nick | message | time |
---|---|---|
kiboneu | morn | 02:21 |
amurray | hey kiboneu | 06:00 |
LocutusOfBorg | hello guys, the latest jinja2 CVE regressed the python2 https://bugs.launchpad.net/ubuntu/+source/jinja2/+bug/2102129 | 14:49 |
LocutusOfBorg | can anybody please revert or try to fix? | 14:49 |
ebarretto | LocutusOfBorg: I will forward it internally | 14:52 |
LocutusOfBorg | we can workaround if testing is needed, let me know | 14:53 |
LocutusOfBorg | I have some ideas to change getattr_static into getattr for python2 | 14:53 |
ebarretto | LocutusOfBorg: just missed one piece of information there: in which release did you see the issue? And if you tested in more than one, I imagine all will fail the same given python2 | 14:56 |
ebarretto | and thanks for the report btw :) | 14:57 |
mdeslaur | LocutusOfBorg: I hope you don't mind, I made the bug public so others can find it | 15:32 |
teward | remind me to go yell at IS | 15:47 |
teward | because the CVE tracker is 500ing again | 15:47 |
teward | mdeslaur: ebarretto: is the CVE tracker data still on bzr or did you finally move it to git? | 15:48 |
* teward is tempted to just pull down a copy and grep the old-fashioned way | 15:48 |
ebarretto | teward: it is on git | 15:48 |
teward | i still only have the ancient bzr, do you have the updated git URL? | 15:49 |
ebarretto | https://git.launchpad.net/~ubuntu-security/ubuntu-cve-tracker | 15:49 |
teward | thank you kindly | 15:50 |
teward | (that's a lot of objects, >1GiB in size) | 15:51 |
teward | ebarretto: to answer your question about 'release', LoB is referring to 2.10.1, which I believe is only in focal right now at the very least, so you can probably mark for LoB's info that it's at least in focal | 15:54 |
teward | (one thing i like about the git data is i can see allllll the CVEs xD) | 15:54 |
teward | ebarretto: i can spin some containers to test the other distros, except I don't have enough esm-infra licensing for containers if you'd like me to do some things for LoB's reported jinja2 regression | 15:55 |
teward | ebarretto: confirmed Focal is all I can test, every version of src:jinja2 in jammy and later are all Python 3 flavored. | 16:08 |
teward | (updated LoB's bug with what I could test) | 16:11 |
ebarretto | thanks teward | 16:29 |
ebarretto | from what we can see trusty and xenial got a correct fix, only bionic and later are affected | 16:29 |
ebarretto | John will be uploading a new version soon | 16:29 |
ebarretto | this is also John's first regression, so we are celebrating his achievement :) | 16:30 |
teward | LocutusOfBorg: ^^ for status updates | 16:30 |
teward | ebarretto: tell John "good job, you broke it, time to fix it." xD | 16:30 |
ebarretto | ahahah message forwarded | 16:32 |
ebarretto | and thanks again for all the reports and tests, and sorry for the inconvenience | 16:32 |
teward | not an inconvenience :P | 17:36 |
LocutusOfBorg | teward, yes because after focal the python2 was deprecated... | 17:40 |
teward | LocutusOfBorg: yep, but i'm just doing follow-up and "due diligence" in testing - and you were asked to verify affected suites and didn't reply, so I did some testing ;) | 17:40 |
LocutusOfBorg | thanks for fixing! | 17:40 |
teward | that way ebarretto, etc. don't go unanswered. | 17:40 |
LocutusOfBorg | I can test right now | 17:41 |
LocutusOfBorg | I was afk | 17:41 |
LocutusOfBorg | you know, the aws world was blown today due to this security update, once I got a fix I had to speak with many people | 17:41 |
LocutusOfBorg | let me know if you have any fix and I'll happily test it | 17:42 |
teward | LocutusOfBorg: i think that's on John, according to ebarretto, Trusty and Xenial got the correct fix, only Bionic and later are affected, except for those which went to Py3 | 17:46 |
teward | so unless you have spare Pro licenses to devote to test machines for Bionic and Focal... :P | 17:47 |
teward | (I just don't have spare Pro licenses right now for ESM) | 17:47 |
LocutusOfBorg | oh no I only have focal machine | 17:51 |
ebarretto | focal is already building in the ppa: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=jinja&field.status_filter=published&field.series_filter= just pending publishing there. If you could both test it, | 17:51 |
ebarretto | we'd appreciate it | 17:51 |
LocutusOfBorg | but if you throw me a deb... | 17:51 |
LocutusOfBorg | tested successfully! | 17:55 |
LocutusOfBorg | btw it would be nice to know if we could have had some autopkgtest to trigger such a regression and not release on security pocket | 17:58 |
teward | ebarretto: i didn't install jinja, but i executed the same steps that triggered the alert in a Python2 environment, which was that import line | 18:01 |
teward | which is how it traces down to a Python2 issue | 18:01 |
teward | LoB would be in better place to actually *test* jinja2 itself than I would :) | 18:02 |
teward | I am also currently At War (TM) with StackOverflow for banning my static IP range from their services for no apparent reason, so i'm a little preoccupied. | 18:02 |
ebarretto | LocutusOfBorg: we do have autopkgtest for security-proposed, and from what I see nothing failed. Probably most of the packages are using py3 and perhaps that was why it didn't show up to us. Nevertheless John will add some testing for it in our test suite for us to not miss it again | 18:04 |
LocutusOfBorg | thanks, this is really appreciated | 18:05 |
LocutusOfBorg | and on my side I'll try to make sure that we use the yocto provided python2 package, and not the Ubuntu one. The main goal of yocto is to build everything from scratch to not have divergences due to server/versions of tools, but our supplier didn't know that :D | 18:05 |
LocutusOfBorg | teward, the fix looks good to me | 18:06 |
teward | ebarretto: ^^ | 18:06 |
ebarretto | thanks both! we are just waiting launchpad to finish doing its thing | 18:07 |
john-breton | i also just wanted to come in and thank you both for your prompt testing and involvement, and to thank ebarretto for letting me know about the issue in the first place. As mentioned I will be adding in some tests to try to ensure this doesn't happen again | 18:41 |
teward | john-breton: no worries, i needed access to the CVE tracker data anyways to check a CVE, fortunately I know that it's on git somewhere for when the website is glitchy so i was coming in here anyways | 18:43 |
teward | was happy to loan a bit of testing ;) | 18:43 |
teward | *returns to his ongoing feud with StackOverflow* | 18:44 |
=== john-breton_ is now known as john-breton |