Your message dated Wed, 30 Oct 2019 19:19:35 +0000
with message-id <[email protected]>
and subject line Bug#889346: fixed in pure-ftpd 1.0.49-1
has caused the Debian Bug report #889346,
regarding pure-ftpd-mysql: pure-ftpd fails to start on newer MariaDB servers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
889346: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889346
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pure-ftpd-mysql
Severity: important

Hello,

Pure-ftpd fails to start on newer MariaDB versions (>=10.2) due to an issue
with my_make_scrambled_password. Full comment by MariaDB developers below. More
info at
https://jira.mariadb.org/browse/MDEV-12889?focusedCommentId=97156&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-97156

Quoted comment:
"There is definitely an issue with pureftpd. Or, rather, there was. Here's the
full story:

In its early days, say, about 20 years ago, libmysqlclient did not version
symbols and did not limit their visibility. Some functions were documented —
they were client API, and we promised to keep them stable, working over years.
Other functions were not documented, they were internal, no promises. But they
were exported and available too.

Later, in MariaDB time, we took a closer look at that. RedHat was versioning
libmysqlclient symbols. Old symbols from libmysqlclient.so.16.0.0 had the
version libmysqlclient_16, newer symbols had the version libmysqlclient_18.
Internal symbols were hidden, with few exceptions. One of such exceptions was
my_make_scrambled_password, because pureftpd started using it since the old
days, when everything was kind of allowed. Debian had a different, simpler (and
less correct) approach to versioning, all symbols had libmysqlclient_18
version. In MariaDB we managed to create a library compatible with both
approaches. my_make_scrambled_password was not hidden, with the comment "for
pureftpd".

Now, a couple of days ago, I wanted to report this bug to pureftpd, to have it
finally fixed and not use internal non-public libmysqlclient symbols. And I
found that pureftpd source has this:

# ifdef HAVE_MY_MAKE_SCRAMBLED_PASSWORD
        my_make_scrambled_password(scrambled_password, password,
                                   strlen(password));
# elif defined(HAVE_MAKE_SCRAMBLED_PASSWORD)
        make_scrambled_password(scrambled_password, password);
# else
        {
            SHA1_CTX       ctx;
            unsigned char  h0[20], h1[20];
            char          *p;

            SHA1Init(&ctx);
            SHA1Update(&ctx, password, strlen(password));
            SHA1Final(h0, &ctx);
            SHA1Init(&ctx);
            SHA1Update(&ctx, h0, sizeof h0);
            pure_memzero(h0, sizeof h0);
            SHA1Final(h1, &ctx);
            *scrambled_password = '*';
            hexify(scrambled_password + 1U, h1,
                   (sizeof scrambled_password) - 1U, sizeof h1);
            *(p = scrambled_password) = '*';
            while (*p++ != 0) {
                *p = (char) toupper((unsigned char) *p);
            }
        }
# endif

That is, it only uses make_scrambled_password if it's available, otherwise it
can perfectly do without. So, now it's Debian bug, because they build pureftpd
to use internal libmysqlclient symbols, while they perfectly can avoid that.

Even more, I've found that in the latest pureftpd sources on github, they've
removed this ifdef and don't use make_scrambled_password at all anymore.
https://github.com/jedisct1/pure-ftpd/commit/27443b29320d85352d8b52c0120836843e10c0f9

So it was pureftpd issue, and they've fixed it.
Sergei Golubchik
Missing versioning is our issue and we'll fix it." - Sergei Golubchik


Waiting for the newer version to trickle down through the normal release cycle
would mean that everyone that uses pure-ftpd with newer MariaDB servers will
wait at least a couple of years for a solution, which in production
environments is not an acceptable solution. The easiest solution would be to
provide an up-to-date version through debian-backports, or alternatively bump
up the package in Debian stable to the latest version through an exception to
the normal release schedule.




-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages pure-ftpd-mysql depends on:
ii  libc6                             2.24-11+deb9u1
ii  libcap2                           1:2.25-1
pn  libmariadbclient18                <none>
ii  libpam0g                          1.1.8-3.6
ii  libssl1.1                         1.1.0f-3+deb9u1
ii  lsb-base                          9.20161125
pn  openbsd-inetd | inet-superserver  <none>
pn  pure-ftpd-common                  <none>
ii  zlib1g                            1:1.2.8.dfsg-5

pure-ftpd-mysql recommends no packages.

pure-ftpd-mysql suggests no packages.

--- End Message ---
--- Begin Message ---
Source: pure-ftpd
Source-Version: 1.0.49-1

We believe that the bug you reported is fixed in the latest version of
pure-ftpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <[email protected]> (supplier of updated pure-ftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 30 Oct 2019 19:37:46 +0200
Source: pure-ftpd
Architecture: source
Version: 1.0.49-1
Distribution: unstable
Urgency: medium
Maintainer: Stefan Hornburg (Racke) <[email protected]>
Changed-By: Stefan Hornburg (Racke) <[email protected]>
Closes: 889346 940505 943813
Changes:
 pure-ftpd (1.0.49-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #943813, #940505, #889346)
   * Ignore FSCharset and ClientCharset options which have been removed in release 1.0.48.

--- End Message ---
