In GLSA 201606-04 dev-libs/libgcrypt was marked in versions below 1.6.3-r4. Package dev-db/xtrabackup-bin depends on vulnerable dev-libs/libgcrypt:0/11 or dev-libs/libgcrypt:11/11. I've checked the newest upstream version (2.4.3), but it still loads /usr/lib64/libgcrypt.so.11. I think we should try to move to the non-binary version of this ebuild and get rid of this problematic dependency. There is one in bgo-overlay called dev-db/percona-xtrabackup.
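The observation above (a binary package still carrying a DT_NEEDED entry for libgcrypt.so.11) is the kind of thing `scanelf -n` from pax-utils or `readelf -d` shows. The following is an added example, not code from this bug, from Portage or from pax-utils: a dependency-free reader of the ELF dynamic section that lists the sonames a binary will load at run time and flags retired ones. It handles ELF32/ELF64 and both byte orders, maps DT_STRTAB from a virtual address back to a file offset through the PT_LOAD segments the way the loader does, and treats a static binary (no PT_DYNAMIC) as needing nothing. The names elf_needed, retired_needed, scan_tree and build_sample_elf are mine; RETIRED_SONAMES is an assumption for this example, and build_sample_elf only fabricates test images so the reader can be exercised offline.

```python
"""Spot ELF binaries whose DT_NEEDED entries name a retired soname.

Added example, not code from this bug or from Portage/pax-utils. It reads the
dynamic section the way the run-time linker does, so a binary package such as
xtrabackup-bin can be checked for libgcrypt.so.11 (the libgcrypt 1.5 ABI)
without readelf or scanelf. build_sample_elf() only fabricates test data.
"""
import os
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
RETIRED_SONAMES = ("libgcrypt.so.11",)  # assumption for this example: what counts as retired


def elf_needed(data):
    """Return the DT_NEEDED sonames of an ELF image held in memory (ELF32/ELF64, either endianness)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    if is64:
        ehdr = struct.unpack(end + "16sHHIQQQIHHHHHH", data[:64])
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"   # Elf64_Phdr, Elf64_Dyn
    else:
        ehdr = struct.unpack(end + "16sHHIIIIIHHHHHH", data[:52])
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"   # Elf32_Phdr, Elf32_Dyn
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    loads, dynamic = [], None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        ph = struct.unpack(phdr_fmt, data[off:off + struct.calcsize(phdr_fmt)])
        # Elf64_Phdr carries p_flags second; Elf32_Phdr carries it seventh.
        p_type, p_offset, p_vaddr, p_filesz = (ph[0], ph[2], ph[3], ph[5]) if is64 else (ph[0], ph[1], ph[2], ph[4])
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []   # static binary: the loader will not pull in any shared object

    def to_offset(vaddr):
        # DT_STRTAB is a virtual address; find the PT_LOAD segment that maps it.
        for v, o, sz in loads:
            if v <= vaddr < v + sz:
                return vaddr - v + o
        raise ValueError("DT_STRTAB not backed by any PT_LOAD segment")

    dyn_off, dyn_size = dynamic
    entsize = struct.calcsize(dyn_fmt)
    needed, strtab = [], None
    for off in range(dyn_off, dyn_off + dyn_size, entsize):
        tag, val = struct.unpack(dyn_fmt, data[off:off + entsize])
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)          # offset into the dynamic string table
        elif tag == DT_STRTAB:
            strtab = val
    if strtab is None:
        raise ValueError("dynamic section has no DT_STRTAB")
    base = to_offset(strtab)
    return [data[base + i:data.index(b"\0", base + i)].decode() for i in needed]


def retired_needed(data, retired=RETIRED_SONAMES):
    """Sonames from the retired list that this binary will load at run time."""
    return [n for n in elf_needed(data) if n in retired]


def scan_tree(root, retired=RETIRED_SONAMES):
    """Walk a directory (e.g. an unpacked binary package) and report offending files."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    bad = retired_needed(fh.read(), retired)
            except (OSError, ValueError, IndexError, struct.error):
                continue   # not an ELF file, truncated, or unreadable: skip it
            if bad:
                hits[path] = bad
    return hits


def build_sample_elf(sonames, is64=True, base=0x400000):
    """Constructed test data: a minimal little-endian ET_DYN image whose only content is a
    PT_DYNAMIC segment naming `sonames`. It is not loadable; it only exercises the reader."""
    ehsize, phentsize = (64, 56) if is64 else (52, 32)
    strtab = b"\0" + b"".join(s.encode() + b"\0" for s in sonames)
    strtab_off = ehsize + 2 * phentsize
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn_fmt = "<qQ" if is64 else "<iI"
    dyn, idx = struct.pack(dyn_fmt, DT_STRTAB, base + strtab_off), 1
    for s in sonames:
        dyn += struct.pack(dyn_fmt, DT_NEEDED, idx)
        idx += len(s) + 1
    dyn += struct.pack(dyn_fmt, DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1, 0]) + b"\0" * 8
    if is64:
        ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, ehsize, 0, 0, ehsize, phentsize, 2, 0, 0, 0)
        phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
        phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 8)
    else:
        ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 3, 3, 1, 0, ehsize, 0, 0, ehsize, phentsize, 2, 0, 0, 0)
        phdrs = struct.pack("<IIIIIIII", PT_LOAD, 0, base, base, total, total, 5, 0x1000)
        phdrs += struct.pack("<IIIIIIII", PT_DYNAMIC, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 6, 8)
    img = ehdr + phdrs + strtab
    return img + b"\0" * (dyn_off - len(img)) + dyn


if __name__ == "__main__":
    old = build_sample_elf(["libgcrypt.so.11", "libgpg-error.so.0", "libc.so.6"])
    new = build_sample_elf(["libgcrypt.so.20", "libgpg-error.so.0", "libc.so.6"], is64=False)
    print("old-style build needs:", retired_needed(old))   # ['libgcrypt.so.11']
    print("new-style build needs:", retired_needed(new))   # []
```

On a real system you would point scan_tree at the unpacked binary package (or at /usr/bin and /usr/lib64) rather than at the constructed images; anything it reports is a file whose fix is a rebuild against the current libgcrypt ABI, not a slot tweak in the ebuild.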
I think we just hard-mask these and wait until upstream uses the new libs. However, I've tried playing around with building Percona XtraBackup from source, and now it's much better: they have everything in the source package. Watch for https://bugs.gentoo.org/show_bug.cgi?id=265407.
manwe, can you please try the ebuild for 2.4.3 in https://bugs.gentoo.org/show_bug.cgi?id=265407 that is built from source?
Sure, will do, but that =dev-libs/boost-1.59.0 is kinda weird. It's neither newest stable [1.56.0-r1] nor unstable [1.61.0].
(In reply to manwe from comment #3)
> Sure, will do, but that =dev-libs/boost-1.59.0 is kinda weird. It's neither
> newest stable [1.56.0-r1] nor unstable [1.61.0].

Seems like MySQL 5.7 fails to build with other versions of Boost. I've tried 1.60 but with no luck yet. If you wish, you can play around with other versions; being able to use a wider range of Boost versions would be really great.
Created attachment 437168 [details]
ebuild

MySQL and related stuff need boost only at build time; there's no need to require it in the system. So how about this approach?

SRC_URI="https://www.percona.com/downloads/XtraBackup/Percona-XtraBackup-${PV}/source/tarball/${P}.tar.gz
	http://jenkins.percona.com/downloads/boost/boost_1_59_0.tar.gz"

src_configure() {
	# Unpack the pinned Boost tarball (fetched via SRC_URI, so it is covered by
	# the Manifest) into the build's temp dir; it is only needed at build time.
	mkdir "${T}"/boost || die
	tar --extract --directory "${T}"/boost --file "${DISTDIR}"/boost_1_59_0.tar.gz || die
	# -DDOWNLOAD_BOOST=0 stops the build system from fetching Boost on its own;
	# configure in ${S} (the current directory).
	cmake -DBUILD_CONFIG=xtrabackup_release -DDOWNLOAD_BOOST=0 -DWITH_BOOST="${T}"/boost . || die
}

Might not be the nicest, but it works (just tested it), and there's nothing the package is downloading on its own. Modified ebuild as an attachment.
Created attachment 437170 [details]
ebuild v2

One more time, I forgot to remove boost from DEPEND.
Yes, that is also an option. However, I do believe that upstream will move on and adjust the build to work with boost 1.60 and higher. Try posting your ebuild to bug #265407.
dev-db/xtrabackup-bin is blocking removal of the vulnerable libgcrypt 1.5 branch from the stable tree; it should either be fixed to allow a newer libgcrypt (1.6-compatible ABI) or reduced to ~arch to match the 11/11 subslot visibility.
commit 6338c46d8f99ba1af6bcad49c853b71823e26250
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Thu Aug 18 18:09:03 2016 +0200

    profiles: stable mask use flag for sst-xtrabackup for mysql/mariadb

    In relation to removal of libgcrypt 1.5 from stable

commit bea66751f3c367fe021041fec0eb80a638526df3
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Thu Aug 18 17:34:19 2016 +0200

    dev-db/xtrabackup-bin: Reduce to testing keywords

    libgcrypt 1.5 branch is no longer in stable, the compatibility slot 11
    should be used which is in testing only. libgcrypt is scheduled for EOL
    and subject to complete removal

    Gentoo-Bug: 585366
    Gentoo-Bug: 567382