[Bug 2063062] [NEW] Please remove src:cryptojs ; unmaintained and deprecated upstream
Public bug reported: The cryptojs library has been deprecated by upstream https://github.com/brix/crypto-js?tab=readme-ov-file#discontinued and recommends the native javascript Crypt library. It has no reverse dependencies: $ reverse-depends src:cryptojs No reverse dependencies found $ reverse-depends -b src:cryptojs No reverse dependencies found It has been removed from debian testing https://tracker.debian.org/news/1486067/cryptojs-removed-from-testing/ and has https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056014 ** Affects: cryptojs (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2063062 Title: Please remove src:cryptojs ; unmaintained and deprecated upstream To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cryptojs/+bug/2063062/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2060354] Re: Segfaults and assertion failures in Xorg's render/glyph.c
** Also affects: xorg-server (Ubuntu Noble) Importance: High Status: Triaged ** Also affects: xwayland (Ubuntu Noble) Importance: High Status: Triaged ** Also affects: xorg-server (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: xwayland (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: xorg-server (Ubuntu Mantic) Importance: Undecided Status: New ** Also affects: xwayland (Ubuntu Mantic) Importance: Undecided Status: New ** Also affects: xorg-server (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: xwayland (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: xorg-server (Ubuntu Focal) Importance: Undecided => High ** Changed in: xorg-server (Ubuntu Focal) Status: New => In Progress ** Changed in: xorg-server (Ubuntu Jammy) Importance: Undecided => High ** Changed in: xorg-server (Ubuntu Jammy) Status: New => In Progress ** Changed in: xorg-server (Ubuntu Mantic) Importance: Undecided => High ** Changed in: xorg-server (Ubuntu Mantic) Status: New => In Progress ** No longer affects: xwayland (Ubuntu Focal) ** Changed in: xwayland (Ubuntu Jammy) Importance: Undecided => High ** Changed in: xwayland (Ubuntu Jammy) Status: New => In Progress ** Changed in: xwayland (Ubuntu Mantic) Importance: Undecided => High ** Changed in: xwayland (Ubuntu Mantic) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2060354 Title: Segfaults and assertion failures in Xorg's render/glyph.c To manage notifications about this bug go to: https://bugs.launchpad.net/xorg-server/+bug/2060354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2060354] Re: Segfaults and assertion failures in Xorg's render/glyph.c
I have prepared test packages for ubuntu 22.04 LTS/jammy in the https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+packages PPA for both xorg-server: https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+sourcepub/15921802/+listing-archive-extra and for xwayland: https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+sourcepub/15921798/+listing-archive-extra I was able to reproduce the crash under Xwayland in a jammy vm with both intellij and the glyph_memleak.c reproducer, and using the proposed upstream patch seems to address the crash, but more testing is welcome. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2060354 Title: Segfaults and assertion failures in Xorg's render/glyph.c To manage notifications about this bug go to: https://bugs.launchpad.net/xorg-server/+bug/2060354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2060354] Re: Segfaults and assertion failures in Xorg's render/glyph.c
The reproducer https://bugs.freedesktop.org/attachment.cgi?id=28621 from the original 2009 bug report https://bugs.freedesktop.org/show_bug.cgi?id=23286 does seem to work at triggering this issue, at least under Xwalyand. ** Bug watch added: freedesktop.org Bugzilla #23286 https://bugs.freedesktop.org/show_bug.cgi?id=23286 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2060354 Title: Segfaults and assertion failures in Xorg's render/glyph.c To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/2060354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2060354] Re: Segfaults and assertion failures in Xorg's render/glyph.c
Are people seeing this issue with any other Ubuntu releases, which also received updates addressing CVE-2024-31083, or is this strictly affecting the version in 22.04/jammy? It looks like https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476 has a proposed fix, in https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476.patch . -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2060354 Title: Segfaults and assertion failures in Xorg's render/glyph.c To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/2060354/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1597017] Re: mount rules grant excessive permissions
** Description changed: + SRU Team; the packages for focal-proposed and jammy-proposed are + intended as security updates prepared by the Ubuntu Security team (and + have built in a ppa with only the security pockets enabled). However, + because the fix makes mount rules in apparmor policy be treated more + restrictively than they were prior to this update, we would like these + packages to gain more widespread testing. + + Risk of Regression: + + The update for this issue causes the apparmor parser, the tool that + translates written policy into the enforcement data structures used by + the kernel, to generate more strict policy for mount rules, like the + example below. They are not common in apparmor policy generally, but can + appear in policies written for container managers to restrict + containers, and thus can potentially break container startup. + + The packages prepared for focal-proposed and jammy-proposed have tested + with the versions of snapd, lxc, libvirt, and docker in the ubuntu + archive, but conainter managers outside of the ubunty archive may run + into issues, hence the need for testing and policy adjustments. + + Original Report: + The rule - mount options=(rw,make-slave) -> **, + mount options=(rw,make-slave) -> **, ends up allowing - mount -t proc proc /mnt + mount -t proc proc /mnt which it shouldn't as it should be restricted to commands with a make- slave flag -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1597017 Title: mount rules grant excessive permissions To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1597017] Re: mount rules grant excessive permissions
** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: apparmor (Ubuntu) Status: New => Fix Released ** Changed in: apparmor (Ubuntu Focal) Status: New => In Progress ** Changed in: apparmor (Ubuntu Jammy) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1597017 Title: mount rules grant excessive permissions To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1597017/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1975523] Re: [MIR] Promote to main in Jammy and Kinetic
** Tags added: sec-1058 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1975523 Title: [MIR] Promote to main in Jammy and Kinetic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ruby-webrick/+bug/1975523/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1963707] Re: [MIR] libqrtr-glib
** Tags added: sec-1057 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1963707 Title: [MIR] libqrtr-glib To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libqrtr-glib/+bug/1963707/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1972740] Re: Unprivileged users may use PTRACE_SEIZE to set PTRACE_O_SUSPEND_SECCOMP option
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-30594 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1972740 Title: Unprivileged users may use PTRACE_SEIZE to set PTRACE_O_SUSPEND_SECCOMP option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1972740/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1972043] Re: Please add -ftrivial-auto-var-init=zero to default build flags
** Tags added: sec-994 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1972043 Title: Please add -ftrivial-auto-var-init=zero to default build flags To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1972043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1892559] Re: [MIR] ccid opensc pcsc-lite
** Tags added: sec-407 ** Tags added: sec-408 sec-409 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1892559 Title: [MIR] ccid opensc pcsc-lite To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1892559/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1965115] Re: [MIR] nullboot
** Tags added: sec-976 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1965115 Title: [MIR] nullboot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nullboot/+bug/1965115/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1971895] Re: Warning messages from stat printed on installation with no user crontabs
** Also affects: cron (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: cron (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: cron (Ubuntu Xenial) Status: New => Triaged ** Changed in: cron (Ubuntu Bionic) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1971895 Title: Warning messages from stat printed on installation with no user crontabs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1949186] Re: Missing Linux Kernel mitigations for 'SSB - Speculative Store Bypass' hardware vulnerabilities
** Changed in: linux-aws (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1949186 Title: Missing Linux Kernel mitigations for 'SSB - Speculative Store Bypass' hardware vulnerabilities To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-aws/+bug/1949186/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950644] Re: ubuntu_ltp_syscalls / finit_module02 fails on v4.15 and other kernels
Hi, is this still on the kernel team's radar to address in trusty and in the various linux-azure kernels? Thanks! ** Changed in: linux-oem-5.14 (Ubuntu Trusty) Status: New => Invalid ** Changed in: linux-oem-5.13 (Ubuntu Trusty) Status: New => Invalid ** Changed in: linux-oem-5.10 (Ubuntu Trusty) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950644 Title: ubuntu_ltp_syscalls / finit_module02 fails on v4.15 and other kernels To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1950644/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1951927] Re: Array overflow in au_procfs_plm_write
Thanks, making this public. ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1951927 Title: Array overflow in au_procfs_plm_write To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1951927/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1961528] Re: Security: Arbitrary shell command injection through PDF import or unpaper preprocessing
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1961528 Title: Security: Arbitrary shell command injection through PDF import or unpaper preprocessing To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ocrfeeder/+bug/1961528/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1967626] Re: 22.04 beta Network Manager still sets wrong IPv6 routing
Given that this issue is public in the freedesktop gitlab instance, I'm making this issue public here as well. ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1967626 Title: 22.04 beta Network Manager still sets wrong IPv6 routing To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1967626/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1961854] Re: Thunderbid saves accepted calendar events in different identity
Hi Bartłomiej, was this issue reported to mozilla? Do you have a bug report there? Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1961854 Title: Thunderbid saves accepted calendar events in different identity To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1961854/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1970012] Re: package yaru-theme-gnome-shell 21.10.2 failed to install/upgrade: el subproceso nuevo paquete yaru-theme-gnome-shell script pre-installation devolvió el código de salida de error 1
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1970012 Title: package yaru-theme-gnome-shell 21.10.2 failed to install/upgrade: el subproceso nuevo paquete yaru-theme-gnome-shell script pre- installation devolvió el código de salida de error 1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/yaru-theme/+bug/1970012/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1971415] Re: Remote desktop is automatically enabled after login
Jeremy, is there any progress on this? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1971415 Title: Remote desktop is automatically enabled after login To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-remote-desktop/+bug/1971415/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1972812] Re: The operating system does not ask for a password after unlocking the screen.
