--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
The attached debdiff fixes the FTBS. Details are in the relevant bugs
(as per the debian/changelog). Please allow me to upload the fix to
Buster.
Cheers,
Thomas Goirand (zigo)
diff -Nru cloudkitty-8.0.0/debian/changelog cloudkitty-8.0.0/debian/changelog
--- cloudkitty-8.0.0/debian/changelog 2019-01-24 14:45:39.000000000 +0100
+++ cloudkitty-8.0.0/debian/changelog 2019-06-28 15:01:45.000000000 +0200
@@ -1,3 +1,11 @@
+cloudkitty (8.0.0-4+deb10u1) buster; urgency=medium
+
+ * Add upstream patch to fix FTBFS after we updated SQLAlchemy to fix
+ CVE-2019-7164 CVE-2019-7548 (SQL injection) (see debian bug 922669 and
+ 929321 for more info) (Closes: #930996).
+
+ -- Thomas Goirand <zigo@debian.org> Fri, 28 Jun 2019 15:01:45 +0200
+
cloudkitty (8.0.0-4) unstable; urgency=medium
* Correct default path to metrics.yml in [collect]/metrics_conf.
diff -Nru cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch
--- cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch 1970-01-01 01:00:00.000000000 +0100
+++ cloudkitty-8.0.0/debian/patches/Fix_sqlalchemy_grouping_on_v1_storage.patch 2019-06-28 15:01:45.000000000 +0200
@@ -0,0 +1,39 @@
+Description: Fix sqlalchemy grouping on v1 storage (Fixes FTBFS in Buster)
+ This fixes "CompileError: Can't resolve label reference for
+ ORDER BY / GROUP BY." error messages raised by sqlalchemy when the groupby
+ expression includes a comma.
+Author: Luka Peschke <luka.peschke@objectif-libre.com>
+Date: Tue, 4 Jun 2019 15:21:05 +0200
+Change-Id: Ia253175b45b8222aaee415ea535fa4102312be5a
+Bug-Debian: https://bugs.debian.org/930996
+Origin: upstream, https://review.opendev.org/668120
+Last-Update: 2019-06-28
+
+diff --git a/cloudkitty/storage/v1/sqlalchemy/__init__.py b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+index 77403e3..7b56da6 100644
+--- a/cloudkitty/storage/v1/sqlalchemy/__init__.py
++++ b/cloudkitty/storage/v1/sqlalchemy/__init__.py
+@@ -127,7 +127,7 @@ class SQLAlchemyStorage(storage.BaseStorage):
+ self.frame_model.end <= end,
+ self.frame_model.res_type != '_NO_DATA_')
+ if groupby:
+- q = q.group_by(groupby)
++ q = q.group_by(sqlalchemy.sql.text(groupby))
+
+ # Order by sum(rate)
+ q = q.order_by(sqlalchemy.func.sum(self.frame_model.rate))
+diff --git a/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+new file mode 100644
+index 0000000..02c1e4d
+--- /dev/null
++++ b/releasenotes/notes/fix-v1-storage-groupby-e865d1315bd390cb.yaml
+@@ -0,0 +1,6 @@
++---
++fixes:
++ - |
++ ``CompileError: Can't resolve label reference for ORDER BY / GROUP BY.``
++ errors that were sometimes raised by SQLAlchemy when using the v1 storage
++ backend and grouping on ``tenant_id`` and ``res_type`` have been fixed.
+--
+2.7.4
+
diff -Nru cloudkitty-8.0.0/debian/patches/series cloudkitty-8.0.0/debian/patches/series
--- cloudkitty-8.0.0/debian/patches/series 2019-01-24 14:45:39.000000000 +0100
+++ cloudkitty-8.0.0/debian/patches/series 2019-06-28 15:01:45.000000000 +0200
@@ -1,3 +1,4 @@
allow-any-sqla-version.patch
missing-files.patch
remove-mathjax-extention-from-sphinx-doc.patch
+Fix_sqlalchemy_grouping_on_v1_storage.patch
--- End Message ---