*** This bug is a duplicate of bug 2045931 ***
https://bugs.launchpad.net/bugs/2045931
Ack, thanks for the explanation.
** Tags added: regression-security regression-update
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
@vorlon answered why in
https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/2046084/comments/7
https://bugs.launchpad.net/bugs/2046116
Title:
bluetooth device connected but not
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/2064966
Title:
"accept_source_route" enabled by default in 24.04
To manage
@vanvugt, @vorlon, why is this marked as a regression?
https://bugs.launchpad.net/bugs/2046116
Title:
bluetooth device connected but not recognised as output device
*** This bug is a duplicate of bug 2045931 ***
https://bugs.launchpad.net/bugs/2045931
This is not a security regression. This is upstream's fix to prevent
https://github.com/skysafe/reblog/blob/main/cve-2024-0230/README.md
If you wish to enable legacy devices (and the vulnerability) with
** Description changed:
[ Impact ]
Focal's libcrypto++ 5.6.4-9 regresses elliptic curve generation. Uploading
this version from Debian appears to have been a mistake.
This is a security regression, but was not published through the security
pocket.
As far as I am aware,
Public bug reported:
[ Impact ]
Focal's libcrypto++ 5.6.4-9 regresses elliptic curve generation. Uploading
this version from Debian appears to have been a mistake.
This is a security regression, but was not published through the security
pocket.
As far as I am aware, Debian only packaged
** Attachment added: "main.cpp"
https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/2064751/+attachment/5774479/+files/main.cpp
https://bugs.launchpad.net/bugs/2064751
Title:
** Patch added: "libcrypto++_5.6.4-9ubuntu1.debdiff"
https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/2064751/+attachment/5774481/+files/libcrypto++_5.6.4-9ubuntu1.debdiff
** Also affects: libcrypto++ (Ubuntu Focal)
Importance: Undecided
Status: New
This has been addressed in the LXD snaps 5.21/stable
(https://github.com/canonical/lxd-pkg-snap/commit/764ee08b) and 5.0/edge
(https://github.com/canonical/lxd-pkg-snap/commit/bfe4270e).
All LXD software before version 4 is not affected.
Jammy, Mantic, and Noble do not have debs. Focal's deb is
This impacts all arm64 installs, not just raspberry pi.
The MIR for qrtr and protection-domain-mapper [0] was requested late in
the Mantic cycle and was only approved by Security since it was promised
to only be used for x13s hardware enablement. Hopefully Qualcomm IPC is
only enabled for x13s
http-parser has been deprecated [0] for llhttp [1] in libgit2 \o/
[0] https://github.com/libgit2/libgit2/issues/6074
[1] https://github.com/libgit2/libgit2/pull/6713
** Bug watch added: github.com/libgit2/libgit2/issues #6074
https://github.com/libgit2/libgit2/issues/6074
Thank you!
This was mistriaged as not affecting Ubuntu, which has been corrected:
https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=83e00d6f10a8f7a234751a97f87a62c88d0143cb
I have messaged Debian Security to track this as well.
** CVE added:
** Changed in: jq (Ubuntu)
Status: New => Fix Released
https://bugs.launchpad.net/bugs/2063014
Title:
CVE-2023-50246 and CVE-2023-50268
CVE-2023-50246 only affects jq >= 1.7 until 1.7.1. That issue was
introduced with cf4b48c7ba30cb30e116b523cff036ea481459f6. Mantic (23.10)
has jq version 1.6-3 and Noble (24.04) has 1.7.1-3build1. This is why
unaffected versions are labeled as "Not vulnerable (code not present)"
on
I reviewed libyuv 0.0~git202401110.af6ac82-1 as checked into noble. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.
libyuv is an open source project that includes YUV scaling and
conversion functionality.
- CVE History:
  - none
- open bug reports are not
** Tags added: sec-4083
https://bugs.launchpad.net/bugs/2061750
Title:
[MIR] python-s3transfer as indirect dependency of simplestreams
(simplestreams -> python-boto3 ->
** Tags added: sec-4084
https://bugs.launchpad.net/bugs/2061751
Title:
[MIR] python-botocore as indirect dependency of simplestreams
(simplestreams -> python-boto3 ->
** Tags added: sec-4082
https://bugs.launchpad.net/bugs/2061217
Title:
[MIR] python-boto3 as a dependency of simplestreams
Hello, the MIR process says any MIRs assigned to the security team after
the Beta Freeze deadline need to be discussed with the Director of
Security Engineering:
For a MIR to be considered for a release, it must be assigned to the
Security team (by the MIR team) before Beta Freeze. This
There is a strong chance that
https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/1893934 is
related to the incomplete CVE-2019-14318 patch regression.
