrilinos-kokkos-kernels-dev (>> 13.2.0-3), libtrilinos-komplex-dev (>> 13.2.0-3), libtrilinos-ml-dev (>> 13.2.0-3), libtrilinos-moertel-dev (>> 13.2.0-3), libtrilinos-muelu-dev (>> 13.2.0-3), libtrilinos-nox-dev (>> 13.2.0-3), libtrilinos-phalanx-dev (>> 13.2.0-3), libtrilinos-pike-dev (>> 13.2.0-3), libtrilinos-piro-dev (>> 13.2.0-3), libtrilinos-pliris-dev (>> 13.2.0-3), libtrilinos-rol-dev (>> 13.2.0-3), libtrilinos-rtop-dev (>> 13.2.0-3), libtrilinos-rythmos-dev (>> 13.2.0-3), libtrilinos-sacado-dev (>> 13.2.0-3), libtrilinos-shylu-dev (>> 13.2.0-3), libtrilinos-stokhos-dev (>> 13.2.0-3), libtrilinos-stratimikos-dev (>> 13.2.0-3), libtrilinos-teko-dev (>> 13.2.0-3), libtrilinos-teuchos-dev (>> 13.2.0-3), libtrilinos-thyra-dev (>> 13.2.0-3), libtrilinos-tpetra-dev (>> 13.2.0-3), libtrilinos-trilinoscouplings-dev (>> 13.2.0-3), libtrilinos-triutils-dev (>> 13.2.0-3), libtrilinos-xpetra-dev (>> 13.2.0-3), libtrilinos-zoltan2-dev (>> 13.2.0-3), libvtk7-dev (>> 7.1.1+dfsg2-10.2), libasyncns-dev (>> 0.8-6+b2), libatm1-dev (>> 1:2.5.1-4), libcups2-dev (>> 2.4.2-1), libghc-resolv-dev (>> 0.1.2.0-3), libghc-resolv-prof (>> 0.1.2.0-3), libglib2.0-dev (>> 2.72.3-1), libgloox-dev (>> 1.0.24-2+b1), libhesiod-dev (>> 3.2.1-3.1+b1), libldap-dev (>> 2.5.12+dfsg-2), libloudmouth1-dev (>> 1.5.4-1), libmongoc-dev (>> 1.22.1-1), libnfsidmap-dev (>> 1:2.6.1-2), libslurm-dev (>> 21.08.8.2-1), libstrophe-dev (>> 0.12.1-2), open-vm-tools-dev (>> 2:12.0.5-2), catch (>= 1.12.2-0.1), heimdal-multidev (>> 7.7.0+dfsg-4)
```

apt output for the dummy package:

```
dummy-20230831 :
 依赖: python3-iptables (>= 1.0.0-2) 但是它将不会被安装
 依赖: chrony (>= 4.2-3~) 但是它将不会被安装
 依赖: libvtk7-dev (> 7.1.1+dfsg2-10.2) 但是它将不会被安装
 依赖: libgloox-dev (> 1.0.24-2+b1) 但是它将不会被安装
 依赖: libldap-dev (> 2.5.12+dfsg-2)
 依赖: libmongoc-dev (> 1.22.1-1) 但是它将不会被安装
 依赖: libslurm-dev (> 21.08.8.2-1) 但是它将不会被安装
```

Zeno-sole commented 11 months ago

Additional test suggestions: verify CVE-2023-4911, verify that cross-version updates work correctly, and verify that system services are not abnormal after the upgrade.

UTsweetyfish commented 11 months ago

Update information

Possible impact

  1. glibc 2.35-deepin2 may make some packages uninstallable; the known list is at 5268#issuecomment-1706120282
  2. Updating openldap to 2.5 may make some packages uninstallable. The packages in the main component have been kept usable as far as possible, but some packages in main may still fail to install; some packages in community may also fail to install:

     ```
     # main
     libreoffice
     # community
     cpu
     ldap2zone
     ldapvi
     libnet-ldapapi-perl
     mailutils
     sope
     squidguard
     ```
  3. libppx-derivers-ocaml-dev is downgraded (1.2.1-deepin1 -> 1.2.1-3)
  4. gnupg1 recommends ldap-2.4 but does not depend on it; the impact is small.

Related topic

https://build.deepin.com/project/show/deepin:CI:topics:ocaml

babyfengfjx commented 11 months ago

@kobe337 please start the integration verification: first clarify the core impact points, carry out targeted verification, and inform the other team members to update at the same time as exploratory testing.

UTsweetyfish commented 11 months ago

CVE-2023-4911 related link: https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt

UTsweetyfish commented 11 months ago

libnfsidmap2 is now provided by nfs-utils; @Zeno-sole please remove libnfsidmap2 (src:libnfsidmap) during integration. See https://tracker.debian.org/news/1311233/removed-025-6-from-unstable/

kobe337 commented 11 months ago

Regarding the fix for CVE-2023-4911, after discussing with the development colleagues, the verification is as follows:

Based on the data provided upstream, the code was optimized and fixed so that as soon as an anomaly appears in the buffer it is handled accordingly. [image]

[screenshot: 截图_deepin-terminal_20231010140901] This version, glibc 2.35, falls within the vulnerable range; upstream gives the range as 2.34 <= glibc <= 2.38. After discussing with the development colleagues, this is a code optimization fix, and it will be updated to the latest version later.

kobe337 commented 11 months ago

【Environment】:
Image: https://cdimage.uniontech.com/community/releases/23-Beta2/
Repository: deb [trusted=yes] https://ci.deepin.com/repo/obs/deepin:/CI:/TestingIntegration:/test-integration-pr-349/testing/ ./
Kernel: Linux deepin-PC 6.1.32-amd64-desktop-hwe #23.01.00.20 SMP PREEMPT_DYNAMIC Mon Sep 11 14:16:03 CST 2023 x86_64 GNU/Linux

【Conclusion】: Test passed; all packages submitted for testing installed successfully; no serious problems or impact so far.

【Supplement】: After discussing with the development colleagues: once the internal-testing update is applied, the openldap 2.4 packages will be removed (they are present in the test environment), so the openldap 2.5 dependencies will have problems; a fix is planned for next week. The specific impact is shown in the image below: [image]

- valgrind: a collection of open-source (GPL v2) emulation-based debugging tools for detecting memory leaks and memory violations and for analysing cache behaviour (valg)
- curl: a command-line tool for transferring data to and from servers (curl)
- clang: the component of the LLVM compiler toolset used to compile C, C++ and Objective-C (llvm-toolchain-15)
- PostgreSQL: a powerful open-source object-relational database system (postgresql-16)