[Freeipa] [Bug 1869215] Re: [MIR] python-jwcrypto

2020-03-31 Thread Dan Streetman
** Changed in: python-jwcrypto (Ubuntu)
 Assignee: (unassigned) => Dan Streetman (ddstreet)

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to python-jwcrypto in Ubuntu.
https://bugs.launchpad.net/bugs/1869215

Title:
  [MIR] python-jwcrypto

Status in python-jwcrypto package in Ubuntu:
  New

Bug description:
  [Availability]
  In universe

  [Rationale]
  New dependency for websockify

  [Security]
  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jwcrypto

  One CVE from 2016 in older released version (resolved).

  [Quality assurance]
  Package has tests which are run as part of the package build.

  [Dependencies]
  All in main.

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  [Background Information]
  JWCrypto is an implementation of the Javascript Object Signing and Encryption
  (JOSE) Web Standards as they are being developed in the JOSE IETF Working Group
  and related technology.

  JWCrypto is Python2 and Python3 compatible and uses the Cryptography
  package for all the crypto functions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-jwcrypto/+bug/1869215/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 1869215] Re: [MIR] python-jwcrypto

2020-04-07 Thread Dan Streetman
[Summary]
MIR ack, with 2 notes below.

This does need a security review, so I'll assign ubuntu-security.


Two notes that do not need to block MIR:
1. As upstream has released v0.7.0 (over 1 month ago), Debian
   should update to that version sometime soon, and try to stay up to
   date with upstream.
2. It would be good to create a simple autopkgtest that just runs the
   build tests.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - does have build deps in universe, but all binary deps in main
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
  - only 1 CVE with very quick upstream resolution
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

Problems:
- does parse data formats
  - the purpose of the package is to provide a python lib to perform
    signing and encryption on Javascript objects

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build upon error (verified by forcing
    failure in a test)
- The package has a team bug subscriber (Openstack team)
- no translation present, but none needed for this case (not user visible)
- no new python2 dependency
- Python package that is using dh-python
- not Go package

Problems:
- does not have a test suite that runs as autopkgtest
  - running the build tests in an autopkgtest would be ideal, but I do not
    think it is required, as there is only 1 binary dep that would cause a
    reverse-depends autopkgtest run.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
  - N/A, since there are no Ubuntu changes
- no massive Lintian warnings
- d/rules is rather clean
- not using Built-Using
- not Go Package

Problems:
- Debian update history is sporadic
  - Debian updates in the past have skipped upstream releases, e.g.
    changelog shows no Debian update between v0.4.2 and v0.6.0
  - However, current Debian code is relatively recent, though it
    would be good for Debian to move up to v0.7.0 which was released
    upstream last month
  - I do not think this should block MIR (see next item)
- the current release is not packaged
  - as noted above, current upstream release is v0.7.0, which was recently
    released (Feb 19, 2020); Debian is up to date with the previous
    release, v0.6.0.
  - There are only 19 changes between v0.6.0 and v0.7.0 upstream, and
    most of them are trivial fixes.  So, since v0.7.0 was released quite
    recently, and the changes are mostly minor, I don't think upgrading
    to v0.7.0 is a requirement for MIR, but it would be good to see
    Debian upgrade to v0.7.0 soon.

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks


[Freeipa] [Bug 1869215] Re: [MIR] python-jwcrypto

2020-04-07 Thread Dan Streetman
** Changed in: python-jwcrypto (Ubuntu)
 Assignee: Dan Streetman (ddstreet) => Ubuntu Security Team (ubuntu-security)



[Freeipa] [Bug 1772405] Re: freeipa dns install does not correctly configure reverse zones due to systemd-resolved

2021-06-30 Thread Dan Streetman
please reopen if this is still an issue

** Changed in: systemd (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1772405

Title:
  freeipa dns install does not correctly configure reverse zones due to
  systemd-resolved

Status in freeipa package in Ubuntu:
  Triaged
Status in systemd package in Ubuntu:
  Invalid

Bug description:
  In Ubuntu 18.04, ipa-dns-install (or ipa-server-install when asking to
  configure BIND) does not create reverse DNS zones for my domain. Note
  that I already fixed (or more correctly, circumvented) other bugs
  involving BIND, such as
  https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440.

  The problem seems due to the presence of systemd-resolved. When
  ipa-dns-install evaluates whether to create a reverse DNS zone, it tries to
  use the local DNS for resolving the IP address of the server. When you
  want to install BIND alongside IPA, this normally fails, and the
  installer knows it needs to configure an appropriate reverse zone. But
  when systemd-resolved is active, it takes the role of local DNS and
  answers this query: therefore, the installer thinks a reverse DNS zone
  is already present.

  To fix this problem I had to perform the following steps before calling
  ipa-dns-install (or ipa-server-install):
  1) stop systemd-resolved with "systemctl stop systemd-resolved".
  2) disable systemd-resolved with "systemctl disable systemd-resolved".
  3) delete the file "/etc/resolv.conf", which is a symlink to a file created
     by systemd.
  4) optionally, recreate "/etc/resolv.conf" pointing to the (real) local DNS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772405/+subscriptions
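
The following pre-flight check is an added example, not part of the bug report or of FreeIPA: it classifies a resolv.conf so the condition described in bug 1772405 (systemd-resolved acting as the local DNS) can be detected before running ipa-dns-install. The function names are hypothetical; the stub address 127.0.0.53 and the /run/systemd/resolve/ symlink target are the systemd-resolved defaults and are assumed here.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Classifies a resolv.conf file:
#   resolved-symlink  the file is a symlink into .../systemd/resolve/
#   resolved-stub     the file lists the systemd-resolved stub, 127.0.0.53
#   direct            queries go straight to the listed nameservers
#   missing           the file does not exist or is unreadable
classify_resolv_conf() {
    conf=$1
    if [ -L "$conf" ]; then
        # A symlink managed by systemd-resolved, even if currently dangling.
        target=$(readlink "$conf")
        case $target in
            */systemd/resolve/*) echo resolved-symlink; return 0 ;;
        esac
    fi
    [ -r "$conf" ] || { echo missing; return 0; }
    if grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$conf"; then
        echo resolved-stub
    else
        echo direct
    fi
}

# Returns non-zero when local lookups would be answered by systemd-resolved,
# which is the state the bug description says hides the missing reverse zone.
preflight_ipa_dns() {
    status=$(classify_resolv_conf "${1:-/etc/resolv.conf}")
    echo "resolv.conf status: $status"
    case $status in
        resolved-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run against a file given on the command line, e.g. /etc/resolv.conf.
if [ "$#" -gt 0 ]; then
    preflight_ipa_dns "$1"
fi
```

A non-zero exit means the workaround steps listed in the bug description have not yet been applied on this host.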