** Package changed: ubuntu => gnome-shell (Ubuntu) ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1972812 Title: The operating system does not ask for a password after unlocking the screen. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/1972812/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1214787] Re: busybox crashed with signal 7
** Information type changed from Private to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1214787 Title: busybox crashed with signal 7 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1214787/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1970267] [NEW] Unable to save macaroons in MozillaCookieJar() under python3.10
Public bug reported:
Upstream bug report: https://github.com/go-macaroon-bakery/py-macaroon-
bakery/issues/88
See above for details, but the essential bug is that doing something
like the following:
client = httpbakery.Client(cookies=MozillaCookieJar(".cooklefile"))
if os.path.exists(client.cookies.filename):
client.cookies.load(ignore_discard=True)
response = client.request("POST", url=url, json=payload)
client.cookies.save(ignore_discard=True)
stated throwing a traceback under python3.10:
[ELIDED]
File "/usr/lib/python3.10/http/cookiejar.py", line 2120, in save
if cookie.has_nonstandard_attr(HTTPONLY_ATTR):
File "/usr/lib/python3.10/http/cookiejar.py", line 805, in
has_nonstandard_attr
return name in self._rest
TypeError: argument of type 'NoneType' is not iterable
because py-macaroon-bakery creates a http.cookiejar.Cookie() object with
the rest field set to None, causing the writing out of a cookie file to
fail.
** Affects: py-macaroon-bakery (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1970267
Title:
Unable to save macaroons in MozillaCookieJar() under python3.10
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/py-macaroon-bakery/+bug/1970267/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1969619] Re: RDP Sharing appears on by default in jammy
Hi, yes, from the Ubuntu Security team's perspective, this should go to the security pocket. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1969619 Title: RDP Sharing appears on by default in jammy To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-control-center/+bug/1969619/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1926321] Re: [MIR] telegraf
** Tags added: sec-753 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1926321 Title: [MIR] telegraf To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/telegraf/+bug/1926321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1956617] Re: [MIR] protobuf-c
** Tags added: sec-754 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1956617 Title: [MIR] protobuf-c To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/protobuf-c/+bug/1956617/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1746629] Re: [MIR] libbluray
** Tags added: sec-751 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1746629 Title: [MIR] libbluray To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libbluray/+bug/1746629/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1808537] Re: [bionic] ffmpeg update to 3.4.5
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1808537 Title: [bionic] ffmpeg update to 3.4.5 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1808537/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1964710] Re: XSS vulnerability in row_create
This was fixed in Jammy (Ubuntu 22.04 LTS pre-release) in phpliteadmin 1.9.8.2-2, closing that task. ** Changed in: phpliteadmin (Ubuntu Jammy) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1964710 Title: XSS vulnerability in row_create To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/phpliteadmin/+bug/1964710/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1968725] Re: baloo_file crashed with SIGSEGV in start_thread()
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Attachment removed: "CoreDump.gz" https://bugs.launchpad.net/ubuntu/+source/baloo-kf5/+bug/1968725/+attachment/5579957/+files/CoreDump.gz ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1968725 Title: baloo_file crashed with SIGSEGV in start_thread() To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/baloo-kf5/+bug/1968725/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1914279] Re: linux from security may force reboots without complete dkms modules
All work for this report has been completed, I believe the linux and linux-meta tasks can be closed out as well. ** Changed in: linux (Ubuntu) Status: Triaged => Fix Released ** Changed in: linux-meta (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1914279 Title: linux from security may force reboots without complete dkms modules To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/acpi-call/+bug/1914279/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1949186] Re: Missing Linux Kernel mitigations for 'SSB - Speculative Store Bypass' hardware vulnerabilities
Hi Ammar, apologies for the delayed followup, what is the version of the kernel that you are seeing this with? I.E. what is the output of running the command 'cat /proc/version_signature' where this is showing up? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1949186 Title: Missing Linux Kernel mitigations for 'SSB - Speculative Store Bypass' hardware vulnerabilities To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-aws/+bug/1949186/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950940] Re: Integer underflow in the vrend_decode_set_shader_images() on virglrenderer
** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0135 ** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0175 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950940 Title: Integer underflow in the vrend_decode_set_shader_images() on virglrenderer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/virglrenderer/+bug/1950940/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950939] Re: OOB write in the vrend_renderer_transfer_write_iov on virglrenderer
This was fixed in https://ubuntu.com/security/notices/USN-5309-1 for focal and newer; it is unfixed in bionic where virglrenderer is community maintained. (Edited to fix USN URL.) ** Also affects: virglrenderer (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: virglrenderer (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: virglrenderer (Ubuntu Impish) Importance: Undecided Status: New ** Changed in: virglrenderer (Ubuntu) Status: New => Fix Released ** Changed in: virglrenderer (Ubuntu Bionic) Status: New => Confirmed ** Changed in: virglrenderer (Ubuntu Bionic) Status: Confirmed => Triaged ** Changed in: virglrenderer (Ubuntu Focal) Status: New => Fix Released ** Changed in: virglrenderer (Ubuntu Impish) Status: New => Fix Released ** Information type changed from Private Security to Public Security ** Tags added: community-security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950939 Title: OOB write in the vrend_renderer_transfer_write_iov on virglrenderer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/virglrenderer/+bug/1950939/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950784] Re: information leak from host to guest in the virglrenderer
This was fixed in https://ubuntu.com/security/notices/USN-5309-1 for focal and newer; it is unfixed in bionic where virglrenderer is community maintained. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0175 ** Also affects: virglrenderer (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: virglrenderer (Ubuntu Impish) Importance: Undecided Status: New ** Also affects: virglrenderer (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: virglrenderer (Ubuntu Bionic) Status: New => Triaged ** Changed in: virglrenderer (Ubuntu) Status: New => Fix Released ** Changed in: virglrenderer (Ubuntu Focal) Status: New => Fix Released ** Changed in: virglrenderer (Ubuntu Impish) Status: New => Fix Released ** Information type changed from Private Security to Public Security ** Tags added: community-security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950784 Title: information leak from host to guest in the virglrenderer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/virglrenderer/+bug/1950784/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950940] Re: Integer underflow in the vrend_decode_set_shader_images() on virglrenderer
Issue 251 is not open upstream, but it looks like this was addressed in https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/2aed5d419722a0d9fbd17be9c7a1147e22b681de along with a couple of other security fixes in https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654 . It does not look like these fixes have landed in a release yet upstream. Hoever, the other two issues (249, 250) did get CVEs assigned for them, CVE-2022-0175 and CVE-2022-0135 respectively. Jun Yao, was a CVE ever assigned for this issue? ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0135 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0175 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950940 Title: Integer underflow in the vrend_decode_set_shader_images() on virglrenderer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/virglrenderer/+bug/1950940/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1954832] Re: sctp: account for stream padding for reconf chunk
This has been fixed in all affected Ubuntu kernels, closing. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0322 ** Information type changed from Private Security to Public Security ** Changed in: linux (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1954832 Title: sctp: account for stream padding for reconf chunk To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1954832/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1964427] Re: [Security] CVE-2022-0847 lib/iov_iter: initialize "flags" in new pipe_buffer
This was fixed in affected kernels in https://ubuntu.com/security/notices/USN-5317-1 and https://ubuntu.com/security/notices/USN-5362-1 ** Package changed: ubuntu => linux (Ubuntu) ** Changed in: linux (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1964427 Title: [Security] CVE-2022-0847 lib/iov_iter: initialize "flags" in new pipe_buffer To manage notifications about this bug go to: https://bugs.launchpad.net/intel/+bug/1964427/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1966352] Re: list-oem-metapackages crashed with AttributeError in packages_for_modalias(): 'Cache' object has no attribute 'packages'
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1966352 Title: list-oem-metapackages crashed with AttributeError in packages_for_modalias(): 'Cache' object has no attribute 'packages' To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1966352/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1968043] Re: Open CVE-2021-4048 with critical severity
This is fixed in jammy (Ubuntu 22.04 LTS pre-release) but not in focal or bionic. ** Also affects: lapack (Ubuntu Impish) Importance: Undecided Status: New ** Also affects: lapack (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: lapack (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: lapack (Ubuntu) Status: Confirmed => Fix Released ** Changed in: lapack (Ubuntu Bionic) Status: New => Confirmed ** Changed in: lapack (Ubuntu Focal) Status: New => Confirmed ** Changed in: lapack (Ubuntu Impish) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1968043 Title: Open CVE-2021-4048 with critical severity To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lapack/+bug/1968043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1968043] Re: Open CVE-2021-4048 with critical severity
