LISTSERV - SCIENTIFIC-LINUX-DEVEL Archives

SCIENTIFIC-LINUX-DEVEL Archives

August 2015

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-DEVEL Home
	SCIENTIFIC-LINUX-DEVEL August 2015

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Broken security upgrade
From:	Patrick Riehecky <[log in to unmask]>
Reply To:	Patrick Riehecky <[log in to unmask]>
Date:	Wed, 5 Aug 2015 13:49:19 +0000
Content-Type:	text/plain
Parts/Attachments:	text/plain (64 lines)

Hello,

I can answer part of your questions.  The rpm packages were added to the security push to resolve an order of operations issue addressed by the OrderWithRequires tag.

I'm afraid I don't have a working maven installation, what error messages are being provided?

--
Pat Riehecky
Scientific Linux developer

Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org

________________________________________
From: Mailing list for Scientific Linux developers worldwide [[log in to unmask]] on behalf of Paul Millar [[log in to unmask]]
Sent: Wednesday, August 05, 2015 6:12 AM
To: scientific-linux-devel
Subject: [SCIENTIFIC-LINUX-DEVEL] Broken security upgrade

Hi,

I don't know if this is the correct place to report this, but a recent
security upgrade broke Scientific Linux 6.6 for building RPM packages.

The update was to 4.8.0-47:

     [root@vm-dcache-wn-sl6 ~]# grep Aug\ 04\ 04.*rpm /var/log/yum.log
     Aug 04 04:34:44 Installed: redhat-rpm-config-9.0.3-44.sl6.noarch
     Aug 04 04:34:46 Updated: rpm-4.8.0-47.el6.x86_64
     Aug 04 04:34:46 Updated: rpm-libs-4.8.0-47.el6.x86_64
     Aug 04 04:34:47 Updated: rpm-build-4.8.0-47.el6.x86_64
     Aug 04 04:34:47 Updated: rpm-python-4.8.0-47.el6.x86_64
     [root@vm-dcache-wn-sl6 ~]#

This happened automatically, via yum-autoupdate.

After this upgrade, the rpmbuild command started to fail.  The command
that failed was:

     rpmbuild -bb --define _topdir <> --buildroot <>
<>/SPECS/dcache-srmclient.spec

where I've used a "<>" to represent the absolute paths in the command.

The problem may be reproduced by cloning dCache from github and running
the command:

     mvn -am -pl modules/srm-client clean package -DskipTests -Prpm

Down-grading to v4.8.0-37 (and uninstalling the 'redhat-rpm-config'
package) is sufficient to fix the problem.

To confirm the cause, I re-ran yum manually, which upgraded the RPM
packages to v4.8.0-47.  This reintroduced the problem; so I am pretty
convinced the problem is with this security upgrade.

What I find odd is that there is no mention of a security issue with
RPM, so it isn't clear why the RPM packages have been updated.

Cheers,

Paul.

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV