Bug 6922 - update mariadb for feedback plugin bug
: update mariadb for feedback plugin bug
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: RPM Packages
: 2
: All Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
:
:
: MGA2-32-OK MGA2-64-OK
: Security, validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-07-31 22:23 CEST by AL13N
Modified: 2013-01-23 21:25 CET (History)
5 users (show)

See Also:
Source RPM: mariadb
CVE:
Status comment:


Attachments
Screenshot of phpmyadmin (210.60 KB, image/png)
2012-08-26 21:24 CEST, Dave Hodgins
Details

Description AL13N 2012-07-31 22:23:41 CEST
I've submitted mariadb-5.5.25-2.mga2 for update testing.

This update specifically adds an upstream patch which should fix the feedback OS problem.

How to test:

0. check http://mariadb.org/feedback_plugin/stats/os/ for the linux number
1. install mariadb
2. install mariadb-feedback
3. in my.cnf, in the load-plugin section, add

;feedback.so

4. restart mysqld service
5. check in logs if feedback is loaded properly and if it says POST ok (wrt feedback)
6. check with http://mariadb.org/feedback_plugin/stats/os/ if it has been increased with one. it is possible that you could wait 24h for this.
7. (also check regressions)
Comment 1 Thomas Backlund 2012-08-01 01:10:34 CEST
So let me get this straight...

they asked you to ask Mageia users to enable a feature that nether they nor you as the maintainer checked/verified to be working when pushing 5.5.25-1 and posting the request on mls and forum ....


And now you ask QA to do the mariadb tests all over again for no real enduser gain ?

IMHO this is not worth the effort at this time, not to mention useless downloads/installs for endusers stable systems... imho it can wait until the next 
real fixes to mariadb needs to be pushed...

But I'll let QA decide
Comment 2 Samuel Verschelde 2012-08-01 08:54:51 CEST
AL13N, do you foresee other mariadb updates in the coming weeks?
Comment 3 AL13N 2012-08-01 09:34:18 CEST
(In reply to comment #1)
> So let me get this straight...
> 
> they asked you to ask Mageia users to enable a feature that nether they nor you
> as the maintainer checked/verified to be working when pushing 5.5.25-1 and
> posting the request on mls and forum ....

ah no... it is my fault.

I saw the OS stats, and thought it'd be nice to have more Linux (mageia) stats. So i requested this, after i tested myself.

But alas, even though the post worked, one of the fields wasn't correctly filled (OS stat). I noticed this bug only yesterday, because the linux stat wasn't increasing. at first i thought only the stat wasn't regenerated.

(the post call did succeed, so the logs showed that all was ok)

the 5.5.26 is in the works, but it might be until end of august before it goes through. and afaik there is no major or security bug.

So, i'm not sure if i'll update if there isn't any such bug.

for testing, i thought it might be nice for the people who did have enabled feedback plugin before to test this.
Comment 5 Samuel Verschelde 2012-08-04 19:49:59 CEST
AL13N, what about asking to those who have enabled the plugin to install the update candidate (so that the feedback works for them already) and report here that everything goes well, so that QA doesn't have to test this update? You can tell them that you guarantee that, although this is an update candidate, you broke nothing :)

Then, depending on the news you get about future security fixes or bugfixes that are worth pushing, we'd decide together whether to push the update to all users or wait for the next.
Comment 6 AL13N 2012-08-05 13:14:04 CEST
that was the plan :-). i've added a comment in the forum, linking to this validation bug, so that they can validate here.
Comment 7 AL13N 2012-08-22 18:16:04 CEST
hold off on testing or validating for a bit, i'm not sure, but there might be an important fix soon-ish... i'll let you guys know if i have more info
Comment 8 claire robinson 2012-08-22 18:25:35 CEST
Thanks for letting us know AL13N, holding off until we hear from you again :)
Comment 9 Thomas Backlund 2012-08-22 19:48:58 CEST
assigning back to AL13N then until there is something real need to validate
Comment 10 AL13N 2012-08-23 00:43:14 CEST
ok, i'll be submitting mariadb-5.5.25-2.1.mga2 soon... it seems that last time, i forgot to set subrel and thus i changed release instead /o\

i donno if i should be releasing 1.1 instead; since rel 2 it was only in updates_testing repos...

This patch will be fixing a replication issue if your master < 5.5.25 (and this is a slave)
Comment 11 Dave Hodgins 2012-08-26 18:54:32 CEST
The count for Mageia 2 at http://mariadb.org/feedback_plugin/stats/distros/
was 13 before I enabled the feedback in two VB installs (one i586 and one
x86-64), including the kde config, about 5 hours ago.

I've tested both installs using phpmyadmin and glpi.