** Changed in: lapack (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1968043 Title: Open CVE-2021-4048 with critical severity To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lapack/+bug/1968043/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1967631] Re: Ubuntu 22.04 / snap-store installing outdated software and misses security updates
As an aside, the wireguard-dkms package is not necessary to install (unless one is running an older non Ubuntu kernel that does not have the wireguard module available) as the wireguard kernel module has been enabled and backported to all Ubuntu kernels going back to the 4.4 kernel in Ubuntu 16.04 ESM. Marking public and closing. Thanks! ** Information type changed from Private Security to Public Security ** Changed in: snapd (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1967631 Title: Ubuntu 22.04 / snap-store installing outdated software and misses security updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1967631/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1968626] Re: kioslave5 crashed with SIGSEGV in QString::endsWith()
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Attachment removed: "CoreDump.gz" https://bugs.launchpad.net/ubuntu/+source/kio/+bug/1968626/+attachment/5579490/+files/CoreDump.gz ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1968626 Title: kioslave5 crashed with SIGSEGV in QString::endsWith() To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kio/+bug/1968626/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950321] Re: [MIR] glusterfs
I reviewed glusterfs 10.1-1 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability. GlusterFS is a clustered network file-system. - CVE History: 27 CVEs, though the most recent are from 2018. Issue resolution looks okay. One or two of the later CVEs were incomplete fixes for earlier issues. - Build-Depends on openssl, libtirpc, libxml2, rdma libs. - Several pre/post inst/rm scripts, dedicated to managing the systemd services, adding/removing a dedicated gluster user, ensuring an initial config file is created, and dealing with compiled python files. Most are generated by debhelper tools and look okay. - No init scripts. - The glusterfs-server package includes to systemd units, to manage the primary GlusterFS daemon and the gluster events notifier service. The GlusterFS daemon does depend on rpcbind services being enabled/started. (The upstream source includes a couple more systemd unit files that are not included in any of the binary packages.) - No dbus services. - No setuid binaries; however, see Andreas' discussion on the fusermount-glusterfs binary. In general, the security team would STRONGLY prefer to not have another setuid binary, especially for what upstream considers a non-standard use case and for one that is a modified version of an existing binary that has had its own history of security problems. - There are several binaries in PATH, mostly as one would expect (the service daemon itself, mount utilities, the events daemon, and some other specialized utilities. - No sudo fragments. - No polkit files. - No udev rules. - Tests: - it has one basic autopkgtest, a smoke test that creates and writes to a mountpoint. - As Andreas noted, there is an unused semblance of unittest infrastructure. There is a wholly unused tests/ subdirectory. It's great that upstream gates on tests passing, but does nothing for us for testing updates/patches we might apply. That's not great. - No cron jobs. - As noted, build logs contain some warnings, some of them somewhat concerning highlighting where string copy operations are performed with a bounds limiter based on the length of the source of the copy rather than the size of the target. Cursory looks indicate that they may not be an issue, and there has been some effort to fix these sorts of things in the upstream github. There's a couple of warnings about not checking the result of calls to setreuid() in contrib/fuse-lib/mount-common.c:59 which just emphasizes again that it would be best to not make the fusermount-glusterfs setuid. Nothing concerning in the lintian warnings, though that the warning of a lack of symbols tracking in the libraries has been silenced is not a great look. (The upstream libraries export a defined set of symbols, but don't make use of symbol versioning, either.) - Processes are spawned in a few locations, but look to be handled safely (outside of testcases). - Lots of fiddly memory management happening, memcpys, strcpys, etc. - File IO is okay. - Logging is complex but okay. - Minimal use of environment variables, mostly for geo-replication, and is okay. - Privileged function use oustide of fuse is okay. - RPC can use tls via libssl, looks okay. - Use of temp files looks to be safe, though TMPDIR is not honored. - As one would expect, significant Use of networking; in general looks okay. - No use of WebKit. - No use of PolicyKit. - No significant cppcheck issues that were not likely false positives. - Coverity reported around 500 issues, but spot checking a few, they appeared to be false positives or things like failing to deallocate memory in a command line tool. Upstream appears to be making fixes based on the public Coverity scanner, so that's good. - shellcheck found some issues, including in xlators/mount/fuse/utils/mount.glusterfs.in which gets installed as /sbin/mount.glusterfs. Not a direct security concern and there is at least some effort to address shellcheck issues upstream. - No significant bandit results. Close to 500 TODO/FIXME type comments which is not a great sign. I investigated the lintian override for the fortify hardening check, and it does appear to be a false positive that is being silenced, and thus okay. In talking with Andreas, I understand the difficulty with trying to get the upstream tests (in particular those driven by the run-tests.sh script) working, but I think it still would be something that would give us far more confidence when performing updates, security or otherwise. It would also be good to clarify explicitly why (debian) symbol versioning is not done, or get it in place. Neither are blockers for acceptance. Overall, there seems to be a marked improvement focusing on quality versus the last time this package was submitted for an MIR. Security team ACK for promoting glusterfs to main. -- You received this bug
Re: [Bug 1957932] Re: [MIR] rustc, cargo, dh-cargo
On Mon, Apr 04, 2022 at 09:31:39AM -, Simon Chopin wrote: > We also have a provisional ACK from the security team (I'll keep working > on surfacing the vendored deps data in a better way than Cargo.lock!). > > The seed changes are in a MP at > https://code.launchpad.net/~schopin/ubuntu-seeds/+git/ubuntu- > seeds/+merge/416688 > > @paelzer could you confirm that we can move ahead, and perhaps review > the seed change? From the Ubuntu Security Team's perspective, ACK for moving ahead. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1957932 Title: [MIR] rustc, cargo, dh-cargo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cargo/+bug/1957932/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1961117] Re: Vulnerability in glibc - CVE-2022-23219
This issue was addressed in Ubuntu in https://ubuntu.com/security/notices/USN-5310-1 and https://ubuntu.com/security/notices/USN-5310-2 and the under development jammy/Ubuntu 22.04 LTS already has glibc 2.35 incorporated. Please also note that Ubuntu has been building with stack-protector enabled since 2006, and thus the issue was limited to a denial of service. Thanks. ** Changed in: glibc (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1961117 Title: Vulnerability in glibc - CVE-2022-23219 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1961117/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1887187] Re: [MIR] nftables
python distutils deprecation has been filed as a bug upstream at https://bugzilla.netfilter.org/show_bug.cgi?id=1594 For the security review, while I did do some review while preparing the MIR request, I supsect it is preferable for the submitter to not also be the one to do the security review. Alex gracefully agreed to perform it, as seen above. Yes, we would like to land this for 22.04 LTS, if possible. Thanks! ** Bug watch added: bugzilla.netfilter.org/ #1594 http://bugzilla.netfilter.org/show_bug.cgi?id=1594 ** Changed in: nftables (Ubuntu) Milestone: None => ubuntu-22.04-beta ** Changed in: nftables (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1887187 Title: [MIR] nftables To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1887187/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1965464] Re: add debian symbols tracking for libnftables1 package
Yes, that's correct, both commits are needed. The debdiff/merge request look good to me, please go ahead and upload them to jammy so we can have proper symbol versioning on the ibrary itself there. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1965464 Title: add debian symbols tracking for libnftables1 package To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1965464/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1966017] Re: enable upstream python testsuite in autopkgtests
(If this were a build time testsuite, our log comparison process would pick up changes. We could *maybe* do something akin to how we try to detect new failing tests in openjdk in qrt's notes_testing/openjdk/ where we maybe compare our current adt runs of nftables against a prior run, and look for differences.) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1966017 Title: enable upstream python testsuite in autopkgtests To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1966017/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1966017] Re: enable upstream python testsuite in autopkgtests
So this looks okay, there are unfortunately a bunch of errors in the tests with v1.0.2 against a 5.15 kernel because the 'egress' hook support was only added in 5.16 (https://git.kernel.org/linus/42df6e1d221dddc0f2acf2be37e68d553ad65f96). This results in the following output in a jammy VM: 96 test files, 69 files passed, 1889 unit tests, 717 error, 0 warning I'd like to suggest one additional change, adding a `-f` option to the nft-test.py invocation in debian/tests/internaltest-py.sh . From the README in test/py/ that tells the testsuite to carry on testing additional families in case of error. With that change in place, I get the following total results, again in a jammy VM with a 5.15 kernel: 96 test files, 69 files passed, 1889 unit tests, 5776 total executed, 719 error, 0 warning I have not run this in adt, but running the tests manually doesn't return an error value on exit(), even with 700+ errors, so I'm not sure how the adt test will detect a regression that causes more test cases to error. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1966017 Title: enable upstream python testsuite in autopkgtests To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1966017/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1887187] Re: [MIR] nftables
For the required todos: 1) yes, the Ubuntu Security team is willing to maintain the embedded code copies. 2) debian symbols tracking: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1965464 For the recommended todos, we will try to make progress on those. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1887187 Title: [MIR] nftables To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1887187/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1965464] Re: add debian symbols tracking for libnftables1 package
Submitted patch to Debian: https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=1007888 ** Bug watch added: Debian Bug tracker #1007888 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007888 ** Also affects: nftables (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007888 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1965464 Title: add debian symbols tracking for libnftables1 package To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1965464/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1965464] Re: add debian symbols tracking for libnftables1 package
Debdiff to fix in ubuntu attached ** Patch added: "nftables_1.0.2-1ubuntu1.debdiff" https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1965464/+attachment/5570243/+files/nftables_1.0.2-1ubuntu1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1965464 Title: add debian symbols tracking for libnftables1 package To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1965464/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1965464] Re: add debian symbols tracking for libnftables1 package
I attemped to fix it with the following patch:
Index: b/src/Makefile.am
===
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -91,7 +91,7 @@ libparser_la_CFLAGS = ${AM_CFLAGS} \
libnftables_la_LIBADD = ${LIBMNL_LIBS} ${LIBNFTNL_LIBS} libparser.la
libnftables_la_LDFLAGS = -version-info ${libnftables_LIBVERSION} \
---version-script=$(srcdir)/libnftables.map
+-Wl,--version-script=$(srcdir)/libnftables.map
if BUILD_MINIGMP
noinst_LTLIBRARIES += libminigmp.la
however, that FTBFS due to LTO being used in the build; examining the
generated library does show the appropriate versions on the symbols:
/build/nftables-r9ytiF/nftables-1.0.2/src$ nm -D --with-symbol-versions
--defined-only .libs/libnftables.so
A LIBNFTABLES_1
A LIBNFTABLES_2
A LIBNFTABLES_3
0005ad10 T nft_ctx_add_include_path@@LIBNFTABLES_1
0005abe0 T nft_ctx_add_var@@LIBNFTABLES_2
0005b150 T nft_ctx_buffer_error@@LIBNFTABLES_1
0005b050 T nft_ctx_buffer_output@@LIBNFTABLES_1
0005ad90 T nft_ctx_clear_include_paths@@LIBNFTABLES_1
0005acb0 T nft_ctx_clear_vars@@LIBNFTABLES_2
0005b2e0 T nft_ctx_free@@LIBNFTABLES_1
0005b590 T nft_ctx_get_dry_run@@LIBNFTABLES_1
0005b2a0 T nft_ctx_get_error_buffer@@LIBNFTABLES_1
0005b270 T nft_ctx_get_output_buffer@@LIBNFTABLES_1
0005add0 T nft_ctx_new@@LIBNFTABLES_1
0005b5d0 T nft_ctx_output_get_debug@@LIBNFTABLES_1
0005b5b0 T nft_ctx_output_get_flags@@LIBNFTABLES_1
0005b5e0 T nft_ctx_output_set_debug@@LIBNFTABLES_1
0005b5c0 T nft_ctx_output_set_flags@@LIBNFTABLES_1
0005b5a0 T nft_ctx_set_dry_run@@LIBNFTABLES_1
0005b550 T nft_ctx_set_error@@LIBNFTABLES_1
0005b510 T nft_ctx_set_output@@LIBNFTABLES_1
0005b200 T nft_ctx_unbuffer_error@@LIBNFTABLES_1
0005b0f0 T nft_ctx_unbuffer_output@@LIBNFTABLES_1
0005b5f0 T nft_run_cmd_from_buffer@@LIBNFTABLES_1
0005b940 T nft_run_cmd_from_filename@@LIBNFTABLES_1
My concern is if this gets fixed, will this cause us to need to do a SO
version bump?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1965464
Title:
add debian symbols tracking for libnftables1 package
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1965464/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1965464] Re: add debian symbols tracking for libnftables1 package
One concern with this is that the upstream symbol versioning is broken; generating the debian symbols file looks like so: libnftables.so.1 libnftables1 #MINVER# nft_ctx_add_include_path@Base 0.9.2 nft_ctx_add_var@Base 1.0.0 nft_ctx_buffer_error@Base 0.9.2 nft_ctx_buffer_output@Base 0.9.2 nft_ctx_clear_include_paths@Base 0.9.2 nft_ctx_clear_vars@Base 1.0.0 nft_ctx_free@Base 0.9.2 nft_ctx_get_dry_run@Base 0.9.2 nft_ctx_get_error_buffer@Base 0.9.2 nft_ctx_get_optimize@Base 1.0.2 nft_ctx_get_output_buffer@Base 0.9.2 nft_ctx_new@Base 0.9.2 nft_ctx_output_get_debug@Base 0.9.2 nft_ctx_output_get_flags@Base 0.9.2 nft_ctx_output_set_debug@Base 0.9.2 nft_ctx_output_set_flags@Base 0.9.2 nft_ctx_set_dry_run@Base 0.9.2 nft_ctx_set_error@Base 0.9.2 nft_ctx_set_optimize@Base 1.0.2 nft_ctx_set_output@Base 0.9.2 nft_ctx_unbuffer_error@Base 0.9.2 nft_ctx_unbuffer_output@Base 0.9.2 nft_run_cmd_from_buffer@Base 0.9.2 nft_run_cmd_from_filename@Base 0.9.2 @Base is used because of: $ nm -D --with-symbol-versions --defined-only /usr/lib/x86_64-linux-gnu/libnftables.so.1.1.0 0005ad10 T nft_ctx_add_include_path 0005abe0 T nft_ctx_add_var 0005b150 T nft_ctx_buffer_error 0005b050 T nft_ctx_buffer_output 0005ad90 T nft_ctx_clear_include_paths 0005acb0 T nft_ctx_clear_vars 0005b2e0 T nft_ctx_free 0005b590 T nft_ctx_get_dry_run 0005b2a0 T nft_ctx_get_error_buffer 0005b5b0 T nft_ctx_get_optimize 0005b270 T nft_ctx_get_output_buffer 0005add0 T nft_ctx_new 0005b5f0 T nft_ctx_output_get_debug 0005b5d0 T nft_ctx_output_get_flags 0005b600 T nft_ctx_output_set_debug 0005b5e0 T nft_ctx_output_set_flags 0005b5a0 T nft_ctx_set_dry_run 0005b550 T nft_ctx_set_error 0005b5c0 T nft_ctx_set_optimize 0005b510 T nft_ctx_set_output 0005b200 T nft_ctx_unbuffer_error 0005b0f0 T nft_ctx_unbuffer_output 0005b610 T nft_run_cmd_from_buffer 0005b960 T nft_run_cmd_from_filename This despite the symbol map in the upstream project: https://git.netfilter.org/nftables/tree/src/libnftables.map -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1965464 Title: add debian symbols tracking for libnftables1 package To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1965464/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1965464] [NEW] add debian symbols tracking for libnftables1 package
Public bug reported: As part of the MIR for nftables, the addition of symbols tracking in the debian packaging for nftables is a requirement. ** Affects: nftables (Ubuntu) Importance: High Assignee: Steve Beattie (sbeattie) Status: Confirmed ** Changed in: nftables (Ubuntu) Status: New => Confirmed ** Changed in: nftables (Ubuntu) Importance: Undecided => High ** Changed in: nftables (Ubuntu) Assignee: (unassigned) => Steve Beattie (sbeattie) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1965464 Title: add debian symbols tracking for libnftables1 package To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1965464/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1957932] Re: [MIR] rustc, cargo
On Tue, Mar 15, 2022 at 05:14:00PM -, Simon Chopin wrote: > Before even starting to address the various points further, I must ask > whether they're showstopper for the *rustc* MIR. > I ask because some of the concerns raised here are irrelevant for rustc > itself. For instance, the X-Cargo-Built-Using is not only not used by > the rustc packaging at all, it would also not be used by Rust packages > entering main since, under the proposed amended rules, those packages > would first vendor all their dependencies. Ah, I had missed this piece from the conversation on the github MR. That places more emphasis on making sure Cargo.lock at a minimum is included. Long term, it would be ideal to have these in package metadata as X-Embedded-Copies or whatever, but ultimately that's a feature that would be generally useful across the distro and in Debian, not just in the Rust portions of it. For X-Cargo-Built-Using vs Built-Using in dh-cargo, the Security team can compensate one way or the other, we just need to know that, no, Built-Using not going to land in jammy. With the intent to fully vendor things in main, it's less important (from our team's perspective) that this gets resolved one way or the other, but I note that we are not the only ones with an opinion here. One other consideration is that organizations and governments are pushing really strongly for Software Bills of Materials (SBOMs) so the more proactive we are about collecting needed information in a structured, easily consumable way, the more straightforward it will be to satisfy those requirements. > We intend to implement all tooling changes that are required for a > wider Rust ecosystem support in main, but this starts with having the > compiler! The reason I ask about ecosystem supportability here is because this is likely the sole point where it's even in bounds for an MIR security audit. The 'dh-cargo' package as a "build-time only" tool means there is no requirement for it to go into main, and thus will likely never receive an MIR. When it comes time to review cargo, the argument will then be "Of what use is having rustc in main without cargo?" Individual applications or libraries will have reviews focused on themselves. The reality is we accepted Go-lang into main with a hypothetical plan to support its ecosystem security-wise, but has been difficult to turn into something real. My concern is that we're about to do the same for Rust, despite our broad general approval of the language. [There are also other constraints within Canonical that cause me to be thinking about the supportability of the ecosystem as a whole beyond what gets integrated into main, but you are correct that they are out of bounds for an MIR.] Anyhow. I have concerns about supporting this ecosystem, but the provisional ACK is already there. Thanks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1957932 Title: [MIR] rustc, cargo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cargo/+bug/1957932/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1957932] Re: [MIR] rustc, cargo
On Fri, Mar 11, 2022 at 10:17:47AM -, Simon Chopin wrote:
> @sbeattie there's some context on those various fields in
> https://github.com/cpaelzer/ubuntu-mir/pull/3
Thanks for this.
> Basically X-Cargo-Built-Using should be folded into Built-Using.
I agree with this, but is there a plan to land this in jammy?
If not, our tooling needs to compensate.
> There has been no talk of automating detection of packages that ought
> to have those fields, but that does sound like a good idea.
I think something needs to be in place, or there runs the risk of things
needing to pick up updates that don't get them applied.
> However, in the case of rustc and any future main package built using
> Rust, there are going to be vendored dependencies that are not packaged
> at all. It doesn't seem like a good idea to me to document those in the
> same fields as the dependencies that are separately packaged but
> statically linked, which is why I proposed shipping the Cargo.lock file.
>
> If you'd prefer, we could instead ship it in another field, maybe
> X-Vendored-Sources (as mentioned before, Built-Using seems out of scope
> for that).
It would be great if we could get this information as a field in the
Packages info (modulo concerns about size explosion as the set of
packaged rust software expands). I agree that it is not appropriate
for Built-Using; X-Vendored-Sources sounds great (if only we could
get this incorporated across more language ecosystems!). It would
probably be beneficial to have both the field in the packages metadata
list as well as the Cargo.lock file, to be able to identify which
crate versions were incorporated in superseded versions, if need be.
