dhcpd in isc-dhcp-server-ldap cannot read /etc/ldap/ldap.conf due to missing entry in apparmor profile

This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu10

---------------
isc-dhcp (4.2.4-1ubuntu10) quantal; urgency=low

  * Allow dhcpd to read /etc/ldap/ldap.conf for isc-dhcp-server-ldap.
    (LP: #1057358)
 -- Stephane Graber <email address hidden> Tue, 09 Oct 2012 10:44:47 -0400

We need to add this to precise as well.

Debdiff attached for precise.

> We need to add this to precise as well. Debdiff attached for precise.

Thanks Dave, I've sponsored your update, it's waiting in the SRU review queue next:
https://launchpad.net/ubuntu/precise/+queue?queue_state=1&queue_text=isc-dhcp

Hello Tom, or anyone else affected,

Accepted isc-dhcp into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/isc-dhcp/4.1.ESV-R4-0ubuntu5.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

This didn't work in my testing. Confirmed by downloading the deb package from the above link and saw no changes to the apparmor file.

Looking at the diff for that upload, it makes sense. The patch in debian/patches/00list was added to the block that gets reverted halfway through the build, so the change is applied, then reverted, resulting in an identical binary package.

Unfortunately it looks like the sponsor didn't see the comment 2 lines above the change in 00list or didn't understand the implication of that comment. Anyway, I'd appreciate if an SRU team member could remove this package as it clearly doesn't fix anything.

I pushed an SRU to 12.10 a few days ago which is the first step before pushing a similar one to 12.04 in the near future, so this bug should probably be part of that update.

@Stéphane: I just sponsored the debdiff as it was on the bug, feel free to fix it if you know what's wrong ;-)

Sorry about the bad debdiff, I remember changing the patch order in 00list after having tested it to group the ldap changes together. Shame on me for not retesting *(or missing that comment).

Here's a tested debdiff that should fix the issue. All it does is move the diff up a few lines.

Also here's the built packages that I tested with this new debdiff.
http://people.canonical.com/~chiluk/lp1057358/

Talked to @stgraber on irc, and he mentioned that it was easier for him if I based the updated debdiff against the 5.6 version of code. So here it is.

Hi,

Could I get a possible ETA on when this will be committed?

Thanks
Adam

Hello Tom, or anyone else affected,

Accepted isc-dhcp into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/isc-dhcp/4.1.ESV-R4-0ubuntu5.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed to verification failed. Same problem as before. 00list needs to be fixed as the below diff or the debdiff in comment #9 in order for this patch to get pulled in to not be reverted.

--- /home/chiluk/src/isc-dhcp.p/isc-dhcp-4.1.ESV-R4/debian/patches/00list 2013-04-10 16:57:00.000000000 -0500
+++ 00list 2013-03-06 14:59:57.410644793 -0600
@@ -27,9 +27,10 @@ CVE-2012-3955
 # LP: #974284
 onetry_retry_after_initial_success

+dhcpd-ldap-apparmor.dpatch
+
 #ldap backend for dhcp server (docs and code)
 #these get reverted during the build, so put non-ldap
 #patches earlier
 dhcp-4.1.0-ldap-docs
 dhcp-4.1.0-ldap-code
-dhcpd-ldap-apparmor.dpatch

Additionally the change mentioned in #12 is already included in the debdiff provided here in comment #41

https://bugs.launchpad.net/ubuntu/+source/maas/+bug/1069570

Perhaps we can solve two birds with one stone?

So to restate what I've been saying on IRC to everyone asking so far, the various people I've been in touch with tell me that this bugfix isn't urgent and so I'm not planning on uploading it on its own. I'd appreciate if sponsors could leave this bug alone instead of re-uploading the same broken debdiff over and over again.

Thanks

4.1.ESV-R4-0ubuntu5.7 removed from precise-proposed, as verification has failed and this has been put on hold.

Thanks.

I removed the bad debdiffs from earlier comments so it's not as simple for people to re-upload bad debdiffs.

Uploaded to precise.

Hello Tom, or anyone else affected,

Accepted isc-dhcp into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/isc-dhcp/4.1.ESV-R4-0ubuntu5.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Just verified it using the dummy data (not a real ldap server), it no longer has any apparmor access denied messages.

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

This bug was fixed in the package isc-dhcp - 4.1.ESV-R4-0ubuntu5.8

---------------
isc-dhcp (4.1.ESV-R4-0ubuntu5.8) precise-proposed; urgency=low

  [ Dave Chiluk ]
  * Allow dhcpd to read /etc/ldap/ldap.conf for isc-dhcp-server-ldap.
    (LP: #1057358). Backported from Stéphane Graber's quantal patch.

  [ Stéphane Graber ]
  * Include patch from RedHat/Fedora to deal with hardware/xen/virtio offload
    of UDP checksums. (LP: #930962)
  * Update apparmor profile to add required the "network packet raw" rule
    for the checksum change.
 -- Stephane Graber <email address hidden> Thu, 23 May 2013 11:13:07 -0400