I plan to propose an SRU to effectively downgrade this regressed package
to 5.6.4-8.
Please see
When is Security review absolutely needed by? Is April 17th, the day
before Final Freeze okay? Would that give Foundations enough time to
promote to main?
There may not be enough time for Security to complete a review by Final
Freeze, but we are looking for someone to take this asap.
Setting to In Progress per
https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971/comments/28
** Changed in: libemail-mime-perl (Ubuntu)
Status: Won't Fix => In Progress
** Tags added: sec-4053
https://bugs.launchpad.net/bugs/2004516
Title:
[MIR] libyuv (transitive dependency of libheif)
** Tags added: sec-4054
https://bugs.launchpad.net/bugs/2060035
Title:
[MIR] msgraph
Debian `libcrypto++` 5.6.4-9 introduced a security patch for
CVE-2019-14318.
According to a post in 2019,
https://github.com/weidai11/cryptopp/issues/869, the CVE-2019-14318
patch for 5.6.4 was incomplete. A comment in a later 2020 issue mentions
that the 2019 8.3 patch was broken:
With fresh amd64 VMs using the latest Ubuntu point releases, I was able
to reproduce your report on Ubuntu Focal 20.04.06 (`libcrypto++` version
5.6.4-9build1). Both Bionic 18.04.06 (`libcrypto++` version 5.6.4-8) and
Jammy 22.04.04 (`libcrypto++` version 8.6.0-2ubuntu1) had the expected
result.
*** This bug is a security vulnerability ***
Public security bug reported:
This issue was reported to the Security team over email and originally
posted to https://github.com/weidai11/cryptopp/issues/1269
> I typically never use Crypto++, but I had to yesterday, and I then
> experienced a
A fix has been released to Noble proposed and the CVE has been
published.
https://launchpad.net/ubuntu/+source/grub2/2.12-1ubuntu7
** Information type changed from Private Security to Public Security
I believe this issue can be set to In Progress and is ready for
promotion to main.
@didrocks, @slyon: please ping me if anything is needed from Security.
I am posting this Security MIR on behalf of Sudhakar Verma (@sudhackar)
since he is out of the office.
---
I reviewed authd 0.2.1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
authd is a service that builds cloud based
I reviewed trace-cmd 3.2-1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
> TRACE-CMD: The front-end application to Ftrace. The back-end
> application to KernelShark.
- CVE History
  - none
- Build-Depends
  - most are for docs
  -
I reviewed libtraceevent 1:1.8.2-1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
> libtraceevent - Linux kernel trace event library
- CVE History:
  - none
- Build-Depends?
  - nothing concerning
  - most dependencies are for
Per MIR Team's #3 requirement, the described issue was patched on May
20th 2020 (although the GH bug remains open). There are three commits: a
fix, a test, and documentation. These landed in upstream version 1.947.
Please see https://github.com/rjbs/Email-MIME/issues/66#issuecomment-2019041975
Public bug reported:
If pam_pwquality is restrictively set, a user can still be created by
adduser without a password.
e.g.,
```
eslerm@mino:~$ cat /etc/pam.d/common-password |grep pwquality
password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
```
Thanks Wouter
It appears nbd-client existed in main at some point http://old-releases.ubuntu.com/ubuntu/pool/main/n/nbd/ (thanks Seth).
Between this MIR and tree's LP#2056099 I am concerned that Security is
being bypassed as NN approaches. That's not to say anything is wrong
with how nbd-client
Security is not asking to review this for NN, but this might have odd
code.
```
/* Should probably use strdup(), but we like our xmalloc() */
#define scopy(x)strcpy(xmalloc(strlen(x)+1),(x))
```
Was -server code ever reviewed by a MIR?
The client contains many ioctl calls.
https://bugs.launchpad.net/bugs/2054480
Title:
[MIR] nbd-client
There are unnecessary crates being vendored. I filed an upstream issue:
https://gitlab.gnome.org/GNOME/snapshot/-/issues/137
This causes a bandwidth strain on mirrors or wherever the source package
is needed.
To be clear, this is not a Security issue and does not impact Security's
review (since
The upstream chain for fdk-aac-free is precarious.