> For instance, using this small Python snippet, I get this for
> the Cargo.lock file shipped in rustc (Jammy):
>
> $ zcat Cargo.lock.gz | python3 -c "import toml; import sys; print(',
> '.join(f\"{p['name']}/{p['version']}\" for p in
> toml.load(sys.stdin)['package'] if 'source' in p))"
Thanks for this, lots to chew on here. Quite a few rust crates have
at least two versions of themselves in the list, which based on reading,
seems to be normal in the ecosystem, but then leads to issues like:
crossbeam-utils/0.7.2
crossbeam-utils/0.8.5
while the latter was patched to address CVE-2022-23639 in the current
jammy packaging, the former (in vendor/crossbeam-utils-0.7.2) was not.
While upstream crossbeam-utils yanked all of the 0.8.x versions < 0.8.7,
but there doesn't appear to be a fixed version of 0.7.x from upstream.
That's somewhat concerning about the ecosystem as a whole.
> The 'if source in p' statement filters out crates that are internal to
> rustc. Surprinsingly, the remaining rustc-* crates are separately
> packaged forks of existing crates.
That is also less than ideal.
> Would the security team feel more comfortable with this?
Yes, I think so.
Thanks!
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-23639
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1957932
Title:
[MIR] rustc, cargo
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cargo/+bug/1957932/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1957932] Re: [MIR] rustc, cargo
> 'Built-Using' vs 'X-Cargo-Built-Using' dh-cargo behavior So there is no plan to change this in dh-cargo? The tool the security team has that queries Built-Using can be modified to use the alternate field, if necessary, but we need to know if that's what we need to do. Are the tools that help with library transitions in Ubuntu going to cope with this? > non-users of dh-cargo not emitting 'X-Cargo-Built-Using' Is there a plan to deal with this? Some sort of britney / autopkgtest check that could be added to flag these as needing to be addressed? Otherewise, this makes it more difficult to discern what might need to be rebuilt given an update to a given rust library. I do appreciate the Cargo.lock packaging, that is helpful, though it means neediing to unpack binary debs to gain access to them, rather than merely accessing archive metadata for 'Built-Using' or 'X-Cargo-Built- Using'. Thanks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1957932 Title: [MIR] rustc, cargo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cargo/+bug/1957932/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1960864] Re: [MIR] plocate
I reviewed plocate 1.1.15-1ubuntu2 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability. plocate is a locate implementation based on posting lists and io_uring, intended as a drop-in replacement for mlocate. - No CVE History. - Build-Depends on liburing and libzstd - The pre/post inst/rm scripts adds a plocate group, sets up alternatives to place it as the locate, and sets up the systemd timer. Things are cleaned up in the pre/post-rm scripts. - No init scripts. - One systemd timer and service to run updatedb - No dbus services - No setuid binaries, plocate binary is setgid. - binaries in PATH: plocate, plocate-build, and updatedb.plocate - No sudo fragments - No polkit files - No udev rules - test - no unit or other build-time tests - autopkgtests: a basic test plus a more complex test that tests visibility across differing users. - One cron job that exits immediately because systemd timers are available. - No build warnings or errors, lintian with one minor warning: command-with-path-in-maintainer-script - No processes spawned. - Memory management is okay, generally uses C++ style allocations / deallocations. - File IO is mostly performed on static names or parsed out of /proc/self/mountinfo. The exception is the db argument to plocate; however, if alternate db files are passed, a child process that drops privilege is forked to search the passed db file. - Logging is mostly done by perror, and is done safely. - Environment variable usage is okay. - Privileged functions (setgid) are used to drop privs and are okay (returned errors are checked for). - No use of cryptography / random number sources. - Sole use of temp files in database-builder is okay, uses O_TMPFILE if available. - No use of networking. - No use of WebKit. - No use of PolicyKit. - No significant cppcheck results. - No significant Coverity results, a couple of issues that could possibly warrant further investigation. Recommend upstream project make use of the public https://scan.coverity.com service. Code generally feels modern and readable. Security team ACK for promoting plocate to main. ** Changed in: plocate (Ubuntu Jammy) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1960864 Title: [MIR] plocate To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/plocate/+bug/1960864/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950321] Re: [MIR] glusterfs
I'm working on the Security review of GlusterFS, which I have not quite completed, but to offer a comment on fusermount-glusterfs binary, the Security team would strongly prefer to not have another setuid binary for this; the original setuid fusermount has had its own security history and we would not like to see a forked version that has unknown tracking of vulnerabilities, especially for something that upstream considers to be a non-standard usage. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950321 Title: [MIR] glusterfs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950321] Re: [MIR] glusterfs
** Changed in: glusterfs (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => Steve Beattie (sbeattie) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950321 Title: [MIR] glusterfs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1957932] Re: [MIR] rustc, cargo
I reviewed rustc 1.57.0+dfsg1+llvm-0ubuntu2 as checked into jammy (but also peeked briefly at 1.58.1+dfsg1~ubuntu1-0ubuntu1~ppa5 in Simon's ppa). This shouldn't be considered a full audit but rather a quick gauge of maintainability, and this is a bit more streamlined review than normal due to the nature of Rust. Rust is a programming language and runtime environment that is intended to be a modern systems language. In general, the Ubuntu Security team views more widespread usage of Rust as a positive thing; the primary drawback being, like Go before it, the choice to static link everything makes security updates more challenging for both the deliverer and users on limited bandwidth. The Built-Using: mechanism at least gives us a chance to determine what needs to be rebuilt when a rust library has a security vulnerability that needs addressing. In order to get Built-Using: applied to Rust applications in jammy, does this mean that every Rust application needs at a minimum a no-change rebuild before jammy is released? If so, is there a plan for that? I'd like to ask what is the support expectation and commitment from the Foundations team for the rust toolchain and the separated out LLVM: - Is the expectation that version bumps of rust, possibly along with version bumps of LLVM necessary, will be brought back to 22.04 LTS? - If so, does the source package need a versioned name, as done for other toolchains? - As more thing depend on rust either wholly or partially (e.g. the ongoing work on the Linux kernel), is there an expectation this will change for 24.04 LTS? For CVE history, there are 21 CVEs in the security team's tracker that affect Rust, 20 in the standard library. (There is also a very recent additional issue that affects the vendored copy of rust-crossbeam in the rustc source package.) Generally, upstream looks responsive to security issues. Given all the above, the Ubuntu Security provisionally acks rustc for main, assuming the questions above can be answered. ** Changed in: rustc (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1957932 Title: [MIR] rustc, cargo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cargo/+bug/1957932/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950317] Re: [MIR] Wireguard
Andreas wrote: > If you happen to have a kernel installed that has the virtual provides > for wireguard-modules, then dkms won't be pulled in. Oh nice, I missed that, thanks for pointing it out. That definitely covers my complaint there. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950317 Title: [MIR] Wireguard To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1950317/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950317] Re: [MIR] Wireguard
One other non-security opinionated comment: having the wireguard meta package pull in the dkms package will likely cause people to install them unnecessarily. While many people will read the documentation first and realize they only need to install wireguard-tools, it's likely others will hear that WireGuard is supported in Ubuntu and assume `apt install wireguard` will do the right thing. ** Changed in: wireguard (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950317 Title: [MIR] Wireguard To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1950317/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950317] Re: [MIR] Wireguard
I reviewed wireguard 1.0.20210914-1ubuntu2 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability. wireguard is the user space component of the WireGuard VPN, an in-kernel vpn. The tools provided are for querying and configuring the state of the kernel portion of WireGuard. - No directly applicable CVEs. - No significant Build-Depends. - pre/post inst/rm scripts deal with the wq-quick systemd unit - The wg-quick systemd unit in not enabled by default; it is a templated oneshot service to make automatic connections on boot. - No dbus services - No setuid binaries - wg and wg-quick are the binaries in added in PATH - No sudo fragments. - No polkit files. - No udev rules. - tests: - No unit tests, a couple of build time tests of key generation - Some autopkgtests to test basic functionality, no real negative tests - it is good to see built-in fuzzing support. - No cron jobs. - Build logs are clean - Processes spawned: - there are lots of wrapped calls to popen(); fortunately they are confined to contributed or android tools only, and not included in the wg binary. - Memory management is performed okay. - File IO is okay, primarily used from the command line to read and write keys and read configuration. Attempts to protect against writing world accessible keys. - Logging is done through perror(), strerror(), and gai_strerror(), and is okay. - Environment variable use is limited. - No use of privileged functions on Linux - Use of cryptography / random number sources: - uses getrandom() - curve25519 implementations are embedded code copies, implementations are good. - No use of temp files in C code, wg-quick uses a static name for writing out a config file before moving it into place. - networking for the userspace component looks to be limited to resolving ip addresses and talking via netlink to configure and query the kernel code, and looks okay. - No use of WebKit. - No use of PolicyKit. - No cppcheck warnings. - No Coverity results that weren't false positives. - shellcheck on wg-quick was mostly clean: - line 338 uses the variable $i as a loop index in multiple nested loops; it appears to work correctly, but is mildly confusing to read. - quoting issues that are likely false positives The wg-quick shell script feels like it is at that point of complexity where it might be worth re-implementing in a less error prone programming language than bash. The /usr/share/docs/wireguard-tools/examples directory contains all of the stuff in contrib/ which is of varying quality, but doesn't really provide any example configurations. Security team ACK for promoting wireguard to main. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950317 Title: [MIR] Wireguard To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1950317/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1958293] Re: [MIR]: libyang2