Do you want to wait until tomorrow to see if the count goes up, or should
I go ahead and validate this update?
Comment 12 Samuel Verschelde 2012-08-26 19:03:31 CEST
What about regression testing, all done already?
Comment 13 AL13N 2012-08-26 19:36:17 CEST
the important part is the replication part; since Oracle hasn't released this one yet, there is no doc, no reproducer or anything, but if someone could confirm that replication is working, it would be nice. if not, we shouldn't wait for this.

for mariadb it'll be fixed in 5.5.27 and oracle mysql, could be still a while before it's fixed...
Comment 14 AL13N 2012-08-26 19:37:19 CEST
oh and the feedback part is only regenerated once a day.

normally, if the logs say that the feedback POST was successful, it should be working.
Comment 15 Dave Hodgins 2012-08-26 21:24:12 CEST
Created attachment 2682 [details]
Screenshot of phpmyadmin

I've setup a Mageia 1 x86-64 mysqld as the master, and both Mageia 2 i586
and x86-64 as slaves.

As shown by the attached screenshot, replication is working.

Regarding the feedback, there is nothing in /var/log/mysqld/mysqld.log
saying the feeback worked or didn't work.
Comment 16 AL13N 2012-08-26 21:28:10 CEST
is the feedback plugin loaded? check with "SHOW PLUGINS"

also, the feedback plugin doesn't post it's message right away, it takes a few minutes for it do start it.
Comment 17 AL13N 2012-08-27 13:41:59 CEST
sorry, another patch needs to be added, i'll rebuild a new version with a patch as soon as possible (BS will need to get fixed too)
Comment 18 Dave Hodgins 2012-08-27 16:17:07 CEST
Removing the ok tags, till the new version gets tested.
Comment 19 Dave Hodgins 2012-08-28 20:42:17 CEST
120827 19:11:57 [Note] feedback plugin: server replied 'ok'
120827 23:06:10 [Note] feedback plugin: report to 'http://mariadb.org/feedback_plugin/post' was sent
120827 23:06:13 [Note] feedback plugin: server replied 'ok'

Took a while, but the count at http://mariadb.org/feedback_plugin/stats/distros/
finally increased from 13 to 17, two of which should be my vb installs.
Comment 20 AL13N 2012-08-29 22:41:42 CEST
mariadb-5.5.25-2.2.mga2 is submitted
Comment 21 Dave Hodgins 2012-08-30 02:22:08 CEST
Testing complete on Mageia 2 i586 and x86-64.

The feedback plugin now reports ok in /var/log/mysqld/mysqld.log and
in ~/.local/share/akonadi/db_data/mysql.err

Also tested using glpi and phpmyadmin.

Could someone from the sysadmin team push the srpm
mariadb-5.5.25-2.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory:  This security update for Mariadb corrects a problem that
is not yet being publicly disclosed.

In addition, a problem preventing the feedback plugin from working
has been corrected.

https://bugs.mageia.org/show_bug.cgi?id=6922
Comment 22 Thomas Backlund 2012-08-30 09:43:58 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0244
Comment 23 AL13N 2012-08-30 12:42:48 CEST
ah... i'd have preferred not to have mentioned security...
Comment 24 Thomas Backlund 2012-08-30 12:48:56 CEST
Then you as maintainer should have provided tha advisory as intended by the update request policy.

QA are not mindreaders... 

I really hope this didnt break an update embargo then...:/
Comment 25 AL13N 2012-08-30 12:54:51 CEST
i just checked, it seems we're still ok, it would've been better if it was differently formulated though.

i had informed david privately about the matter... but maybe i should've put the advisory myself... a thought for the future...

maybe we should have some kind of policy regarding such things...
Comment 26 AL13N 2012-08-30 12:58:04 CEST
i'm communicating with upstream regarding of future handlings, and the possibility of having a releasing embargodate as well... like a week before the disclosure date.
Comment 27 Thomas Backlund 2012-08-30 13:03:35 CEST
You mean the maintainer part:
https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29

Or embargo/disclosure part ?

the embargo/disclosure part is already "set in stone" 
cf old cross-distro/os vendor-sec list (it has a new name nowdays, but the same applies)


Regarding embargoed stuff _nothing_ can be submitted to public svn or public bugzilla or public buildsystem before embargo is lifted...
Comment 28 AL13N 2012-08-30 20:32:30 CEST
i was speaking about disclosure part (i know i should've provided advisory)


well, the embargo/disclosure part is not set in stone (not for this).


This one comes from a mariadb-specific mailing list which are by invitation only. and their nondisclosure policy isn't written at all... specifically i was asked to "use common sense". i did mention i didn't have a private bugzilla or whatever, and that i was allowed to commit submit & release upfront, but that i was to have messages which would be allowed to specify the bug, but not relating to security.

after we talked, they said they would look into the matter and maybe organize this a bit better and perhaps even ask for release dates (maybe have a release embargo a week before the full disclosure date)


for mageia, we don't have a private bugzilla, we don't have private git, or private buildsystem or whatever...

So, that part is something that we should have a policy of. The idea of discribing the bug, and not mentioning security appeals to me.
Comment 29 David Walser 2013-01-23 21:25:52 CET
The CVE for this (CVE-2012-4414) finally hit LWN.  Our advisory was updated to reflect the CVE a while ago.  OpenSuSE just issued an advisory with the CVE.  Just in case anyone is looking for it.

http://lwn.net/Vulnerabilities/533755/

Note You need to log in before you can comment on or make changes to this bug.