Page MenuHomePhabricator

Integrate Stretch 9.8 point update
Closed, ResolvedPublic

Description

The stretch 9.8 point release brings a number of bugfixes (including some security fixes):
https://lists.debian.org/debian-announce/2019/msg00001.html

Use this ticket to track the respective updates across the cluster. I've verified that all removed packages are not in use in our infrastructure.

  • base-files
  • c3p0
  • ca-certificates-java
  • cups
  • dnspython
  • erlang
  • glibc
  • gnupg2
  • intel-microcode -> T216802
  • libapache2-mod-perl2
  • libdatetime-timezone-perl
  • libemail-address-list-perl
  • libemail-address-perl
  • libssh
  • linux
  • pdns
  • pdns-recursor
  • postgresql-9.6
  • python-acme
  • python-josepy
  • ruby-rack
  • samba
  • twitter-bootstrap3
  • tzdata
  • uriparser

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 18 2019, 8:28 AM

These packages are not used in our production infrastructure:

  • arc
  • astroml-addons
  • chkrootkit
  • compactheader
  • courier
  • debian-edu-config
  • debian-installer
  • debian-installer-netboot-images
  • debian-security-support
  • egg
  • espeakup
  • freerdp
  • ganeti-os-noop
  • gnulib
  • graphite-api
  • grokmirror
  • gvrng
  • ibus
  • icinga2
  • isort
  • jdupes
  • kmodpy
  • libb2
  • libgpod
  • linux-igd
  • lttng-modules
  • mistral
  • monkeysign
  • mpqc
  • nvidia-graphics-drivers
  • nvidia-modprobe
  • nvidia-persistenced
  • nvidia-settings
  • nvidia-xconfig
  • openni2
  • openvpn
  • parsedatetime
  • photocollage
  • postfix
  • postgrey
  • pylint-django
  • python-arpy
  • python-certbot
  • python-certbot-apache
  • python-certbot-nginx
  • python-hypothesis
  • pyzo
  • r-cran-readxl
  • rtkit
  • sl-modem
  • sogo-connector
  • sox
  • ssh-agent-filter
  • supercollider
  • sympa
  • uglifyjs
hashar added a subscriber: hashar.Feb 22 2019, 9:18 AM

May we update our base Docker container as well? Looking at docker-registry.wikimedia.org/wikimedia-stretch:latest (29397cdce9f7):

base-files/stable 9.9+deb9u8 amd64 [upgradable from: 9.9+deb9u6]
gpgv/stable 2.1.18-8~deb9u4 amd64 [upgradable from: 2.1.18-8~deb9u3]
libc-bin/stable 2.24-11+deb9u4 amd64 [upgradable from: 2.24-11+deb9u3]
libc6/stable 2.24-11+deb9u4 amd64 [upgradable from: 2.24-11+deb9u3]
libsystemd0/stable 232-25+deb9u9 amd64 [upgradable from: 232-25+deb9u8]
libudev1/stable 232-25+deb9u9 amd64 [upgradable from: 232-25+deb9u8]
multiarch-support/stable 2.24-11+deb9u4 amd64 [upgradable from: 2.24-11+deb9u3]

May we update our base Docker container as well? Looking at docker-registry.wikimedia.org/wikimedia-stretch:latest (29397cdce9f7):

Agreed, that makes sense, especially as glibc was updated in this point release.

jbond updated the task description. (Show Details)Feb 25 2019, 4:05 PM
jbond updated the task description. (Show Details)
jbond updated the task description. (Show Details)Feb 27 2019, 11:24 AM
jbond updated the task description. (Show Details)Feb 27 2019, 11:30 AM
jbond triaged this task as Normal priority.Mar 4 2019, 7:47 PM

Eventually we had HHVM segfault that started to be very problematic since last week at least (T216689). A stacktrace points at pthreads_create and the Debian changelog glibc_2.24-11+deb9u4 has:

  • Fix a use after free in pthread_create(). Closes: #916925.

So we would need a rebuild of docker-registry.wikimedia.org/wikimedia-stretch. After an apt update I get:

base-files/stable 9.9+deb9u8 amd64 [upgradable from: 9.9+deb9u6]
gpgv/stable 2.1.18-8~deb9u4 amd64 [upgradable from: 2.1.18-8~deb9u3]
libc-bin/stable 2.24-11+deb9u4 amd64 [upgradable from: 2.24-11+deb9u3]
libc6/stable 2.24-11+deb9u4 amd64 [upgradable from: 2.24-11+deb9u3]
libsystemd0/stable 232-25+deb9u9 amd64 [upgradable from: 232-25+deb9u8]
libudev1/stable 232-25+deb9u9 amd64 [upgradable from: 232-25+deb9u8]
multiarch-support/stable 2.24-11+deb9u4 amd64 [upgradable from: 2.24-11+deb9u3]

Base images for jessie and stretch have been built and pushed to the docker registry.

Change 496608 had a related patch set uploaded (by Hashar; owner: Hashar):
[integration/config@master] docker: rebuild ci-stretch for debian/libc6 update

https://gerrit.wikimedia.org/r/496608

Change 496608 merged by jenkins-bot:
[integration/config@master] docker: rebuild ci-stretch for debian/libc6 update

https://gerrit.wikimedia.org/r/496608

hashar removed a subscriber: hashar.Mar 25 2019, 3:38 PM
MoritzMuehlenhoff closed this task as Resolved.Jul 11 2019, 4:42 PM
MoritzMuehlenhoff claimed this task.
MoritzMuehlenhoff updated the task description. (Show Details)

All complete