I reviewed libyang2 2.0.112-6ubuntu2 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability. The libyang2 source package is a rename of the libyang based on the upstream 2.0 version which included a new parser; the libyang source package has not yet been removed from the archive. libyang2 is a library for processing IETF YANG data modeling schemas, used primarily for expressing netowrk configuration for networking equipment. - CVE History: - Roughly fifteen or so CVEs affecting libyang. Upstream is generally responsive of reports. - Build-Depends - libpcre2 (ok) - No pre/post inst/rm scripts - No init scripts. - No systemd units. - No dbus services. - No setuid binaries. - Two binaries in PATH, used primarly for schema validation and development - No sudo fragments. - No polkit files. - No udev rules. - tests: - significant unit tests run during the build - very limited autopkgtests, that only exercise the cli tools - No cron jobs. - Build logs: - more build time tests on the cli tools could be run if the shunit2 package was installed - build logs mostly clean, some possible uninitialized value warnings (from -Wmaybe-uninitialized) - lintian warnings are fine - No processes spawned. - Memory management is generally okay, some error checking macros are present to assist with allocation errors. - File IO is okay. - Logging has complex infrastructure, but okay - Environment variable usage is okay. Alternate plugin and extension directories can be specified via env vars, but it's hard to see how this can be abused. - Uses ioctl in the cli tools for querying window size. - No obvious use of cryptography / random number sources. - Lint tool uses a known temp file name when recompiled with debugging macros enabled (disabled by default) - No obvious use of networking, parses ip addrs in config files - No use of WebKit. - No use of PolicyKit. - ccpcheck reported a large number of memory leaks plus a few double frees, but these look to be likely false positives. - Coverity flagged a few issues outside of the tests that also mostly look to be false positives. Overall code looks fine, if macro heavy, which seems to confuse static analyzers. Upstream is responsive to issues. Security team ACK for promoting libyang2 to main. ** Changed in: libyang2 (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1958293 Title: [MIR]: libyang2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libyang2/+bug/1958293/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1887187] Re: [MIR] nftables
** Changed in: nftables (Ubuntu) Assignee: Seth Arnold (seth-arnold) => (unassigned) ** Changed in: nftables (Ubuntu) Status: Confirmed => New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1887187 Title: [MIR] nftables To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1887187/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1887187] Re: [MIR] nftables
** Description changed: - [Availability] * The package is already in universe and has been supported by Ubuntu kernels since at least Ubuntu 18.04 LTS. It builds and is supported on all Ubuntu architectures. [Rationale] * nftables is the future CLI and backend for firewalling which should be available on Ubuntu by default, and is the preferred tool by the upstream kernel community. * iptables will be switching to nftables backend, but iptables availability and usage will probably continue for forseeable future. It is expected that newer software will be adopting nftables directly, rather than via iptables compat tools. [Security] * There is no history of of vulnerabilities in the nftables user space tools (CVE-2015-1573 is in the kernel portion of nftables). * The nftables binary package contains the binary `/usr/bin/nft` which is neither setuid nor setgid. This binary is the utility that interacts with and configures the nftables subsystem in the Linux kernel. * The package also includes a oneshot systemd service used during boot to load the nftables configuration in /etc/nftables.conf. As packaged in Debian, this service is disabled by default. * It interacts with and configures the network filtering as performed by the Linux kernel. [Quality Assurance - function/usage] * The package works as installed; it does require enabling the systemd oneshot service to automatically reload defined rules on boot. [Quality assurance - maintenance] LP bugs: https://bugs.launchpad.net/ubuntu/+source/nftables/+bugs Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=nftables Upstream: https://bugzilla.netfilter.org/buglist.cgi?bug_status=__open__=_redirect=1=Importance=nftables_format=specific * Ubuntu and Debian bugs are reasonably under control. Upstream has a larger set of bugs that are mostly about parsing errors (flex/yacc are complex) and documentation or feature requests. [Quality Assurance - testing] * Tests are not run at build time; there are many tests run during autopkgtests across all architectures, but the more extensive ones have been marked as flaky. Example autopkgtest log: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/n/nftables/20220117_122101_70524@/log.gz [Quality Assurance - packaging] * A debian/watch file is present and works. Lintian reports nothing substantial, just minor standards version lag as well as debian/control missing the Rules-Requires-Root: field (silent-on-rules-requiring-root). It does not depend on obsolete or about to be demoted packages. There are no debconf settings or questions. [UI Standards] * It is primarily a command line system tool that is sysadmin facing, that does not contain translations. [Dependencies] * Documentation tools used during the build are in universe; all runtime dependencies are in main. It uses libjannson for JSON handling, not sure if there's a preferred JSON library in main. [Standards compliance] * This package correctly follows FHS and Debian Policy [Maintenance/Owner] - * The ubuntu-security team is not yet but will be - subscribed to bugs for nftables. There are no static - builds. There are some very minor embedded code copies that - are either disabled at build time (system gmp is used over - embedded mini-gmp) or are fairly small (David Woodhouse's - rbtree). It is relatively mature software with active - upstream commits (http://git.netfilter.org/nftables/log/) - as well as reasonably active maintenance in Debian. + * The ubuntu-security team is subscribed to bugs for + nftables. There are no static builds. There are some very + minor embedded code copies that are either disabled at + build time (system gmp is used over embedded mini-gmp) + or are fairly small (David Woodhouse's rbtree). It is + relatively mature software with active upstream commits + (http://git.netfilter.org/nftables/log/) as well as + reasonably active maintenance in Debian. [Background information] * The package description explains the package well. The upstream project is part of the larger netfilter project, and is documented at https://netfilter.org/projects/nftables/index.html -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1887187 Title: [MIR] nftables To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1887187/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1887187] Re: [MIR] nftables
** Description changed: [Availability] - * The package is already in universe and has been supported by Ubuntu - kernels since at least Ubuntu 18.04 LTS. It builds and is supported - on all Ubuntu architectures. + * The package is already in universe and has been supported + by Ubuntu kernels since at least Ubuntu 18.04 LTS. It + builds and is supported on all Ubuntu architectures. [Rationale] - * nftables is the future CLI and backend for firewalling which should - be available on Ubuntu by default, and is the preferred tool by the - upstream kernel community. + * nftables is the future CLI and backend for firewalling + which should be available on Ubuntu by default, and is + the preferred tool by the upstream kernel community. - * iptables will be switching to nftables backened, but iptables - availability and usage will probably continue for forseeable future. - It is expected that newer software will be adopting nftables directly, - rather than via iptables compat tools. + * iptables will be switching to nftables backend, but + iptables availability and usage will probably continue for + forseeable future. It is expected that newer software will + be adopting nftables directly, rather than via iptables + compat tools. [Security] - * There is no history of of vulnerabilities in the nftables user - space tools (CVE-2015-1573 is in the kernel portion of nftables). + * There is no history of of vulnerabilities in the nftables + user space tools (CVE-2015-1573 is in the kernel portion + of nftables). - * The nftables binary package contains the binary `/usr/bin/nft` which - is neither setuid nor setgid. This binary is the utility that interacts - with and configures the nftables subsystem in the Linux kernel. + * The nftables binary package contains the binary + `/usr/bin/nft` which is neither setuid nor setgid. This + binary is the utility that interacts with and configures + the nftables subsystem in the Linux kernel. - * The package also includes a oneshot systemd service used during - boot to load the nftables configuration in /etc/nftables.conf. As - packaged in Debian, this service is disabled by default. + * The package also includes a oneshot systemd service + used during boot to load the nftables configuration in + /etc/nftables.conf. As packaged in Debian, this service + is disabled by default. - * It interacts with and configures the network filtering as performed - by the Linux kernel. + * It interacts with and configures the network filtering + as performed by the Linux kernel. [Quality Assurance - function/usage] - * The package works as installed; it does require enabling the systemd - oneshot service to automatically reload defined rules on boot. + * The package works as installed; it does require enabling + the systemd oneshot service to automatically reload defined + rules on boot. [Quality assurance - maintenance] LP bugs: https://bugs.launchpad.net/ubuntu/+source/nftables/+bugs Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=nftables Upstream: https://bugzilla.netfilter.org/buglist.cgi?bug_status=__open__=_redirect=1=Importance=nftables_format=specific - * Ubuntu and Debian bugs are reasonably under control. Upstream has - a larger set of bugs that are mostly about parsing errors (flex/yacc - are complex) and documentation or feature requests. + * Ubuntu and Debian bugs are reasonably under + control. Upstream has a larger set of bugs that are + mostly about parsing errors (flex/yacc are complex) and + documentation or feature requests. [Quality Assurance - testing] - * Tests are not run at build time; there are many tests run during - autopkgtests across all architectures, but the more extensive ones - have been marked as flaky. Example autopkgtest log: + * Tests are not run at build time; there are many tests + run during autopkgtests across all architectures, but the + more extensive ones have been marked as flaky. Example + autopkgtest log: https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/n/nftables/20220117_122101_70524@/log.gz [Quality Assurance - packaging] * A debian/watch file is present and works. Lintian reports nothing substantial, just minor standards version lag as - well as debian/control missing the Rules-Requires-Root: field - (silent-on-rules-requiring-root). It does not depend on obsolete - or about to be demoted packages. There are no debconf settings or - questions. + well as debian/control missing the Rules-Requires-Root: + field (silent-on-rules-requiring-root). It does not depend + on obsolete or about to be demoted packages. There are no + debconf settings or questions. [UI Standards] - * It is primarily a command line system tool that is sysadmin facing, - that does not contain translations. + * It is primarily a command line system tool that is + sysadmin facing, that does not contain translations. [Dependencies] -
[Bug 1887187] Re: [MIR] nftables