The Debian package fdk-aac-free watches
https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped/ This version
specifically removes the HE (High Efficiency) and HEv2 profiles which
have patent concerns (see README.fedora).
This version does not
Thank you @seb128. I was asked to get your feedback before completing
the Security review. Get well soon!
Security team ACK for promoting dbus-broker to main, under the condition
that src:dbus' binary packages are split as described by @paelzer in
comment #19.
I reviewed bpftrace 0.20.1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
> bpftrace is a high-level tracing language for Linux enhanced Berkeley
> Packet Filter (eBPF) available in recent Linux kernels (4.x). bpftrace
> uses LLVM as a
Assigning to Security early, so that this is not blocked for 24.04.
After Feature Freeze, if the MIR Team has requirements for a package,
but is reasonably sure that the owning-team will accomplish them, please
assign MIRs to the Security team immediately.
** Changed in: bpftrace (Ubuntu)
I reviewed bpfcc 0.29.1+ds-1ubuntu2 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
- CVE History
  - no CVEs tracked in UCT, initially
  - searching for "bcc" CVEs finds false-positives
- Build-Depends
  - nothing concerning
-
@seb128, could you please review the recent discussion?
https://bugs.launchpad.net/bugs/2015538
Title:
[MIR] dbus-broker
Apologies for not responding earlier! This slipped through my emails.
> I know Canonical is also Root CNA, why are you redirecting to another
> CNA?
Canonical is a CNA, not a Root CNA.
I don't see how an _unprivileged_ attacker could leverage this bug to be
a vulnerability. A clear proof of
** Information type changed from Private Security to Public
https://bugs.launchpad.net/bugs/1231178
Title:
Altec Lansing speakers remote control not working
** Information type changed from Private Security to Public
https://bugs.launchpad.net/bugs/927225
Title:
Yukon Optima 88E8059 fails to come up as a network interface when
system is
** Information type changed from Private Security to Public
https://bugs.launchpad.net/bugs/1884207
Title:
Wifi Enterprice Login Page does not appear at connect
** Information type changed from Private Security to Public
https://bugs.launchpad.net/bugs/1696859
Title:
package linux-image-4.10.0-22-generic (not installed) failed to
** Information type changed from Private Security to Public
https://bugs.launchpad.net/bugs/1919150
Title:
My keyboard stop working
** Information type changed from Private Security to Public
https://bugs.launchpad.net/bugs/1904391
Title:
Touchpad and Keyboard not detectable in the new kernel
** Tags added: sec-3932
https://bugs.launchpad.net/bugs/2051850
Title:
[MIR] trace-cmd
** Tags added: sec-3931
https://bugs.launchpad.net/bugs/2051916
Title:
[MIR] promote libtraceevent as a trace-cmd dependency
Some of the bpf tools do not work on mantic.
e.g. `/usr/sbin/tcptop-bpfcc` from `bpfcc-tools` does not work, but
`/usr/sbin/tcptop` from `libbpfcc` does (on mantic)
Kernel configs and pahole version used to build mantic's kernel should
be okay
** Changed in: gnome-snapshot (Ubuntu)
Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
** Tags added: sec-3916
https://bugs.launchpad.net/bugs/2052652
Title:
A centralized vendor-linter is the best longterm option. Toolchains
needs more resources before they can provide a solution (FR-6859).
https://bugs.launchpad.net/bugs/2048781
Title:
Máté, could you please see if the rationale can be broadened for FO147?
I suspect that libbpf-tools is also important.
https://bugs.launchpad.net/bugs/2052813
Title:
[MIR] bpfcc
Promoting bpfcc-tools and bpftrace is driving promotion of bpfcc based
on FO147.
Also, bpftrace's /usr/sbin/*.bt files re-implement bpfcc-tools with
bpftrace.
Assigning to Security for MIR, with root-use scope kept in mind. Only
code for libbpfcc and bpfcc-tools will be reviewed.
** Changed in:
** Tags added: sec-3898
https://bugs.launchpad.net/bugs/2052809
Title:
[MIR] bpftrace
** Tags added: sec-3897
https://bugs.launchpad.net/bugs/2052813
Title:
[MIR] bpfcc
Thanks @didrocks!
I added a comment to the upstream cargo issue based on advice from
toolchains and ~Rust [0]. This issue is also raised in ubuntu-mir [1].
I'll mention this at the next MIR meeting.
[0] https://github.com/rust-lang/cargo/issues/11929#issuecomment-1960081509
[1]