** Description changed: + [Availability] - * The package is present in universe and is built for all architectures. + * The package is already in universe and has been supported by Ubuntu + kernels since at least Ubuntu 18.04 LTS. It builds and is supported + on all Ubuntu architectures. [Rationale] - * nftables is the future CLI and backend for firewalling which should be - avalable on Ubuntu by default. + * nftables is the future CLI and backend for firewalling which should + be available on Ubuntu by default, and is the preferred tool by the + upstream kernel community. * iptables will be switching to nftables backened, but iptables - availability and usage will probably continue for forseeable future. It - is epxected that newer software will be adopting nftables directly, + availability and usage will probably continue for forseeable future. + It is expected that newer software will be adopting nftables directly, rather than via iptables compat tools. + + [Security] + + * There is no history of of vulnerabilities in the nftables user + space tools (CVE-2015-1573 is in the kernel portion of nftables). + + * The nftables binary package contains the binary `/usr/bin/nft` which + is neither setuid nor setgid. This binary is the utility that interacts + with and configures the nftables subsystem in the Linux kernel. + + * The package also includes a oneshot systemd service used during + boot to load the nftables configuration in /etc/nftables.conf. As + packaged in Debian, this service is disabled by default. + + * It interacts with and configures the network filtering as performed + by the Linux kernel. + + [Quality Assurance - function/usage] + + * The package works as installed; it does require enabling the systemd + oneshot service to automatically reload defined rules on boot. + + [Quality assurance - maintenance] + + LP bugs: https://bugs.launchpad.net/ubuntu/+source/nftables/+bugs + Debian: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=nftables + Upstream: https://bugzilla.netfilter.org/buglist.cgi?bug_status=__open__=_redirect=1=Importance=nftables_format=specific + + * Ubuntu and Debian bugs are reasonably under control. Upstream has + a larger set of bugs that are mostly about parsing errors (flex/yacc + are complex) and documentation or feature requests. + + [Quality Assurance - testing] + + * Tests are not run at build time; there are many tests run during + autopkgtests across all architectures, but the more extensive ones + have been marked as flaky. Example autopkgtest log: + https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/n/nftables/20220117_122101_70524@/log.gz + + [Quality Assurance - packaging] + + * A debian/watch file is present and works. Lintian reports + nothing substantial, just minor standards version lag as + well as debian/control missing the Rules-Requires-Root: field + (silent-on-rules-requiring-root). It does not depend on obsolete + or about to be demoted packages. There are no debconf settings or + questions. + + [UI Standards] + + * It is primarily a command line system tool that is sysadmin facing, + that does not contain translations. + + [Dependencies] + + * Documentation tools used during the build are in universe; all + runtime dependencies are in main. It uses libjannson for JSON handling, + not sure if there's a preferred JSON library in main. + + [Standards compliance] + + * This package correctly follows FHS and Debian Policy + + [Maintenance/Owner] + + * The ubuntu-security team is not yet but will be subscribed to + bugs for nftables. There are no static builds. There are some very + minor embedded code copies that are either disabled at build time + (system gmp is used over embedded mini-gmp) or are fairly small + (David Woodhouse's rbtree). It is relatively mature software with + active upstream commits (http://git.netfilter.org/nftables/log/) + as well as reasonably active maintenance in Debian. + + [Background information] + + * The package description explains the package well. The upstream + project is part of the larger netfilter project, and is documented + at https://netfilter.org/projects/nftables/index.html . -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1887187 Title: [MIR] nftables To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1887187/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1888076] Re: nftables can't be statefull
Also, given that nftables is configuring netfilter in the kernel, it would probably be helpful to identify which kernel version you saw this with. Thanks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1888076 Title: nftables can't be statefull To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1888076/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1888076] Re: nftables can't be statefull
Hi Elrik, Thanks for reporting your issue to Ubuntu, and apologies for the delayed response. Can you say explicitly what behavior you're expecting to have work that does not? I.E. are ssh connections to the host unsuccessful or are other outbound operations failing? Some useful diagnostics to see what's happening would be to install the conntrack package and then run: $ sudo conntrack -L -o id,extended to see what connections it's tracking. Additionally, it would probably be useful to add a log rule at the end of the input chain to see what's failing; something like: log prefix "[nftables] input denied: " flags all counter drop and then looking at dmesg output, journalctl output, or /var/log/kern.log can tell you what is getting blocked. It should be noted that Ubuntu 20.04 uses systemd-resolved as its DNS resolver and depending on whether you've adjusted your DNS settings, with the nftables configuration above, likely the problem you're seeing is that connections to the resolver listening on the loopback interface (ip addr 127.0.0.53) are being blocked; in my testing, this showed up looking like: [nftables] input denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08: 00 SRC=127.0.0.1 DST=127.0.0.53 LEN=86 TOS=0x00 PREC=0x00 TTL=64 ID=11108 DF PROTO=UDP SPT=45001 DPT=53 LEN=66 Given that, adding a rule like: udp dport 53 ip saddr 127.0.0.1 accept on the input chain caused outbound initiated network traffic to work. Is this what you were seeing or is there some other behavior you were expecting that did not work? Thanks. ** Changed in: nftables (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1888076 Title: nftables can't be statefull To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1888076/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1951837] Re: new kernel 5.4.0-90-generic contain error with snat in vrf
Hi, Thanks for reporting this issue. If the behavior fails due to a kernel update, it's unlikely to be a problem in the user space nftables tool. Looking for suspicious commits between 5.4.0-84.94 and 5.4.0-90.101, https://git.launchpad.net/~ubuntu- kernel/ubuntu/+source/linux/+git/focal/commit/?id=318d87fed75ab207f5913ae5c6abf4f781c507f1 looks supicious and landed in 5.4.0-89.100. However, that commit was reverted in https://git.launchpad.net/~ubuntu- kernel/ubuntu/+source/linux/+git/focal/commit/?id=cb3a632a2da90d23629b59c8da26460af0bc455a , which landed in 5.4.0-97.110, published to focal at https://launchpad.net/ubuntu/+source/linux/5.4.0-97.110 on February 7, 2022. Are you still seeing this issue? ** Changed in: nftables (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1951837 Title: new kernel 5.4.0-90-generic contain error with snat in vrf To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1951837/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
Hey Kunal, thanks again for preparing these debdiffs. After reviewing them, I've gone ahead and uploaded the packages to the ubuntu-security- proposed ppa at https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+packages to build and run through autopkgtests; any feedback or additional testing you or anyone can give would be greatly appreciated. Thanks again. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1955352 Title: Vulnerable to information disclosure through various actions To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mediawiki/+bug/1955352/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1955352] Re: Vulnerable to information disclosure through various actions
Hi Kunal, Thanks for preparing these updates, I'm looking at them now. Apologies that they didn't get picked up earlier. ** Changed in: mediawiki (Ubuntu Bionic) Assignee: (unassigned) => Steve Beattie (sbeattie) ** Changed in: mediawiki (Ubuntu Focal) Assignee: (unassigned) => Steve Beattie (sbeattie) ** Changed in: mediawiki (Ubuntu Impish) Assignee: (unassigned) => Steve Beattie (sbeattie) ** Changed in: mediawiki (Ubuntu Bionic) Status: New => In Progress ** Changed in: mediawiki (Ubuntu Focal) Status: New => In Progress ** Changed in: mediawiki (Ubuntu Impish) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1955352 Title: Vulnerable to information disclosure through various actions To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mediawiki/+bug/1955352/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1951837] Re: new kernel 5.4.0-90-generic contain error with snat in vrf
** Also affects: linux (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1951837 Title: new kernel 5.4.0-90-generic contain error with snat in vrf To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1951837/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1958089] Re: Acer laptop screen goes black after a few hours of work
** Information type changed from Public Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1958089 Title: Acer laptop screen goes black after a few hours of work To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1958089/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1956585] Re: OOB write on BPF_RINGBUF
This was assigned CVE-2021-4204. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-4204 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1956585 Title: OOB write on BPF_RINGBUF To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1956585/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1956585] Re: OOB write on BPF_RINGBUF
** Description changed: tr3e wang discovered that an OOB write existed in the eBPF subsystem in the Linux kernel on BPF_RINGBUF. Mitigation commit: https://git.launchpad.net/~ubuntu- kernel/ubuntu/+source/linux/+git/impish/commit/?id=53fb7741ff9d546174dbb585957b4f8b6afbdb83 Mitigation: Disable unprivileged ebpf with: - $ sudo sysctl kernel.unprivileged_bpf_disabled=1 + $ sudo sysctl kernel.unprivileged_bpf_disabled=1 + + Unprivileged ebpf is disabled by default in Ubuntu 21.10 and newer. See + https://www.kernel.org/doc/html/latest/admin- + guide/sysctl/kernel.html#unprivileged-bpf-disabled for details on the + configuration setting. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1956585 Title: OOB write on BPF_RINGBUF To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1956585/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1956585] Re: OOB write on BPF_RINGBUF
** Description changed: tr3e wang discovered that an OOB write existed in the eBPF subsystem in the Linux kernel on BPF_RINGBUF. Mitigation commit: https://git.launchpad.net/~ubuntu- kernel/ubuntu/+source/linux/+git/impish/commit/?id=53fb7741ff9d546174dbb585957b4f8b6afbdb83 + + Mitigation: + + Disable unprivileged ebpf with: + + $ sudo sysctl kernel.unprivileged_bpf_disabled=1 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1956585 Title: OOB write on BPF_RINGBUF To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1956585/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1956585] Re: OOB write on BPF_RINGBUF
** Information type changed from Private Security to Public Security ** Description changed: - Placeholder bug. + tr3e wang discovered that an OOB write existed in the eBPF subsystem in + the Linux kernel on BPF_RINGBUF. + + Mitigation commit: https://git.launchpad.net/~ubuntu- + kernel/ubuntu/+source/linux/+git/impish/commit/?id=53fb7741ff9d546174dbb585957b4f8b6afbdb83 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1956585 Title: OOB write on BPF_RINGBUF To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1956585/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1916767] Re: firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910
Hi, thanks for preparing this and apologies that it got overlooked. I've uploaded it to the security-proposed ppa https://launchpad.net/~ubuntu- security-proposed/+archive/ubuntu/ppa/ where it has passed autopkgtests. Any additional testing before it gets released to focal-security would be appreciated! Just to confirm my understanding is correct, disabling the overlayfs confinement is disabling it as an option, and is not essential to firejail's effectiveness, correct? ** Changed in: firejail (Ubuntu) Status: Confirmed => In Progress ** Changed in: firejail (Ubuntu) Assignee: (unassigned) => Steve Beattie (sbeattie) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1916767 Title: firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1916767/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1948698] Re: Update tzdata to version 2021e
Okay from the Ubuntu Security team for these tzdata updates to land in security pockets. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1948698 Title: Update tzdata to version 2021e To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/1948698/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1945527] Re: Update tzdata to version 2021a-2
This was fixed for xenial/esm with tzdata 2021a-2ubuntu0.16.04+esm1 and for trusty/esm with tzdata 2021a-2ubuntu0.14.04+esm1. Thanks Brian, for preparing these updates! ** Changed in: tzdata (Ubuntu Xenial) Status: New => Fix Released ** Also affects: tzdata (Ubuntu Trusty) Importance: Undecided Status: New ** Changed in: tzdata (Ubuntu Trusty) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1945527 Title: Update tzdata to version 2021a-2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/1945527/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1755447] Re: issue 32185: SSLContext.wrap_socket sends SNI Extension when server_hostname is IP
I am not aware of a security impact from this issue, so if it is to be addressed in xenial ESM, it would eed to go through a support request. closing the xenial tasks as Won't Fix. ** Changed in: python2.7 (Ubuntu Xenial) Status: New => Won't Fix ** Changed in: python3.5 (Ubuntu Xenial) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1755447 Title: issue 32185: SSLContext.wrap_socket sends SNI Extension when server_hostname is IP To manage notifications about this bug go to: https://bugs.launchpad.net/python/+bug/1755447/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1755447] Re: issue 32185: SSLContext.wrap_socket sends SNI Extension when server_hostname is IP
For python2.7, this was fixed in https://github.com/python/cpython/commit/a5c9112300ecd492ed6cc9759dc8028766401f61 which landed in 2.7.15, so has been fixed in bionic-updates and newer. ** Changed in: python2.7 (Ubuntu Bionic) Status: New => Fix Released ** Changed in: python2.7 (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1755447 Title: issue 32185: SSLContext.wrap_socket sends SNI Extension when server_hostname is IP To manage notifications about this bug go to: https://bugs.launchpad.net/python/+bug/1755447/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1911465] Re: autopkgtest fails on Xenial
In actuality, the bug describing the autopkgtest failure for docker.io in xenial is bug 1855481. The fix for this in xenial was incorporated into the docker.io 18.09.7-0ubuntu1~16.04.9+esm1 ESM update. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1911465 Title: autopkgtest fails on Xenial To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1911465/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946137] Re: distro-info-data update needed for 14.04/16.04 ESM being extended to five years
This was fixed in all releases (including trusty and xenial ESM) except impish, leaving that task open. ** Changed in: distro-info-data (Ubuntu) Status: Fix Released => Triaged ** Also affects: distro-info-data (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: distro-info-data (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: distro-info-data (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: distro-info-data (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: distro-info-data (Ubuntu Hirsute) Importance: Undecided Status: New ** Changed in: distro-info-data (Ubuntu Trusty) Status: New => Fix Released ** Changed in: distro-info-data (Ubuntu Xenial) Status: New => Fix Released ** Changed in: distro-info-data (Ubuntu Bionic) Status: New => Fix Released ** Changed in: distro-info-data (Ubuntu Focal) Status: New => Fix Released ** Changed in: distro-info-data (Ubuntu Hirsute) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946137 Title: distro-info-data update needed for 14.04/16.04 ESM being extended to five years To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/distro-info-data/+bug/1946137/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1946137] [NEW] distro-info-data update needed for 14.04/16.04 ESM being extended to five years
Public bug reported: It was recently announced the the 14.04 and 16.04 ESM releases would be receive a total of five years ESM support status each, and the distro- info-data for ubuntu should be updated to reflect that: $ dpkg -l distro-info-data | grep ^ii ii distro-info-data 0.51 all information about the distributions' releases (data files) $ grep -E '(Trusty|Xenial)' /usr/share/distro-info/ubuntu.csv 14.04 LTS,Trusty Tahr,trusty,2013-10-17,2014-04-17,2019-04-25,2019-04-25,2022-04-25 16.04 LTS,Xenial Xerus,xenial,2015-10-22,2016-04-21,2021-04-21,2021-04-21,2024-04-23 The last entries should be updated to 2024 and 2026 respectively, to match the information at https://ubuntu.com/security/esm ** Affects: distro-info-data (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1946137 Title: distro-info-data update needed for 14.04/16.04 ESM being extended to five years To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/distro-info-data/+bug/1946137/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1352007] Re: avconv crashed with SIGSEGV in paint_mouse_pointer()
** Information type changed from Private to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1352007 Title: avconv crashed with SIGSEGV in paint_mouse_pointer() To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libav/+bug/1352007/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1368481] Re: avconv assert failure: avconv: /build/buildd/libav-11~beta1/libavcodec/put_bits.h:139: put_bits: Assertion `n <= 31 && value < (1U << n)' failed.
** Information type changed from Private to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1368481 Title: avconv assert failure: avconv: /build/buildd/libav-11~beta1/libavcodec/put_bits.h:139: put_bits: Assertion `n <= 31 && value < (1U << n)' failed. To manage notifications about this bug go to: https://bugs.launchpad.net/bombono/+bug/1368481/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 980943] Re: ffmpeg crashed with SIGSEGV in __libc_start_main()
** Attachment removed: "CoreDump.gz" https://bugs.launchpad.net/ubuntu/+source/libav/+bug/980943/+attachment/3059934/+files/CoreDump.gz ** Information type changed from Private to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/980943 Title: ffmpeg crashed with SIGSEGV in __libc_start_main() To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libav/+bug/980943/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1928648] Re: expiring trust anchor compatibility issue
Ack from the Ubuntu Security team for both gnutls28 3.5.18-1ubuntu1.5 and 3.4.10-4ubuntu1.9 to go to bionic-security and xenial-security respectively. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1928648 Title: expiring trust anchor compatibility issue To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1943960] Re: s390x BPF JIT vulnerabilities
** Description changed:
[Impact]
s390 BPF JIT vulnerabilities allow the eBPF verifier to be bypassed, leading
to possible local privilege escalation.
[Mitigation]
Disable unprivileged eBPF.
sysctl -w kernel.unprivileged_bpf_disabled=1
[Potential regression]
BPF programs might execute incorrectly, affecting seccomp, socket filters,
tracing and other BPF users.
+
+ Commits to address this are upstream in Linus' tree; they are:
+
+ 1511df6f5e9e ("s390/bpf: Fix branch shortening during codegen pass")
+ 6e61dc9da0b7 ("s390/bpf: Fix 64-bit subtraction of the -0x8000
constant")
+ db7bee653859 ("s390/bpf: Fix optimizing out zero-extensions")
+
+ and have been applied to the 5.14, 5.4 , 4.19, and 4.4 stable branches.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1943960
Title:
s390x BPF JIT vulnerabilities
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1943960/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1943960] Re: s390x BPF JIT vulnerabilities
Commits to address this are upstream in Linus' tree; they are:
1511df6f5e9e ("s390/bpf: Fix branch shortening during codegen pass")
6e61dc9da0b7 ("s390/bpf: Fix 64-bit subtraction of the -0x8000 constant")
db7bee653859 ("s390/bpf: Fix optimizing out zero-extensions")
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1943960
Title:
s390x BPF JIT vulnerabilities
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1943960/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1929105] Re: CVE-2021-3326: The iconv app in glibc when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion & aborts
** Bug watch added: Sourceware.org Bugzilla #27256 https://sourceware.org/bugzilla/show_bug.cgi?id=27256 ** Also affects: glibc via https://sourceware.org/bugzilla/show_bug.cgi?id=27256 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1929105 Title: CVE-2021-3326: The iconv app in glibc when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion & aborts To manage notifications about this bug go to: https://bugs.launchpad.net/glibc/+bug/1929105/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1863299] Re: linux-aws fails to late load microcode, works with generic
Is this worth addressing in the cloud kernels or should we stick to early microcode loads only? ** Changed in: linux-aws (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1863299 Title: linux-aws fails to late load microcode, works with generic To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-aws/+bug/1863299/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
