Bug#625894: logcheck-database: /etc/logcheck/ignore.d.server/spamd regexp broken, triggered by unusual Message-Id
On Thu, May 30 2024, Richard Lewis wrote:

> On Thu, 09 May 2013 14:49:29 -0700 Gerald Turner wrote:
>> Gerald Turner writes:
>> > Hello, there are a few commas that are out of place in one of the
>> > spamassassin expressions:
>>
>> FYI, but is still present in logcheck-database 1.3.15 (wheezy).
>
> (hello again)
>
> It looks like the spamd rules have changed a bit over the last 10
> years, is there still a bug in latest rules?

Looks like it's been fixed in the package, great!

-- 
Gerald Turner
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
Bug#625895: logcheck-database: /etc/logcheck/ignore.d.server/dovecot rule misses unusual Message-Id
Hi Richard,

On Sun, May 12 2024, Richard Lewis wrote:

> On Fri, 06 May 2011 11:32:03 -0700 Gerald Turner wrote:
>> Hello, I've seen some legitimate mails with unusual Message-Id headers
>> that cause logcheck's dovecot delivery rule to be bypassed.
>>
>> Example:
>>
>> … sieve: msgid=<20110422T2108.GA.(stdi.s...@fsing.rootsland.net>: stored mail into mailbox 'Mailing Lists/Debian/debian-devel'
>
> It's a shame no-one replied since 2011.
>
> That doesn't seem to be a valid msgid, so not sure logcheck should be
> ignoring it by default. Obviously you can edit / make your own rules
> to do so.
> So not sure there is anything for debian to do in this one. Perhaps we
> should close the bug?

Yes, please close the bug.

Apparently, thirteen years ago, I was in the spirit of opening many bugs to try and improve logcheck; however that is an immense task, one size *does not* fit all (such as invalid Message-Id), and I've grown accustomed to writing many personal rules.

FWIW, I run logcheck on a dozen machines, have a large catalog of rules applied via ansible, and I find it immensely useful for 1) discovering daemon configuration problems, and 2) occasionally dealing with exotic brute force attempts. Peace of mind at the expense of adjusting rules after a dist-upgrade every few years.

Keep up the good work =)

-- 
Gerald Turner
Bug#1030015: elpa-powerline: lots of warnings when starting emacs
There is a patch in the upstream github project, merged to the master branch, but not released:

https://github.com/milkypostman/powerline/pull/194

-- 
Gerald Turner
Bug#961831: fail2ban: ejabberd-auth jail has incorrect failregex
Package: fail2ban
Version: 0.10.2-2.1
Severity: minor

Dear Maintainer,

The ejabberd-auth.conf needs a couple of tweaks to failregex in order to be compatible with the current version of ejabberd. Attached is ejabberd.log showing two failed login attempts. The existing regex is looking for "info" that should be "warning"; as well, the erlang <0.pid.thread> stuff (not really sure what it is) has to allow more than one digit after the last dot. Diff attached.

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (701, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-9-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fail2ban depends on:
ii  lsb-base  10.2019051400
ii  python3   3.7.3-1

Versions of packages fail2ban recommends:
ii  iptables           1.8.2-4
ii  nftables           0.9.0-2
ii  python             2.7.16-1
ii  python3-pyinotify  0.9.6-1
ii  python3-systemd    234-2+b1
ii  whois              5.4.3

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20180807cvs-1
ii  mailutils [mailx]            1:3.5-3
ii  monit                        1:5.26.0-1~bpo10+1
ii  rsyslog [system-log-daemon]  8.1901.0-1
ii  sqlite3                      3.27.2-3

-- Configuration Files:
/etc/logrotate.d/fail2ban changed [not included]

-- no debconf information

-- 
Gerald Turner

2020-04-17 09:20:53.767 [warning] <0.27283.25>@ejabberd_c2s:handle_auth_failure:452 (tls|<0.27283.25>) Failed c2s PLAIN authentication for alexeylom960...@example.com from :::185.244.172.37: Invalid username or password
2020-04-17 10:11:15.556 [warning] <0.27727.25>@ejabberd_c2s:handle_auth_failure:452 (tls|<0.27727.25>) Failed c2s PLAIN authentication for aralda243...@example.com from :::185.244.172.37: Invalid username or password

--- ejabberd-auth.conf 2020-05-29 16:38:39.881910606 -0700 +++ ejabberd-auth.local 2020-05-29 16:39:15.097336217 -0700 @@ -16,8 +16,7 @@ # searched for other failures. This tag can be used multiple times. # Values: TEXT # -failregex = ^=INFO REPORT ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for \S+ from (?:IP )?(?: \({{(?:\d+,){3}\d+},\d+}\))?$ -^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?::::)?(?:: |$) +failregex = ^(?:\.\d+)? \[(info|warning)\] <0\.\d+\.\d+>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?::::)?(?:: |$) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored.
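Review bot: in the `+failregex` line, `(info|warning)` is a capturing group while every other group in the expression is non-capturing; write it `(?:info|warning)` so the only captured group is the host tag fail2ban adds. As quoted, neither the removed nor the added line shows a `<HOST>` tag between `(?::::)?` and `(?:: |$)`; fail2ban needs it to extract the address to ban, so if the mail rendering ate it (it reads like an HTML tag) that is fine, otherwise the rule cannot ban anything. The hunk also drops the first old line (`^=INFO REPORT ===\nI\(...`) outright rather than keeping it beside the new form, which removes support for the older erlang report format; that is acceptable if no supported ejabberd emits it, but the changelog should say so.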
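A check of the two failregex variants against log lines in the format quoted above, as an added example (not part of the bug report or of fail2ban). It assumes fail2ban has already removed the timestamp it recognised, it models the `<HOST>` tag (which the quoted diff appears to have lost) as a simple IPv4 named group, and the log lines are constructed.

```python
import re

# fail2ban substitutes its own address pattern for the <HOST> tag in failregex; the
# quoted diff shows no <HOST>, so this simplified IPv4-only group stands in for it
# (an assumption of this example).
HOST = r"(?P<host>[0-9.]+)"

# The second line of the old failregex and the new single-line failregex, copied from
# the diff above with HOST spliced in between "(?::::)?" and "(?:: |$)".
OLD_FAILREGEX = (
    r"^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) "
    r"Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?::::)?" + HOST + r"(?:: |$)"
)
NEW_FAILREGEX = (
    r"^(?:\.\d+)? \[(info|warning)\] <0\.\d+\.\d+>@ejabberd_c2s:\w+:\d+ \([^\)]+\) "
    r"Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?::::)?" + HOST + r"(?:: |$)"
)

# fail2ban strips the timestamp it recognised before applying failregex. Assumed here:
# the "YYYY-MM-DD HH:MM:SS" part goes, leaving ".767 [warning] ..." for "^(?:\.\d+)?".
TIMESTAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d")


def strip_timestamp(line):
    return TIMESTAMP.sub("", line, count=1)


def match_host(failregex, line):
    """Return the address the rule would hand to the ban action, or None if no match."""
    m = re.search(failregex, strip_timestamp(line))
    return m.group("host") if m else None


def explain_old_mismatch(line):
    """Name the reasons the pre-patch rule misses a current ejabberd line."""
    body = strip_timestamp(line)
    reasons = []
    if re.search(r"^(?:\.\d+)? \[warning\]", body):
        reasons.append("level is [warning], rule only accepts [info]")
    pid = re.search(r"<0\.\d+\.(\d+)>", body)
    if pid and len(pid.group(1)) > 1:
        reasons.append("erlang pid <0.N.M> has %d digits after the last dot, rule allows one"
                       % len(pid.group(1)))
    return reasons


# Constructed sample lines in the format the report quotes (users and addresses made up).
CURRENT_LINES = [
    "2020-04-17 09:20:53.767 [warning] <0.27283.25>@ejabberd_c2s:handle_auth_failure:452 "
    "(tls|<0.27283.25>) Failed c2s PLAIN authentication for user1@example.com "
    "from :::192.0.2.10: Invalid username or password",
    "2020-04-17 10:11:15.556 [warning] <0.27727.25>@ejabberd_c2s:handle_auth_failure:452 "
    "(tls|<0.27727.25>) Failed c2s PLAIN authentication for user2@example.com "
    "from :::192.0.2.11: Invalid username or password",
]
# Constructed line in the older format the pre-patch rule was written for.
OLD_STYLE_LINE = (
    "2018-06-01 12:00:00.001 [info] <0.123.0>@ejabberd_c2s:process_terminated:300 "
    "(tls|<0.123.0>) Failed c2s PLAIN authentication for user3@example.com from :::192.0.2.12"
)


def compare_rules(lines):
    """For each line: (host matched by the old rule, host matched by the new rule)."""
    return [(match_host(OLD_FAILREGEX, l), match_host(NEW_FAILREGEX, l)) for l in lines]


if __name__ == "__main__":
    sample = CURRENT_LINES + [OLD_STYLE_LINE]
    for line, (old, new) in zip(sample, compare_rules(sample)):
        print("old=%-12s new=%-12s %s" % (old, new, "; ".join(explain_old_mismatch(line)) or "-"))
```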
Bug#959841: munin-plugins-core: ntp_kernel_* plugins trivially incompatible with ntpsec package
Control: found -1 2.0.57-1
Control: tags -1 + patch

On Tue, May 05 2020, Gerald Turner wrote:

> I believe changing these to support ntpsec will be trivial. Patch to
> follow ;-)

Attached patch fixes the version check to work with the newer ntpsec daemon in addition to classic ntpd. I have tested and verified the same data is reported under the ntpsec daemon.

-- 
Gerald Turner

From 2806265c2a8014d02c5a030453cc95771743d300 Mon Sep 17 00:00:00 2001
From: Gerald Turner
Date: Tue, 5 May 2020 19:41:44 -0700
Subject: [PATCH] Fix Bug#959841: munin-plugins-core: ntp_kernel_* plugins trivially incompatible with ntpsec package

---
 plugins/node.d/ntp_kernel_err.in      | 2 +-
 plugins/node.d/ntp_kernel_pll_freq.in | 2 +-
 plugins/node.d/ntp_kernel_pll_off.in  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/plugins/node.d/ntp_kernel_err.in b/plugins/node.d/ntp_kernel_err.in index 9dc6d0f1..23646106 100644 --- a/plugins/node.d/ntp_kernel_err.in +++ b/plugins/node.d/ntp_kernel_err.in @@ -51,7 +51,7 @@ fi printf 'ntp_err.value ' -if [ "$(ntpq -c version | grep --extended-regexp --only-matching '[[:digit:]]\.[[:digit:]]\.[[:digit:]]' | tr -d '.')" -ge 427 ] +if [ "$(ntpq -c version | sed 's/[^[:alpha:]].*//')" = "ntpsec" -o "$(ntpq -c version | grep --extended-regexp --only-matching '[[:digit:]]\.[[:digit:]]\.[[:digit:]]' | tr -d '.')" -ge 427 ] then ntpq -c kerninfo | awk '/^estimated error:/ { print $3 / 1000 }' else diff --git a/plugins/node.d/ntp_kernel_pll_freq.in b/plugins/node.d/ntp_kernel_pll_freq.in index 30af52a8..7b1839d7 100644 --- a/plugins/node.d/ntp_kernel_pll_freq.in +++ b/plugins/node.d/ntp_kernel_pll_freq.in
@@ -65,7 +65,7 @@ fi printf 'ntp_pll_freq.value ' -if [ "$(ntpq -c version | grep --extended-regexp --only-matching '[[:digit:]]\.[[:digit:]]\.[[:digit:]]' | tr -d '.')" -ge 427 ] +if [ "$(ntpq -c version | sed 's/[^[:alpha:]].*//')" = "ntpsec" -o "$(ntpq -c version | grep --extended-regexp --only-matching '[[:digit:]]\.[[:digit:]]\.[[:digit:]]' | tr -d '.')" -ge 427 ] then cmd=ntpq else diff --git a/plugins/node.d/ntp_kernel_pll_off.in b/plugins/node.d/ntp_kernel_pll_off.in index b38cbd4d..dfac2c20 100644 --- a/plugins/node.d/ntp_kernel_pll_off.in +++ b/plugins/node.d/ntp_kernel_pll_off.in @@ -51,7 +51,7 @@ fi printf 'ntp_pll_off.value ' -if [ "$(ntpq -c version | grep --extended-regexp --only-matching '[[:digit:]]\.[[:digit:]]\.[[:digit:]]' | tr -d '.')" -ge 427 ] +if [ "$(ntpq -c version | sed 's/[^[:alpha:]].*//')" = "ntpsec" -o "$(ntpq -c version | grep --extended-regexp --only-matching '[[:digit:]]\.[[:digit:]]\.[[:digit:]]' | tr -d '.')" -ge 427 ] then ntpq -c kerninfo | awk '/^pll offset:/ { print $3 / 1000 }' else -- 2.26.2
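Review bot: the replacement `+if [` line, identical in all three hunks (ntp_kernel_err.in, ntp_kernel_pll_freq.in, ntp_kernel_pll_off.in), runs `ntpq -c version` twice and joins the two tests with `-o`, which POSIX marks obsolescent inside `[`; capture the output once and branch with `case`, e.g. `v=$(ntpq -c version)` followed by `case $v in ntpsec*) use_ntpq=1 ;; esac`, which also avoids the daemon answering differently between the two invocations. The retained `-ge 427` comparison still errors out with "integer expression expected" when no d.d.d string is found, so an unrecognised daemon breaks the plugin rather than falling back; a guard on the empty string would make the failure mode explicit. Since the change is the same in three files, factoring the check into one helper sourced by all three plugins would stop them drifting apart again.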
Bug#959841: munin-plugins-core: ntp_kernel_* plugins trivially incompatible with ntpsec package
Package: munin-plugins-core
Version: 2.0.49-1
Severity: normal

Dear Maintainer,

Recent changes to the bullseye and buster-backports systemd packages that split out systemd-timesyncd to depend on alternatives like ntpsec (among others, but not classic ntpd) nudged me to upgrade from classic ntpd to ntpsec on a couple of servers. These servers have munin-node monitoring their ntp daemons. The move from classic ntpd to ntpsec caused the following plugins to begin failing:

 * ntp_kernel_err
 * ntp_kernel_pll_freq
 * ntp_kernel_pll_off

Each of these is a shell script that performs a version check on the ntpq binary, then falls back on the ntpdc binary if the version isn't new enough. However with the ntpsec package, two problems arise:

 * ntpsec's ntpq command returns a version string that's "younger" than NTP classic's.
   + ntpsec: ntpsec-1.1.3 2019-11-18T06:04:00Z
   + ntpd: ntpq 4.2.8p12@1.3728-o (1)
 * ntpsec doesn't include the ntpdc binary and the fallback fails.
   + /etc/munin/plugins/ntp_kernel_err: ntpdc: not found

The line of shell script in question is:

  if [ "$(ntpq -c version | grep --extended-regexp --only-matching '[[:digit:]]\.[[:digit:]]\.[[:digit:]]' | tr -d '.')" -ge 427 ]
  then
      ntpq -c kerninfo | awk '/^estimated error:/ { print $3 / 1000 }'
  else
      ntpdc -c kerninfo | awk '/^estimated error:/ { print $3 }'
  fi

I believe changing these to support ntpsec will be trivial. Patch to follow ;-)

-- System Information:
Debian Release: 10.3
  APT prefers stable
  APT policy: (701, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-8-cloud-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages munin-plugins-core depends on:
ii  munin-common  2.0.49-1
ii  perl          5.28.1-6

Versions of packages munin-plugins-core recommends:
ii  libnet-snmp-perl  6.0.1-5

Versions of packages munin-plugins-core suggests:
pn  acpi | lm-sensors
pn  conntrack
pn  default-mysql-client
pn  ethtool
pn  hdparm
ii  libcache-cache-perl               1.08-2
pn  libdbd-mysql-perl
pn  libdbd-pg-perl
ii  libhttp-date-perl                 6.02-1
pn  liblwp-useragent-determined-perl
ii  libnet-dns-perl                   1.19-1
ii  libnet-ip-perl                    1.26-2
pn  libnet-irc-perl
ii  libnet-ldap-perl                  1:0.6500+dfsg-1
pn  libnet-netmask-perl
pn  libnet-telnet-perl
ii  libxml-parser-perl                2.44-4
ii  libxml-simple-perl                2.25-1
ii  logtail                           1.3.20
ii  net-tools                         1.60+git20180626.aebd88e-1
ii  python3                           3.7.3-1
pn  ruby
pn  smartmontools

-- no debconf information

-- 
Gerald Turner
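The version test at the heart of these plugins, ported to Python so the original condition and the one from the attached patch can be run side by side over the two `ntpq -c version` strings quoted in the report. This is an added example, not munin code; the `squashed_version`, `kerninfo_command_before` and `kerninfo_command_after` names are this example's own.

```python
import re

# Same pattern the plugins pass to grep --extended-regexp --only-matching. Note it only
# sees one digit per component, so a hypothetical "4.2.10" would squash to 421.
VERSION_TRIPLE = re.compile(r"[0-9]\.[0-9]\.[0-9]")


def squashed_version(version_line):
    """Emulate the grep -Eo d.d.d | tr -d '.' pipeline: first d.d.d as an int, or None."""
    m = VERSION_TRIPLE.search(version_line)
    return int(m.group(0).replace(".", "")) if m else None


def kerninfo_command_before(version_line):
    """Original plugin test: a squashed version >= 427 picks ntpq, anything else ntpdc."""
    n = squashed_version(version_line)
    if n is None:
        # The shell's [ "" -ge 427 ] aborts with "integer expression expected"; mirror that.
        raise ValueError("no d.d.d version string in %r" % version_line)
    return "ntpq" if n >= 427 else "ntpdc"


def kerninfo_command_after(version_line):
    """Patched test: sed 's/[^[:alpha:]].*//' keeps the leading word; "ntpsec" means ntpq."""
    daemon = re.sub(r"[^A-Za-z].*", "", version_line, count=1)
    if daemon == "ntpsec":
        return "ntpq"
    return kerninfo_command_before(version_line)


# The two `ntpq -c version` outputs quoted in the report.
NTPSEC_VERSION = "ntpsec-1.1.3 2019-11-18T06:04:00Z"
CLASSIC_VERSION = "ntpq 4.2.8p12@1.3728-o (1)"


def compare(version_line):
    """(squashed number, command picked before the patch, command picked after it)."""
    return (squashed_version(version_line),
            kerninfo_command_before(version_line),
            kerninfo_command_after(version_line))


if __name__ == "__main__":
    for v in (NTPSEC_VERSION, CLASSIC_VERSION):
        # ntpsec squashes to 113 and so was sent to the missing ntpdc binary before the patch
        print("%-36s -> squashed=%s before=%s after=%s" % ((v,) + compare(v)))
```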
Bug#909699: libotf0: crash on rendering Kannada script (affects Emacs)
Package: libotf0
Version: 0.9.13-7
Followup-For: Bug #909699

I'm experiencing the same crash, same backtrace, etc., however with one nuance: I've narrowed it down to Noto Serif Bengali as being the problematic font. Worked around by adding the following to my ~/.emacs:

  ;; Disable font which crashes emacs
  ;; See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909699
  ;; See https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30193
  ;; GNU bug report mentions "Noto Serif Kannada", however through trial
  ;; and error, discovered that Bengali was causing the crash while
  ;; editing files like /etc/xdg/autostart/gnome-keyring-ssh.desktop
  (push "Noto Serif Bengali" face-ignored-fonts)

I ran into this issue while setting up a brand new laptop running bullseye. One of the multitude of arcane steps I need to perform is disabling autostart of gnome-keyring's ssh agent. Opened up the file /etc/xdg/autostart/gnome-keyring-ssh.desktop in Emacs, boom!

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libotf0 depends on:
ii  libc6         2.30-4
ii  libfreetype6  2.10.1-2

libotf0 recommends no packages.

libotf0 suggests no packages.

-- no debconf information

-- 
Gerald Turner
Bug#932081: sogo: Unable to connect to a remote IMAP server.
FWIW, I rebuilt the 4.1.1 sogo and sope packages from bullseye, modified slightly to link against OpenSSL instead of GnuTLS, installed them on a production buster system, success!

Thank you Adi Kriegisch for pointing this out.

-- 
Gerald Turner
Bug#934170: smokeping: Alert edgetrigger functionality is broken
Replying to a minor mistake in the sample Perl in my previous email:

On Mon, Aug 12 2019, Gerald Turner wrote:

> if ($edgetrigger and ($prevmatch_bool == 0 ? 0 : 1) != $match) {

Should be:

  if ($edgetrigger and ($prevmatch == 0 ? 0 : 1) != $match) {

-- 
Gerald Turner
Bug#934170: smokeping: Alert edgetrigger functionality is broken
Hi Gabriel,

On Mon, Aug 12 2019, Gabriel Filion wrote:

> On 2019-08-12 10:43 a.m., Gabriel Filion wrote:
>> It seems to me that some folks reported in this issue being able to
>> stop the influx of emails by changing the "format" option where
>> edgetrigger is set. Did you try applying this solution?
>
> woops! sorry for the imprecision. it's actually the "pattern"
> option. (I read the upstream issue this week-end but couldn't reply
> until today so there was a mix bowl of salad in my head instead of a
> brain)

Sorry for not being clear, but when I wrote "I have too many Alerts defined ... with edgetrigger to reorganize and double the Alerts into separate ==0%,==0%,==100% + ==100%,==0%,==0% [pattern] non-edgetrigger variants", I was writing about the proposed work-around using the "pattern" option. I didn't try it. It would probably work. At one installation I have 20 alerts defined using edgetrigger (connected to 120 targets); this would turn into 40 if I were to use the alternating patterns instead (and I'd have to update the 120 targets to use the new pairs). I could do that, however I'd also lose the lovely raised/cleared subject text which I have IMAP sieve filters parsing.

Perhaps another way to patch this bug is to sort of cast $prevmatch into a boolean in the alert checking logic:

  sub check_alerts {
      ...
      if ($edgetrigger and $prevmatch != $match) {
          $what = ($prevmatch == 0 ? "was raised" : "was cleared");
      }

Something like:

  sub check_alerts {
      ...
      if ($edgetrigger and ($prevmatch_bool == 0 ? 0 : 1) != $match) {
          $what = ($prevmatch_bool == 0 ? "was raised" : "was cleared");
      }

I didn't try it because I have a sense that restoring edgetrigger functionality isn't going to be that simple (i.e. those thousands of emails were all mistakenly labeled "was cleared" without any initial "was raised"). If it would make upstreaming the patch easier, I'll work at it.

Thanks!

-- 
Gerald Turner
Bug#932081: sogo: Unable to connect to a remote IMAP server.
Control: found -1 4.0.8-1

FYI, the bug still exists in 4.0.8-1 (bullseye version).

-- 
Gerald Turner
Bug#934170: smokeping: Alert edgetrigger functionality is broken
Control: tags -1 + patch

I've created a patch which restores "prevmatch" to being a boolean, fixing the edgetrigger alerts. I built and tested the package with this patch. The only side-effect is that the aforementioned syslog message change is marginally affected:

  smokeping[6642]: Alert full-loss was cleared for dns.ns6-gandi-net loss: 0%%, 0%%, 0%%, 0%%, 0%%, 0%%, 0%%, 100%%, 100%%, 100%%, 100%%, 0%%(0/5) rtt: 153ms, 155ms, 156ms, 155ms, 155ms, 156ms, 155ms, U, U, U, U, 155ms prevmatch: 1 comment: 100%% packet loss

^ with the patch, the substring "prevmatch: 1" will always be one.

-- 
Gerald Turner

Fix edgetrigger alerts as discussed in:
https://github.com/oetiker/SmokePing/issues/183

Problem caused by patch which added information to log output:
https://github.com/oetiker/SmokePing/pull/52

Index: smokeping-2.7.3/lib/Smokeping.pm === --- smokeping-2.7.3.orig/lib/Smokeping.pm +++ smokeping-2.7.3/lib/Smokeping.pm @@ -2017,11 +2017,7 @@ ALERT } else { do_debuglog("Alert \"$_\": no match for target $name\n"); } -if ($match == 0) { -$tree->{'prevmatch'.$s}{$_} = $match; -} else { -$tree->{'prevmatch'.$s}{$_} += $match; -} +$tree->{'prevmatch'.$s}{$_} = $match; } } # end alerts return $gotalert;
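Review bot: the hunk restores the boolean semantics of `$tree->{'prevmatch'.$s}{$_}` but leaves in place the log template from PR 52 that prints `prevmatch: N`, so that field now always reads 1, as the mail above notes; either drop it from the message or keep the count in a separate key (for example `matchcount`) that is incremented beside the boolean, so the verbosity PR 52 wanted survives without breaking edgetrigger. A regression test for a target that stays down across several polls, asserting exactly one "was raised" and no "was cleared" until it recovers, would pin the behaviour this patch fixes.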
Bug#934170: smokeping: Alert edgetrigger functionality is broken
Package: smokeping
Version: 2.7.3-2
Severity: normal

Dear Maintainer,

I've been running a few small and medium sized smokeping installations on Debian for a decade. It's been a great tool for diagnosing network outages.

Upon upgrading from stretch to buster (2.6.11-3 -> 2.7.3-2), hundreds of alert emails began firing every poll. All the Alerts are configured with "edgetrigger = yes". For example, here's one, among thousands (notice "was cleared"):

  Subject: [SmokeAlert] full-loss was cleared on ipv6.sites.mikrovps-hu

  Alert "full-loss" was cleared for https://smokeping.unzane.com/smokeping/smokeping.cgi?target=ipv6.sites.mikrovps-hu

  Pattern
  ---
  ==100%,==100%,==100%

  Data (old --> now)
  --
  loss: 100%, 100%, 100%, 100%, 100%, 100%, 100%, 100%, 100%, 100%, 100%, 100%
  rtt: U, U, U, U, U, U, U, U, U, U, U, U

  Comment
  ---
  100% packet loss

Initially I discovered this was a problem with my FPing6 probe in combination with a change introduced in the fping package upgrade (explanation in the fping NEWS.Debian.gz entry). However, after fixing my Probes, some Targets which really were down continued to send emails each polling cycle, defying the edgetrigger setting, and incorrectly inverting "cleared" vs. "raised".

There is an issue¹ filed upstream that explains the bug, wherein Tobias Oetiker (author) lackadaisically writes "edge trigger was not in the original design". The apparent abandonment of the edgetrigger feature was merely in support of a patch² which increased syslog message verbosity ("prevmatch" state, instead of being boolean, is now an incremented number, breaking edgetrigger, merely so some log output can express how many times the alert matched).

IMHO, I have too many Alerts defined (not just some-loss/full-loss, but also many flavors of rtt-50ms, etc.) with edgetrigger to reorganize and double the Alerts into separate ==0%,==0%,==100% + ==100%,==0%,==0% non-edgetrigger variants, than is worth the added syslog verbosity. Besides, the edgetrigger parameter is well documented in four different man pages. As well as the loss of raised/cleared verbiage in the email subjects which I have been accustomed to (and have sieve filters which color the mail green or red via IMAP flags).

If the edgetrigger feature can't be fixed, then it would probably be best to remove it from the documentation and have a NEWS.Debian entry warning of the breakage.

¹ https://github.com/oetiker/SmokePing/issues/183
² https://github.com/oetiker/SmokePing/pull/52

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (701, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages smokeping depends on:
ii  adduser                         3.118
ii  debianutils                     4.8.6.1
ii  fping                           4.2-1
ii  libcgi-fast-perl                1:2.13-1
ii  libconfig-grammar-perl          1.12-2
ii  libdigest-hmac-perl             1.03+dfsg-2
ii  libjs-cropper                   1.2.2-1
ii  libjs-prototype                 1.7.1-3
ii  libjs-scriptaculous             1.9.0-2
ii  librrds-perl                    1.7.1-2
ii  libsnmp-session-perl            1.14~git20130523.186a005-4
ii  liburi-perl                     1.76-1
ii  libwww-perl                     6.36-2
ii  lsb-base                        10.2019051400
ii  perl                            5.28.1-6
ii  postfix [mail-transport-agent]  3.4.5-1
ii  ucf                             3.0038+nmu1

Versions of packages smokeping recommends:
ii  apache2 [httpd-cgi]  2.4.38-3
ii  dnsutils             1:9.11.5.P4+dfsg-5.1
ii  echoping             6.0.2-10
ii  libsocket6-perl      0.29-1+b1

Versions of packages smokeping suggests:
ii  curl                   7.64.0-4
pn  libauthen-radius-perl
ii  libio-socket-ssl-perl  2.060-3
ii  libnet-dns-perl        1.19-1
ii  libnet-ldap-perl       1:0.6500+dfsg-1
ii  libnet-telnet-perl     3.04-1
ii  openssh-client         1:7.9p1-10

-- Configuration Files:
/etc/smokeping/config.d/Alerts changed [not included]
/etc/smokeping/config.d/Database changed [not included]
/etc/smokeping/config.d/General changed [not included]
/etc/smokeping/config.d/Probes changed [not included]
/etc/smokeping/config.d/Slaves changed [not included]
/etc/smokeping/config.d/Targets changed [not included]
/etc/smokeping/smokeping_secrets [Errno 13] Permission denied: '/etc/smokeping/smokeping_secrets'

-- no debconf information

-- 
Gerald Turner
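A simulation of the edge handling in check_alerts() for one Alert with "edgetrigger = yes" over a sequence of polls, written for this thread as an added example (not SmokePing code). It reproduces the repeated "was cleared" mails that the 2.7.3 counter semantics produce for a target that is really down, and shows that both the boolean patch and the normalised comparison proposed in the thread reduce them to one mail per edge.

```python
# Per poll, match is 1 when the Alert's pattern (e.g. ==100%,==100%,==100%) fires
# and 0 otherwise, mirroring $match in check_alerts().

def edge_events(matches, prevmatch_mode):
    """Return [(poll, "was raised" | "was cleared"), ...] for a per-poll match sequence.

    prevmatch_mode:
      "counter"    - smokeping 2.7.3 after upstream PR 52: prevmatch is reset to 0 on
                     no match, otherwise incremented (it counts consecutive matches)
      "boolean"    - the attached patch: prevmatch simply stores the last match
      "normalised" - the alternative from the thread: keep counting, but compare
                     ($prevmatch == 0 ? 0 : 1) against $match
    """
    prevmatch = 0
    events = []
    for poll, match in enumerate(matches, start=1):
        prev = prevmatch
        if prevmatch_mode == "normalised":
            prev = 0 if prevmatch == 0 else 1
        # the edgetrigger test: if ($edgetrigger and $prevmatch != $match) { ... }
        if prev != match:
            events.append((poll, "was raised" if prev == 0 else "was cleared"))
        # state update at the end of the alert loop
        if prevmatch_mode == "boolean":
            prevmatch = match
        elif prevmatch_mode in ("counter", "normalised"):
            prevmatch = 0 if match == 0 else prevmatch + match
        else:
            raise ValueError("unknown prevmatch_mode %r" % prevmatch_mode)
    return events


# Constructed: a target that is really down for eight polls, then recovers for two.
DOWN_THEN_UP = [1] * 8 + [0] * 2


def mails_per_mode(matches):
    """Number of alert mails each mode would send for the sequence."""
    return {mode: len(edge_events(matches, mode))
            for mode in ("counter", "boolean", "normalised")}


if __name__ == "__main__":
    for mode in ("counter", "boolean", "normalised"):
        # "counter" fires every poll from the third one on, each labelled "was cleared"
        print("%-10s %s" % (mode, edge_events(DOWN_THEN_UP, mode)))
```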
Bug#933665: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes
On Thu, Aug 01 2019, Colin Watson wrote:

> This is the scenario explained in the entry in
> /usr/share/doc/openssh-server/NEWS.Debian.gz for version 1:7.8p1-1,
> which was reproduced from upstream's release notes for OpenSSH 7.8:
>
>  * sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
>    HostbasedAcceptedKeyTypes options have changed. These now
>    specify signature algorithms that are accepted for their
>    respective authentication mechanism, where previously they
>    specified accepted key types. This distinction matters when
>    using the RSA/SHA2 signature algorithms "rsa-sha2-256",
>    "rsa-sha2-512" and their certificate counterparts.
>    Configurations that override these options but omit these
>    algorithm names may cause unexpected authentication failures (no
>    action is required for configurations that accept the default for
>    these options).

Oh shame on me - I thought I read the NEWS items (with apt-listchanges helpfully emailing them to me), but not carefully enough. Sorry for the bogus bug report.

Long ago (during stretch) I adopted the OpenSSH certificate/CA model:

  PubkeyAcceptedKeyTypes ssh-ed25519-cert-...@openssh.com

...which I believe is SHA-256, yet the configuration was unaffected by the change in 7.8, otherwise I would've noticed a long while back on personal workstations running Debian testing.

> I regret the inconvenience of the change, but given that it seems to
> have been a deliberate change upstream (mentioned in their release
> notes), I think it would be best to adapt to it.
>
> The debug output you quote is indeed a bit misleading (I think I'll
> take that up with upstream), but there's a clue hiding in the
> successful debug output:
>
>   sshd[20199]: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:cN6+RJMBj25zximZ28B/CanFpjupWf/ABGrRGprS1LU [preauth]
>
> Note that the default for PubkeyAcceptedKeyTypes now ends with
> "rsa-sha2-512,rsa-sha2-256,ssh-rsa" rather than just "ssh-rsa".
> Therefore, things should work again if you set "PubkeyAcceptedKeyTypes
> rsa-sha2-512,rsa-sha2-256,ssh-rsa". Let me know if that works?

Yep, it makes sense.

BTW, if you take the debug output up with upstream, maybe also consider that there's no "ssh -Q key" or similar command that'll reveal the values that can be supplied to PubkeyAcceptedKeyTypes.

  $ ssh -Q key
  ssh-ed25519
  ssh-ed25519-cert-...@openssh.com
  ssh-rsa
  ssh-dss
  ecdsa-sha2-nistp256
  ecdsa-sha2-nistp384
  ecdsa-sha2-nistp521
  ssh-rsa-cert-...@openssh.com
  ssh-dss-cert-...@openssh.com
  ecdsa-sha2-nistp256-cert-...@openssh.com
  ecdsa-sha2-nistp384-cert-...@openssh.com
  ecdsa-sha2-nistp521-cert-...@openssh.com

...that's one of the first things I checked when dealing with the issue.

Thanks for the clarification!

-- 
Gerald Turner
Bug#933040: ejabberd: certificates created with GnuTLS no longer compatible with ejabberd
On Thu, Aug 01 2019, Philipp Huebner wrote:

> your issue was fixed upstream, could you please try
> https://apt.debalance.de/pool/main/e/erlang-p1-pkix/erlang-p1-pkix_1.0.0-3+deb10u1_amd64.deb
>
> and report back if this solves your problem?

Awesome! Problem solved. My temporary OpenSSL-signed certificate has now been thrown out, yay!

-- 
Gerald Turner
Bug#933665: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes
Package: openssh-server
Version: 1:7.9p1-10
Severity: normal

Dear Maintainer,

I've been running several servers, upgraded across many Debian stable releases, with an sshd_config that had been tightened down in various ways (example attached) including an explicit PubkeyAcceptedKeyTypes (containing ssh-rsa). After upgrading to buster a user reported that he could no longer log in with his RSA key.

  sshd[17025]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

I tested and found that explicitly defining PubkeyAcceptedKeyTypes in sshd_config breaks RSA pubkey auth, even when the line merely states:

  PubkeyAcceptedKeyTypes ssh-rsa

However when PubkeyAcceptedKeyTypes is removed from the config, the implicit defaults allow RSA to work. I've attached sshd debug logs for the two scenarios. My guess is there's some sort of config parsing glitch within ssh.

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (601, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.7
ii  libaudit1              1:2.8.4-3
ii  libc6                  2.28-10
ii  libcom-err2            1.44.5-1
ii  libgssapi-krb5-2       1.17-3
ii  libkrb5-3              1.17-3
ii  libpam-modules         1.3.1-5
ii  libpam-runtime         1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            2.8-1+b1
ii  libssl1.1              1.1.1c-1
ii  libsystemd0            241-5
ii  libwrap0               7.6.q-28
ii  lsb-base               10.2019051400
ii  openssh-client         1:7.9p1-10
ii  openssh-sftp-server    1:7.9p1-10
ii  procps                 2:3.3.15-2
ii  ucf                    3.0038+nmu1
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd  241-5
ii  ncurses-term    6.1+20181013-2
ii  xauth           1:1.0.10-1

Versions of packages openssh-server suggests:
pn  molly-guard
pn  monkeysphere
pn  rssh
pn  ssh-askpass
pn  ufw

-- debconf information:
  openssh-server/permit-root-login: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false
  ssh/vulnerable_host_keys:
  openssh-server/password-authentication: true

-- 
Gerald Turner

AllowAgentForwarding no
AllowStreamLocalForwarding no
AllowTcpForwarding no
AllowUsers REDACTED
AuthenticationMethods publickey password
ChallengeResponseAuthentication no
Ciphers chacha20-poly1...@openssh.com,aes256-...@openssh.com
ClientAliveCountMax 2
ClientAliveInterval 30
Compression no
DebianBanner no
DisableForwarding yes
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKeyAlgorithms ssh-ed25519-cert-...@openssh.com,ssh-ed25519,ssh-rsa
KexAlgorithms diffie-hellman-group18-sha512,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha...@libssh.org
LoginGraceTime 10
LogLevel VERBOSE
MACs hmac-sha2-512-...@openssh.com
MaxAuthTries 3
MaxStartups 2:50:10
PermitOpen none
PermitRootLogin no
PermitUserRC no
Port 50022
PrintMotd no
PubkeyAcceptedKeyTypes ssh-ed25519-cert-...@openssh.com,ssh-ed25519,ssh-rsa
RekeyLimit 1280M 53m59s
Subsystem sftp /usr/lib/openssh/sftp-server
TCPKeepAlive no
UseDNS yes
UsePAM yes

# Rejected RSA pubkey login.
# ssh running with explicit "PubkeyAcceptedKeyTypes ssh-rsa" in sshd_config
Aug 1 08:18:25 zoth-ommog sshd[20165]: debug1: Forked child 20167.
Aug 1 08:18:25 zoth-ommog sshd[20167]: debug1: Set /proc/self/oom_score_adj to 0
Aug 1 08:18:25 zoth-ommog sshd[20167]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Aug 1 08:18:25 zoth-ommog sshd[20167]: debug1: inetd sockets after dupping: 3, 3
Aug 1 08:18:25 zoth-ommog sshd[20167]: Connection from REDACTED port 35260 on REDACTED port 50022
Aug 1 08:18:25 zoth-ommog sshd[20167]: debug1: Client protocol version 2.0; client software version OpenSSH_7.9p1 Debian-10
Aug 1 08:18:25 zoth-ommog sshd[20167]: debug1: match: OpenSSH_7.9p1 Debian-10 pat OpenSSH* compat 0x0400
Aug 1 08:18:25 zoth-ommog sshd[20167]: debug1: Local version string SSH-2.0-OpenSSH_7.9p1
Aug 1 08:18:25 zoth-ommog sshd[20167]: debug1: permanently_set_uid: 103/65534 [preauth]
Aug 1 08:18:25 zoth-ommog sshd[20167]: debug1: list_hostkey_types: ssh-ed25519,ssh-ed25519-cert-...@openssh.com,ssh-rsa [preauth]
Aug 1 08:18:25 zoth-ommog sshd[20167]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Aug 1 08:18:25 zoth-ommog sshd[20167]: debug1: SSH2_MSG_KEXINIT received [preauth]
Aug
Bug#933107: ruby-rubymail: Deprecation warnings with Ruby 2.4 (constant ::Fixnum is deprecated)
Control: tags -1 patch

Attached is a trivial patch which does s/Fixnum/Integer/. I've tested it with the feed2imap program (from the feed2imap package).

-- 
Gerald Turner

Ruby 2.4 emits deprecation warnings for use of Fixnum (see https://bugs.ruby-lang.org/issues/12739)

Index: ruby-rubymail-1.1.3/lib/rmail/header.rb === --- ruby-rubymail-1.1.3.orig/lib/rmail/header.rb +++ ruby-rubymail-1.1.3/lib/rmail/header.rb @@ -136,10 +136,10 @@ module RMail end # Return the value of the first matching field of a field name, or -# nil if none found. If passed a Fixnum, returns the header +# nil if none found. If passed a Integer, returns the header # indexed by the number. def [](name_or_index) - if name_or_index.kind_of? Fixnum + if name_or_index.kind_of? Integer temp = @fields[name_or_index] temp = temp.value unless temp.nil? else Index: ruby-rubymail-1.1.3/lib/rmail/parser/pushbackreader.rb === --- ruby-rubymail-1.1.3.orig/lib/rmail/parser/pushbackreader.rb +++ ruby-rubymail-1.1.3/lib/rmail/parser/pushbackreader.rb @@ -81,11 +81,11 @@ module RMail end end chunk -when Fixnum +when Integer read_chunk(size) else raise ArgumentError, -"Read size (#{size.inspect}) must be a Fixnum or nil." +"Read size (#{size.inspect}) must be a Integer or nil." end end @@ -102,7 +102,7 @@ module RMail # convenient to call from derived classes when super() isn't # easy to use. def standard_read_chunk(size) -unless size.is_a?(Fixnum) && size > 0 +unless size.is_a?(Integer) && size > 0 raise ArgumentError, "Read size (#{size.inspect}) must be greater than 0." end
@@ -133,10 +133,10 @@ module RMail # Set the chunk size of this reader in bytes. This is useful # mainly for testing, though perhaps some operations could be # optimized by tweaking this value. The chunk size must be a - # Fixnum greater than 0. + # Integer greater than 0. def chunk_size=(size) -unless size.is_a?(Fixnum) - raise ArgumentError, "chunk size must be a Fixnum" +unless size.is_a?(Integer) + raise ArgumentError, "chunk size must be a Integer" end unless size >= 1 raise ArgumentError, "invalid size #{size.inspect} given" signature.asc Description: PGP signature
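Review bot: the wording changed by these hunks now reads "a Integer" in three places and should be "an Integer": the header.rb comment ("If passed a Integer, returns the header"), and the two ArgumentError strings in pushbackreader.rb, `"Read size (#{size.inspect}) must be a Integer or nil."` and `"chmod size must be a Integer"` is not it, `"chunk size must be a Integer"`. The substitution itself is safe on both old and new interpreters: on Ruby 2.4+ Fixnum and Bignum are unified into Integer, and on older Rubies Fixnum was already a subclass of Integer, so `kind_of? Integer`, `is_a?(Integer)` and `when Integer` accept everything they accepted before plus Bignum-sized values. `standard_read_chunk` and `chunk_size=` still reject sizes below 1 in the unchanged lines, so the only behavioural change is that an enormous read size is now passed to read_chunk instead of being rejected as "not a Fixnum".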
Bug#933107: ruby-rubymail: Deprecation warnings with Ruby 2.4 (constant ::Fixnum is deprecated)
Package: ruby-rubymail
Version: 1.1.3-3
Severity: minor

Dear Maintainer,

Executing feed2imap (feed2imap package) produces the following error output:

  /usr/lib/ruby/vendor_ruby/rmail/header.rb:142: warning: constant ::Fixnum is deprecated

Ruby 2.4 added a deprecation warning for the constant "Fixnum", see: https://bugs.ruby-lang.org/issues/12739

Evidently Fixnum can be replaced by Integer throughout the rubymail source.

Warning: I am not a Ruby programmer, so I may be interpreting this wrong.

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (701, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ruby-rubymail depends on:
ii  ruby  1:2.5.1

ruby-rubymail recommends no packages.

ruby-rubymail suggests no packages.

-- no debconf information

-- 
Gerald Turner
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

signature.asc
Description: PGP signature
Bug#933040: ejabberd: certificates created with GnuTLS no longer compatible with ejabberd
On Fri, Jul 26 2019, Philipp Huebner wrote:
> Hi,
>
> thank you very much for this detailed bugreport!
>
> I have contacted upstream, and they requested sample certificates
> (PEMs) for ejabberd (cert+key) and CA (without key).

Great! Did they really want the host key PEM file? Otherwise I'd send the real-world certificates I'm using. Instead I've attached all of the fictitious certificates and keys generated with the script from the previous mail (four files: root CA cert, intermediate CA cert, and host cert and key).

On a random machine running Debian buster that hadn't been running ejabberd before, I've been able to reproduce this bug with the following steps:

1. apt install ejabberd (debconf questions won't matter).

2. Copy the four attached certs/keys to /etc/ejabberd.

3. Edit ejabberd.yml with:

     hosts:
       - "jabber.example.com"
     certfiles:
       - "/etc/ejabberd/ejabberd-cert.pem"
       - "/etc/ejabberd/ejabberd-key.pem"
       - "/etc/ejabberd/private-int-cert.pem"
       - "/etc/ejabberd/private-ca-cert.pem"

4. systemctl restart ejabberd

5. Examine output of the following commands:

     gnutls-cli -V \
       --x509cafile=/etc/ejabberd/private-ca-cert.pem \
       --verify-hostname=jabber.example.com \
       -p 5223 \
       localhost:5223 < /dev/null

     certtool --certificate-info \
       --load-certificate /etc/ejabberd/ejabberd-cert.pem

The gnutls-cli command reports:

  Status: The certificate is NOT trusted. The signature in the certificate is invalid.

Earlier in the gnutls-cli output is the signature received on the wire:

  sha1:647fe53a3b279f605d2ec7a572c54724f0765285

The certtool command shows a different signature:

  sha1:9789b39f3b5bde6a8c5b7dd2c11c25c901199edf

So somehow ejabberd is recomputing the signature when it should match what's in the PEM file verbatim.

> I tried running your script on Buster, but it fails:
> $ ./gen
> Password: test
> Generating private-int-key.pem...
> Assuming PKCS #8 format...
> ** Note: You may use '--sec-param High' instead of '--bits 4096'
> Generating a 4096 bit RSA private key...
> Generating private-int-req.pem...
> Generating a PKCS #10 certificate request...
> Generating private-int-cert.pem
> Generating a signed certificate...
> error importing CA certificate: public/private-ca-cert.pem: Base64
> unexpected header error.

Oops! I see, I tried this again on buster too. The newer version of certtool seems to require that serial numbers are not zero (change "serial = 1" in private-ca.template, and change "crl_number = 1" in private-ca-crl.template).

Another problem with the script is that if a certtool command fails, it still touches a file with zero bytes, so the next run doesn't retry generation (i.e. just "rm -rf private public", or rm the specific zero byte PEM file, and try again).

> With sample PEMs I'll forward this to an issue at
> https://github.com/processone/pkix, you're welcome to do it yourself
> if you like.

Thanks. I do not have a GH account and would appreciate this very much.

> FWIW, upstream also suspects this to be a bug in Erlang itself rather
> than ejabberd, hence I'm CCing the Erlang maintainer(s).

Interesting. The following is a bit of an anecdote (TL;DR I'm willing to rebuild newer versions and test if that'll help): while chasing down another problem (Debian BTS #933042, after having resorted to using a temporary OpenSSL signed cert, bypassing this bug, and then could not get ejabberd to accept TLSv1.0 client connections), I happened to notice that the erlang-p1-tls repository on salsa had already been prepared for the latest release (which has some commits mentioning more OpenSSL wrapper code has moved into the C binding). I built erlang-p1-tls 1.1.1 but didn't have any luck with the issue at hand, so I reverted to the buster released versions. Perhaps it's worth another try with the newer erlang-p1-tls package and looking at this certificate issue?

-- 
Gerald Turner
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D -BEGIN CERTIFICATE- MIIJxDCCBaygAwIBAgIBADANBgkqhkiG9w0BAQsFADA6MSYwJAYDVQQDEx1Qcml2 YXRlIENlcnRpZmljYXRlIEF1dGhvcml0eTEQMA4GA1UEChMHRXhhbXBsZTAeFw0x NDA0MDcxNzI3MDBaFw0zODAxMTkwMzE0MDdaMDoxJjAkBgNVBAMTHVByaXZhdGUg Q2VydGlmaWNhdGUgQXV0aG9yaXR5MRAwDgYDVQQKEwdFeGFtcGxlMIIEIjANBgkq hkiG9w0BAQEFAAOCBA8AMIIECgKCBAEA4lsl67c6lIsHKJ+KK+w5FgmGy1Hf5VVp Yx/RWfJPz8pCzdEiiDKB/KWqbQcwHrcSlzhEMQEDcC9fJDwnvWEtiQejg+qq8qIh /XWLNP95Jm9tqudgPphGI0nHwbAokk6famVDLJtntAvFfhBAjgXICjExhPSSwhSS LjLIw5DCl0sm/l6hpn4eB6SUMOZDsRcrOmTWqjjVpMbVGdc1EqudQx/rd4NPmorE a4qW71LEHRwwoKv1mpWd7l4ZThl6plg3QSS+CfwtdHfiJ2fnhQo10m7WH0Ju9QKr wmJtbeBGcoXMK0Fzo8jfcLRpvg6zhu6vh5Y2gi9MtEzHNxxPGddPnWEm4ggE0rWD 6JX2P9b6X3ephb9rAiMOSEyR6jQhIbNVLQojh2E
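The reply above pins the problem down by comparing what gnutls-cli sees on the wire with what certtool reads from the PEM file. The following is an added example in Python, not ejabberd's or GnuTLS's code, that performs the same comparison with the standard library only, so it can be pointed at any TLS listener: it extracts every CERTIFICATE block from a PEM file (ignoring a PRIVATE KEY block that may share the file, as ejabberd's certfiles entries do), fingerprints the DER bytes, fetches the leaf the server actually presents with verification switched off, and reports whether the two are byte-identical. The command-line arguments in the main block (a certificate path, a host and port 5223) and the sample bytes are assumptions and constructed data, not real certificates.

```python
import base64
import hashlib
import re
import socket
import ssl

# Added example, not ejabberd's or GnuTLS's code.  It repeats the check the
# reply makes with gnutls-cli and certtool (does the certificate the server
# sends equal the one in the PEM file?) with the Python standard library, so
# it can be pointed at any TLS listener.  The argument defaults and the
# sample bytes below are assumptions and constructed data, not certificates.

_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def certificates_der(pem_text):
    """DER bytes of every CERTIFICATE block in a PEM file, in file order.

    Other blocks (a PRIVATE KEY in the same file, for instance) are
    skipped; line wrapping inside the base64 body is irrelevant.
    """
    return [base64.b64decode("".join(body.split()))
            for body in _CERT_BLOCK.findall(pem_text)]


def pem_wrap(der, width=64):
    """Encode DER as a PEM CERTIFICATE block with the given line width."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def fingerprint(der):
    """SHA-256 of the DER encoding, colon separated as certtool/openssl print it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def served_leaf_der(host, port, timeout=5.0):
    """Leaf certificate a live server presents, fetched without verification.

    Verification is deliberately disabled: the goal is to see exactly what
    is on the wire even when, as in this bug, the chain does not validate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(on_disk_pem, served_der):
    """Is the served leaf byte-identical to the first certificate on disk?"""
    on_disk = certificates_der(on_disk_pem)
    if not on_disk:
        raise ValueError("no CERTIFICATE block in the PEM text")
    disk_fp, wire_fp = fingerprint(on_disk[0]), fingerprint(served_der)
    return {"match": disk_fp == wire_fp, "disk": disk_fp, "wire": wire_fp}


# Constructed stand-in for DER bytes (not a parseable certificate).
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"

if __name__ == "__main__":
    import sys
    # Assumed usage: <cert.pem> <host> <port>, e.g. the ejabberd-cert.pem,
    # jabber.example.com and 5223 from the reproduction steps above.
    path, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(path) as fh:
        print(compare(fh.read(), served_leaf_der(host, port)))
```

If the result is match=False while the chain in the file validates on its own, the server is not presenting the bytes from the file, which is the symptom the thread describes; if the chain is simply wrong, both fingerprints agree and the problem is in the files.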
Bug#933042: python3-sleekxmpp: TLSv1.0-only is incompatible with modern servers
Control: tags -1 patch Attached is a trivial patch. -- Gerald Turner Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D Fix bug #933042 allowing TLS to interoperate with modern servers Index: sleekxmpp-1.3.3/sleekxmpp/xmlstream/xmlstream.py === --- sleekxmpp-1.3.3.orig/sleekxmpp/xmlstream/xmlstream.py +++ sleekxmpp-1.3.3/sleekxmpp/xmlstream/xmlstream.py @@ -122,7 +122,7 @@ class XMLStream(object): #: #: import ssl #: xmpp.ssl_version = ssl.PROTOCOL_SSLv23 -self.ssl_version = ssl.PROTOCOL_TLSv1 +self.ssl_version = ssl.PROTOCOL_TLS #: The list of accepted ciphers, in OpenSSL Format. #: It might be useful to override it for improved security signature.asc Description: PGP signature
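Review bot: the docstring immediately above the changed line (visible in the hunk context: "#: import ssl" / "#: xmpp.ssl_version = ssl.PROTOCOL_SSLv23") still advises overriding to PROTOCOL_SSLv23, which is the deprecated alias of the value the patch now makes the default; the comment should be updated in the same change so it no longer presents TLSv1 as the default and SSLv23 as the workaround. Also worth stating in the patch description: PROTOCOL_TLS only negotiates the highest version both ends support, it does not by itself forbid TLS 1.0/1.1 on builds that still offer them, so anyone wanting a floor needs an SSLContext with minimum_version (or OP_NO_TLSv1/OP_NO_TLSv1_1) rather than this attribute alone. The constant exists in the python3 3.7.3 this package depends on, so no compatibility guard is needed.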
Bug#933042: python3-sleekxmpp: TLSv1.0-only is incompatible with modern servers
Package: python3-sleekxmpp
Version: 1.3.3-4
Severity: normal

Dear Maintainer,

After having upgraded an XMPP server (ejabberd on Debian buster) connections from python3-sleekxmpp are failing.

ejabberd.log:

  2019-07-25 16:23:06.078 [warning] <0.627.0>@ejabberd_c2s:process_terminated:285 (tls|<0.627.0>) Failed to secure c2s connection: TLS failed: SSL_do_handshake failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

Code within sleekxmpp is explicitly setting TLS parameters, xmlstream.py line 119:

        #: Most XMPP servers support TLSv1, but OpenFire in particular
        #: does not work well with it. For OpenFire, set
        #: :attr:`ssl_version` to use ``SSLv23``::
        #:
        #:     import ssl
        #:     xmpp.ssl_version = ssl.PROTOCOL_SSLv23
        self.ssl_version = ssl.PROTOCOL_TLSv1

According to Python documentation, this probably ought to be set to ssl.PROTOCOL_TLS (sans -v1) for widest range of compatibility, see table at: https://docs.python.org/3/library/ssl.html#ssl.SSLContext

Initially I had thought about opening a bug with ejabberd since I cannot seem to coerce it into allowing TLSv1.0 connections anymore. However I suppose that since it's 2019, it's time to heed these deprecation warnings in the Python docs ;-)

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (601, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-sleekxmpp depends on:
ii  libjs-sphinxdoc         1.8.4-1
ii  python3                 3.7.3-1
ii  python3-dnspython       1.16.0-1
ii  python3-pyasn1          0.4.2-3
ii  python3-pyasn1-modules  0.2.1-0.2

Versions of packages python3-sleekxmpp recommends:
ii  python3-dateutil  2.7.3-3
pn  python3-gnupg
pn  python3-socks | python3-socksipy

python3-sleekxmpp suggests no packages.
-- no debconf information -- Gerald Turner Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
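The report above shows the failure mode of pinning a single protocol version: a client built with ssl.PROTOCOL_TLSv1 can only ever offer TLS 1.0, and a server that has dropped it answers "unsupported protocol". The following is an added example in Python, not sleekxmpp's code, contrasting that legacy context with one that lets OpenSSL negotiate the newest common version while refusing anything below TLS 1.2 and verifying the peer. It assumes Python 3.7 or newer (ssl.TLSVersion and PROTOCOL_TLS_CLIENT); the cafile parameter is there for a private CA such as the one in the ejabberd thread and is an assumption of the example.

```python
import ssl
import warnings

# Added example, not sleekxmpp's code.  It contrasts the hard-coded
# ssl.PROTOCOL_TLSv1 quoted in the report with a client context that lets
# OpenSSL negotiate the highest common version but refuses anything below
# TLS 1.2.  Assumes Python 3.7+ (ssl.TLSVersion, PROTOCOL_TLS_CLIENT).


def legacy_context():
    """What sleekxmpp 1.3.3 built: a context fixed to TLS 1.0 only.

    Returns None when the local OpenSSL no longer provides TLS 1.0 at all,
    the client-side twin of the "unsupported protocol" line in ejabberd.log.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            return ssl.SSLContext(ssl.PROTOCOL_TLSv1)
        except (AttributeError, ValueError, ssl.SSLError):
            return None


def modern_context(min_version=ssl.TLSVersion.TLSv1_2, cafile=None):
    """Client context that negotiates TLS 1.2 or better and verifies the peer.

    PROTOCOL_TLS_CLIENT turns on certificate and hostname checks by default.
    The explicit minimum_version is the important part: PROTOCOL_TLS alone
    still accepts TLS 1.0/1.1 wherever the OpenSSL build offers them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    if cafile:
        # Assumed: a private CA bundle, as used in the ejabberd thread.
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def describe(ctx):
    """Version range and verification settings of a context, as plain values."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def accepts_tls10(ctx):
    """True when the context would still complete a TLS 1.0 handshake."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1


if __name__ == "__main__":
    print("TLS 1.0-only context still constructible:", legacy_context() is not None)
    print("modern:", describe(modern_context()))
```

A context from modern_context() can be handed to ssl.SSLContext.wrap_socket() in place of the bare ssl_version attribute; the XMPP server in the report would then negotiate TLS 1.2 instead of rejecting the handshake.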
Bug#933040: ejabberd: certificates created with GnuTLS no longer compatible with ejabberd
    1.0.26-1
pn  erlang-redis-client
ii  imagemagick                      8:6.9.10.23+dfsg-2.1
ii  imagemagick-6.q16 [imagemagick]  8:6.9.10.23+dfsg-2.1
pn  libunix-syslog-perl
pn  yamllint

-- Configuration Files:
/etc/apparmor.d/usr.sbin.ejabberdctl changed [not included]
/etc/default/ejabberd changed [not included]
/etc/ejabberd/inetrc [Errno 13] Permission denied: '/etc/ejabberd/inetrc'
/etc/ejabberd/modules.d/README.modules [Errno 13] Permission denied: '/etc/ejabberd/modules.d/README.modules'

-- debconf information:
  ejabberd/invalidpreseed:
  ejabberd/invaliduser:
  ejabberd/invalidhostname:
* ejabberd/erlangopts: -env ERL_CRASH_DUMP_BYTES 0
* ejabberd/nodenamechanges:
* ejabberd/user:
  ejabberd/nomatch:
* ejabberd/hostname: unzane.com

-- 
Gerald Turner
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

#!/bin/sh

set -e

read -p "Password: " password

export GNUTLS_PIN="${password}"
export GNUTLS_SO_PIN="${password}"

certtool="certtool --verbose --sec-param=ultra"
certtool_pw="${certtool} --password=${password}"

if [ ! -d public ] ; then
    mkdir -m 755 public
fi

if [ ! -d private ] ; then
    mkdir -m 750 private
fi

gen_serial () {
    local current rand next
    if [ -e serial.template ] ; then
        current=$(sed 's/^serial = //' serial.template)
    else
        current=$(hexdump -n 3 -e '/2 "%u"' /dev/urandom)
    fi
    rand=$(hexdump -n 2 -e '/2 "%u"' /dev/urandom)
    next=$((${current} + ${rand}))
    echo "serial = ${next}" >| serial.template
}

gen_priv () {
    local name type bits hash pw
    name=$1
    type=$2
    bits=$3
    hash=$4
    pw=$5
    if [ ! -e private/${name}-key.pem ] ; then
        echo Generating ${name}-key.pem...
        if [ $pw -eq 1 ] ; then
            ${certtool_pw} --generate-privkey \
                --outfile private/${name}-key.pem \
                --${type} \
                --bits ${bits} \
                --hash ${hash}
        else
            ${certtool} --generate-privkey \
                --outfile private/${name}-key.pem \
                --${type} \
                --bits ${bits} \
                --hash ${hash}
        fi
        chmod 440 private/${name}-key.pem
    fi
}

gen_self () {
    local name type bits hash pw
    name=$1
    type=$2
    bits=$3
    hash=$4
    pw=$5
    if [ ! -e public/${name}-cert.pem ] ; then
        gen_priv ${name} ${type} ${bits} ${hash} ${pw}
        echo Generating ${name}-cert.pem...
        ${certtool_pw} --generate-self-signed \
            --load-privkey private/${name}-key.pem \
            --template ${name}.template \
            --outfile public/${name}-cert.pem \
            --hash ${hash}
        chmod 444 public/${name}-cert.pem
    fi
}

gen_crl () {
    local name type bits hash pw
    name=$1
    type=$2
    bits=$3
    hash=$4
    pw=$5
    if [ ! -e public/${name}-crl.pem ] ; then
        gen_self ${name} ${type} ${bits} ${hash} ${pw}
        echo Generating ${name}-crl.pem...
        ${certtool_pw} --generate-crl \
            --load-ca-privkey private/${name}-key.pem \
            --load-ca-certificate public/${name}-cert.pem \
            --template ${name}-crl.template \
            --outfile public/${name}-crl.pem \
            --hash ${hash}
        chmod 444 public/${name}-crl.pem
    fi
}

gen_req () {
    local name type bits hash pw template
    name=$1
    type=$2
    bits=$3
    hash=$4
    pw=$5
    if [ ! -e private/${name}-req.pem ] ; then
        gen_priv ${name} ${type} ${bits} ${hash} ${pw}
        echo Generating ${name}-req.pem...
        template=${name}.template
        if [ ! -e ${template} ] ; then
            template=${name%-*}.template
        fi
        gen_serial
        cp serial.template ${template}.tmp
        cat ${template} >> ${template}.tmp
        ${certtool_pw} --generate-request \
            --load-privkey private/${name}-key.pem \
            --template ${template}.tmp \
            --outfile private/${name}-req.pem \
            --hash ${hash}
        chmod 444 private/${name}-req.pem
        rm ${template}.tmp
    fi
}

gen_cert () {
    local name type bits hash pw ca_name template
    name=$1
    type=$2
    bits=$3
    hash=$4
    pw=$5
    ca_name=$6
    if [ ! -e public/${name}-cert.pem ] ; then
        gen_req ${name} ${type} ${bits} ${hash} ${pw}
        echo Generating ${name}-cert.pem
        template=${name}.template
        if [ ! -e ${template} ] ; then
            template=${name%-*}.template
        fi
        gen_serial
        cp serial.template ${template}.tmp
        cat ${template} >> ${template}.tmp
        ${certtool_pw} --generate-certificate \
            --load-request private/${name}-req.pem \
            --load-ca-certificate public/${ca_name}-cert.pem \
            --load-ca-privkey private/${ca_name}-key.pem \
            --template ${template}.tmp \
            --outfile public/${name}-cert.pem \
            --hash ${hash}
        chmod 444 public/${name}-cert.pem
        rm ${template}.tmp
    fi
}

gen_crl private-ca rsa 8192 SHA256 1
gen_cert private-int rsa 4096 SHA256 1 private-ca
gen_cert ejabberd rsa 4096 SHA256 0 private-int

crl_number = 0
crl_next_update = -1

serial = 0
organization = "Example"
cn = &
Bug#932081: sogo: Unable to connect to a remote IMAP server.
Package: sogo
Version: 4.0.7-1
Followup-For: Bug #932081

I encountered the same problem. I'm in the process of upgrading several servers from Debian stretch to Debian buster. SOGo is installed on a separate server which I upgraded first. Initially all was well after the upgrade, although it took me a moment to discover that /usr/share/doc/sogo/sql-update-3.2.10_to_4.0.0.sh needed to be run in order for Address Book to work correctly. Later I upgraded the server which runs dovecot-imapd. Now SOGo can't display Mail, but Address Book and Calendar still work. Logs look very similar to Koichi MATSUMOTO's report.

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (701, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sogo depends on:
ii  adduser               3.118
ii  gnustep-base-runtime  1.26.0-4
ii  libc6                 2.28-10
ii  libcurl3-gnutls       7.64.0-4
ii  libgcc1               1:8.3.0-6
ii  libglib2.0-0          2.58.3-2
ii  libgnustep-base1.26   1.26.0-4
ii  libgnutls30           3.6.7-4
ii  liblasso3             2.6.0-2+b2
ii  libmemcached11        1.0.18-4.2
ii  libobjc4              8.3.0-6
ii  libsbjson2.3          2.3.2-4+b1
ii  libsope1              4.0.7-1
ii  lsb-base              10.2019051400
ii  memcached             1.5.6-1.1
ii  sogo-common           4.0.7-1
ii  systemd               241-5
ii  tmpreaper             1.6.14
ii  zip                   3.0-11+b1

sogo recommends no packages.

Versions of packages sogo suggests:
ii  postgresql  11+200+deb10u1

-- Configuration Files:
/etc/cron.d/sogo [Errno 13] Permission denied: '/etc/cron.d/sogo'
/etc/default/sogo changed:
PREFORK=4

/etc/sogo/sogo.conf [Errno 13] Permission denied: '/etc/sogo/sogo.conf'

-- no debconf information

-- 
Gerald Turner
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

Jul 24 08:28:00 sogod [22882]: localhost "GET /SOGo/ HTTP/1.1" 200 2442/0 0.004 - - 0
2019-07-24 08:28:19.923 sogod[22882:22882] ERROR(-[NSException(NGMiscellaneous) initWithFormat:]): missing format!
Jul 24 08:28:19 sogod [22882]: <0x0x559fabd1d5d0[NGImap4Client]> ERROR(-[NGImap4Client _processUnknownCommandParserException:]): catched non-IMAP4 parsing exception UnexpectedEndOfStream: the parsed stream ended unexpectedly
Jul 24 08:28:19 sogod [22882]: [ERROR] <0x0x559fabd8a1b0[NGImap4ConnectionManager]> IMAP4 login failed: host=mail.unzane.com, user=gturner, pwd=yes url=imaps://gtur...@mail.unzane.com/ base=(null) base-class=(null)) = <0x0x559fabd1d5d0[NGImap4Client]: login=gturner(pwd) socket= connectedTo=<0x0x559fabd3c7f0[NGInternetSocketAddress]: host=mail.unzane.com port=993>>>
Jul 24 08:28:19 sogod [22882]: <0x559fabedc620[SOGoMailAccount]:0> renewing imap4 password
2019-07-24 08:28:19.969 sogod[22882:22882] ERROR(-[NSException(NGMiscellaneous) initWithFormat:]): missing format!
Jul 24 08:28:19 sogod [22882]: <0x0x559fabec4dd0[NGImap4Client]> ERROR(-[NGImap4Client _processUnknownCommandParserException:]): catched non-IMAP4 parsing exception UnexpectedEndOfStream: the parsed stream ended unexpectedly
Jul 24 08:28:19 sogod [22882]: [ERROR] <0x0x559fabd8a1b0[NGImap4ConnectionManager]> IMAP4 login failed: host=mail.unzane.com, user=gturner, pwd=yes url=imaps://gtur...@mail.unzane.com/ base=(null) base-class=(null)) = <0x0x559fabec4dd0[NGImap4Client]: login=gturner(pwd) socket= connectedTo=<0x0x559fabd1a940[NGInternetSocketAddress]: host=mail.unzane.com port=993>>>
Jul 24 08:28:19 sogod [22882]: [ERROR] <0x559fabedc620[SOGoMailAccount]:0> Could not connect IMAP4
Jul 24 08:28:19 sogod [22882]: 127.0.0.1 "POST /SOGo/so/gturner/Mail/unseenCount HTTP/1.1" 200 21/31 0.135 - - 0
Jul 24 08:28:19 azathoth dovecot[655]: imap-login: Login: user=, method=PLAIN, rip=184.105.220.22, lip=184.105.220.20, mpid=26318, TLS, session=
Jul 24 08:28:19 azathoth dovecot[655]: imap(gturner)<26318>: Connection closed (No commands sent) in=0 out=373 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Jul 24 08:28:19 azathoth dovecot[655]: imap-login: Login: user=, method=PLAIN, rip=184.105.220.22, lip=184.105.220.20, mpid=26319, TLS: read(size=530) failed: Connection reset by peer, session=
Jul 24 08:28:19 azathoth dovecot[655]: imap(gturner)<26319>: Connection closed (No commands sent) in=0 out=373 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

signature.asc
Description: PGP signature
Bug#932081: sogo: Unable to connect to a remote IMAP server.
FYI, there had been a short thread on the SOGo mailing list two months ago, with no solution. https://lists.inverse.ca/sogo/arc/users/2019-06/msg5.html Looks like the bug has been reported upstream, with no update: https://sogo.nu/bugs/view.php?id=4783 -- Gerald Turner Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#928211: munin-plugins-core: open_files max is 18 quintillion (since systemd 240), obscuring graph
Control: tags -1 + patch Attached patch that removes the insanely large ‘max' value. Note that calculated warning/critical for ‘used' are still absurdly large. Perhaps it would be useful if the plugin would read configuration environment variables so that an admin could override them with meaningful values (tens of thousands rather than quintillions). -- Gerald Turner Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D --- /usr/share/munin/plugins/open_files 2019-03-11 02:13:29.0 -0700 +++ /etc/munin/plugins/open_files 2019-04-29 14:37:54.760383923 -0700 @@ -53,11 +53,7 @@ p_critical=$(print_critical used) [ -z "$p_warning" ] && echo "used.warning $computed_warning" || echo "$p_warning" [ -z "$p_critical" ] && echo "used.critical $computed_critical" || echo "$p_critical" - echo 'max.label max open files' - echo 'max.info The maximum supported number of open files. Tune by modifying /proc/sys/fs/file-max.' - print_warning max - print_critical max exit 0 fi -awk '{print "used.value " $1-$2 "\nmax.value " $3}' < /proc/sys/fs/file-nr +awk '{print "used.value " $1-$2}' < /proc/sys/fs/file-nr signature.asc Description: PGP signature
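Review bot: the hunk only drops the `max` series; `computed_warning` and `computed_critical` for `used`, echoed in the unchanged lines just above the removed block, are still derived from the same file-max figure, so the thresholds the report calls absurd remain after this patch. The override the author wishes for already appears to be wired in those same context lines: `p_warning=$(print_warning used)` followed by `[ -z "$p_warning" ] && echo "used.warning $computed_warning" || echo "$p_warning"` means a `used_warning`/`used_critical` environment setting from the plugin's munin-node configuration takes precedence over the computed value; documenting that in the plugin's header would close the wishlist part without further code. Also note the diff is taken between /usr/share/munin/plugins/open_files and a copy in /etc/munin/plugins, so the paths need adjusting (or `-p0` with the target spelled out) before it applies to the package source.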
Bug#928211: munin-plugins-core: open_files max is 18 quintillion (since systemd 240), obscuring graph
Package: munin-plugins-core
Version: 2.0.47-1~bpo9+1
Severity: wishlist

Sequence of events:

1. systemd version >= 240 now bumps fs.nr_open and fs.file-max sysctls to maximum value 18 quintillion.

2. Had been using open_files plugin in munin-plugins-c, however it cannot handle integers this large (bug #923191).

3. Switched to using open_files plugin from munin-plugins-core to work-around bug #923191. Graph is now obscured by having such huge max value.

-- System Information:
Debian Release: 9.9
  APT prefers stable
  APT policy: (601, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-0.bpo.4-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages munin-plugins-core depends on:
ii  munin-common  2.0.47-1~bpo9+1
ii  perl          5.24.1-3+deb9u5

Versions of packages munin-plugins-core recommends:
ii  libnet-snmp-perl  6.0.1-2

Versions of packages munin-plugins-core suggests:
pn  acpi | lm-sensors
pn  conntrack
pn  default-mysql-client
ii  ethtool                           1:4.8-1+b1
pn  hdparm
pn  libcache-cache-perl
pn  libdbd-mysql-perl
pn  libdbd-pg-perl
ii  libhttp-date-perl                 6.02-1
pn  liblwp-useragent-determined-perl
ii  libnet-dns-perl                   1.07-1
ii  libnet-ip-perl                    1.26-1
pn  libnet-irc-perl
ii  libnet-ldap-perl                  1:0.6500+dfsg-1
pn  libnet-netmask-perl
ii  libnet-telnet-perl                3.04-1
ii  libxml-parser-perl                2.44-2+b1
ii  libxml-simple-perl                2.22-1
ii  logtail                           1.3.18
ii  net-tools                         1.60+git20161116.90da8a0-1
ii  python3                           3.5.3-1
ii  ruby                              1:2.3.3
pn  smartmontools

-- no debconf information

-- 
Gerald Turner
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

signature.asc
Description: PGP signature
Bug#928197: libmp3-tag-perl: Perl 5.28 warning: Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.32)
Control: tags -1 + patch Patch attached. -- Gerald Turner Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D Description: fix another "unescaped left brace" error Author: Gerald Turner Origin: vendor Bug-Debian: https://bugs.debian.org/928197 Forwarded: not-needed Applied-Upstream: fixed in 1.15 Last-Update: 2019-04-29 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: libmp3-tag-perl-1.13/lib/MP3/Tag.pm === --- libmp3-tag-perl-1.13.orig/lib/MP3/Tag.pm +++ libmp3-tag-perl-1.13/lib/MP3/Tag.pm @@ -2941,7 +2941,7 @@ sub format_time { local $self->{ms} = int($time * 1000 + 0.5) if defined $time; my ($out, %have, $c) = ''; for my $f (@_) { -$have{$+}++ if $f =~ /^\??({([^{}]+)}|.)/; +$have{$+}++ if $f =~ /^\??(\{([^{}]+)}|.)/; } for my $f (@_) { if (!$c++ and $f =~ /^=>(\w)$/) { @@ -2953,7 +2953,7 @@ sub format_time { } my $ff = $f; # Modifiable my $opt = ($ff =~ s/^\?//); -$ff =~ s/^({[^{}]+}|\w)// or die "unexpected time format: <<$f>>"; +$ff =~ s/^(\{[^{}]+}|\w)// or die "unexpected time format: <<$f>>"; my ($what, $format) = ($1, ''); if ($opt) { if ($what eq 'H') { signature.asc Description: PGP signature
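Review bot: the DEP-3 header says `Origin: vendor` and `Forwarded: not-needed`, yet the report for this bug points at the upstream 1.15 change that already contains this fix; `Origin: backport, <the metacpan diff URL from the report>` (or `upstream`) would describe the provenance accurately and tells the next maintainer the patch can be dropped on the 1.15 upgrade. The regex changes themselves are correct: only an unescaped `{` triggers the Perl 5.28 warning, and writing `\{` does not alter what `({([^{}]+)}|.)` and `({[^{}]+}|\w)` match, since a `{` not introducing a quantifier was already taken literally; `$+` and `$1` therefore capture the same text as before, and the unescaped closing `}` in `[^{}]+)}` needs no change.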
Bug#928197: libmp3-tag-perl: Perl 5.28 warning: Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.32)
Package: libmp3-tag-perl
Version: 1.13-1.1
Severity: normal

Dear Maintainer,

Quite similar to bug #878504 and #809352, Perl 5.28 now complains about additional unescaped curly braces used in regular expressions.

Fixed in upstream 1.15: https://metacpan.org/diff/file?target=ILYAZ/MP3-Tag-1.15/=ILYAZ%2FMP3-Tag-1.14#lib/MP3/Tag.pm

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (601, 'testing'), (500, 'testing-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libmp3-tag-perl depends on:
ii  perl  5.28.1-6

Versions of packages libmp3-tag-perl recommends:
ii  libimage-exiftool-perl  11.16-1
ii  libmp3-info-perl        1.24-1.2

Versions of packages libmp3-tag-perl suggests:
ii  texlive-latex-extra  2018.20190227-2

-- no debconf information

-- 
Gerald Turner
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

signature.asc
Description: PGP signature
Bug#914738: painintheapt: Please append subject to XMPP message
Package: painintheapt
Version: 0.20181120-1~bpo9+1
Severity: wishlist

Dear Maintainer,

Since version 0.20180212, commit¹ 1660b436, which added XMPP pubsub support among other things, changed the format of the message sent directly to XMPP recipients and MUCs.

The older version used to send messages prepended with a string like:

  "1 package update(s) for hostname\n\n"

However newer versions split this information into a separate 'subject' field, which my XMPP client (Pidgin usually) ignores. It's also absent from MUC group messages entirely. The effect is that I'm no longer able to discern what hosts have which updates.

¹ https://salsa.debian.org/xmpp-team/painintheapt/commit/1660b436be5faa02184ad398b406e917a4a416a8#9b7fd75f021b7dcd0fdc40caf24c403142d2195e_139_176

-- System Information:
Debian Release: 9.6
  APT prefers stable
  APT policy: (601, 'stable'), (500, 'stable-updates'), (500, 'stable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages painintheapt depends on:
ii  init-system-helpers  1.48
ii  python3              3.5.3-1
ii  python3-apt          1.4.0~beta3
ii  python3-prettytable  0.7.2-3
ii  python3-sleekxmpp    1.3.1-6.1

painintheapt recommends no packages.

Versions of packages painintheapt suggests:
ii  cron [cron-daemon]  3.0pl1-128+deb9u1

-- Configuration Files:
/etc/painintheapt.conf [Errno 13] Permission denied: '/etc/painintheapt.conf'

-- no debconf information

-- 
Gerald Turner
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

signature.asc
Description: PGP signature
Bug#914156: munin-plugins-extra: ipmi_sensor_ arbitrarily reverses min:max values in warnings/criticals for fans
Hello Lars,

On Tue, Nov 20 2018, Lars Kruse wrote:
> Indeed this change was not well understood at that point in time and
> needed to be reversed. I just did this:
>
> https://github.com/munin-monitoring/munin/commit/087478ed7df023733e8b3efb37703eadd3305791
> The change will be released with munin 2.0.44.

Awesome!

> While testing this issue, I stumbled upon another minor issue, that I
> fixed. Maybe you would like to test the new state of the ipmi_sensor_
> plugin?
>
> curl https://github.com/munin-monitoring/munin/raw/0b70ebf5ff/plugins/node.d/ipmi_sensor_.in \
> | sed 's#@@CONFDIR@@#/etc/munin#; s#@@PYTHON@@#/usr/bin/python3#'

I tested it on a host that's monitoring various temperatures, voltages, and fans - works great. I don't have any hardware that is missing the "Assertions" output, so can't exactly test the code path in your change.

-- 
Gerald Turner
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

signature.asc
Description: PGP signature
Bug#914157: munin-plugins-core: smart_ constantly warning about smartctl exit status 0
Control: tags -1 + fixed-upstream
Control: forwarded -1 https://github.com/munin-monitoring/munin/issues/1100
Control: fixed -1 2.0.43-1

Sorry for the noise - while writing a patch I discovered that this bug was already identified and fixed upstream and included in Debian unstable (but not stretch-backports).

-- 
Gerald Turner
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

signature.asc
Description: PGP signature
Bug#914157: munin-plugins-core: smart_ constantly warning about smartctl exit status 0
Package: munin-plugins-core
Version: 2.0.42-5~bpo9+1
Severity: normal

Dear Maintainer,

A code change¹ made to munin plugin smart_ introduced a bug where smartctl exit status is triggering a warning.

Before 2.0.40:

  # munin-run smart_sda config | grep status.warning
  smartctl_exit_status.warning 1

After 2.0.40:

  # munin-run smart_sda config | grep status.warning
  smartctl_exit_status.warning 1:
                                ^

Looks like due to some refactoring, that the usual SMART critical values are specified as minimums (e.g. "Reallocated_Sector_Ct.critical 010:"), a mistake was introduced that smartctl exit status is treated the same way, when in fact it should be treated as a maximum range.

¹ https://github.com/munin-monitoring/munin/commit/7f755efb7325423d8df482be6a1234c9a14ccac3

-- System Information:
Debian Release: 9.6
  APT prefers stable
  APT policy: (601, 'stable'), (500, 'stable-updates'), (500, 'stable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages munin-plugins-core depends on:
ii  munin-common  2.0.42-5~bpo9+1
ii  perl          5.24.1-3+deb9u4

Versions of packages munin-plugins-core recommends:
ii  libnet-snmp-perl  6.0.1-2

Versions of packages munin-plugins-core suggests:
ii  conntrack            1:1.4.4+snapshot20161117-5
ii  libcache-cache-perl  1.08-2
ii  libdbd-mysql-perl    4.041-2
ii  libhttp-date-perl    6.02-1
ii  libnet-dns-perl      1.07-1
ii  libnet-ip-perl       1.26-1
pn  libnet-ldap-perl
ii  libnet-netmask-perl  1.9022-1
ii  libnet-telnet-perl   3.04-1
ii  libxml-parser-perl   2.44-2+b1
ii  python3              3.5.3-1
ii  ruby                 1:2.3.3

-- no debconf information

-- 
Gerald Turner
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

signature.asc
Description: PGP signature
Bug#914156: munin-plugins-extra: ipmi_sensor_ arbitrarily reverses min:max values in warnings/criticals for fans
Control: tags -1 + patch The attached patch fixes this bug. -- Gerald Turner Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D From 387792ac15559f15c53322f2a685c30d55a21317 Mon Sep 17 00:00:00 2001 From: Gerald Turner Date: Mon, 19 Nov 2018 15:48:10 -0800 Subject: [PATCH] Fix Debian bug #914156: ipmi_sensor_ arbitrarily reverses min:max values in warnings/criticals for fans --- plugins/node.d/ipmi_sensor_.in | 9 ++--- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/plugins/node.d/ipmi_sensor_.in b/plugins/node.d/ipmi_sensor_.in index aebf5c72..0102d240 100644 --- a/plugins/node.d/ipmi_sensor_.in +++ b/plugins/node.d/ipmi_sensor_.in @@ -265,13 +265,8 @@ def config_unit(unit): if 'unc+' in assertions: warn_u = values['upper non-critical'].replace("na", "") -# TODO add 'fans' -if 'rpm' == unit: -warn = "%s:%s" % (warn_u, warn_l) -crit = "%s:%s" % (crit_u, crit_l) -else: -warn = "%s:%s" % (warn_l, warn_u) -crit = "%s:%s" % (crit_l, crit_u) +warn = "%s:%s" % (warn_l, warn_u) +crit = "%s:%s" % (crit_l, crit_u) if warn != ":": print("%s.warning %s" % (nname, warn)) -- 2.19.1 signature.asc Description: PGP signature
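Review bot: the removed `if 'rpm' == unit:` branch was the whole cause, and with it gone both `warn` and `crit` are always built as `lower:upper`, which is the only order Munin's `min:max` threshold syntax understands (it alerts when value < min or value > max), so the fix is correct and the `# TODO add 'fans'` comment that motivated the special case rightly goes with it. Two small points: the commit message would benefit from stating that rule explicitly, so the swap is not reintroduced for another unit, and since the report shows the plugin's output for two boards, turning those "FAN 1"/"FAN1" samples into a regression check for `config_unit` would be cheap.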
Bug#914138: munin-plugins-extra: ipmi_sensor_ python error: AttributeError: 'str' object has no attribute 'decode'
Control: tags -1 + patch The attached patch fixes this bug. -- Gerald Turner Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D From 3ac419bc8402b790a42555adfeab44a5e60295ad Mon Sep 17 00:00:00 2001 From: Gerald Turner Date: Mon, 19 Nov 2018 15:44:37 -0800 Subject: [PATCH] Fix Debian bug #914138: ipmi_sensor_ python error: AttributeError: 'str' object has no attribute 'decode' --- plugins/node.d/ipmi_sensor_.in | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/node.d/ipmi_sensor_.in b/plugins/node.d/ipmi_sensor_.in index aebf5c72..e13dcca9 100644 --- a/plugins/node.d/ipmi_sensor_.in +++ b/plugins/node.d/ipmi_sensor_.in @@ -221,7 +221,6 @@ UNITS_TO_SENSORS = { if access(CONFIG, R_OK): for line in open(CONFIG): -line = line.decode() if line.strip().startswith('#'): continue data = line.split('=', 1) -- 2.19.1 signature.asc Description: PGP signature
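Review bot: dropping `line = line.decode()` is right for the Python 3 interpreter Debian substitutes for @@PYTHON@@, since text-mode `open()` already yields `str` and `str` has no `decode`. If the plugin is still meant to run under Python 2 as well, the same loop can serve both by opening the file with an explicit encoding, `io.open(CONFIG, encoding='utf-8')` in the `for line in open(CONFIG):` line shown in the context, which returns text on both interpreters without the call; otherwise the patch stands as it is.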
Bug#914156: munin-plugins-extra: ipmi_sensor_ arbitrarily reverses min:max values in warnings/criticals for fans
Package: munin-plugins-extra
Version: 2.0.42-5~bpo9+1
Severity: normal

Dear Maintainer,

There was an issue¹ reported to munin github which proposed a "fix" for one person's hardware, that broke on everyone else's hardware.

Looking at two servers (both SuperMicro), showing ipmitool output and munin-run output with the version of ipmi_sensor_ in the 2.0.33-1 package:

server1# ipmitool -I open sensor get "FAN 1"
Locating sensor record...
Sensor ID              : FAN 1 (0x41)
Entity ID              : 29.1
Sensor Type (Threshold) : Fan
Sensor Reading         : 4800 (+/- 0) RPM
Status                 : ok
Lower Non-Recoverable  : 300.000
Lower Critical         : 450.000
Lower Non-Critical     : 600.000
Upper Non-Critical     : 18975.000
Upper Critical         : 19050.000
Upper Non-Recoverable  : 19125.000
Positive Hysteresis    : 75.000
Negative Hysteresis    : 75.000
Assertion Events       :
Assertions Enabled     : lcr- lnr- unc+ ucr+ unr+
Deassertions Enabled   : lcr- lnr- unc+ ucr+ unr+

server1# munin-run ipmi_sensor_u_rpm config | grep fan_1
fan_1.label FAN 1
fan_1.warning :18975.000
fan_1.critical 450.000:19050.000

server2# ipmitool -I open sensor get "FAN1"
Locating sensor record...
Sensor ID              : FAN1 (0x41)
Entity ID              : 29.1
Sensor Type (Threshold) : Fan
Sensor Reading         : 800 (+/- 0) RPM
Status                 : ok
Lower Non-Recoverable  : 300.000
Lower Critical         : 500.000
Lower Non-Critical     : 700.000
Upper Non-Critical     : 25300.000
Upper Critical         : 25400.000
Upper Non-Recoverable  : 25500.000
Positive Hysteresis    : 100.000
Negative Hysteresis    : 100.000
Assertion Events       :
Assertions Enabled     : lcr- lnr- ucr+ unr+
Deassertions Enabled   : lcr- lnr- ucr+ unr+

server2# munin-run ipmi_sensor_u_rpm config | grep fan1
fan1.label FAN1
fan1.critical 500.000:25400.000

Compared to munin-run output with the version of ipmi_sensor_ in the 2.0.42-5~bpo9+1 package:

server1# munin-run ipmi_sensor_u_rpm config | grep fan_1
fan_1.label FAN 1
fan_1.warning 18975.000:
                       ^^
fan_1.critical 19050.000:450.000
                        ^

server2# munin-run ipmi_sensor_u_rpm config | grep fan1
fan1.label FAN1
fan1.critical 25400.000:500.000
                       ^

The Lower/Upper, Critical/Non-Critical values have been reversed. The following lines of code in the plugin are causing this reversal:

268:        # TODO add 'fans'
269:        if 'rpm' == unit:
270:            warn = "%s:%s" % (warn_u, warn_l)
271:            crit = "%s:%s" % (crit_u, crit_l)
272:        else:
273:            warn = "%s:%s" % (warn_l, warn_u)
274:            crit = "%s:%s" % (crit_l, crit_u)

Apologies for not commenting on the upstream github repository directly, as I do not have a github account. However another user had reported the same problem in the last comment² of the closed bug report.
¹ https://github.com/munin-monitoring/munin/issues/301 ² https://github.com/munin-monitoring/munin/issues/301#issuecomment-380997171 -- System Information: Debian Release: 9.6 APT prefers stable APT policy: (601, 'stable'), (500, 'stable-updates'), (500, 'stable-debug') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages munin-plugins-extra depends on: ii munin-common 2.0.42-5~bpo9+1 ii perl 5.24.1-3+deb9u4 munin-plugins-extra recommends no packages. Versions of packages munin-plugins-extra suggests: pn libcache-memcached-perl ii libnet-ip-perl 1.26-1 ii libnet-netmask-perl 1.9022-1 ii libnet-snmp-perl 6.0.1-2 ii libnet-telnet-perl 3.04-1 ii libtext-csv-xs-perl 1.26-1 ii libxml-libxml-perl 2.0128+dfsg-1+deb9u1 ii python3 3.5.3-1 -- Configuration Files: /etc/munin/plugin-conf.d/dhcpd3 [Errno 13] Permission denied: '/etc/munin/plugin-conf.d/dhcpd3' /etc/munin/plugin-conf.d/spamstats [Errno 13] Permission denied: '/etc/munin/plugin-conf.d/spamstats' -- no debconf information -- Gerald Turner Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
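The report above shows the same ipmitool thresholds producing a sane `min:max` range in 2.0.33-1 and an inverted one in 2.0.42. The following is an added example (not code from the munin plugin or from the reporter) that reproduces the plugin's threshold-to-range logic on the two fan sensors quoted in the report, can flip on the regressed ordering to show the inverted output, and adds the check a practitioner would want in a munin config consumer: reject any `min:max` whose min exceeds max. The parser, the `range_is_sane` helper and the trimmed sample sensor text are assumptions of this example, not part of the plugin.

```python
"""Derive munin warning/critical ranges from ipmitool threshold output.

munin expects "min:max" (either side may be empty). The regression in the
report emitted "max:min" for RPM sensors; this example reproduces both
orderings and validates the result. Added example, not the plugin's code.
"""
import re

# Constructed input: the two SuperMicro fan sensors quoted in the report,
# trimmed to the fields the plugin uses.
SERVER1_FAN1 = """\
Sensor ID              : FAN 1 (0x41)
Sensor Reading         : 4800 (+/- 0) RPM
Lower Non-Recoverable  : 300.000
Lower Critical         : 450.000
Lower Non-Critical     : 600.000
Upper Non-Critical     : 18975.000
Upper Critical         : 19050.000
Upper Non-Recoverable  : 19125.000
Assertions Enabled     : lcr- lnr- unc+ ucr+ unr+
"""

SERVER2_FAN1 = """\
Sensor ID              : FAN1 (0x41)
Sensor Reading         : 800 (+/- 0) RPM
Lower Non-Recoverable  : 300.000
Lower Critical         : 500.000
Lower Non-Critical     : 700.000
Upper Non-Critical     : 25300.000
Upper Critical         : 25400.000
Upper Non-Recoverable  : 25500.000
Assertions Enabled     : lcr- lnr- ucr+ unr+
"""


def parse_sensor(text):
    """Split 'Key : value' lines into a dict; assertion flags become a set."""
    values, assertions = {}, set()
    for line in text.splitlines():
        key, sep, val = line.partition(':')
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        if key == 'assertions enabled':
            assertions = set(val.split())
        else:
            values[key] = val
    return values, assertions


def _threshold(values, assertions, flag, key):
    """Threshold text if the BMC asserts on it, else '' (open side for munin)."""
    if flag not in assertions:
        return ''
    return values.get(key, 'na').replace('na', '')


def config_lines(name, label, values, assertions, swap_rpm=False):
    """Return the 'config' lines munin-run would print for one fan sensor.

    swap_rpm=True reproduces the regressed max:min ordering from the report.
    """
    warn_l = _threshold(values, assertions, 'lnc-', 'lower non-critical')
    warn_u = _threshold(values, assertions, 'unc+', 'upper non-critical')
    crit_l = _threshold(values, assertions, 'lcr-', 'lower critical')
    crit_u = _threshold(values, assertions, 'ucr+', 'upper critical')
    if swap_rpm:
        warn, crit = "%s:%s" % (warn_u, warn_l), "%s:%s" % (crit_u, crit_l)
    else:
        warn, crit = "%s:%s" % (warn_l, warn_u), "%s:%s" % (crit_l, crit_u)
    out = ["%s.label %s" % (name, label)]
    if warn != ':':
        out.append("%s.warning %s" % (name, warn))
    if crit != ':':
        out.append("%s.critical %s" % (name, crit))
    return out


def range_is_sane(rng):
    """True when a munin 'min:max' range is well-formed and min <= max."""
    m = re.fullmatch(r'([-\d.]*):([-\d.]*)', rng)
    if not m:
        return False
    lo, hi = m.group(1), m.group(2)
    if lo and hi:
        return float(lo) <= float(hi)
    return bool(lo or hi)  # ':' alone carries no threshold


if __name__ == '__main__':
    samples = (('fan_1', 'FAN 1', SERVER1_FAN1), ('fan1', 'FAN1', SERVER2_FAN1))
    for name, label, text in samples:
        vals, flags = parse_sensor(text)
        for line in config_lines(name, label, vals, flags):
            print(line)
        # Run the regressed ordering through the sanity check.
        for line in config_lines(name, label, vals, flags, swap_rpm=True):
            field, _, rng = line.partition(' ')
            if field.endswith(('.warning', '.critical')) and not range_is_sane(rng):
                print("inverted range:", line)
```

With the sample sensors the correct ordering reproduces the 2.0.33-1 output from the report (`:18975.000` and `450.000:19050.000` for server1, only a critical range for server2 because no `unc+`/`lnc-` assertion is enabled), while the swapped ordering trips `range_is_sane`, which is the check worth adding to anything that consumes plugin config.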
Bug#914138: munin-plugins-extra: ipmi_sensor_ python error: AttributeError: 'str' object has no attribute 'decode'
Package: munin-plugins-extra
Version: 2.0.42-5~bpo9+1
Severity: normal

Dear Maintainer,

I'm no Python expert, but it appears that a code change¹ made to munin plugin ipmi_sensor_ is broken on systems with Python 3.5.3.

# munin-run ipmi_sensor_u_rpm
Traceback (most recent call last):
  File "/etc/munin/plugins/ipmi_sensor_u_rpm", line 224, in
    line = line.decode()
AttributeError: 'str' object has no attribute 'decode'

The code in question is:

 75: CONFIG = '/etc/munin/ipmi'
 …
222: if access(CONFIG, R_OK):
223:     for line in open(CONFIG):
224:         line = line.decode()

The built-in open()² function is reading the file in text-mode with platform default encoding, and the 'line' variable is a 'str' object, not a 'bytes' object that needs to be decoded. Perhaps some variant of Python 3 has a decode method on str objects, or open() returns bytes objects by default? Otherwise my guess is nobody ever executed this plugin since the 2.0.38 release.

¹ https://github.com/munin-monitoring/munin/commit/8637ee5244c20f4432dea5fa15ad234f98b23d1d
² https://docs.python.org/3.5/library/functions.html#open

-- System Information:
Debian Release: 9.6
APT prefers stable
APT policy: (601, 'stable'), (500, 'stable-updates'), (500, 'stable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages munin-plugins-extra depends on:
ii munin-common 2.0.42-5~bpo9+1
ii perl 5.24.1-3+deb9u4

munin-plugins-extra recommends no packages.
Versions of packages munin-plugins-extra suggests: pn libcache-memcached-perl ii libnet-ip-perl 1.26-1 ii libnet-netmask-perl 1.9022-1 ii libnet-snmp-perl 6.0.1-2 ii libnet-telnet-perl 3.04-1 ii libtext-csv-xs-perl 1.26-1 ii libxml-libxml-perl 2.0128+dfsg-1+deb9u1 ii python3 3.5.3-1 -- Configuration Files: /etc/munin/plugin-conf.d/dhcpd3 [Errno 13] Permission denied: '/etc/munin/plugin-conf.d/dhcpd3' /etc/munin/plugin-conf.d/spamstats [Errno 13] Permission denied: '/etc/munin/plugin-conf.d/spamstats' -- no debconf information -- Gerald Turner Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#848890: [Pkg-swan-devel] Bug#848890: polished remaining delta for re-review
Hi Christian, I don't want to distract from the purpose of this bug report, but I have a question regarding one particular piece... On Thu, Nov 30 2017, Christian Ehrhardt wrote: > The TL;DR of the remaining changes are: > - some fixes (like the stroke apparmor profile) Do the Ubuntu packages install AppArmor profiles for charon-systemd and swanctl as well? FYI, earlier this year I copied the existing usr.lib.ipsec.charon profile to usr.sbin.charon-systemd, and created a usr.sbin.swanctl from scratch (although it's similar to usr.lib.ipsec.stroke). Filed bug #866327. Yves-Alexis applied changes in 5.6.0-1. I suppose that if there are usr.lib.ipsec.charon or usr.lib.ipsec.stroke specific changes coming from Ubuntu, that these should be synchronized with the usr.sbin.charon-systemd or usr.sbin.swanctl variants in Debian. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#882431: [Pkg-swan-devel] Bug#882431: Bug#882431: strongswan-starter: counters plugin should be visible to strongswan-swanctl package
On Thu, Nov 23 2017, Yves-Alexis Perez wrote: > Actually I was a bit confused too: it's a libcharon plugin which > should then be loaded by a relevant charon process. For stroke plugin, > this is /usr/lib/ipsec/charon, in your case, for strongswan-swanctl, > it is /usr/sbin/charon-systemd from the charon-systemd package. > > The swanctl command is just talking (via vici) to the charon-systemd > binary. And charon-systemd packages already depends on > strongswan-libcharon, so it should be fine to move the counters plugin > there, I think. > > Does that make sense to you? Sounds perfect. Want me to recreate a patch? -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#882431: [Pkg-swan-devel] Bug#882431: strongswan-starter: counters plugin should be visible to strongswan-swanctl package
On Thu, Nov 23 2017, Yves-Alexis Perez wrote: > In any case your later patch is wrong (doesn't move, just copy, and > doesn't handle conflicts/replace etc.). Do you mean Conflicts, Breaks, etc. in debian/control? I overlooked that completely, figuring the 5.6.1-1 package hasn't migrated out of sid yet. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#882431: strongswan-starter: counters plugin should be visible to strongswan-swanctl package
Control: tags -1 + patch I've built a private package with the attached patch, and tested that "swanctl -C" works, however I haven't tested strongswan-starter/stroke (but the move looks trivial, couldn't possibly break?) -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D From 50cc42baf5d5c0815a483caae250711a2334de12 Mon Sep 17 00:00:00 2001 From: Gerald Turner <gtur...@unzane.com> Date: Tue, 21 Nov 2017 14:30:23 -0800 Subject: [PATCH] Move counters plugin from strongswan-starter package to libstrongswan package so that it may be used by swanctl as well --- debian/control| 1 + debian/libstrongswan.install | 3 +++ debian/strongswan-starter.install | 4 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/control b/debian/control index f0c6dcd8..571257a6 100644 --- a/debian/control +++ b/debian/control @@ -71,6 +71,7 @@ Description: strongSwan utility and crypto library For libstrongswan (cryptographic backends, URI fetchers and database layers): - aes (AES-128/192/256 cipher software implementation) - constraints (X.509 certificate advanced constraint checking) + - counters (Provides IKE performance counters) - dnskey (Parse RFC 4034 public keys) - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms) - gmp (RSA/DH crypto backend based on libgmp) diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install index 072ff7e0..c44318f5 100644 --- a/debian/libstrongswan.install +++ b/debian/libstrongswan.install @@ -2,6 +2,7 @@ usr/lib/ipsec/libstrongswan.so* usr/lib/ipsec/plugins/libstrongswan-aes.so usr/lib/ipsec/plugins/libstrongswan-constraints.so +usr/lib/ipsec/plugins/libstrongswan-counters.so usr/lib/ipsec/plugins/libstrongswan-dnskey.so usr/lib/ipsec/plugins/libstrongswan-fips-prf.so usr/lib/ipsec/plugins/libstrongswan-gmp.so 
@@ -27,6 +28,7 @@ usr/lib/ipsec/plugins/libstrongswan-xcbc.so # config files usr/share/strongswan/templates/config/plugins/aes.conf usr/share/strongswan/templates/config/plugins/constraints.conf +usr/share/strongswan/templates/config/plugins/counters.conf usr/share/strongswan/templates/config/plugins/dnskey.conf usr/share/strongswan/templates/config/plugins/fips-prf.conf usr/share/strongswan/templates/config/plugins/gmp.conf @@ -51,6 +53,7 @@ usr/share/strongswan/templates/config/plugins/x509.conf usr/share/strongswan/templates/config/plugins/xcbc.conf etc/strongswan.d/charon/aes.conf etc/strongswan.d/charon/constraints.conf +etc/strongswan.d/charon/counters.conf etc/strongswan.d/charon/dnskey.conf etc/strongswan.d/charon/fips-prf.conf etc/strongswan.d/charon/gmp.conf diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install index 7eebe6be..7b02b0a8 100644 --- a/debian/strongswan-starter.install +++ b/debian/strongswan-starter.install @@ -21,7 +21,3 @@ usr/lib/ipsec/plugins/libstrongswan-stroke.so usr/share/strongswan/templates/config/plugins/stroke.conf etc/strongswan.d/charon/stroke.conf debian/usr.lib.ipsec.stroke /etc/apparmor.d/ -#counters -usr/lib/ipsec/plugins/libstrongswan-counters.so -usr/share/strongswan/templates/config/plugins/counters.conf -etc/strongswan.d/charon/counters.conf -- 2.14.2 signature.asc Description: PGP signature
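Review bot: in the debian/control hunk the new `counters (Provides IKE performance counters)` entry is placed in the libstrongswan plugin section, but the maintainer's reply in this bug identifies counters as a libcharon plugin that charon-systemd loads; it belongs in the libcharon description and its .so/.conf files in strongswan-libcharon's install list rather than in libstrongswan.install.

Review bot: the strongswan-starter.install hunk moves `libstrongswan-counters.so`, `counters.conf` and `etc/strongswan.d/charon/counters.conf` out of strongswan-starter into another binary package, but debian/control gains no `Breaks:`/`Replaces:` against the old strongswan-starter version; without them dpkg will refuse to unpack the new package over an installed strongswan-starter that still owns those paths ("trying to overwrite ... which is also in package").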
Bug#882431: strongswan-starter: counters plugin should be visible to strongswan-swanctl package
Package: strongswan-starter Version: 5.6.1-1 Severity: normal Dear Maintainer, Upstream strongSwan 5.6.1 introduced the counters plugin, which moved from being stroke-specific, to being shared with swanctl. FWICT Alioth commit d14d4c17 added the counters plugin to the strongswan-starter package where stroke resides. Perhaps in reaction to the upstream change - perhaps because stroke would fail without the plugin being available? Sorry for my ignorance, I no longer use strongswan-starter/stroke anywhere, and instead rely solely on charon-systemd/swanctl. As you can see from the documentation, this plugin was intended to be accessible to the strongswan-swanctl package as well. https://wiki.strongswan.org/versions/67 “The IKE event counters, previously only available via ipsec listcounters command, may now also be queried and reset via vici and the new swanctl --counters command. They are collected and provided by the optional counters plugin (enabled by default for backwards compatibility if the stroke plugin is built).” https://wiki.strongswan.org/projects/strongswan/wiki/Swanctl “The --counters command was added with 5.6.1." It would seem appropriate to move the counters plugin to the libstrongswan package (although I always get confused about libcharon vs. libstrongswan). I'd like to use this feature of swanctl to create a munin-node statistics collection script. 
-- System Information: Debian Release: 9.1 APT prefers stable APT policy: (601, 'stable'), (500, 'stable-updates'), (500, 'stable-debug') Architecture: amd64 (x86_64) Kernel: Linux 4.13.0-0.bpo.1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages strongswan-starter depends on: ii adduser3.115 ii debconf [debconf-2.0] 1.5.61 ii init-system-helpers1.48 ii libc6 2.24-11+deb9u1 ii libstrongswan 5.6.1-1.1 ii lsb-base 9.20161125 Versions of packages strongswan-starter recommends: pn strongswan-charon strongswan-starter suggests no packages. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#878172: tor_bug_occurred_(): Bug: ../src/common/compress.c:576: tor_compress_process: Non-fatal assertion !((rv == TOR_COMPRESS_OK)...
Package: tor
Version: 0.3.1.7-1~bpo9+1
Severity: normal

Dear Maintainer,

I run a tor relay/exit running on stretch and I upgraded to the stretch-backports 0.3.1.7-1~bpo9+1 version that recently became available. About every two hours the following is logged:

Oct 10 09:30:20 ghatanothoa Tor[30872]: tor_bug_occurred_(): Bug: ../src/common/compress.c:576: tor_compress_process: Non-fatal assertion !((rv == TOR_COMPRESS_OK) && *in_len == in_len_orig && *out_len == out_len_orig) failed. (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: Non-fatal assertion !((rv == TOR_COMPRESS_OK) && *in_len == in_len_orig && *out_len == out_len_orig) failed in tor_compress_process at ../src/common/compress.c:576. Stack trace: (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(log_backtrace+0x44) [0x5571c1ed4194] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(tor_bug_occurred_+0xb9) [0x5571c1eed029] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(tor_compress_process+0x135) [0x5571c1ef5fa5] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(+0x18e171) [0x5571c1ef6171] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(tor_uncompress+0x31) [0x5571c1ef6631] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(connection_dir_reached_eof+0x118c) [0x5571c1e9866c] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(+0x1089bc) [0x5571c1e709bc] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(+0x4d85e) [0x5571c1db585e] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5(event_base_loop+0x6a0) [0x7f5d4ca3a5a0] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(do_main_loop+0x29d) [0x5571c1db698d] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(tor_main+0x1c35) [0x5571c1dba4d5] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(main+0x19) [0x5571c1db2189] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1) [0x7f5d4b49c2b1] (on Tor 0.3.1.7 )
Oct 10 09:30:20 ghatanothoa Tor[30872]: Bug: /usr/bin/tor(_start+0x2a) [0x5571c1db21da] (on Tor 0.3.1.7 )
Oct 10 09:37:27 ghatanothoa Tor[30872]: Tried to establish rendezvous on non-OR circuit with purpose Acting as rendevous (pending)

It looks like upstream bug 22719: https://trac.torproject.org/projects/tor/ticket/22719

I have the same package running on several other hosts that are not relays that never see this error.

-- System Information:
Debian Release: 9.1
APT prefers stable
APT policy: (701, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tor depends on:
ii adduser 3.115
ii init-system-helpers 1.48
ii libc6 2.24-11+deb9u1
ii libevent-2.0-5 2.0.21-stable-3
ii liblzma5 5.2.2-1.2+b1
ii libseccomp2 2.3.1-2.1
ii libssl1.1 1.1.0f-3
ii libsystemd0 232-25+deb9u1
ii libzstd1 1.1.2-1
ii lsb-base 9.20161125
ii zlib1g 1:1.2.8.dfsg-5

Versions of packages tor recommends:
ii logrotate 3.11.0-0.1
ii tor-geoipdb 0.2.9.12-1
ii torsocks 2.2.0-1+deb9u1

Versions of packages tor suggests:
pn apparmor-utils
pn mixmaster
pn obfs4proxy
pn obfsproxy
pn socat
ii tor-arm 1.4.5.0-1.1
pn torbrowser-launcher

-- Configuration Files:
/etc/tor/torrc changed [not included]

-- no debconf information

-- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#866326: strongswan-swanctl: Include ‘/etc/swanctl/conf.d/*.conf’ from ‘/etc/swanctl/swanctl.conf’
On Fri, Jun 30 2017, Yves-Alexis Perez wrote: > On Fri, 2017-06-30 at 13:26 +0200, Yves-Alexis Perez wrote: >> On Wed, 2017-06-28 at 13:54 -0700, Gerald Turner wrote: >> > Attached is a patch which installs this directory and the include >> > statement via quilt patch suitable for upstreaming. >> >> Can you push that upstream directly? > Sorry, ignore this mail, I didn't see you already did that, thanks! Yes it was accepted (well rewritten actually), yay! I believe the Debian package would still need a line added to debian/strongswan-swanctl.dirs so the conf.d directory is installed: diff --git a/debian/strongswan-swanctl.dirs b/debian/strongswan-swanctl.dirs index 77d36958..b5d1f323 100644 --- a/debian/strongswan-swanctl.dirs +++ b/debian/strongswan-swanctl.dirs @@ -5,6 +5,7 @@ /etc/swanctl/private /etc/swanctl/pubkey /etc/swanctl/rsa +/etc/swanctl/conf.d /etc/swanctl/x509 /etc/swanctl/x509aa /etc/swanctl/x509ac -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
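Review bot: `/etc/swanctl/conf.d` is inserted between `rsa` and `x509`, which breaks the sorted order the rest of strongswan-swanctl.dirs keeps; place it in alphabetical position. Since the upstream-accepted change also creates the directory at `make install`, the .dirs entry is belt-and-braces, which is fine, but the changelog should mention that both exist so nobody removes one thinking the other is missing.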
Bug#866327: charon-systemd: Create AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd
On Fri, Jun 30 2017, Yves-Alexis Perez wrote: > Thanks! I've integrated your changes locally and will test a few days, > but I have a quite simple setup too. Great! > Once thing I noticed: > > juin 30 15:35:03 scapa kernel: audit: type=1400 > audit(1498829703.597:80): apparmor="DENIED" operation="open" > profile="/usr/sbin/charon-systemd" name="/proc/8865/fd/" pid=8865 > comm="charon-systemd" requested_mask="r" denied_mask="r" fsuid=0 > ouid=0 > > But it doesn't seem to prevent it to work correctly. Perhaps that originates from the function "closefrom(lowfd)" in src/libstrongswan/utils/utils.c, invoked by the function "process_start(...)" in src/libstrongswan/utils/process.c, invoked by updown, resolve, ext_auth, and eap_sim plugins. I'm not using any of those plugins. My guess is the following AppArmor profile entry would suffice: @{PROC}/@{pid}/fd/ r, -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#866325: charon-systemd: Install charon-systemd.conf
On Wed, Jun 28 2017, Gerald Turner wrote: > FYI, I opened a bug with strongSwan upstream that included the inner > quilt patch. My patch was accepted upstream verbatim and should be part of 5.5.4. So this BTS bug can be mostly ignored *except* that the Debian packaging would still need to have the two lines added to debian/charon-systemd.install: diff --git a/debian/charon-systemd.install b/debian/charon-systemd.install index 3b62aade..6ab3af8f 100644 --- a/debian/charon-systemd.install +++ b/debian/charon-systemd.install @@ -1,2 +1,4 @@ +etc/strongswan.d/charon-systemd.conf lib/systemd/system/strongswan-swanctl.service usr/sbin/charon-systemd +usr/share/strongswan/templates/config/strongswan.d/charon-systemd.conf -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
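Review bot: both added lines assume the upstream change that installs `charon-systemd.conf` is present in the tarball being built (5.5.4 per the message); against an older upstream without the quilt patch, dh_install fails on the missing `etc/strongswan.d/charon-systemd.conf`, so this hunk should land with the version bump or the quilt patch should stay in `debian/patches/series` until then. Also note that listing the file under `etc/` makes it a conffile, which is the desired behaviour and matches the other strongswan.d options.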
Bug#866326: strongswan-swanctl: Include ‘/etc/swanctl/conf.d/*.conf’ from ‘/etc/swanctl/swanctl.conf’
Control: forwarded -1 https://wiki.strongswan.org/issues/2371 FYI, I opened a bug with strongSwan upstream that included the inner quilt patch. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#866325: charon-systemd: Install charon-systemd.conf
Control: forwarded -1 https://wiki.strongswan.org/issues/2370 FYI, I opened a bug with strongSwan upstream that included the inner quilt patch. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#866324: [Pkg-swan-devel] Bug#866324: strongswan-swanctl: Install empty directories that ‘swanctl --load-all’ expects
On Wed, Jun 28 2017, Gerald Turner wrote: > On Wed, Jun 28 2017, Yves-Alexis Perez wrote: >> I don't have those logs message, because the folders actually exist >> here, so I somehow have the feeling that strongSwan actually created >> the directories itself. > > I'm not sure... I made the conversion to VICI in April, I had these > errors in my test environment for days until I wrote that patch, > unfortunately my persistent journald logs don't go back that far. I > do distinctly remember taking the time to grok the source code in > order to determine the correctness of this patch - and I don't recall > seeing any code which creates these directories. I just tested by stopping strongswan-swanctl, rmdir /etc/swanctl/ecdsa (I'm not using ECDSA certificates), and started strongswan-swanctl. The directory wasn't created. Inspecting my commit message I see that I had written “… subsystem ‘lib’, log level 1”, so you'd have to turn up charon-systemd.journal logging to see these messages. Apologies for the nearly frivolous patch, but having mode 0700 set on directories potentially containing private keys is kind of nifty ;-) (and consistent with the strongswan-starter package) -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
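The point made above, that the directories swanctl loads private keys from should be created with mode 0700 rather than left to whatever the daemon or an admin happens to create, is easy to regress on a package upgrade or a hand-built install. The following added example (not from the strongswan package or from the reporter) is a small POSIX shell audit that checks each key-holding swanctl directory against an expected mode and reports any that are missing or too open. The directory list and the 0700 default are assumptions taken from this thread (upstream's Makefile uses 750 for some of them, so the mode is a parameter); the `stat` fallback handles GNU and BSD `stat`.

```sh
#!/bin/sh
# Audit swanctl directories that can hold private keys.
# Added example, not strongswan's or the Debian package's own code.

# key_dir_ok DIR [MODE]: succeed when DIR is a directory whose permission
# bits equal MODE (default 700, i.e. no group/other access at all).
key_dir_ok() {
    dir=$1
    want=${2:-700}
    [ -d "$dir" ] || return 1
    # GNU stat prints the octal mode with -c '%a'; BSD/macOS stat with -f '%Lp'.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    [ "$mode" = "$want" ]
}

# audit_swanctl_dirs [BASE] [MODE]: check every secret-bearing directory
# under BASE (default /etc/swanctl); print offenders to stderr and return 1
# if any is missing or has a different mode.
audit_swanctl_dirs() {
    base=${1:-/etc/swanctl}
    want=${2:-700}
    rc=0
    # Directories swanctl --load-creds reads private material from
    # (assumed list, matching the .dirs entries discussed in this bug).
    for d in private rsa ecdsa pkcs8 pkcs12; do
        if ! key_dir_ok "$base/$d" "$want"; then
            echo "WARN: $base/$d missing or not mode $want" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it as root with no arguments to check the live /etc/swanctl tree, or pass a staging directory (for instance a freshly unpacked package in a chroot) as the first argument; a non-zero exit makes it usable as a post-install check.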
Bug#866324: [Pkg-swan-devel] Bug#866324: strongswan-swanctl: Install empty directories that ‘swanctl --load-all’ expects
On Wed, Jun 28 2017, Yves-Alexis Perez wrote: > On Wed, 2017-06-28 at 13:42 -0700, Gerald Turner wrote: >> Whenever strongswan-swanctl.service is started, it logs warnings like: >> >> “opening directory '/etc/swanctl/x509' failed: No such file or directory” >> >> I believe that, similar to how the strongswan-starter package >> installs empty directories that are scanned by the charon daemon >> (‘/etc/ipsec.d/cacerts’, etc.), that the strongswan-swanctl package >> should also have its dependent directories installed. >> >> This would eliminate the [harmless] log messages and also aid in >> discovery for admins setting up strongswan-swanctl for the first >> time. > > I don't have those log messages, because the folders actually exist > here, so I somehow have the feeling that strongSwan actually created > the directories itself. I'm not sure... I made the conversion to VICI in April, I had these errors in my test environment for days until I wrote that patch, unfortunately my persistent journald logs don't go back that far. I do distinctly remember taking the time to grok the source code in order to determine the correctness of this patch - and I don't recall seeing any code which creates these directories. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#866327: charon-systemd: Create AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd
Control: tags -1 + patch Attached is a patch that adapts the work Canonical had done for /usr/lib/ipsec/charon policy for /usr/sbin/charon-systemd. I've tested the swanctl (client) profile thoroughly, however the charon-systemd (daemon) profile had only been tested with relatively few plugins. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D commit b1ca98314847ef5db77983122ab855be5b6ff8b7 Author: Gerald Turner <gtur...@unzane.com> Date: Thu May 11 17:15:09 2017 -0700 Install AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd. The AppArmor profile for charon-systemd was copied from the existing profile for /usr/lib/ipsec/charon without much scrutiny other than testing basic IPsec tunnels (no fancy plugin options were tested). It appears that the team at Canonical that had written the /usr/lib/ipsec/charon policy had done extensive testing with several plugins, and it seems likely that applying the same profile to charon-systemd will allow those plugins to continue to work. The AppArmor profile for swanctl was written from scratch and well tested. It turns out that swanctl unnecessarily loads plugins by default, so a bit of frivolous access has been granted. diff --git a/debian/charon-systemd.install b/debian/charon-systemd.install index 6ab3af8f..a1424ab8 100644 --- a/debian/charon-systemd.install +++ b/debian/charon-systemd.install @@ -2,3 +2,4 @@ etc/strongswan.d/charon-systemd.conf lib/systemd/system/strongswan-swanctl.service usr/sbin/charon-systemd usr/share/strongswan/templates/config/strongswan.d/charon-systemd.conf +debian/usr.sbin.charon-systemd /etc/apparmor.d/ diff --git a/debian/rules b/debian/rules index dacdb645..184abc7c 100755 --- a/debian/rules +++ b/debian/rules 
@@ -195,6 +195,8 @@ endif dh_apparmor --profile-name=usr.lib.ipsec.charon -p strongswan-charon dh_apparmor --profile-name=usr.lib.ipsec.lookip -p libcharon-extra-plugins dh_apparmor --profile-name=usr.lib.ipsec.stroke -p strongswan-starter + dh_apparmor --profile-name=usr.sbin.swanctl -p strongswan-swanctl + dh_apparmor --profile-name=usr.sbin.charon-systemd -p charon-systemd # add additional files not covered by upstream makefile... install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets diff --git a/debian/strongswan-swanctl.install b/debian/strongswan-swanctl.install index 483b0385..561b9d5b 100644 --- a/debian/strongswan-swanctl.install +++ b/debian/strongswan-swanctl.install @@ -8,3 +8,4 @@ usr/share/man/man8/swanctl.8 usr/sbin/swanctl usr/lib/ipsec/libvici.so* usr/lib/ipsec/plugins/libstrongswan-vici.so +debian/usr.sbin.swanctl /etc/apparmor.d/ diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd new file mode 100644 index ..e1769f29 --- /dev/null +++ b/debian/usr.sbin.charon-systemd 
@@ -0,0 +1,76 @@ +# -- +# +# Copyright (C) 2016 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# Author: Jonathan Davies <jonathan.dav...@canonical.com> +# Ryan Harper <ryan.har...@canonical.com> +# +# -- + +#include + +/usr/sbin/charon-systemd flags=(complain,attach_disconnected) { + #include + #include + #include + #include + #include + + capability ipc_lock, + capability net_admin, + capability net_raw, + + # allow priv dropping (LP: #1333655) + capability chown, + capability setgid, + capability setuid, + + # libcharon-extra-plugins: xauth-pam + capability audit_write, + + # libstrongswan-standard-plugins: agent + capability dac_override, + + capability net_admin, + capability net_raw, + + network, + network raw, + + /bin/dash rmPUx, + + # libchron-extra-plugins: kernel-libipsec + /dev/net/tun rw, + + /etc/ipsec.conf r, + /etc/ipsec.secretsr, + /etc/ipsec.*.secrets r, + /etc/ipsec.d/ r, + /etc/ipsec.d/** r, + /etc/ipsec.d/crls/* rw, + /etc/opensc/opensc.conf r, + /etc/strongswan.conf r, + /etc/strongswan.d/r, + /etc/strongswan.d/** r, + /etc/tnc_config r, + + /proc/sys/net/core/xfrm_acq_expires w, + + /run/charon.* rw, + /run/pcscd/pcscd.comm rw, + + /usr/lib/ipsec/charon rmix, + /usr/lib/ipsec/imcvs/ r, + /usr/lib/ipsec/imcvs/** rm, + + /usr/lib/*/opensc-pkcs11.so rm, + + /var/lib/strongswan/* r, + + # Site-specific additions and overrides. See local/README for details. + #include +} diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl new file mo
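Review bot: in the usr.sbin.charon-systemd hunk `capability net_admin,` and `capability net_raw,` are declared twice, once near the top of the profile and again after the `dac_override` entry; drop the second pair.

Review bot: the profile header sets `flags=(complain,attach_disconnected)`, so every denial is logged and nothing is actually blocked; that is a defensible first upload given the commit message says only basic tunnels were tested, but the changelog should state that the profile ships in complain mode and the bug should track the switch to enforce once the remaining denials (such as the `/proc/<pid>/fd/` read reported elsewhere in this bug) are resolved.

Review bot: several entries were carried over from the /usr/lib/ipsec/charon profile without deciding whether charon-systemd needs them: `/etc/ipsec.conf`, `/etc/ipsec.secrets`, `/etc/ipsec.*.secrets` and `/etc/ipsec.d/**` are only read when the stroke plugin is loaded, and `/usr/lib/ipsec/charon rmix` grants execute on the other daemon's binary. If charon-systemd is meant to be driven only over vici by swanctl (which reads /etc/swanctl itself), trimming these keeps the profile to least privilege; if stroke is still supported under charon-systemd, a comment saying so would justify keeping them. Separately, the comment `libchron-extra-plugins` is a typo for libcharon-extra-plugins.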
Bug#866326: strongswan-swanctl: Include ‘/etc/swanctl/conf.d/*.conf’ from ‘/etc/swanctl/swanctl.conf’
Control: tags -1 + patch Attached is a patch which installs this directory and the include statement via quilt patch suitable for upstreaming. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D commit fc945ec8953c853d83994a88df2ea665b2a0d700 Author: Gerald Turner <gtur...@unzane.com> Date: Wed May 10 20:42:25 2017 -0700 Include ‘/etc/swanctl/conf.d/*.conf’ from ‘/etc/swanctl/swanctl.conf’. Similar to how an administrator could create files like ‘/etc/strongswan.d/99-custom-logging.conf’ or ‘/etc/strongswan.d/charon/99-kernel-netlink.conf’ rather than customizing any of the dpkg-maintained conffiles, administrators can now create files like ‘/etc/swanctl/conf.d/99-vpn.conf’, while leaving ‘/etc/swanctl/swanctl.conf’ unaltered, so that package upgrades don't prompt when local modifications are detected. Added quilt patch 06_include-swanctl-conf-d-dir.patch. diff --git a/debian/patches/06_include-swanctl-conf-d-dir.patch b/debian/patches/06_include-swanctl-conf-d-dir.patch new file mode 100644 index ..fd348c23 --- /dev/null +++ b/debian/patches/06_include-swanctl-conf-d-dir.patch 
@@ -0,0 +1,18 @@ +Index: strongswan/src/swanctl/Makefile.am +=== +--- strongswan.orig/src/swanctl/Makefile.am strongswan/src/swanctl/Makefile.am +@@ -78,3 +78,4 @@ install-data-local: swanctl.conf + test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true + test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true + test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true ++ test -e "$(DESTDIR)$(swanctldir)/conf.d" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/conf.d" || true +Index: strongswan/src/swanctl/swanctl.conf +=== +--- strongswan.orig/src/swanctl/swanctl.conf strongswan/src/swanctl/swanctl.conf +@@ -495,3 +495,4 @@ + + # } + ++include conf.d/*.conf diff --git a/debian/patches/series b/debian/patches/series index 949de693..d2cc0473 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ 03_systemd-service.patch 04_disable-libtls-tests.patch 05_install-charon-systemd-conf.patch +06_include-swanctl-conf-d-dir.patch diff --git a/debian/strongswan-swanctl.dirs b/debian/strongswan-swanctl.dirs index 77d36958..b5d1f323 100644 --- a/debian/strongswan-swanctl.dirs +++ b/debian/strongswan-swanctl.dirs @@ -5,6 +5,7 @@ /etc/swanctl/private /etc/swanctl/pubkey /etc/swanctl/rsa +/etc/swanctl/conf.d /etc/swanctl/x509 /etc/swanctl/x509aa /etc/swanctl/x509ac signature.asc Description: PGP signature
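Review bot: in the Makefile.am hunk the new `$(INSTALL) -d "$(DESTDIR)$(swanctldir)/conf.d"` omits the `-m 750` that the sibling `pkcs8` and `pkcs12` lines pass, so conf.d is created with the umask default (usually 755) while swanctl.conf itself is installed `-m 640`; fragments dropped into conf.d can carry the same `secrets` sections as swanctl.conf, so pass `-m 750` to match.

Review bot: the strongswan-swanctl.dirs hunk inserts `/etc/swanctl/conf.d` between `rsa` and `x509`, out of the alphabetical order the file otherwise keeps; move it into sorted position.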
Bug#866325: charon-systemd: Install charon-systemd.conf
Control: tags -1 + patch On Wed, Jun 28 2017, Gerald Turner wrote: > Please install this file to /etc/strongswan.d/charon-systemd.conf. Attached is a patch which installs this file via quilt patch suitable for upstreaming. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D commit f09f857f6c3fe9d4f648fbcd22603b14612b58ab Author: Gerald Turner <gtur...@unzane.com> Date: Wed May 10 16:07:00 2017 -0700 Install ‘/etc/strongswan.d/charon-systemd.conf’ with charon-systemd package. Upstream contains source ‘conf/options/charon-systemd.conf’ which is like ‘conf/options/charon-logging.conf’, however there is a bug with configure that it is not included in the install target. Added quilt patch 05_install-charon-systemd-conf.patch which fixes configure. diff --git a/debian/charon-systemd.install b/debian/charon-systemd.install index 3b62aade..6ab3af8f 100644 --- a/debian/charon-systemd.install +++ b/debian/charon-systemd.install @@ -1,2 +1,4 @@ +etc/strongswan.d/charon-systemd.conf lib/systemd/system/strongswan-swanctl.service usr/sbin/charon-systemd +usr/share/strongswan/templates/config/strongswan.d/charon-systemd.conf diff --git a/debian/patches/05_install-charon-systemd-conf.patch b/debian/patches/05_install-charon-systemd-conf.patch new file mode 100644 index ..67eb976f --- /dev/null +++ b/debian/patches/05_install-charon-systemd-conf.patch @@ -0,0 +1,10 @@ +--- a/configure.ac b/configure.ac +@@ -1724,6 +1724,7 @@ AM_COND_IF([USE_MEDSRV], [strongswan_options=${strongswan_options}" medsrv"]) + AM_COND_IF([USE_SCEPCLIENT], [strongswan_options=${strongswan_options}" scepclient"]) + AM_COND_IF([USE_PKI], [strongswan_options=${strongswan_options}" pki"]) + AM_COND_IF([USE_SWANCTL], [strongswan_options=${strongswan_options}" swanctl"]) ++AM_COND_IF([USE_SYSTEMD], [strongswan_options=${strongswan_options}" charon-systemd"]) + + AC_SUBST(strongswan_options) + 
diff --git a/debian/patches/series b/debian/patches/series index 6d7cc1df..949de693 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 01_fix-manpages.patch 03_systemd-service.patch 04_disable-libtls-tests.patch +05_install-charon-systemd-conf.patch signature.asc Description: PGP signature
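Review bot: the new quilt patch `05_install-charon-systemd-conf.patch` starts directly with `--- a/configure.ac` and carries no DEP-3 header (Description, Author, Forwarded, Bug), although the cover text calls it suitable for upstreaming; add one with a `Forwarded:` line so the maintainer can tell when the patch can be dropped. The `configure.ac` hunk itself mirrors the adjacent `AM_COND_IF([USE_SWANCTL], ...)` line, and the two new entries in debian/charon-systemd.install (the conffile under etc/ and the template under usr/share/strongswan/templates/) are both needed because the package also ships the templates tree.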
Bug#866324: strongswan-swanctl: Install empty directories that ‘swanctl --load-all’ expects
Control: tags -1 + patch Attached is a patch installs these directories. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D commit 43103f99391a5683cba327174e53986b2c8d0981 Author: Gerald Turner <gtur...@unzane.com> Date: Wed May 10 14:44:49 2017 -0700 Install empty directories that ‘swanctl --load-all’ expects. Furthermore some of these directories exist to hold private keys (read by ‘swanctl --load-creds’) and need tighter permissions (0700 instead of 0755). There is no harm if these directories do not exist, however swanctl will emit log messages (e.g. “opening directory '/etc/swanctl/x509' failed: No such file or directory” under subsystem ‘lib’, log level 1). diff --git a/debian/rules b/debian/rules index 724b684e..dacdb645 100755 --- a/debian/rules +++ b/debian/rules @@ -205,10 +205,15 @@ endif sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf - # set permissions on ipsec.secrets + # set permissions on ipsec.secrets and private key directories chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/ chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/ + chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/bliss/ + chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/ecdsa/ + chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/pkcs8/ + chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/private/ + chmod 700 -R $(CURDIR)/debian/strongswan-swanctl/etc/swanctl/rsa/ # this is handled by update-rc.d rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d 
@@ -231,7 +236,15 @@ override_dh_strip: dh_strip --dbgsym-migration='strongswan-dbg (<< 5.3.5-2~)' override_dh_fixperms: - dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d -X var/lib/strongswan + dh_fixperms \ + -X etc/ipsec.d \ + -X etc/ipsec.secrets \ + -X etc/swanctl/bliss \ + -X etc/swanctl/ecdsa \ + -X etc/swanctl/pkcs8 \ + -X etc/swanctl/private \ + -X etc/swanctl/rsa \ + -X var/lib/strongswan override_dh_makeshlibs: dh_makeshlibs -n -X usr/lib/ipsec/plugins diff --git a/debian/strongswan-swanctl.dirs b/debian/strongswan-swanctl.dirs new file mode 100644 index ..77d36958 --- /dev/null +++ b/debian/strongswan-swanctl.dirs @@ -0,0 +1,13 @@ +/etc/swanctl/bliss +/etc/swanctl/ecdsa +/etc/swanctl/pkcs12 +/etc/swanctl/pkcs8 +/etc/swanctl/private +/etc/swanctl/pubkey +/etc/swanctl/rsa +/etc/swanctl/x509 +/etc/swanctl/x509aa +/etc/swanctl/x509ac +/etc/swanctl/x509ca +/etc/swanctl/x509crl +/etc/swanctl/x509ocsp diff --git a/debian/strongswan-swanctl.lintian-overrides b/debian/strongswan-swanctl.lintian-overrides new file mode 100644 index ..0b0dad9e --- /dev/null +++ b/debian/strongswan-swanctl.lintian-overrides @@ -0,0 +1,7 @@ +# Directories containing private keys which are read by ‘swanctl --load-creds’ +# need tighter permissions +strongswan-swanctl: non-standard-dir-perm etc/swanctl/bliss/ 0700 != 0755 +strongswan-swanctl: non-standard-dir-perm etc/swanctl/ecdsa/ 0700 != 0755 +strongswan-swanctl: non-standard-dir-perm etc/swanctl/pkcs8/ 0700 != 0755 +strongswan-swanctl: non-standard-dir-perm etc/swanctl/private/ 0700 != 0755 +strongswan-swanctl: non-standard-dir-perm etc/swanctl/rsa/ 0700 != 0755 signature.asc Description: PGP signature
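Review bot: `etc/swanctl/pkcs12` is listed in the new debian/strongswan-swanctl.dirs but is missing from the `chmod 700 -R` block in debian/rules, from the `dh_fixperms -X` list and from the lintian overrides, so it ships 0755 although PKCS#12 containers hold private keys and upstream's own Makefile.am installs `pkcs8` and `pkcs12` alike with `-m 750`; add it to all three lists. The `pubkey`, `x509*` and `x509crl`/`x509ocsp` directories hold public material and can stay at the default mode.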
Bug#866325: charon-systemd: Install charon-systemd.conf
Package: charon-systemd Version: 5.5.1-4 Severity: normal Dear Maintainer, Upstream contains source ‘conf/options/charon-systemd.conf’ which is like ‘conf/options/charon-logging.conf’. Like the discoverability of strongswan-starter logging configuration that charon-logging.conf provides, this charon-systemd.conf file documents the ‘charon-systemd.journal’ configuration prefix. Please install this file to /etc/strongswan.d/charon-systemd.conf. -- System Information: Debian Release: 9.0 APT prefers stable APT policy: (601, 'stable'), (500, 'stable-debug') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages charon-systemd depends on: ii init-system-helpers 1.48 ii libc6 2.24-11+deb9u1 ii libstrongswan 5.5.1-4 ii libsystemd0 232-25 ii strongswan-libcharon 5.5.1-4 ii strongswan-swanctl5.5.1-4 charon-systemd recommends no packages. charon-systemd suggests no packages. -- no debconf information -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#866326: strongswan-swanctl: Include ‘/etc/swanctl/conf.d/*.conf’ from ‘/etc/swanctl/swanctl.conf’
Package: strongswan-swanctl Version: 5.5.1-4 Severity: normal Dear Maintainer, Similar to how an administrator could create files like ‘/etc/strongswan.d/99-custom-logging.conf’ or ‘/etc/strongswan.d/charon/99-kernel-netlink.conf’ rather than customizing any of the dpkg-maintained conffiles, administrators should be able to create files like ‘/etc/swanctl/conf.d/99-vpn.conf’, while leaving ‘/etc/swanctl/swanctl.conf’ unaltered, so that package upgrades don't prompt when local modifications are detected. -- System Information: Debian Release: 9.0 APT prefers stable APT policy: (601, 'stable'), (500, 'stable-debug') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages strongswan-swanctl depends on: ii libc6 2.24-11+deb9u1 ii libstrongswan 5.5.1-4 strongswan-swanctl recommends no packages. strongswan-swanctl suggests no packages. -- no debconf information -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#866327: charon-systemd: Create AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd
Package: charon-systemd Version: 5.5.1-4 Severity: normal Dear Maintainer, Similar to how strongswan-charon and strongswan-starter have AppArmor profiles for /usr/lib/ipsec/charon and /usr/lib/ipsec/stroke, the charon-systemd and strongswan-charon packages should have AppArmor profiles as well. -- System Information: Debian Release: 9.0 APT prefers stable APT policy: (601, 'stable'), (500, 'stable-debug') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages charon-systemd depends on: ii init-system-helpers 1.48 ii libc6 2.24-11+deb9u1 ii libstrongswan 5.5.1-4 ii libsystemd0 232-25 ii strongswan-libcharon 5.5.1-4 ii strongswan-swanctl5.5.1-4 charon-systemd recommends no packages. charon-systemd suggests no packages. -- no debconf information -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#866324: strongswan-swanctl: Install empty directories that ‘swanctl --load-all’ expects
Package: strongswan-swanctl
Version: 5.5.1-4
Severity: normal

Dear Maintainer,

Whenever strongswan-swanctl.service is started, it logs warnings like:

  “opening directory '/etc/swanctl/x509' failed: No such file or directory”

I believe that, similar to how the strongswan-starter package installs empty directories that are scanned by the charon daemon (‘/etc/ipsec.d/cacerts’, etc.), the strongswan-swanctl package should also have its dependent directories installed. This would eliminate the [harmless] log messages and also aid in discovery for admins setting up strongswan-swanctl for the first time.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (601, 'stable'), (500, 'stable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages strongswan-swanctl depends on:
ii  libc6          2.24-11+deb9u1
ii  libstrongswan  5.5.1-4

strongswan-swanctl recommends no packages.

strongswan-swanctl suggests no packages.

-- no debconf information

-- 
Gerald Turner <gtur...@unzane.com>  Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
Bug#865924: spamassassin: Use of uninitialized value in lc at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 418
Control: found -1 3.4.1-7 Control: forwarded -1 https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7303 Control: tags -1 + patch This bug had been reported upstream last year. Attached is a trivial patch which fixes the bug. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D Index: lib/Mail/SpamAssassin/Plugin/PDFInfo.pm === --- lib/Mail/SpamAssassin/Plugin/PDFInfo.pm (revision 1799831) +++ lib/Mail/SpamAssassin/Plugin/PDFInfo.pm (working copy) @@ -415,7 +415,7 @@ my $type = $p->{'type'} =~ m@/([\w\-]+)$@; my $name = $p->{'name'}; -my $cte = lc $p->get_header('content-transfer-encoding') || ''; +my $cte = lc($p->get_header('content-transfer-encoding') || ''); dbg("pdfinfo: found part, type=".($type ? $type : '')." file=".($name ? $name : '')." cte=".($cte ? $cte : '').""); signature.asc Description: PGP signature
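Review bot: the parenthesised form in the hunk is the right fix, and the reason belongs in the patch header: `lc` is a named unary operator and binds tighter than `||`, so `lc $p->get_header(...) || ''` lower-cased a possibly undefined header first (the warning at line 418) and only then applied the fallback, whereas `lc($p->get_header(...) || '')` defaults before lower-casing. Since the issue is already forwarded as upstream bug 7303, wrap this `Index:`-style diff in a debian/patches entry with a DEP-3 header (`Bug:` and `Forwarded:` pointing at that URL) so it can be dropped once a fixed upstream release is packaged.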
Bug#865924: spamassassin: Use of uninitialized value in lc at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 418
Package: spamassassin
Version: 3.4.1-6
Severity: minor

Dear Maintainer,

After upgrading from 3.4.0-6 to 3.4.1-6 (jessie to stretch) and having enabled the new PDFInfo plugin in /etc/spamassassin/v341.pre:

  # PDFInfo - Use several methods to detect a PDF file's ham/spam traits
  loadplugin Mail::SpamAssassin::Plugin::PDFInfo

spamassassin now emits the following warning a few times per day:

  spamd[19929]: Use of uninitialized value in lc at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 418.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (701, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages spamassassin depends on:
ii  adduser                                  3.115
ii  curl                                     7.52.1-5
ii  init-system-helpers                      1.48
ii  libhtml-parser-perl                      3.72-3
ii  libhttp-date-perl                        6.02-1
ii  libmail-dkim-perl                        0.40-1
ii  libnet-dns-perl                          1.07-1
ii  libnetaddr-ip-perl                       4.079+dfsg-1+b1
ii  libsocket6-perl                          0.27-1+b1
ii  libsys-hostname-long-perl                1.5-1
ii  libwww-perl                              6.15-1
ii  lsb-base                                 9.20161125
ii  perl                                     5.24.1-3
ii  perl-modules-5.24 [libarchive-tar-perl]  5.24.1-3

Versions of packages spamassassin recommends:
ii  gnupg                             2.1.18-6
ii  libio-socket-inet6-perl           2.72-2
ii  libmail-spf-perl                  2.9.0-4
ii  libperl5.24 [libsys-syslog-perl]  5.24.1-3
ii  sa-compile                        3.4.1-6
ii  spamc                             3.4.1-6

Versions of packages spamassassin suggests:
ii  libdbi-perl                          1.636-1+b1
ii  libencode-detect-perl                1.01-4+b3
ii  libgeo-ip-perl                       1.50-1+b1
ii  libio-socket-ssl-perl                2.044-1
ii  libnet-patricia-perl                 1.22-1+b3
ii  libperl5.24 [libcompress-zlib-perl]  5.24.1-3
ii  pyzor                                1:1.0.0-2
ii  razor                                1:2.85-4.2+b2

-- Configuration Files:
/etc/default/spamassassin changed [not included]
/etc/spamassassin/init.pre changed [not included]
/etc/spamassassin/local.cf changed [not included]
/etc/spamassassin/v310.pre changed [not included]
/etc/spamassassin/v320.pre changed [not included]
/etc/spamassassin/v341.pre changed [not included]

-- no debconf information

-- 
Gerald Turner <gtur...@unzane.com>  Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
Bug#864956: sogo: Please provide co-installable SOGo 2 packages
Package: sogo Version: 3.2.6-2 Severity: wishlist Dear Maintainer, Inverse seems to be committed to maintaining parallel SOGo 2 and SOGo 3 releases. Their initial v3.0.0 release announcement¹ contained the statement: “Version 2 will continue to be maintained and it is possible to run both versions 2 and 3 concurrently on the same data set to ease the transition.” For the past year and a half, just about every 3.x release had an accompanying 2.x release. The upstream code repository (now moved to github) has a v2 branch, and their build tools, and installed files, haven't diverged much. The SOPE library dependency can be shared between both versions. I attempted to create a 'sogo2' package myself, however I hit a wall with installation paths like: /usr/lib/GNUstep/WOxElemBuilders-4.9/SOGoElements.wox/SOGoElements /usr/lib/sogo/libNGCards.so.4.9.0 I've considered pursuing this further, possibly hacking on the SOGo configure script to rename some of these paths, but first I wanted to get an idea if this is at all feasible by opening this bug report. 
¹ https://sogo.nu/news/2016/article/sogo-v300-released.html -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (701, 'testing'), (500, 'testing-updates') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages sogo depends on: ii adduser 3.115 ii init-system-helpers 1.48 ii libc62.24-11 ii libcurl3-gnutls 7.52.1-5 ii libgcc1 1:6.3.0-18 ii libglib2.0-0 2.50.3-2 ii libgnustep-base1.24 1.24.9-3.1 ii libgnutls30 3.5.8-5+deb9u1 ii liblasso32.5.0-5+b1 ii libmemcached11 1.0.18-4.1 ii libobjc4 6.3.0-18 ii libsbjson2.3 2.3.2-3 ii libsope1 3.2.6-1 ii lsb-base 9.20161125 ii sogo-common 3.2.6-2 ii systemd 232-25 ii tmpreaper1.6.13+nmu1+b2 ii zip 3.0-11+b1 Versions of packages sogo recommends: ii memcached 1.4.33-1 Versions of packages sogo suggests: ii postgresql 9.6+181 -- Configuration Files: /etc/cron.d/sogo [Errno 13] Permission denied: '/etc/cron.d/sogo' /etc/default/sogo changed [not included] /etc/sogo/sogo.conf [Errno 13] Permission denied: '/etc/sogo/sogo.conf' -- no debconf information -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#834015: phpldapadmin: fails to install: ln: failed to create symbolic link '/etc/apache2/conf-available/phpldapadmin.conf': No such file or directory
Control: tags -1 + patch

Dear Maintainer,

In preparation for upgrading several hosts from jessie to stretch, my colleague and I discovered that phpldapadmin was removed from stretch due to this bug.

Attached is a trivial one-line patch that solves the piuparts postinst failure by ensuring path /etc/apache2/mods-available is installed by the package. I verified that this is what other 'a2enconf' style packages are doing. I've also verified that piuparts is successful (but there's a caveat¹).

¹ Caveat: piuparts now fails for another reason, but I believe it's a problem with php7.0. I ran piuparts on phpmyadmin and had the same results. Output:

  0m55.8s ERROR: FAIL: Package purging left files on system:
    /var/lib/php/                                              owned by: php-common
    /var/lib/php/modules/                                      owned by: php-common
    /var/lib/php/modules/7.0/                                  not owned
    /var/lib/php/modules/7.0/apache2/                          not owned
    /var/lib/php/modules/7.0/apache2/enabled_by_maint/         not owned
    /var/lib/php/modules/7.0/apache2/enabled_by_maint/calendar not owned
    ...

-- 
Gerald Turner <gtur...@unzane.com>  Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

From 5baf2008b598c929be011d4f4b76698583f8a72a Mon Sep 17 00:00:00 2001
From: Gerald Turner <gtur...@unzane.com>
Date: Thu, 15 Jun 2017 10:53:14 -0700
Subject: [PATCH] Install /etc/apache2/conf-available directory so postinst does not fail (Closes: #834015)

---
 debian/dirs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/dirs b/debian/dirs index 55fe3fb..5d3ea56 100644 --- a/debian/dirs +++ b/debian/dirs @@ -5,3 +5,4 @@ etc/phpldapadmin etc/phpldapadmin/templates etc/phpldapadmin/templates/creation etc/phpldapadmin/templates/modification +etc/apache2/conf-available -- 2.11.0
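Review bot: the debian/dirs hunk adds `etc/apache2/conf-available`, whereas the cover text says the patch installs `/etc/apache2/mods-available`; the hunk is the correct one, since it matches the path in the failing `ln` call quoted in the bug title, so the description is what needs fixing. Two smaller points: keep debian/dirs sorted (the new entry belongs before the `etc/phpldapadmin` lines rather than appended), and note that phpldapadmin now owns a directory under /etc/apache2 even when apache2 is not installed, which is the trade-off the other a2enconf-style packages mentioned in the cover text already make.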
Bug#859179: thunderbird: Merge gpg and gpg2 AppArmor subprofiles
Control: reopen -1 Control: found -1 1:52.1.1-1 On Tue, Jun 13 2017, Gerald Turner wrote: > Was this bug really fixed in 1:52.1.1-1? > > The debian/changelog mentions: > > * [5d5392b] apparmor/usr.bin.thunderbird: update for version 52 > (cherry-picked from upstream) > (Closes: #859179) > > However commit 5d5392b doesn't have anything to do with enigmail/gnupg > (although it does indeed update the apparmor profile). > > The debian/apparmor/usr.bin.thunderbird file in the debian/sid > (9ebc11d) branch and debian/1%52.1.1-1 tag still have the old/broken > gpg/gpg2 split. In addition to checking the gbp repository, I had a look at the thunderbird_52.1.1-1_amd64.deb package in experimental, and it's not fixed. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#859179: thunderbird: Merge gpg and gpg2 AppArmor subprofiles
Package: thunderbird
Version: 1:45.8.0-3
Followup-For: Bug #859179

Was this bug really fixed in 1:52.1.1-1?

The debian/changelog mentions:

  * [5d5392b] apparmor/usr.bin.thunderbird: update for version 52
    (cherry-picked from upstream) (Closes: #859179)

However commit 5d5392b doesn't have anything to do with enigmail/gnupg (although it does indeed update the apparmor profile).

The debian/apparmor/usr.bin.thunderbird file in the debian/sid (9ebc11d) branch and debian/1%52.1.1-1 tag still have the old/broken gpg/gpg2 split.

FWIW today I upgraded a system from jessie to stretch; this system has apparmor enabled, and I use the enigmail add-on. Enigmail is no longer able to verify signatures, and apparmor denials are logged like:

  audit: type=1400 audit(1497376491.671:74): apparmor="DENIED" operation="open" profile="thunderbird//gpg" name="/tmp/data.sig" pid=18767 comm="gpg2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

I fixed it by locally modifying /etc/apparmor.d/usr.bin.thunderbird, but unlike Felix Geyer's suggestion of merging gpg/gpg2 sub-profiles, I simply mapped /usr/bin/gpg to the "gpg2" sub-profile, and mapped /usr/bin/gpg1 to the [renamed] "gpg1" sub-profile. Then I discovered another denial about gpg2 trying to map /usr/bin/gpgconf:

  audit: type=1400 audit(1497389311.854:178): apparmor="DENIED" operation="file_mmap" profile="thunderbird//gpg2" name="/usr/bin/gpgconf" pid=3820 comm="gpgconf" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=0

So I added an additional "/usr/bin/gpgconf mr," rule to the "gpg2" profile. I believe Felix's patch is missing this last piece.

After getting thunderbird/enigmail/gnupg to work locally, I gbp cloned https://anonscm.debian.org/cgit/pkg-mozilla/icedove.git and prepared the attached patch. Luckily I found this existing bug while running reportbug :)

-- 
Gerald Turner <gtur...@unzane.com>  Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
From 6f5f9f3bcf01e304092f07210e4ca437545de2aa Mon Sep 17 00:00:00 2001 From: Gerald Turner <gtur...@unzane.com> Date: Tue, 13 Jun 2017 16:11:21 -0700 Subject: [PATCH] Modify thunderbird apparmor profile so that enigmail add-on may work with gnupg since the transition to "modern" GnuPG (gnupg 2.1.11-7+exp1): /usr/bin/gpg is part of thunderbird's "gpg2" profile, /usr/bin/gpg1 is part of [renamed] "gpg1" profile, and allow execution of /usr/bin/gpgconf by "gpg2" profile; --- debian/apparmor/usr.bin.thunderbird | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/debian/apparmor/usr.bin.thunderbird b/debian/apparmor/usr.bin.thunderbird index 7cd064717b..272b54b8de 100644 --- a/debian/apparmor/usr.bin.thunderbird +++ b/debian/apparmor/usr.bin.thunderbird @@ -191,9 +191,9 @@ profile thunderbird /usr/lib/thunderbird/thunderbird { /bin/uname Uxr, /usr/bin/locale Uxr, - /usr/bin/gpg Cx -> gpg, + /usr/bin/gpg1 Cx -> gpg1, - profile gpg { + profile gpg1 { #include # Required to import keys from keyservers @@ -210,7 +210,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird { # LDAP key servers /etc/ldap/ldap.conf r, -/usr/bin/gpg mr, +/usr/bin/gpg1 mr, /usr/lib/gnupg/gpgkeys_* ix, owner @{HOME}/.gnupg r, owner @{HOME}/.gnupg/gpg.conf r, @@ -232,7 +232,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird { /usr/share/sounds/** r, } - /usr/bin/gpg2 Cx -> gpg2, + /usr/bin/gpg Cx -> gpg2, /usr/bin/gpgconf Cx -> gpg2, /usr/bin/gpg-connect-agent Cx -> gpg2, @@ -268,7 +268,7 @@ profile thunderbird /usr/lib/thunderbird/thunderbird { owner @{HOME}/.gnupg/S.gpg-agent rw, owner @{HOME}/.gnupg/S.dirmngr rw, -/usr/bin/gpg2 mr, +/usr/bin/gpg mr, owner @{HOME}/.gnupg/ rw, owner @{HOME}/.gnupg/gpg.conf r, owner @{HOME}/.gnupg/random_seed rwk, 
@@ -283,6 +283,8 @@ profile thunderbird /usr/lib/thunderbird/thunderbird { owner @{HOME}/** r, owner @{PROC}/@{pids}/mountinfo r, +/usr/bin/gpgconf mr, + # for inline pgp owner /tmp/encfile rw, owner /tmp/encfile-[0-9]* rw, -- 2.11.0 signature.asc Description: PGP signature
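Review bot: the path swap in the first and fourth hunks (`/usr/bin/gpg1 Cx -> gpg1` replacing `/usr/bin/gpg Cx -> gpg`, and `/usr/bin/gpg Cx -> gpg2` replacing `/usr/bin/gpg2 Cx -> gpg2`) assumes `/usr/bin/gpg` is always the 2.x binary; on a system where the gnupg 1.x package still provides `/usr/bin/gpg`, that binary is now confined by the `gpg2` subprofile, which lacks the `/usr/lib/gnupg/gpgkeys_* ix,` and LDAP rules kept in `gpg1`, so the change should be tied to the gnupg version the commit message names (2.1.11-7+exp1) through a versioned relationship or a note in debian/changelog. The `/usr/bin/gpgconf mr,` added in the last hunk is consistent with the existing `/usr/bin/gpgconf Cx -> gpg2,` transition in the parent profile and is the piece the second audit denial in the report asks for.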
Bug#864257: python3-sleekxmpp: TLS certificate verification fails
Control: tags -1 + patch Attached is a patch that adds quilt patch 003-fix_tls_date_check.patch which removes two-digit-year variants from certificate validity date decoding. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D commit 90189c8c64a6e7ccd967b244b2d5639600f4edc8 Author: Gerald Turner <gtur...@unzane.com> Date: Mon Jun 5 12:22:29 2017 -0700 Added patch 003-fix_tls_date_check.patch which removes two-digit-year variants from certificate validity date decoding (Closes: #864257) diff --git a/debian/patches/003-fix_tls_date_check.patch b/debian/patches/003-fix_tls_date_check.patch new file mode 100644 index 000..2f873d1 --- /dev/null +++ b/debian/patches/003-fix_tls_date_check.patch @@ -0,0 +1,32 @@ +Description: Remove two-digit-year variants from certificate validity date + decoding. +Author: Gerald Turner <gtur...@unzane.com> +Bug-Debian: https://bugs.debian.org/864257 +Forwarded: no +Last-Update: 2017-06-05 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/sleekxmpp/xmlstream/cert.py b/sleekxmpp/xmlstream/cert.py +@@ -108,19 +108,11 @@ def extract_dates(raw_cert): + + not_before = validity.getComponentByName('notBefore') + not_before = str(not_before.getComponent()) ++not_before = datetime.strptime(not_before, '%Y%m%d%H%M%SZ') + + not_after = validity.getComponentByName('notAfter') + not_after = str(not_after.getComponent()) +- +-if isinstance(not_before, GeneralizedTime): +-not_before = datetime.strptime(not_before, '%Y%m%d%H%M%SZ') +-else: +-not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ') +- +-if isinstance(not_after, GeneralizedTime): +-not_after = datetime.strptime(not_after, '%Y%m%d%H%M%SZ') +-else: +-not_after = datetime.strptime(not_after, '%y%m%d%H%M%SZ') ++not_after = datetime.strptime(not_after, '%Y%m%d%H%M%SZ') + + return not_before, not_after + 
diff --git a/debian/patches/series b/debian/patches/series index 37acb6c..840f2a1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ CVE-2017-5591.patch 0001-get-rid-of-embedded-copies-dateutil-gnupg-ordereddic.patch 002-fix_tls_version_check.patch +003-fix_tls_date_check.patch signature.asc Description: PGP signature
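Review bot: removing the `%y` branch in the cert.py hunk trades one failure for another. RFC 5280 section 4.1.2.5 requires validity dates through 2049 to be encoded as UTCTime, whose value is `YYMMDDHHMMSSZ` with a two-digit year, and `str()` of a pyasn1 UTCTime yields that raw string, so with this patch every compliant certificate expiring before 2050 raises `ValueError` on `%Y`. The real defect, as the report's own analysis of extract_dates points out, is that `str()` is applied before the `isinstance(..., GeneralizedTime)` test; test the type of `validity.getComponentByName('notBefore').getComponent()` first and only then stringify, using `%Y%m%d%H%M%SZ` for GeneralizedTime and `%y%m%d%H%M%SZ` (with RFC 5280's pivot at 50) for UTCTime. The DEP-3 header still says `Forwarded: no`; this should go upstream in either form.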
Bug#864257: python3-sleekxmpp: TLS certificate verification fails
fy(self._expected_server_name, self._der_cert)
  File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/cert.py", line 141, in verify
    not_before, not_after = extract_dates(raw_cert)
  File "/usr/lib/python3/dist-packages/sleekxmpp/xmlstream/cert.py", line 118, in extract_dates
    not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ')
  File "/usr/lib/python3.5/_strptime.py", line 510, in _strptime_datetime
    tt, fraction = _strptime(data_string, format)
  File "/usr/lib/python3.5/_strptime.py", line 343, in _strptime
    (data_string, format))
ValueError: time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'
DEBUG    reconnecting...
DEBUG    Event triggered: session_end
DEBUG    SEND (IMMED):
INFO     Waiting for  from server
DEBUG    Event triggered: disconnected
DEBUG    TRANSITION connected -> disconnected
DEBUG    connecting...
DEBUG    Waiting 2.238069225097097 seconds before connecting.
...

The "ValueError: time data '20140407172700Z' does not match format '%y%m%d%H%M%SZ'" exception shows that sleekxmpp is expecting a two digit year rather than a four digit year.

Further inspection of the extract_dates function in xmlstream/cert.py reveals some programming mistakes:

  def extract_dates(raw_cert):
      if not HAVE_PYASN1:
          log.warning("Could not find pyasn1 and pyasn1_modules. " + \
                      "SSL certificate expiration COULD NOT BE VERIFIED.")
          return None, None

      cert = decoder.decode(raw_cert, asn1Spec=Certificate())[0]
      tbs = cert.getComponentByName('tbsCertificate')
      validity = tbs.getComponentByName('validity')

      not_before = validity.getComponentByName('notBefore')
①     not_before = str(not_before.getComponent())

      not_after = validity.getComponentByName('notAfter')
①     not_after = str(not_after.getComponent())

②     if isinstance(not_before, GeneralizedTime):
          not_before = datetime.strptime(not_before, '%Y%m%d%H%M%SZ')
      else:
③         not_before = datetime.strptime(not_before, '%y%m%d%H%M%SZ')

②     if isinstance(not_after, GeneralizedTime):
          not_after = datetime.strptime(not_after, '%Y%m%d%H%M%SZ')
      else:
③         not_after = datetime.strptime(not_after, '%y%m%d%H%M%SZ')

      return not_before, not_after

At ①, the use of str() causes the isinstance() test at ② to always be False, resulting in strptime() calls at ③ which use %y instead of %Y and throw ValueError. It looks like this was for some compatibility with ancient versions of pyasn1.

-- System Information:
Debian Release: 9.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-sleekxmpp depends on:
ii  python3                 3.5.3-1
ii  python3-dnspython       1.15.0-1
ii  python3-pyasn1          0.1.9-2
ii  python3-pyasn1-modules  0.0.7-0.1

Versions of packages python3-sleekxmpp recommends:
ii  python3-dateutil  2.5.3-2
ii  python3-gnupg     0.3.9-1
ii  python3-socks     1.6.5-1

python3-sleekxmpp suggests no packages.

-- no debconf information

-- 
Gerald Turner <gtur...@unzane.com>  Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
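The traceback above comes from choosing the date format after str() has already discarded the ASN.1 type. As an added example (standard library only, not sleekxmpp code), the same extraction is done here by DER tag, with RFC 5280's two-digit-year pivot, on a constructed Validity that mixes one UTCTime and one GeneralizedTime:

```python
"""Decode X.509 validity times by ASN.1 tag rather than by their string form.

Added example for this bug report; it is not sleekxmpp code and needs only the
standard library. RFC 5280 section 4.1.2.5: dates through 2049 are encoded as
UTCTime (YYMMDDHHMMSSZ, two-digit year), 2050 and later as GeneralizedTime
(YYYYMMDDHHMMSSZ). Deciding the format from the DER tag handles both.
"""
from datetime import datetime, timezone

TAG_SEQUENCE = 0x30
TAG_UTC_TIME = 0x17
TAG_GENERALIZED_TIME = 0x18


def _read_tlv(der, offset=0):
    """Return (tag, value, next_offset) for one DER element; handles long-form lengths."""
    tag = der[offset]
    length = der[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(der[pos:pos + count], "big")
        pos += count
    return tag, der[pos:pos + length], pos + length


def decode_asn1_time(tag, value):
    """Convert a UTCTime or GeneralizedTime value to an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == TAG_UTC_TIME:
        parsed = datetime.strptime(text, "%y%m%d%H%M%SZ")
        # strptime pivots two-digit years at 69; RFC 5280 pivots at 50
        # (YY >= 50 means 19YY, otherwise 20YY), so set the year explicitly.
        yy = int(text[:2])
        parsed = parsed.replace(year=1900 + yy if yy >= 50 else 2000 + yy)
    elif tag == TAG_GENERALIZED_TIME:
        parsed = datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("unexpected ASN.1 time tag 0x%02x" % tag)
    return parsed.replace(tzinfo=timezone.utc)


def extract_dates(validity_der):
    """Parse a DER Validity SEQUENCE { notBefore Time, notAfter Time }."""
    tag, body, _ = _read_tlv(validity_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    nb_tag, nb_value, offset = _read_tlv(body)
    na_tag, na_value, _ = _read_tlv(body, offset)
    return decode_asn1_time(nb_tag, nb_value), decode_asn1_time(na_tag, na_value)


def is_valid_at(validity_der, when_iso):
    """True if the ISO-8601 timestamp lies inside [notBefore, notAfter]."""
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    not_before, not_after = extract_dates(validity_der)
    return not_before <= when <= not_after


def _der(tag, payload):
    """Encode one short-form DER element (payload shorter than 128 bytes)."""
    return bytes([tag, len(payload)]) + payload


# Constructed sample: a compliant pre-2050 notBefore as UTCTime and a
# notAfter in 2050 as GeneralizedTime, the mix a single strptime format cannot parse.
SAMPLE_VALIDITY = _der(TAG_SEQUENCE,
                       _der(TAG_UTC_TIME, b"140407172700Z")
                       + _der(TAG_GENERALIZED_TIME, b"20500101000000Z"))

if __name__ == "__main__":
    nb, na = extract_dates(SAMPLE_VALIDITY)
    print("notBefore", nb.isoformat(), "notAfter", na.isoformat())
    print("valid on 2020-01-01:", is_valid_at(SAMPLE_VALIDITY, "2020-01-01T00:00:00+00:00"))
```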
Bug#826883: stunnel4: Please provide systemd unit file
For quite some time I've had a laptop, running stretch, with stunnel4 installed, with a single /etc/stunnel/foo.conf file, and after network changes (switch WiFi network, fix broken DNS, etc.), I've found that 'systemctl restart stunnel4.service' doesn't actually restart the stunnel4 process, and that I have to resort to manual 'killall -9 stunnel4'. Today I decided to look at the state of stunnel and systemd, and I am now running a setup that works quite well, utilizing systemd socket activation introduced in stunnel 5.05. Server is running jessie, with stunnel4 3:5.30-1~bpo8+1 jessie-backports package, and systemd 215-17+deb8u6 jessie packages. Clients are running stretch, with stunnel4 3:5.39-2 and systemd 232-22. Each host has two services defined in /etc/stunnel/stunnel.conf, thus the stunnel4.socket unit has two ListenStream= directives that match the the 'accept' parameters in the stunnel.conf. Initially I had thought this setup wouldn't work, I had been worried that stunnel's systemd socket activation would behave exactly like inetd activation, wherein the stunnel manual explains that INETD MODE is basically one-stunnel-daemon-per-port and cannot distinguish multiple services in a single configuration. However after review of the source code and some experimentation I found this is not the case. The stunnel daemon will enumerate the services defined in it's config and verify that an equal number of FD's have been passed via sd_listen_fds. However there is a caveat that the order of service declaration has to match the order of ListenStream= directives, but luckily according to sd_listen_fds(3) "If a daemon receives more than one file descriptor, they will be passed in the same order as configured in the systemd socket unit file". I love it! stunnel now starts on-demand, rather than at boot up, and should the need to restart ever arise, 'systemctl stop stunnel4.service' is reliable. Furthermore, I added various systemd hardening directives. 
Attached are the socket and service files.

-- Gerald Turner <gtur...@unzane.com>
Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

stunnel4.socket:

[Unit]
Description=TLS tunnel for network daemons server socket

[Socket]
ListenStream=53128
ListenStream=58118
NoDelay=yes

[Install]
WantedBy=sockets.target

stunnel4.service:

[Unit]
Description=TLS tunnel for network daemons
After=network.target syslog.target

[Service]
Type=forking
ExecStart=/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes

[Install]
WantedBy=multi-user.target
Also=stunnel4.socket
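An added example (my own, not code from the bug report or from stunnel) that mechanises the check the report describes: it parses a stunnel.conf and the stunnel4.socket unit and verifies that the accept= services and the ListenStream= directives agree in count and in order, which is the sd_listen_fds caveat. The sample stunnel.conf and its service names are constructed; only the two ports come from the attached socket unit.

```python
"""Check that a stunnel.conf and its systemd .socket unit line up: same number
of listeners, in the same order, since stunnel pairs the descriptors passed by
sd_listen_fds() with its services by position (the report's caveat)."""
import re
from typing import List, Tuple


def _port_of(spec: str) -> int:
    """Extract the port from '53128', '0.0.0.0:53128' or '[::]:53128'."""
    return int(spec.rsplit(':', 1)[-1].strip('[]'))


def stunnel_services(conf: str) -> List[Tuple[str, int]]:
    """(service name, accept port) for every [section] that has an accept=
    line, in declaration order, i.e. the order stunnel assigns descriptors."""
    services = []
    section = None
    for raw in conf.splitlines():
        line = raw.split(';', 1)[0].strip()       # ';' begins a comment
        if not line:
            continue
        match = re.fullmatch(r'\[(.+)\]', line)
        if match:
            section = match.group(1).strip()
            continue
        if section is None:                       # global options, no accept=
            continue
        key, _, value = line.partition('=')
        if key.strip() == 'accept':
            services.append((section, _port_of(value.strip())))
    return services


def socket_listeners(unit: str) -> List[int]:
    """Ports of the ListenStream= lines in the [Socket] section, in file order,
    which is the order systemd passes the descriptors (sd_listen_fds(3))."""
    ports = []
    in_socket = False
    for raw in unit.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('['):
            in_socket = line == '[Socket]'
            continue
        if in_socket:
            key, _, value = line.partition('=')
            if key.strip() == 'ListenStream':
                ports.append(_port_of(value.strip()))
    return ports


def check_alignment(conf: str, unit: str) -> List[str]:
    """Return a list of problems; an empty list means the two files agree."""
    services = stunnel_services(conf)
    listeners = socket_listeners(unit)
    problems = []
    if len(services) != len(listeners):
        problems.append(
            f"{len(services)} accept= service(s) but {len(listeners)} "
            f"ListenStream= directive(s): stunnel expects the counts to match")
    for idx, ((name, port), lport) in enumerate(zip(services, listeners)):
        if port != lport:
            problems.append(
                f"fd #{idx}: service [{name}] accepts {port} but ListenStream= "
                f"directive {idx + 1} listens on {lport}")
    return problems


# Constructed sample inputs; the service names and connect targets are
# hypothetical, only the ports (53128, 58118) come from the report's unit.
SAMPLE_CONF = """\
; constructed stunnel.conf, not the reporter's real one
setuid = stunnel4
setgid = stunnel4

[imaps]
accept = 53128
connect = 127.0.0.1:143

[smtps]
accept = 0.0.0.0:58118
connect = 127.0.0.1:25
"""

GOOD_SOCKET = """\
[Unit]
Description=TLS tunnel for network daemons server socket

[Socket]
ListenStream=53128
ListenStream=58118
NoDelay=yes

[Install]
WantedBy=sockets.target
"""

# Same ports, wrong order: stunnel would hand the smtps service the
# descriptor bound to 53128 and the imaps service the one bound to 58118.
SWAPPED_SOCKET = GOOD_SOCKET.replace(
    "ListenStream=53128\nListenStream=58118",
    "ListenStream=58118\nListenStream=53128")


if __name__ == "__main__":
    for label, unit in (("good", GOOD_SOCKET), ("swapped", SWAPPED_SOCKET)):
        print(label, check_alignment(SAMPLE_CONF, unit) or ["ok"])
```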
Bug#861037: [Pkg-swan-devel] Bug#861037: [PATCH 00/12] New upstream release 5.5.2
On Fri, Apr 28 2017, Yves-Alexis Perez wrote:
> On Sun, 2017-04-23 at 15:34 -0700, Gerald Turner wrote:
>> Let me know if it would be at all helpful to run a publicly
>> accessible git repository (pull request rather than patches), I've
>> been using gitolite3 with private SSH access, but attaching some
>> read-only HTTPS front-end has been on my TODO list forever.
>
> Thanks for your patch series but actually I already did this not that
> long ago, I just didn't push the work yet.

Great! This shall be interesting - rebasing my private gbp repo with your changes at alioth - looking forward to learning a new git workflow ;-)

Among the flurry of BTS mail I triggered last Sunday, did you happen to catch my offers to:

1. Work on debian/copyright until it's near-perfect (I'm confident the work I did on the 5.5.1->5.5.2 delta is correct, but while working on that I noticed inconsistencies since older releases, which I mostly ignored). I had done something similar with hostapd/wpa_supplicant a few years ago with guidance from Stefan Lippers-Hollmann.

2. Create separate packages per plugin (with extra attention paid to Depends, Recommends, Suggests fields), at a minimum create separate attr-sql/sqlite/mysql plugin packages (bug #718302), or maximally create a separate package for every plugin, or something in between. Ultimately enabling additional plugins that myself and several other users have been requesting.

BTW, the BTS seems to have dropped PATCH 01/12, not that this matters anymore, but I'm curious about what limitations the BTS has on message size, etc. (it was the giant 'gbp import-orig' patch).
Bug#861037: [PATCH 10/12] Enabled newhope plugin and dependent sha3 plugin (closed: #861036)
--- debian/control | 2 ++ debian/libstrongswan-extra-plugins.install | 6 ++ debian/rules | 2 ++ 3 files changed, 10 insertions(+) diff --git a/debian/control b/debian/control index ac9324c1..b807870d 100644 --- a/debian/control +++ b/debian/control @@ -152,11 +152,13 @@ Description: strongSwan utility and crypto library (extra plugins) - ldap (LDAP fetching plugin based on libldap) - mgf1 (MGF1 mask generation function) - mysql (MySQL database backend based on libmysqlclient) + - newhope (Key exchange based on post-quantum computer New Hope algorithm) - ntru (Key exchange based on post-quantum computer NTRU encryption) - padlock (VIA padlock crypto backend, provides AES128/SHA1) - pkcs11 (PKCS#11 smartcard backend) - rdrand (High quality / high performance random source using the Intel rdrand instruction found on Ivy Bridge processors) + - sha3 (SHA3_224/SHA3_256/SHA3_384/SHA3_512 hasher software implementation) - sqlite (SQLite database backend based on libsqlite3) - test-vectors (Set of test vectors for various algorithms) diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install index 591b3c1d..ca6d4374 100644 --- a/debian/libstrongswan-extra-plugins.install +++ b/debian/libstrongswan-extra-plugins.install @@ -9,8 +9,10 @@ usr/lib/ipsec/plugins/libstrongswan-gcrypt.so usr/lib/ipsec/plugins/libstrongswan-ldap.so usr/lib/ipsec/plugins/libstrongswan-mgf1.so usr/lib/ipsec/plugins/libstrongswan-mysql.so +usr/lib/ipsec/plugins/libstrongswan-newhope.so usr/lib/ipsec/plugins/libstrongswan-ntru.so usr/lib/ipsec/plugins/libstrongswan-pkcs11.so +usr/lib/ipsec/plugins/libstrongswan-sha3.so usr/lib/ipsec/plugins/libstrongswan-sqlite.so usr/lib/ipsec/plugins/libstrongswan-test-vectors.so usr/lib/ipsec/plugins/libstrongswan-unbound.so 
@@ -25,8 +27,10 @@ usr/share/strongswan/templates/config/plugins/gcrypt.conf usr/share/strongswan/templates/config/plugins/ldap.conf usr/share/strongswan/templates/config/plugins/mgf1.conf usr/share/strongswan/templates/config/plugins/mysql.conf +usr/share/strongswan/templates/config/plugins/newhope.conf usr/share/strongswan/templates/config/plugins/ntru.conf usr/share/strongswan/templates/config/plugins/pkcs11.conf +usr/share/strongswan/templates/config/plugins/sha3.conf usr/share/strongswan/templates/config/plugins/sqlite.conf usr/share/strongswan/templates/config/plugins/test-vectors.conf usr/share/strongswan/templates/config/plugins/unbound.conf @@ -42,8 +46,10 @@ etc/strongswan.d/charon/gcrypt.conf etc/strongswan.d/charon/ldap.conf etc/strongswan.d/charon/mgf1.conf etc/strongswan.d/charon/mysql.conf +etc/strongswan.d/charon/newhope.conf etc/strongswan.d/charon/ntru.conf etc/strongswan.d/charon/pkcs11.conf +etc/strongswan.d/charon/sha3.conf etc/strongswan.d/charon/sqlite.conf etc/strongswan.d/charon/test-vectors.conf etc/strongswan.d/charon/unbound.conf diff --git a/debian/rules b/debian/rules index ec0860e8..8c712d87 100755 --- a/debian/rules +++ b/debian/rules @@ -34,9 +34,11 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-lookip \ --enable-mediation \ --enable-mysql \ + --enable-newhope \ --enable-ntru \ --enable-openssl \ --enable-pkcs11 \ + --enable-sha3 \ --enable-sqlite \ --enable-test-vectors \ --enable-unbound \ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
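Review bot: the subject's "(closed: #861036)" is not the form the Debian tooling parses; write "Closes: #861036" as the PATCH 12 changelog does for the other bugs (the same applies to PATCH 09's "(closed #814927)"), and keep the subjects in one tense ("Enabled" here, "Enable" in PATCH 06). The three hunks themselves are consistent: newhope and sha3 are inserted in alphabetical position in the control description, both install lists and the --enable list, so nothing else is needed beyond the bookkeeping.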
Bug#861037: [PATCH 12/12] Release strongSwan 5.5.2-0.1
--- debian/changelog | 24 1 file changed, 24 insertions(+) diff --git a/debian/changelog b/debian/changelog index 19b136fc..1ad38a74 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,27 @@ +strongswan (5.5.2-0.1) unstable; urgency=medium + + * New upstream version 5.5.2 + * Refresh 03_systemd-service.patch against 5.5.2 release + * Updated debian/copyright by manually inspecting the diff between +upstream 5.5.1 and 5.5.2 releases and additionally fixed a few cases +where the copyright data had been incorrect since package version +5.5.1-3 and earlier + * Upstream 5.5.2 introduced libtpmtss.so support library which is built +by default and required by the new tpm plugin, install with +libcharon-extra-plugins package, note however that the tpm plugin is +not being built. + * Upstream 5.5.2 introduced curve25519 which is being built by default, +install with libstrongswan package. + * Enable dnscert, ipseckey, and unbound plugins (closes: #718298) + * Enabled attr-sql, mysql, and sqlite plugins (closes: #718302) + * Enabled bliss and ntru plugins and dependent mgf1 plugin +(closes: #803787) + * Enabled chapoly plugin (closes: #814927) + * Enabled newhope plugin and dependent sha3 plugin + * Enabled bypass-lan, files, and forecast plugins + + -- Gerald Turner <gtur...@unzane.com> Thu, 20 Apr 2017 11:24:03 -0700 + strongswan (5.5.1-3) unstable; urgency=medium [ Christian Ehrhardt ] -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
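Review bot: the entry "* Enabled newhope plugin and dependent sha3 plugin" carries no bug reference although #861036 (Enable newhope plugin) is part of this series; add "(closes: #861036)" so the upload closes it. Two smaller points in the same hunk: "Enable dnscert, ipseckey, and unbound plugins" sits among "Enabled ..." entries, and a 5.5.2-0.1 version is NMU-style, so the entry should open with the usual "* Non-maintainer upload." line or be renumbered if it is meant as a maintainer upload.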
Bug#861037: [PATCH 09/12] Enabled chapoly plugin (closed #814927)
--- debian/control | 1 + debian/libstrongswan-extra-plugins.install | 3 +++ debian/rules | 1 + 3 files changed, 5 insertions(+) diff --git a/debian/control b/debian/control index a7d84fd7..ac9324c1 100644 --- a/debian/control +++ b/debian/control @@ -143,6 +143,7 @@ Description: strongSwan utility and crypto library (extra plugins) - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer signature scheme) - ccm (CCM cipher mode wrapper) + - chapoly (ChaCha20/Poly1305 AEAD implementation) - cmac (CMAC cipher mode wrapper) - ctr (CTR cipher mode wrapper) - curl (libcurl based HTTP/FTP fetcher) diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install index 6bd32976..591b3c1d 100644 --- a/debian/libstrongswan-extra-plugins.install +++ b/debian/libstrongswan-extra-plugins.install @@ -1,6 +1,7 @@ # libstrongswan plugins usr/lib/ipsec/plugins/libstrongswan-bliss.so usr/lib/ipsec/plugins/libstrongswan-ccm.so +usr/lib/ipsec/plugins/libstrongswan-chapoly.so usr/lib/ipsec/plugins/libstrongswan-cmac.so usr/lib/ipsec/plugins/libstrongswan-ctr.so usr/lib/ipsec/plugins/libstrongswan-curl.so @@ -16,6 +17,7 @@ usr/lib/ipsec/plugins/libstrongswan-unbound.so # default configuration files usr/share/strongswan/templates/config/plugins/bliss.conf usr/share/strongswan/templates/config/plugins/ccm.conf +usr/share/strongswan/templates/config/plugins/chapoly.conf usr/share/strongswan/templates/config/plugins/cmac.conf usr/share/strongswan/templates/config/plugins/ctr.conf usr/share/strongswan/templates/config/plugins/curl.conf @@ -32,6 +34,7 @@ usr/share/strongswan/templates/database/sql/mysql.sql usr/share/strongswan/templates/database/sql/sqlite.sql etc/strongswan.d/charon/bliss.conf etc/strongswan.d/charon/ccm.conf +etc/strongswan.d/charon/chapoly.conf etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/ctr.conf etc/strongswan.d/charon/curl.conf diff --git a/debian/rules b/debian/rules index d99b21c6..ec0860e8 100755 
--- a/debian/rules +++ b/debian/rules @@ -10,6 +10,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-bliss \ --enable-ccm \ --enable-certexpire \ + --enable-chapoly \ --enable-cmd \ --enable-ctr \ --enable-curl \ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#861037: [PATCH 11/12] Enabled bypass-lan, files, and forecast plugins
@@ etc/strongswan.d/charon/chapoly.conf etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/ctr.conf etc/strongswan.d/charon/curl.conf +etc/strongswan.d/charon/files.conf etc/strongswan.d/charon/gcrypt.conf etc/strongswan.d/charon/ldap.conf etc/strongswan.d/charon/mgf1.conf diff --git a/debian/rules b/debian/rules index 8c712d87..724b684e 100755 --- a/debian/rules +++ b/debian/rules @@ -8,6 +8,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-agent \ --enable-attr-sql \ --enable-bliss \ + --enable-bypass-lan \ --enable-ccm \ --enable-certexpire \ --enable-chapoly \ @@ -25,6 +26,8 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-eap-tnc \ --enable-eap-ttls \ --enable-error-notify \ + --enable-files \ + --enable-forecast \ --enable-gcm \ --enable-gcrypt \ --enable-ha \ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
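Review bot: of the three plugins the rules hunk enables (bypass-lan, files, forecast), only files.conf reaches an install list in the hunks that survived here; bypass-lan and forecast need their .so and .conf entries in whichever install file their package uses, otherwise they are built but never shipped. Unlike the other subjects in the series this one references no bug, so nothing records why these three plugins are wanted; a line in the commit message would help the maintainer decide.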
Bug#861037: [PATCH 08/12] Enabled bliss and ntru plugins and dependent mgf1 plugin (closes #803787)
--- debian/control | 4 debian/libstrongswan-extra-plugins.install | 11 +++ debian/rules | 2 ++ 3 files changed, 17 insertions(+) diff --git a/debian/control b/debian/control index 59e08ce9..a7d84fd7 100644 --- a/debian/control +++ b/debian/control @@ -140,6 +140,8 @@ Description: strongSwan utility and crypto library (extra plugins) Included plugins are: - af-alg [linux] (AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc) + - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer +signature scheme) - ccm (CCM cipher mode wrapper) - cmac (CMAC cipher mode wrapper) - ctr (CTR cipher mode wrapper) @@ -147,7 +149,9 @@ Description: strongSwan utility and crypto library (extra plugins) - gcrypt (Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/rng) - ldap (LDAP fetching plugin based on libldap) + - mgf1 (MGF1 mask generation function) - mysql (MySQL database backend based on libmysqlclient) + - ntru (Key exchange based on post-quantum computer NTRU encryption) - padlock (VIA padlock crypto backend, provides AES128/SHA1) - pkcs11 (PKCS#11 smartcard backend) - rdrand (High quality / high performance random source using the Intel diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install index e5f8baac..6bd32976 100644 --- a/debian/libstrongswan-extra-plugins.install +++ b/debian/libstrongswan-extra-plugins.install 
@@ -1,37 +1,48 @@ # libstrongswan plugins +usr/lib/ipsec/plugins/libstrongswan-bliss.so usr/lib/ipsec/plugins/libstrongswan-ccm.so usr/lib/ipsec/plugins/libstrongswan-cmac.so usr/lib/ipsec/plugins/libstrongswan-ctr.so usr/lib/ipsec/plugins/libstrongswan-curl.so usr/lib/ipsec/plugins/libstrongswan-gcrypt.so usr/lib/ipsec/plugins/libstrongswan-ldap.so +usr/lib/ipsec/plugins/libstrongswan-mgf1.so usr/lib/ipsec/plugins/libstrongswan-mysql.so +usr/lib/ipsec/plugins/libstrongswan-ntru.so usr/lib/ipsec/plugins/libstrongswan-pkcs11.so usr/lib/ipsec/plugins/libstrongswan-sqlite.so usr/lib/ipsec/plugins/libstrongswan-test-vectors.so usr/lib/ipsec/plugins/libstrongswan-unbound.so # default configuration files +usr/share/strongswan/templates/config/plugins/bliss.conf usr/share/strongswan/templates/config/plugins/ccm.conf usr/share/strongswan/templates/config/plugins/cmac.conf usr/share/strongswan/templates/config/plugins/ctr.conf usr/share/strongswan/templates/config/plugins/curl.conf usr/share/strongswan/templates/config/plugins/gcrypt.conf usr/share/strongswan/templates/config/plugins/ldap.conf +usr/share/strongswan/templates/config/plugins/mgf1.conf usr/share/strongswan/templates/config/plugins/mysql.conf +usr/share/strongswan/templates/config/plugins/ntru.conf usr/share/strongswan/templates/config/plugins/pkcs11.conf usr/share/strongswan/templates/config/plugins/sqlite.conf usr/share/strongswan/templates/config/plugins/test-vectors.conf usr/share/strongswan/templates/config/plugins/unbound.conf usr/share/strongswan/templates/database/sql/mysql.sql usr/share/strongswan/templates/database/sql/sqlite.sql +etc/strongswan.d/charon/bliss.conf etc/strongswan.d/charon/ccm.conf etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/ctr.conf etc/strongswan.d/charon/curl.conf etc/strongswan.d/charon/gcrypt.conf etc/strongswan.d/charon/ldap.conf +etc/strongswan.d/charon/mgf1.conf etc/strongswan.d/charon/mysql.conf +etc/strongswan.d/charon/ntru.conf 
etc/strongswan.d/charon/pkcs11.conf etc/strongswan.d/charon/sqlite.conf etc/strongswan.d/charon/test-vectors.conf etc/strongswan.d/charon/unbound.conf +# support libs +usr/lib/ipsec/libnttfft.so* diff --git a/debian/rules b/debian/rules index 08c8aa09..d99b21c6 100755 --- a/debian/rules +++ b/debian/rules @@ -7,6 +7,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-addrblock \ --enable-agent \ --enable-attr-sql \ + --enable-bliss \ --enable-ccm \ --enable-certexpire \ --enable-cmd \ @@ -32,6 +33,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-lookip \ --enable-mediation \ --enable-mysql \ + --enable-ntru \ --enable-openssl \ --enable-pkcs11 \ --enable-sqlite \ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
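Review bot: the new "# support libs" entry puts usr/lib/ipsec/libnttfft.so* into libstrongswan-extra-plugins, whereas the support libraries this packaging already ships (libtnccs, libtls, and libtpmtss in PATCH 04) live in libcharon-extra-plugins.install; say in the commit message why this one belongs here and which plugins link it, so a later split per plugin (as the cover letter proposes) does not strand the library. The control description line "+signature scheme)" must start with a space to be a valid continuation of the long description; the flattened diff cannot show whether it does.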
Bug#861037: [PATCH 06/12] Enable dnscert, ipseckey, and unbound plugins (closes #718298)
-16,6 +17,7 @@ usr/share/strongswan/templates/config/plugins/gcrypt.conf usr/share/strongswan/templates/config/plugins/ldap.conf usr/share/strongswan/templates/config/plugins/pkcs11.conf usr/share/strongswan/templates/config/plugins/test-vectors.conf +usr/share/strongswan/templates/config/plugins/unbound.conf etc/strongswan.d/charon/ccm.conf etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/ctr.conf @@ -24,3 +26,4 @@ etc/strongswan.d/charon/gcrypt.conf etc/strongswan.d/charon/ldap.conf etc/strongswan.d/charon/pkcs11.conf etc/strongswan.d/charon/test-vectors.conf +etc/strongswan.d/charon/unbound.conf diff --git a/debian/rules b/debian/rules index ad984684..e687018a 100755 --- a/debian/rules +++ b/debian/rules @@ -11,6 +11,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-cmd \ --enable-ctr \ --enable-curl \ + --enable-dnscert \ --enable-eap-aka \ --enable-eap-gtc \ --enable-eap-identity \ @@ -24,6 +25,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-gcm \ --enable-gcrypt \ --enable-ha \ + --enable-ipseckey \ --enable-ldap \ --enable-led \ --enable-lookip \ @@ -31,6 +33,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-openssl \ --enable-pkcs11 \ --enable-test-vectors \ + --enable-unbound \ --enable-unity \ --enable-xauth-eap \ --enable-xauth-pam \ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
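Review bot: the rules hunk enables unbound, which links libunbound and libldns, but no Build-Depends change is among the hunks shown; confirm debian/control gained the corresponding -dev packages, otherwise configure fails in a clean chroot. dnscert and ipseckey only resolve through a resolver plugin such as unbound, which is worth stating in the commit message since the three are enabled together.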
Bug#861037: [PATCH 07/12] Enabled attr-sql, mysql, and sqlite plugins (closes #718302)
m.conf etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/ctr.conf etc/strongswan.d/charon/curl.conf etc/strongswan.d/charon/gcrypt.conf etc/strongswan.d/charon/ldap.conf +etc/strongswan.d/charon/mysql.conf etc/strongswan.d/charon/pkcs11.conf +etc/strongswan.d/charon/sqlite.conf etc/strongswan.d/charon/test-vectors.conf etc/strongswan.d/charon/unbound.conf diff --git a/debian/rules b/debian/rules index e687018a..08c8aa09 100755 --- a/debian/rules +++ b/debian/rules @@ -6,6 +6,7 @@ export DEB_BUILD_MAINT_OPTIONS=hardening=+all CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-addrblock \ --enable-agent \ + --enable-attr-sql \ --enable-ccm \ --enable-certexpire \ --enable-cmd \ @@ -30,8 +31,10 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-led \ --enable-lookip \ --enable-mediation \ + --enable-mysql \ --enable-openssl \ --enable-pkcs11 \ + --enable-sqlite \ --enable-test-vectors \ --enable-unbound \ --enable-unity \ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
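Review bot: same Build-Depends question as for PATCH 06: the mysql and sqlite plugins link libmysqlclient and libsqlite3, and only the rules and install hunks survived here. The install hunk adds the plugin .conf files; the SQL schema templates (mysql.sql, sqlite.sql) appear as context in PATCH 08's install hunk, so they seem to be covered by a part of this patch not visible here, but it should be checked that attr-sql's files are listed as well.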
Bug#861037: [PATCH 02/12] Refresh 03_systemd-service.patch against 5.5.2 release
--- debian/patches/03_systemd-service.patch | 14 ++ 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/debian/patches/03_systemd-service.patch b/debian/patches/03_systemd-service.patch index e18867ec..91406b3a 100644 --- a/debian/patches/03_systemd-service.patch +++ b/debian/patches/03_systemd-service.patch @@ -1,14 +1,12 @@ a/init/systemd/strongswan.service.in -+++ b/init/systemd/strongswan.service.in -@@ -1,9 +1,10 @@ - [Unit] - Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf --After=syslog.target network.target -+After=network.target +Index: strongswan/init/systemd/strongswan.service.in +=== +--- strongswan.orig/init/systemd/strongswan.service.in strongswan/init/systemd/strongswan.service.in +@@ -4,6 +4,7 @@ After=syslog.target network-online.targe [Service] ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork +ExecReload=@SBINDIR@/@IPSEC_SCRIPT@ reload StandardOutput=syslog + Restart=on-abnormal - [Install] -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
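Review bot: the refreshed patch silently changes what 03_systemd-service.patch does. The old version removed syslog.target from After= (the "-After=syslog.target network.target / +After=network.target" lines); the new version keeps upstream's "After=syslog.target network-online.target" context untouched and instead adds an ExecReload= line. If dropping syslog.target is no longer wanted, say so in the commit message, and add a DEP-3 header describing the ExecReload addition, since the cover letter notes upstream issue 2205 does not mention it.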
Bug#861037: [PATCH 04/12] Upstream 5.5.2 introduced libtpmtss.so support library which is built by default and required by the new tpm plugin, install with libcharon-extra-plugins package, note howeve
--- debian/libcharon-extra-plugins.install | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install index 7b0bd2be..23415665 100644 --- a/debian/libcharon-extra-plugins.install +++ b/debian/libcharon-extra-plugins.install @@ -44,8 +44,9 @@ debian/usr.lib.ipsec.lookip /etc/apparmor.d/ usr/lib/ipsec/libpttls.so* usr/lib/ipsec/libradius.so* usr/lib/ipsec/libsimaka.so* -usr/lib/ipsec/libtnccs.so* usr/lib/ipsec/libtls.so* +usr/lib/ipsec/libtnccs.so* +usr/lib/ipsec/libtpmtss.so* # binaries usr/lib/ipsec/error-notify usr/lib/ipsec/lookip -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
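Review bot: this ships usr/lib/ipsec/libtpmtss.so* in libcharon-extra-plugins although the tpm plugin, its consumer according to the subject, is not built, so the package gains a library nothing uses. Either build and ship the tpm plugin alongside it or pass a --disable flag if upstream offers one (the cover letter says this was not investigated). The swap of the libtnccs.so* and libtls.so* lines is a pure reorder and should be mentioned as such so it is not mistaken for a functional change.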
Bug#861037: [PATCH 03/12] Updated debian/copyright by manually inspecting the diff between upstream 5.5.1 and 5.5.2 releases and additionally fixed a few cases where the copyright data had been incorr
/curve25519_private_key.* + src/libstrongswan/plugins/curve25519/curve25519_public_key.* + src/libstrongswan/plugins/curve25519/ref10/* +Copyright: 2016, Andreas Steffen +License: GPL-2+ + +Files: src/libstrongswan/plugins/curve25519/curve25519_plugin.c +Copyright: 2014, Martin Willi + 2014, revosec AG + 2016, Andreas Steffen +License: GPL-2+ + +Files: src/libstrongswan/plugins/curve25519/curve25519_plugin.h +Copyright: 2014, Martin Willi + 2014, revosec AG +License: GPL-2+ + Files: src/libstrongswan/plugins/des/des_crypter.c Copyright: 2009, Tobias Brunner 2006, Martin Willi @@ -1856,8 +2041,11 @@ Copyright: 2007-2015, Tobias Brunner License: GPL-2+ Files: src/libstrongswan/plugins/pem/pem_encoder.c - src/libstrongswan/plugins/pem/pem_encoder.h -Copyright: 2001-2015, Andreas Steffen +Copyright: 2010-2016, Andreas Steffen +License: GPL-2+ + +Files: src/libstrongswan/plugins/pem/pem_encoder.h +Copyright: 2010, Andreas Steffen License: GPL-2+ Files: src/libstrongswan/plugins/pgp/pgp_builder.c @@ -2035,6 +2223,11 @@ Copyright: 2009, Martin Willi , JuanJo Ciarlante <jjo-ip...@mendoza.gov.ar> License: GPL +Files: src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c +Copyright: 2015, Martin Willi + 2015, revosec AG +License: GPL-2+ + Files: src/libstrongswan/plugins/unbound/* Copyright: 2011, 2012, Reto Guadagnini License: GPL-2+ @@ -2137,8 +2330,14 @@ Copyright: 2007-2015, Tobias Brunner License: GPL-2+ Files: src/libstrongswan/selectors/traffic_selector.c -Copyright: 2007-2015, Tobias Brunner - 2005-2011, Martin Willi +Copyright: 2007-2017, Tobias Brunner + 2005-2007, Martin Willi + 2005, Jan Hutter +License: GPL-2+ + +Files: src/libstrongswan/selectors/traffic_selector.h +Copyright: 2007-2017, Tobias Brunner + 2005-2006, Martin Willi 2005, Jan Hutter License: GPL-2+ 
@@ -2201,6 +2400,10 @@ Copyright: 2007-2015, Tobias Brunner 2005-2013, Martin Willi License: GPL-2+ +Files: src/libstrongswan/tests/suites/test_ed25519.c +Copyright: 2016, Andreas Steffen +License: GPL-2+ + Files: src/libstrongswan/tests/test_runner.c src/libstrongswan/tests/test_suite.h Copyright: 2010-2014, revosec AG @@ -2411,6 +2614,14 @@ Files: src/libtncif/tncif_pa_subtypes.h Copyright: 2010, 2011, 2013, Andreas Steffen, HSR Hochschule fuer Technik Rapperswil License: GPL-2+ +Files: src/libtpmtss/* +Copyright: 2016, Andreas Steffen +License: GPL-2+ + +Files: src/libtpmtss/plugins/tpm/* +Copyright: 2017, Andreas Steffen +License: GPL-2+ + Files: src/manager/templates/* Copyright: *No copyright* License: GPL-2+ @@ -2434,8 +2645,25 @@ Copyright: 2009-2015, Andreas Steffen 2005-2009, Martin Willi License: GPL-2+ +Files: src/pki/commands/acert.c + src/pki/commands/issue.c + src/pki/commands/pub.c + src/pki/commands/self.c +Copyright: 2009, Martin Willi + 2015-2017, Andreas Steffen +License: GPL-2+ + +Files: src/pki/commands/gen.c +Copyright: 2009, Martin Willi + 2014-2016, Andreas Steffen +License: GPL-2+ + Files: src/pki/commands/keyid.c - src/pki/commands/verify.c +Copyright: 2009, Martin Willi + 2017, Andreas Steffen +License: GPL-2+ + +Files: src/pki/commands/verify.c Copyright: 2005-2011, Martin Willi License: GPL-2+ 
@@ -2444,12 +2672,28 @@ Copyright: 2007-2015, Tobias Brunner License: GPL-2+ Files: src/pki/commands/pkcs7.c - src/pki/commands/print.c src/pki/commands/signcrl.c Copyright: 2010-2015, revosec AG 2006-2015, Martin Willi License: GPL-2+ +Files: src/pki/commands/print.c +Copyright: 2010, Martin Willi + 2010, revosec AG + 2015-2016, Andreas Steffen +License: GPL-2+ + +Files: src/pki/commands/req.c +Copyright: 2009, Martin Willi + 2009-2017, Andreas Steffen +License: GPL-2+ + +Files: src/pki/commands/signcrl.c +Copyright: 2010, Martin Willi + 2010, revosec AG + 2017, Andreas Steffen +License: GPL-2+ + Files: src/pki/pki.c Copyright: 2007-2015, Tobias Brunner 2005-2013, Martin Willi @@ -2550,6 +2794,23 @@ Files: src/swanctl/command.c Copyright: 2005-2011, Martin Willi License: GPL-2+ +Files: src/swanctl/commands/list_pools.c +Copyright: 2015-2016, Tobias Brunner + 2014, Martin Willi + 2014, revosec AG +License: GPL-2+ + +Files: src/swanctl/commands/load_creds.c +Copyright: 2016, Tobias Brunner + 2015, Andreas Steffen + 2014, Martin Willi + 2014, revosec AG +License: GPL-2+ + +Files: src/swanctl/commands/rekey.c +Copyright: 2017, Tobias Brunner +License: GPL-2+ + Files: testing/* Copyright: Hochschule fuer Technik Rapperswil License: GPL-2+ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
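Review bot: the new "Files: ... src/libstrongswan/plugins/curve25519/ref10/*" stanza assigns the ref10 directory to "2016, Andreas Steffen" under GPL-2+; a directory named ref10 is normally a third-party reference implementation, so verify the headers in those files and list the original authors and licence separately if they differ. The split entries for pem_encoder.c/.h, traffic_selector.c/.h and the pki commands look correct as far as the visible years go, but since the commit message admits older inconsistencies were "mostly ignored", a follow-up full audit (offered in the cover letter) is the right place to finish this.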
Bug#861037: [PATCH 05/12] Upstream 5.5.2 introduced curve25519 which is being built by default, install with libstrongswan package.
--- debian/control | 1 + debian/libstrongswan.install | 3 +++ 2 files changed, 4 insertions(+) diff --git a/debian/control b/debian/control index 391d6153..53a436b8 100644 --- a/debian/control +++ b/debian/control @@ -69,6 +69,7 @@ Description: strongSwan utility and crypto library For libstrongswan (cryptographic backends, URI fetchers and database layers): - aes (AES-128/192/256 cipher software implementation) - constraints (X.509 certificate advanced constraint checking) + - curve25519 (X25519 DH group and Ed25519 public key authentication) - dnskey (Parse RFC 4034 public keys) - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms) - gmp (RSA/DH crypto backend based on libgmp) diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install index b3148670..30af5f89 100644 --- a/debian/libstrongswan.install +++ b/debian/libstrongswan.install @@ -2,6 +2,7 @@ usr/lib/ipsec/libstrongswan.so* usr/lib/ipsec/plugins/libstrongswan-aes.so usr/lib/ipsec/plugins/libstrongswan-constraints.so +usr/lib/ipsec/plugins/libstrongswan-curve25519.so usr/lib/ipsec/plugins/libstrongswan-dnskey.so usr/lib/ipsec/plugins/libstrongswan-fips-prf.so usr/lib/ipsec/plugins/libstrongswan-gmp.so @@ -26,6 +27,7 @@ usr/lib/ipsec/plugins/libstrongswan-xcbc.so # config files usr/share/strongswan/templates/config/plugins/aes.conf usr/share/strongswan/templates/config/plugins/constraints.conf +usr/share/strongswan/templates/config/plugins/curve25519.conf usr/share/strongswan/templates/config/plugins/dnskey.conf usr/share/strongswan/templates/config/plugins/fips-prf.conf usr/share/strongswan/templates/config/plugins/gmp.conf 
@@ -49,6 +51,7 @@ usr/share/strongswan/templates/config/plugins/x509.conf usr/share/strongswan/templates/config/plugins/xcbc.conf etc/strongswan.d/charon/aes.conf etc/strongswan.d/charon/constraints.conf +etc/strongswan.d/charon/curve25519.conf etc/strongswan.d/charon/dnskey.conf etc/strongswan.d/charon/fips-prf.conf etc/strongswan.d/charon/gmp.conf -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
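Review bot: the plugin is added to control and to libstrongswan.install, but debian/rules is not touched because upstream enables curve25519 by default; every other plugin in this series is switched on with an explicit --enable flag, so add --enable-curve25519 too, otherwise a future upstream default change would make dh_install fail on the missing .so and .conf files listed here. The description "X25519 DH group and Ed25519 public key authentication" is accurate and fine.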
Bug#861037: [PATCH 00/12] New upstream release 5.5.2
Control: tags -1 + patch

Only the first 5 patches in this series pertain to the upstream 5.5.2 release; the rest enable various plugins which have their own bug reports.

The first patch was simply running 'gbp import-orig --uscan'.

The second patch (Refresh 03_systemd-service.patch) may warrant scrutiny or possibly upstreaming since https://wiki.strongswan.org/issues/2205 doesn't mention ExecReload.

The third patch (Updated debian/copyright) took quite a bit of effort, and I only concentrated on the delta between 5.5.1 and 5.5.2, however it looks like the debian/copyright file has been out of sync for quite a while. I could endeavor to audit the entire source if you like.

The fourth patch (Upstream 5.5.2 introduced libtpmtss.so): I had not investigated whether there is any --disable flag to stop libtpmtss.so from building, but neither did I enable any additional plugin (like tpm) that activated it.

The fifth patch (Upstream 5.5.2 introduced curve25519) may be contentious since I've come to the understanding that Yves-Alexis Perez does not accept enabling new plugins arbitrarily (803787#10), however upstream has chosen this plugin to be enabled by default, therefore I placed it in the core libstrongswan package; furthermore Curve25519 is specified in the RFC 8031 IKE standard (unfortunately strongswan hadn't implemented the stronger Curve448), and is prevalent in other modern cryptosystems (TLS1.3, SSH).

Let me know if it would be at all helpful to run a publicly accessible git repository (pull request rather than patches), I've been using gitolite3 with private SSH access, but attaching some read-only HTTPS front-end has been on my TODO list forever.
Gerald Turner (12):
  New upstream version 5.5.2
  Refresh 03_systemd-service.patch against 5.5.2 release
  Updated debian/copyright by manually inspecting the diff between upstream 5.5.1 and 5.5.2 releases and additionally fixed a few cases where the copyright data had been incorrect since package version 5.5.1-3 and earlier
  Upstream 5.5.2 introduced libtpmtss.so support library which is built by default and required by the new tpm plugin, install with libcharon-extra-plugins package, note however that the tpm plugin is not being built.
  Upstream 5.5.2 introduced curve25519 which is being built by default, install with libstrongswan package.
  Enable dnscert, ipseckey, and unbound plugins (closes #718298)
  Enabled attr-sql, mysql, and sqlite plugins (closes #718302)
  Enabled bliss and ntru plugins and dependent mgf1 plugin (closes #803787)
  Enabled chapoly plugin (closed #814927)
  Enabled newhope plugin and dependent sha3 plugin
  Enabled bypass-lan, files, and forecast plugins
  Release strongSwan 5.5.2-0.1
Bug#861037: New upstream release 5.5.2
Source: strongswan
Version: 5.5.1-3
Severity: wishlist

Hello, I've recently been motivated by the demise of SixXS (an IPv6 tunnel broker) to tune up our strongSwan infrastructure to provide GUAs to NAT'd IPv4-only road-warriors. While the 5.5.2 release doesn't necessarily have anything to do with that, at a minimum I'd like to enable some additional plugins (e.g. attr-sql for managing pools, possibly bypass-lan, if it works with IPv6, etc.), so I've accepted that I'd diverge from official Debian packaging and host my own stretch and jessie-backports builds, and figured that I may as well import the new upstream release.
Bug#861036: [PATCH] Enabled newhope plugin and dependent sha3 plugin
Control: tags -1 + patch Note that this plugin also depends on mgf1, which I've enabled via the patch in bug #803787, as well as depends on chapoly, patched in bug #814927. --- debian/control | 2 ++ debian/libstrongswan-extra-plugins.install | 6 ++ debian/rules | 2 ++ 3 files changed, 10 insertions(+) diff --git a/debian/control b/debian/control index ac9324c1..b807870d 100644 --- a/debian/control +++ b/debian/control @@ -152,11 +152,13 @@ Description: strongSwan utility and crypto library (extra plugins) - ldap (LDAP fetching plugin based on libldap) - mgf1 (MGF1 mask generation function) - mysql (MySQL database backend based on libmysqlclient) + - newhope (Key exchange based on post-quantum computer New Hope algorithm) - ntru (Key exchange based on post-quantum computer NTRU encryption) - padlock (VIA padlock crypto backend, provides AES128/SHA1) - pkcs11 (PKCS#11 smartcard backend) - rdrand (High quality / high performance random source using the Intel rdrand instruction found on Ivy Bridge processors) + - sha3 (SHA3_224/SHA3_256/SHA3_384/SHA3_512 hasher software implementation) - sqlite (SQLite database backend based on libsqlite3) - test-vectors (Set of test vectors for various algorithms) diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install index 591b3c1d..ca6d4374 100644 --- a/debian/libstrongswan-extra-plugins.install +++ b/debian/libstrongswan-extra-plugins.install @@ -9,8 +9,10 @@ usr/lib/ipsec/plugins/libstrongswan-gcrypt.so usr/lib/ipsec/plugins/libstrongswan-ldap.so usr/lib/ipsec/plugins/libstrongswan-mgf1.so usr/lib/ipsec/plugins/libstrongswan-mysql.so +usr/lib/ipsec/plugins/libstrongswan-newhope.so usr/lib/ipsec/plugins/libstrongswan-ntru.so usr/lib/ipsec/plugins/libstrongswan-pkcs11.so +usr/lib/ipsec/plugins/libstrongswan-sha3.so usr/lib/ipsec/plugins/libstrongswan-sqlite.so usr/lib/ipsec/plugins/libstrongswan-test-vectors.so usr/lib/ipsec/plugins/libstrongswan-unbound.so 
@@ -25,8 +27,10 @@ usr/share/strongswan/templates/config/plugins/gcrypt.conf usr/share/strongswan/templates/config/plugins/ldap.conf usr/share/strongswan/templates/config/plugins/mgf1.conf usr/share/strongswan/templates/config/plugins/mysql.conf +usr/share/strongswan/templates/config/plugins/newhope.conf usr/share/strongswan/templates/config/plugins/ntru.conf usr/share/strongswan/templates/config/plugins/pkcs11.conf +usr/share/strongswan/templates/config/plugins/sha3.conf usr/share/strongswan/templates/config/plugins/sqlite.conf usr/share/strongswan/templates/config/plugins/test-vectors.conf usr/share/strongswan/templates/config/plugins/unbound.conf @@ -42,8 +46,10 @@ etc/strongswan.d/charon/gcrypt.conf etc/strongswan.d/charon/ldap.conf etc/strongswan.d/charon/mgf1.conf etc/strongswan.d/charon/mysql.conf +etc/strongswan.d/charon/newhope.conf etc/strongswan.d/charon/ntru.conf etc/strongswan.d/charon/pkcs11.conf +etc/strongswan.d/charon/sha3.conf etc/strongswan.d/charon/sqlite.conf etc/strongswan.d/charon/test-vectors.conf etc/strongswan.d/charon/unbound.conf diff --git a/debian/rules b/debian/rules index ec0860e8..8c712d87 100755 --- a/debian/rules +++ b/debian/rules @@ -34,9 +34,11 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-lookip \ --enable-mediation \ --enable-mysql \ + --enable-newhope \ --enable-ntru \ --enable-openssl \ --enable-pkcs11 \ + --enable-sha3 \ --enable-sqlite \ --enable-test-vectors \ --enable-unbound \ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
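Review bot: this patch applies only on top of the two it names, and the index lines prove it: `debian/control index ac9324c1..b807870d`, `libstrongswan-extra-plugins.install index 591b3c1d..ca6d4374` and `debian/rules index ec0860e8..8c712d87` are the post-images of the #814927 (chapoly) patch, which in turn sits on #803787 (bliss/mgf1/ntru). State the required order (803787, 814927, 861036) in the cover text, or submit the three as one series, so the maintainer does not hit a failed `git am` on the first hunk of debian/control. The newhope description mirrors the existing ntru wording and the sha3 line names the four digest sizes; both fine.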
Bug#861036: Enable newhope plugin
Source: strongswan Version: 5.5.1-3 Severity: wishlist Hello, I'd like to use the NewHope post-quantum key exchange algorithm introduced in strongSwan 5.5.1. https://wiki.strongswan.org/projects/strongswan/wiki/NewHope -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#849816: [Pkg-swan-devel] Bug#849816: Bug#849816: Enable AES hardware acceleration (AES-NI)
Control: fixed -1 5.3.5-2

On Sat, Dec 31 2016, Yves-Alexis Perez wrote:
> On Sat, 2016-12-31 at 14:06 +0100, Dan Guido wrote:
>> Please enable AESNI support via the --enable-aesni flag.
>
> We don't enable libipsec so it doesn't really matter actually, AES is
> done in the kernel, which does support AES-NI.

I think there may be some confusion. Dan Guido reported this bug against version 5.5.1-2, but perhaps he meant to report the bug against jessie or earlier versions (e.g. 5.2.1-6). Yves-Alexis Perez enabled aesni in alioth commit 8e32f50ac¹, package version 5.3.5-2, which entered sid² and stretch³ in March 2016, about eight months before the report.

Also Yves-Alexis Perez mentions this plugin is ineffective without the libipsec backend, but I believe there may be some confusion here too. My understanding is that IKE is handled in userland by whatever plugins are loaded, whereas ESP is handled in kernel, ignoring plugins (essentially restricted to whatever af-alg supports). This is particularly true if libstrongswan-standard-plugins is installed (containing aesni) and libstrongswan-extra-plugins is *not* installed (containing af-alg).

¹ https://anonscm.debian.org/cgit/pkg-swan/strongswan.git/commit/?id=8e32f50ac2c90358c14cd36753aa360e8d80ccab
² https://packages.qa.debian.org/s/strongswan/news/20160317T140101Z.html
³ https://packages.qa.debian.org/s/strongswan/news/20160323T163916Z.html

-- Gerald Turner <gtur...@unzane.com> Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
signature.asc Description: PGP signature
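A way to check both halves of the split described above on a running host, as an added example that is not from the bug report or the strongSwan package: the kernel side via /proc/crypto, where the highest-priority driver registered for an algorithm is the one ESP traffic will use, and the IKE side via charon's "loaded plugins" start-up line. Both inputs are constructed samples embedded in the script; the driver and module names (`cbc-aes-aesni`, `aesni_intel`) are the Linux ones as I know them, and the charon log line format is assumed from typical daemon logs.

```python
"""Check which kernel crypto driver backs an algorithm (ESP side) and whether
charon loaded the aesni plugin (IKE side).  Added example, not code from the
bug report or the strongSwan package.  The /proc/crypto text and the charon
log line are constructed samples, not captures from a real host."""
import re
from typing import Dict, List, Optional

# Constructed sample in /proc/crypto's blank-line separated "key : value" format.
SAMPLE_PROC_CRYPTO = """\
name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
"""

# Constructed sample of charon's start-up line listing the plugins it loaded.
SAMPLE_CHARON_LOG = ("00[LIB] loaded plugins: charon aesni aes sha1 sha2 random "
                     "nonce x509 kernel-netlink socket-default stroke")


def parse_proc_crypto(text: str) -> List[Dict[str, str]]:
    """Split /proc/crypto-style text into one dict per blank-line separated block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def best_kernel_driver(entries: List[Dict[str, str]], algorithm: str) -> Optional[Dict[str, str]]:
    """Return the highest-priority implementation registered for `algorithm`.
    The kernel crypto API selects by priority, so this is what ESP will use
    (assumption: no explicit driver pinning by the IPsec configuration)."""
    candidates = [e for e in entries if e.get("name") == algorithm]
    if not candidates:
        return None
    return max(candidates, key=lambda e: int(e.get("priority", "0")))


def esp_uses_aesni(proc_crypto_text: str, algorithm: str = "cbc(aes)") -> bool:
    """True when the winning kernel driver for `algorithm` comes from aesni_intel."""
    drv = best_kernel_driver(parse_proc_crypto(proc_crypto_text), algorithm)
    return drv is not None and drv.get("module") == "aesni_intel"


def charon_loaded_plugins(log_line: str) -> List[str]:
    """Plugin names from a 'loaded plugins:' charon log line (empty if absent)."""
    m = re.search(r"loaded plugins:\s*(.*)$", log_line)
    return m.group(1).split() if m else []


def ike_uses_aesni(log_line: str) -> bool:
    """True when the userland IKE daemon has the aesni plugin loaded."""
    return "aesni" in charon_loaded_plugins(log_line)


if __name__ == "__main__":
    print("ESP cbc(aes) via aesni_intel:", esp_uses_aesni(SAMPLE_PROC_CRYPTO))
    print("IKE aesni plugin loaded:", ike_uses_aesni(SAMPLE_CHARON_LOG))
```

On a real host, feed `open("/proc/crypto").read()` and the charon line from the journal to the same functions; the two answers are independent, which is the point of the message above.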
Bug#814927: [Pkg-swan-devel] Bug#814927: strongSwan misses ChaCha/POLY support
Control: tags -1 + patch --- debian/control | 1 + debian/libstrongswan-extra-plugins.install | 3 +++ debian/rules | 1 + 3 files changed, 5 insertions(+) diff --git a/debian/control b/debian/control index a7d84fd7..ac9324c1 100644 --- a/debian/control +++ b/debian/control @@ -143,6 +143,7 @@ Description: strongSwan utility and crypto library (extra plugins) - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer signature scheme) - ccm (CCM cipher mode wrapper) + - chapoly (ChaCha20/Poly1305 AEAD implementation) - cmac (CMAC cipher mode wrapper) - ctr (CTR cipher mode wrapper) - curl (libcurl based HTTP/FTP fetcher) diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install index 6bd32976..591b3c1d 100644 --- a/debian/libstrongswan-extra-plugins.install +++ b/debian/libstrongswan-extra-plugins.install @@ -1,6 +1,7 @@ # libstrongswan plugins usr/lib/ipsec/plugins/libstrongswan-bliss.so usr/lib/ipsec/plugins/libstrongswan-ccm.so +usr/lib/ipsec/plugins/libstrongswan-chapoly.so usr/lib/ipsec/plugins/libstrongswan-cmac.so usr/lib/ipsec/plugins/libstrongswan-ctr.so usr/lib/ipsec/plugins/libstrongswan-curl.so @@ -16,6 +17,7 @@ usr/lib/ipsec/plugins/libstrongswan-unbound.so # default configuration files usr/share/strongswan/templates/config/plugins/bliss.conf usr/share/strongswan/templates/config/plugins/ccm.conf +usr/share/strongswan/templates/config/plugins/chapoly.conf usr/share/strongswan/templates/config/plugins/cmac.conf usr/share/strongswan/templates/config/plugins/ctr.conf usr/share/strongswan/templates/config/plugins/curl.conf @@ -32,6 +34,7 @@ usr/share/strongswan/templates/database/sql/mysql.sql usr/share/strongswan/templates/database/sql/sqlite.sql etc/strongswan.d/charon/bliss.conf etc/strongswan.d/charon/ccm.conf +etc/strongswan.d/charon/chapoly.conf etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/ctr.conf etc/strongswan.d/charon/curl.conf 
diff --git a/debian/rules b/debian/rules index d99b21c6..ec0860e8 100755 --- a/debian/rules +++ b/debian/rules @@ -10,6 +10,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-bliss \ --enable-ccm \ --enable-certexpire \ + --enable-chapoly \ --enable-cmd \ --enable-ctr \ --enable-curl \ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
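Review bot: the diffstat lists three files and no debian/changelog hunk, so the new chapoly plugin would not be recorded in the package history unless the maintainer writes the entry; add a changelog stanza naming the plugin and this bug. Note also that the hunks are based on the post-image of the #803787 patch (`debian/rules index d99b21c6..ec0860e8`, `.install index 6bd32976..591b3c1d`), so they do not apply to the uploaded package on their own; say so in the submission. The three .install entries and the control description sit alphabetically between ccm and cmac, consistent with the rest of the file.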
Bug#803787: [Pkg-swan-devel] Bug#803787: [strongswan] Enable post-quantum algorithms
Control: tags -1 + patch Hi, this is a cleanup of the previously submitted patch. The mgf1 plugin was added in 5.5.1 and is a dependency of bliss (and newhope) plugins. I removed chapoly from the patch as it has its own bug report (bug #814927). FYI newhope, another post-quantum key exchange algorithm, was added in 5.5.1, but I'll be opening a separate bug report/patch. --- debian/control | 4 debian/libstrongswan-extra-plugins.install | 11 +++ debian/rules | 2 ++ 3 files changed, 17 insertions(+) diff --git a/debian/control b/debian/control index 59e08ce9..a7d84fd7 100644 --- a/debian/control +++ b/debian/control @@ -140,6 +140,8 @@ Description: strongSwan utility and crypto library (extra plugins) Included plugins are: - af-alg [linux] (AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc) + - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer +signature scheme) - ccm (CCM cipher mode wrapper) - cmac (CMAC cipher mode wrapper) - ctr (CTR cipher mode wrapper) @@ -147,7 +149,9 @@ Description: strongSwan utility and crypto library (extra plugins) - gcrypt (Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/rng) - ldap (LDAP fetching plugin based on libldap) + - mgf1 (MGF1 mask generation function) - mysql (MySQL database backend based on libmysqlclient) + - ntru (Key exchange based on post-quantum computer NTRU encryption) - padlock (VIA padlock crypto backend, provides AES128/SHA1) - pkcs11 (PKCS#11 smartcard backend) - rdrand (High quality / high performance random source using the Intel diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install index e5f8baac..6bd32976 100644 --- a/debian/libstrongswan-extra-plugins.install +++ b/debian/libstrongswan-extra-plugins.install 
@@ -1,37 +1,48 @@ # libstrongswan plugins +usr/lib/ipsec/plugins/libstrongswan-bliss.so usr/lib/ipsec/plugins/libstrongswan-ccm.so usr/lib/ipsec/plugins/libstrongswan-cmac.so usr/lib/ipsec/plugins/libstrongswan-ctr.so usr/lib/ipsec/plugins/libstrongswan-curl.so usr/lib/ipsec/plugins/libstrongswan-gcrypt.so usr/lib/ipsec/plugins/libstrongswan-ldap.so +usr/lib/ipsec/plugins/libstrongswan-mgf1.so usr/lib/ipsec/plugins/libstrongswan-mysql.so +usr/lib/ipsec/plugins/libstrongswan-ntru.so usr/lib/ipsec/plugins/libstrongswan-pkcs11.so usr/lib/ipsec/plugins/libstrongswan-sqlite.so usr/lib/ipsec/plugins/libstrongswan-test-vectors.so usr/lib/ipsec/plugins/libstrongswan-unbound.so # default configuration files +usr/share/strongswan/templates/config/plugins/bliss.conf usr/share/strongswan/templates/config/plugins/ccm.conf usr/share/strongswan/templates/config/plugins/cmac.conf usr/share/strongswan/templates/config/plugins/ctr.conf usr/share/strongswan/templates/config/plugins/curl.conf usr/share/strongswan/templates/config/plugins/gcrypt.conf usr/share/strongswan/templates/config/plugins/ldap.conf +usr/share/strongswan/templates/config/plugins/mgf1.conf usr/share/strongswan/templates/config/plugins/mysql.conf +usr/share/strongswan/templates/config/plugins/ntru.conf usr/share/strongswan/templates/config/plugins/pkcs11.conf usr/share/strongswan/templates/config/plugins/sqlite.conf usr/share/strongswan/templates/config/plugins/test-vectors.conf usr/share/strongswan/templates/config/plugins/unbound.conf usr/share/strongswan/templates/database/sql/mysql.sql usr/share/strongswan/templates/database/sql/sqlite.sql +etc/strongswan.d/charon/bliss.conf etc/strongswan.d/charon/ccm.conf etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/ctr.conf etc/strongswan.d/charon/curl.conf etc/strongswan.d/charon/gcrypt.conf etc/strongswan.d/charon/ldap.conf +etc/strongswan.d/charon/mgf1.conf etc/strongswan.d/charon/mysql.conf +etc/strongswan.d/charon/ntru.conf 
etc/strongswan.d/charon/pkcs11.conf etc/strongswan.d/charon/sqlite.conf etc/strongswan.d/charon/test-vectors.conf etc/strongswan.d/charon/unbound.conf +# support libs +usr/lib/ipsec/libnttfft.so* diff --git a/debian/rules b/debian/rules index 08c8aa09..d99b21c6 100755 --- a/debian/rules +++ b/debian/rules @@ -7,6 +7,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-addrblock \ --enable-agent \ --enable-attr-sql \ + --enable-bliss \ --enable-ccm \ --enable-certexpire \ --enable-cmd \ @@ -32,6 +33,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-lookip \ --enable-mediation \ --enable-mysql \ + --enable-ntru \ --enable-openssl \ --enable-pkcs11 \ --enable-sqlite \ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 385
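Review bot: in the debian/control hunk the wrapped bliss entry is `+ - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer` followed by `+signature scheme)` with no leading space on the second added line. Every continuation line of a Description field must begin with a space; as shown, the second line would end the field and make the control file unparsable (if the listing merely lost the space, verify against the actual patch). Indent it by one space like the other plugin lines. Separately, the `# support libs` entry `usr/lib/ipsec/libnttfft.so*` installs a shared library into the plugins package through a glob; since it lives under usr/lib/ipsec rather than a public library path, confirm dh_makeshlibs and dh_shlibdeps treat it as private so that no shlibs entry is generated and the glob does not silently absorb a future soname change.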
Bug#718302: strongswan: Enable sqlite and mysql plugins
f +etc/strongswan.d/pool.conf etc/strongswan.d/tnc.conf etc/strongswan.d/charon/addrblock.conf +etc/strongswan.d/charon/attr-sql.conf etc/strongswan.d/charon/certexpire.conf etc/strongswan.d/charon/dnscert.conf etc/strongswan.d/charon/eap-*.conf @@ -56,4 +61,5 @@ usr/lib/ipsec/libtpmtss.so* # binaries usr/lib/ipsec/error-notify usr/lib/ipsec/lookip +usr/lib/ipsec/pool usr/lib/ipsec/pt-tls-client diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install index b922ea3b..e5f8baac 100644 --- a/debian/libstrongswan-extra-plugins.install +++ b/debian/libstrongswan-extra-plugins.install @@ -5,7 +5,9 @@ usr/lib/ipsec/plugins/libstrongswan-ctr.so usr/lib/ipsec/plugins/libstrongswan-curl.so usr/lib/ipsec/plugins/libstrongswan-gcrypt.so usr/lib/ipsec/plugins/libstrongswan-ldap.so +usr/lib/ipsec/plugins/libstrongswan-mysql.so usr/lib/ipsec/plugins/libstrongswan-pkcs11.so +usr/lib/ipsec/plugins/libstrongswan-sqlite.so usr/lib/ipsec/plugins/libstrongswan-test-vectors.so usr/lib/ipsec/plugins/libstrongswan-unbound.so # default configuration files 
@@ -15,15 +17,21 @@ usr/share/strongswan/templates/config/plugins/ctr.conf usr/share/strongswan/templates/config/plugins/curl.conf usr/share/strongswan/templates/config/plugins/gcrypt.conf usr/share/strongswan/templates/config/plugins/ldap.conf +usr/share/strongswan/templates/config/plugins/mysql.conf usr/share/strongswan/templates/config/plugins/pkcs11.conf +usr/share/strongswan/templates/config/plugins/sqlite.conf usr/share/strongswan/templates/config/plugins/test-vectors.conf usr/share/strongswan/templates/config/plugins/unbound.conf +usr/share/strongswan/templates/database/sql/mysql.sql +usr/share/strongswan/templates/database/sql/sqlite.sql etc/strongswan.d/charon/ccm.conf etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/ctr.conf etc/strongswan.d/charon/curl.conf etc/strongswan.d/charon/gcrypt.conf etc/strongswan.d/charon/ldap.conf +etc/strongswan.d/charon/mysql.conf etc/strongswan.d/charon/pkcs11.conf +etc/strongswan.d/charon/sqlite.conf etc/strongswan.d/charon/test-vectors.conf etc/strongswan.d/charon/unbound.conf diff --git a/debian/rules b/debian/rules index e687018a..08c8aa09 100755 --- a/debian/rules +++ b/debian/rules @@ -6,6 +6,7 @@ export DEB_BUILD_MAINT_OPTIONS=hardening=+all CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-addrblock \ --enable-agent \ + --enable-attr-sql \ --enable-ccm \ --enable-certexpire \ --enable-cmd \ @@ -30,8 +31,10 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-led \ --enable-lookip \ --enable-mediation \ + --enable-mysql \ --enable-openssl \ --enable-pkcs11 \ + --enable-sqlite \ --enable-test-vectors \ --enable-unbound \ --enable-unity \ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
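Review bot: the debian/rules hunk adds `--enable-attr-sql`, `--enable-mysql` and `--enable-sqlite`, and the plugin descriptions in this series call them "based on libmysqlclient" and "based on libsqlite3", yet no debian/control hunk adding the matching -dev Build-Depends is visible in this patch; without them the configure checks for those backends fail in a clean build chroot. Also, the first hunk (which begins mid-file in this listing) adds `pool.conf` and the `usr/lib/ipsec/pool` binary to an .install file other than libstrongswan-extra-plugins.install, so state which binary package gains the `pool` tool.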
Bug#718298: [PATCH] Enable dnscert, ipseckey, and unbound plugins (closes #718298)
nfig/plugins/cmac.conf @@ -16,6 +17,7 @@ usr/share/strongswan/templates/config/plugins/gcrypt.conf usr/share/strongswan/templates/config/plugins/ldap.conf usr/share/strongswan/templates/config/plugins/pkcs11.conf usr/share/strongswan/templates/config/plugins/test-vectors.conf +usr/share/strongswan/templates/config/plugins/unbound.conf etc/strongswan.d/charon/ccm.conf etc/strongswan.d/charon/cmac.conf etc/strongswan.d/charon/ctr.conf @@ -24,3 +26,4 @@ etc/strongswan.d/charon/gcrypt.conf etc/strongswan.d/charon/ldap.conf etc/strongswan.d/charon/pkcs11.conf etc/strongswan.d/charon/test-vectors.conf +etc/strongswan.d/charon/unbound.conf diff --git a/debian/rules b/debian/rules index ad984684..e687018a 100755 --- a/debian/rules +++ b/debian/rules @@ -11,6 +11,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-cmd \ --enable-ctr \ --enable-curl \ + --enable-dnscert \ --enable-eap-aka \ --enable-eap-gtc \ --enable-eap-identity \ @@ -24,6 +25,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-gcm \ --enable-gcrypt \ --enable-ha \ + --enable-ipseckey \ --enable-ldap \ --enable-led \ --enable-lookip \ @@ -31,6 +33,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-openssl \ --enable-pkcs11 \ --enable-test-vectors \ + --enable-unbound \ --enable-unity \ --enable-xauth-eap \ --enable-xauth-pam \ -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
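Review bot: `--enable-dnscert`, `--enable-ipseckey` and `--enable-unbound` are added in debian/rules and unbound.conf is installed, but no debian/control hunk adding a Build-Depends on the development library the unbound plugin links against is visible here, and there is no debian/changelog hunk even though the subject says "closes #718298"; add both so the build succeeds in a clean chroot and the bug is actually closed on upload.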
Bug#858735: thunderbird: After migration Thunderbird fails to start due to AppArmor denials in ~/.icedove
On Sun, Mar 26 2017, Carsten Schoenert wrote:
> On Sat, Mar 25, 2017 at 12:34:04PM -0700, Gerald Turner wrote:
>> * The kernel logged many AppArmor denials, mainly for the lockfile
>> in ~/.icedove (but also some peculiar PCI device access, log
>> attached).
>
> This happens because the AppArmor profile is only allowing access to
> $HOME/.thunderbird/* and the real user profile is still using
> ~/.icedove. Matthias reported the same issue with a probable solution
> in #858737. I changed the profile with the adoptions Matthias is
> suggesting. Can you please test the new profile?

The new AppArmor profile works - I restored the .icedove directory and .thunderbird symlink, overwrote /etc/apparmor.d/usr.bin.thunderbird with your attachment, reloaded apparmor, started thunderbird - runs fine.

Note however there are still those two /sys PCI device access denials mentioned earlier. The device Thunderbird is trying to access happens to be my video card. Previous icedove packages probably did the same thing but I had never noticed. Nevertheless Thunderbird works fine (and it's probably a good thing that its WebGL-init or whatever is failing).

-- Gerald Turner <gtur...@unzane.com> Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
signature.asc Description: PGP signature
Bug#858735: thunderbird: After migration Thunderbird fails to start due to AppArmor denials in ~/.icedove
Package: thunderbird
Version: 1:45.8.0-2
Severity: normal

Dear Maintainer,

On a laptop running Debian stretch, the following sequence of events occurred:

* Upgraded icedove package from 1:45.6.0-2 to 1:45.8.0-2
* Launched Thunderbird for the first time after package upgrade (log attached).
* Migration completed successfully after a few minutes (lots of disk I/O from 'find' subprocesses)
* Then a window popped up saying "Thunderbird is already running, but is not responding" (screenshot attached).
* The kernel logged many AppArmor denials, mainly for the lockfile in ~/.icedove (but also some peculiar PCI device access, log attached).

I resolved the problem by executing:

$ rm .thunderbird
$ mv .icedove .thunderbird

I suggest appending a message within the migration zenity popup message or in README.Debian.gz that reads something like:

Users of AppArmor will need to manually delete the ~/.thunderbird symlink and move ~/.icedove to ~/.thunderbird due to the AppArmor policy installed by Thunderbird having prohibited access to the old directory.

I thought about coming up with a little bit of automation, perhaps conditionally appending the above message, but there doesn't seem to be any good way to detect AppArmor, for instance "/usr/sbin/aa-status --enabled" fails unless run as root.

BTW, I'm having a frustrating time post-migration: My profile is 49GB, Thunderbird decided it needs to re-download all that mail, and it has also forgotten my per-folder "Sort By > Threaded" preference, that I'll have to re-click hundreds of times, but only after waiting a few days for that 49GB to be synchronized so that the UI is less frozen. I have two other installations of Thunderbird that will likely face the same fate.
-- System Information: Debian Release: 9.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages thunderbird depends on: ii debianutils 4.8.1 ii fontconfig2.11.0-6.7+b1 ii libasound21.1.3-5 ii libatk1.0-0 2.22.0-1 ii libc6 2.24-9 ii libcairo2 1.14.8-1 ii libdbus-1-3 1.10.16-1 ii libdbus-glib-1-2 0.108-2 ii libevent-2.0-52.0.21-stable-3 ii libffi6 3.2.1-6 ii libfontconfig12.11.0-6.7+b1 ii libfreetype6 2.6.3-3+b2 ii libgcc1 1:6.3.0-10 ii libgdk-pixbuf2.0-02.36.5-2 ii libglib2.0-0 2.50.3-1 ii libgtk2.0-0 2.24.31-2 ii libhunspell-1.4-0 1.4.1-2+b2 ii libicu57 57.1-5 ii libnspr4 2:4.12-6 ii libnss3 2:3.26.2-1 ii libpango-1.0-01.40.4-1 ii libpangocairo-1.0-0 1.40.4-1 ii libpangoft2-1.0-0 1.40.4-1 ii libpixman-1-0 0.34.0-1 ii libsqlite3-0 3.16.2-3 ii libstartup-notification0 0.12-4+b2 ii libstdc++66.3.0-10 ii libvpx4 1.6.1-2 ii libx11-6 2:1.6.4-3 ii libxcomposite11:0.4.4-2 ii libxdamage1 1:1.1.4-2+b3 ii libxext6 2:1.3.3-1+b2 ii libxfixes31:5.0.3-1 ii libxrender1 1:0.9.10-1 ii libxt61:1.1.5-1 ii psmisc22.21-2.1+b2 ii x11-utils 7.7+3+b1 ii zlib1g1:1.2.8.dfsg-5 Versions of packages thunderbird recommends: ii hunspell-en-us [hunspell-dictionary] 20070829-7 ii lightning 1:45.8.0-2 Versions of packages thunderbird suggests: ii apparmor 2.11.0-2 ii fonts-lyx 2.2.2-1 ii libgssapi-krb5-2 1.15-1 -- no debconf information -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D # Output from running "thunderbird --verbose" for the first time prior to # .icedove migration INFO -> [[ ... using verbose mode ... 
]] DEBUG -> found folder '/home/gturner/.icedove' DEBUG -> not found folder or symlink '/home/gturner/.thunderbird' DEBUG -> Start Thunderbird profile adoptions, please be patient! Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged. DEBUG -> Try to symlink '/home/gturner/.thunderbird' to '/home/gturner/.icedove' DEBUG -> Success! # Migration stalled for several minutes at this point, heavy disk I/O with # "find" subprocess... INFO -> No fix up for /home/gturner/.thunderbird/default/mimeTypes.rdf needed. DEBUG -> No migration mark '/home/gturner/.thunderbird/.migrated' found, checking mimeap
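To triage denials like the ones this report and the follow-up above describe, here is an added example (not from the bug report, the thunderbird package or its AppArmor profile) that parses AppArmor audit records out of kernel log lines, groups the DENIED ones by profile, operation and path, and applies the report's own heuristic: denials under the old ~/.icedove directory with none under ~/.thunderbird point at a policy that only allows the new path. The log lines are constructed to resemble the denials described, they are not the reporter's attachment, and the PCI sysfs path is made up.

```python
"""Summarise AppArmor DENIED records from the kernel log.  Added example, not
code from the bug report or the thunderbird package.  SAMPLE_KERNEL_LOG is
constructed to look like the denials the report describes (the ~/.icedove lock
file and a /sys PCI device path); it is not the reporter's attached log."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_KERNEL_LOG = [
    'audit: type=1400 audit(1490460000.101:51): apparmor="DENIED" operation="open" '
    'profile="thunderbird" name="/home/gturner/.icedove/default/lock" pid=4242 '
    'comm="thunderbird" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1490460000.102:52): apparmor="DENIED" operation="file_lock" '
    'profile="thunderbird" name="/home/gturner/.icedove/default/lock" pid=4242 '
    'comm="thunderbird" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1490460000.250:53): apparmor="DENIED" operation="open" '
    'profile="thunderbird" name="/sys/devices/pci0000:00/0000:00:02.0/vendor" pid=4242 '
    'comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'audit: type=1400 audit(1490460000.251:54): apparmor="DENIED" operation="open" '
    'profile="thunderbird" name="/sys/devices/pci0000:00/0000:00:02.0/device" pid=4242 '
    'comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # A complain-mode record: logged but not blocked, so it must not be counted.
    'audit: type=1400 audit(1490460000.300:55): apparmor="ALLOWED" operation="open" '
    'profile="thunderbird" name="/home/gturner/.thunderbird/default/prefs.js" pid=4242 '
    'comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

DenialKey = Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor audit record, or None for
    any other kernel log line."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}


def denied_paths(lines: List[str]) -> "Counter[DenialKey]":
    """Count DENIED records keyed by (profile, operation, path, denied_mask)."""
    counts: "Counter[DenialKey]" = Counter()
    for line in lines:
        rec = parse_apparmor_line(line)
        if rec and rec.get("apparmor") == "DENIED":
            key = (rec.get("profile"), rec.get("operation"),
                   rec.get("name"), rec.get("denied_mask"))
            counts[key] += 1
    return counts


def denied_under(lines: List[str], prefix: str) -> List[str]:
    """Distinct denied paths below a directory prefix, sorted."""
    return sorted({path for (_, _, path, _) in denied_paths(lines)
                   if path and path.startswith(prefix)})


def is_profile_conflict(lines: List[str], old_dir: str, new_dir: str) -> bool:
    """The report's heuristic: denials under the old profile directory and none
    under the new one mean the policy only allows the new location."""
    return bool(denied_under(lines, old_dir)) and not denied_under(lines, new_dir)


if __name__ == "__main__":
    for key, n in denied_paths(SAMPLE_KERNEL_LOG).items():
        print(n, key)
    print("old-dir conflict:", is_profile_conflict(
        SAMPLE_KERNEL_LOG, "/home/gturner/.icedove", "/home/gturner/.thunderbird"))
```

Run it against `journalctl -k` output on a real system; the grouped view makes the lock-file denials stand out from the unrelated sysfs reads the follow-up mentions, which deserve a separate look rather than a blanket allow rule.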
Bug#856474: stap: include runtime_defines.h not found
I modified systemtap buildrun.cxx so that the Makefile it produces during Pass 3 doesn't have quotes around the include path, i.e.:

Before: EXTRA_CFLAGS += -I"/usr/share/systemtap/runtime"
After: EXTRA_CFLAGS += -I/usr/share/systemtap/runtime

Then stap works fine against the Debian kernel, running 4.10-1~exp1 at the moment.

I cannot fathom how Debian's linux-headers packages would affect this argument, but for the record, here's systemtap running gcc in Pass 3, elided:

gcc-6 ... -I/usr/src/linux-headers-4.10.0-trunk-common/"/usr/share/systemtap/runtime" ...

And with buildrun.cxx modified so that quotations are removed from the Makefile:

gcc-6 ... -I/usr/share/systemtap/runtime ...

How is /usr/src/linux-headers-4.10.0-trunk-common/ getting interpolated into that path argument? Attached is a Makefile produced by stap - maybe somebody could guess why that interpolation occurs at line 125?

Apologies if I'm adding more noise than signal to the bug report. Frank Ch. Eigler already addressed the quotation issue earlier in this bug report.

-- Gerald Turner <gtur...@unzane.com> Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

--- systemtap-3.1.orig/buildrun.cxx +++ systemtap-3.1/buildrun.cxx 
@@ -495,7 +495,7 @@ compile_pass (systemtap_session& s) #if CHECK_POINTER_ARITH_PR5947 o << "EXTRA_CFLAGS += -Wpointer-arith" << endl; #endif - o << "EXTRA_CFLAGS += -I\"" << s.runtime_path << "\"" << endl; + o << "EXTRA_CFLAGS += -I" << s.runtime_path << endl; // XXX: this may help ppc toc overflow // o << "CFLAGS := $(subst -Os,-O2,$(CFLAGS)) -fminimal-toc" << endl; o << "obj-m := " << s.module_name << ".o" << endl; _KBUILD_CFLAGS := $(call flags,KBUILD_CFLAGS) stap_check_gcc = $(shell set -x; if $(CC) $(1) -S -o /dev/null -xc /dev/null > /dev/null 2>&1; then echo "$(1)"; else echo "$(2)"; fi) CHECK_BUILD := $(CC) $(NOSTDINC_FLAGS) $(KBUILD_CPPFLAGS) $(CPPFLAGS) $(LINUXINCLUDE) $(_KBUILD_CFLAGS) $(CFLAGS_KERNEL) $(EXTRA_CFLAGS) $(CFLAGS) -DKBUILD_BASENAME=\"stap_1008\" -Werror -S -o /dev/null -xc stap_check_build = $(shell set -x; if $(CHECK_BUILD) $(1) > /dev/null 2>&1 ; then echo "$(2)"; else echo "$(3)"; fi) SYSTEMTAP_RUNTIME = "/usr/share/systemtap/runtime" CONFIG_MODULE_SIG := n EXTRA_CFLAGS := EXTRA_CFLAGS += -Iinclude2/asm/mach-default EXTRA_CFLAGS += -I/lib/modules/4.10.0-trunk-amd64/build STAPCONF_HEADER := /tmp/stapmZGYID/stapconf_0c48b85f89be3e4d6b5ccca7b814cb38_755.h $(STAPCONF_HEADER): @> $@ if $(CHECK_BUILD) $(SYSTEMTAP_RUNTIME)/linux/autoconf-hrtimer-rel.c > /dev/null 2>&1; then echo "#define STAPCONF_HRTIMER_REL 1"; fi >> $@ >> $@ if $(CHECK_BUILD) $(SYSTEMTAP_RUNTIME)/linux/autoconf-generated-compile.c > /dev/null 2>&1; then echo "#define STAPCONF_GENERATED_COMPILE 1"; fi >> $@ if $(CHECK_BUILD) $(SYSTEMTAP_RUNTIME)/linux/autoconf-hrtimer-getset-expires.c > /dev/null 2>&1; then echo "#define STAPCONF_HRTIMER_GETSET_EXPIRES 1"; fi >> $@ if $(CHECK_BUILD) $(SYSTEMTAP_RUNTIME)/linux/autoconf-inode-private.c > /dev/null 2>&1; then echo "#define STAPCONF_INODE_PRIVATE 1"; fi >> $@ if $(CHECK_BUILD) $(SYSTEMTAP_RUNTIME)/linux/autoconf-inode-rwsem.c > /dev/null 2>&1; then echo "#define STAPCONF_INODE_RWSEM 1"; fi >> $@ if $(CHECK_BUILD) 
$(SYSTEMTAP_RUNTIME)/linux/autoconf-constant-tsc.c > /dev/null 2>&1; then echo "#define STAPCONF_CONSTANT_TSC 1"; fi >> $@ if $(CHECK_BUILD) $(SYSTEMTAP_RUNTIME)/linux/autoconf-ktime-get-real.c > /dev/null 2>&1; then echo "#define STAPCONF_KTIME_GET_REAL 1"; fi >> $@ if $(CHECK_BUILD) $(SYSTEMTAP_RUNTIME)/linux/autoconf-x86-uniregs.c > /dev/null 2>&1; then echo "#define STAPCONF_X86_UNIREGS 1"; fi >> $@ if $(CHECK_BUILD) $(SYSTEMTAP_RUNTIME)/linux/autoconf-nameidata.c > /dev/null 2>&1; then echo "#define STAPCONF_NAMEIDATA_CLEANUP 1"; fi >> $@ echo "#define STAPCONF_UNREGISTER_KPROBES 1">> $@ if $(CHECK_BUILD) $(SYSTEMTAP_RUNTIME)/linux/autoconf-kprobe-symbol-name.c > /dev/null 2>&1; then echo "#define STAPCONF_KPROBE_SYMBOL_NAME 1"; fi >> $@ if $(CHECK_BUILD) $(SYSTEMTAP_RUNTIME)/linux/autoconf-real-parent.c > /dev/null 2>&1; then echo "#define STAPCONF_REAL_PARENT 1"; fi >> $@ if $(CHECK_BUILD) $(SYSTEMTAP_RUNTIME)/linux/autoconf-uaccess.c > /
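Review bot: removing the double quotes outright (`o << "EXTRA_CFLAGS += -I" << s.runtime_path << endl;`) reintroduces what they guarded against: a `runtime_path` containing a space or a Make-special character now produces a broken Makefile line. The gcc invocation quoted in the message shows the real mechanism: with the quotes the Make word is `-I"/usr/share/...`, which does not begin with the literal `-I/` that Kbuild's include rewriting tests for (the attached Makefile's `_KBUILD_CFLAGS := $(call flags,KBUILD_CFLAGS)` is that same `flags` helper), so `$(srctree)/` is prefixed before the shell ever strips the quotes. A safer fix is to emit the path unquoted only when it contains no whitespace or Make metacharacters, and otherwise escape those characters individually; the patch should also be checked against Frank Ch. Eigler's earlier change on this bug so the two do not diverge.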
Bug#856474: stap: include runtime_defines.h not found
FWIW, I attempted to kludge around the mangled include argument by running stap with "-B 'EXTRA_CFLAGS += -I/usr/share/systemtap/runtime'". This seems to work around the compilation failure of missing runtime_defines.h in the include path, however compilation then fails due to what appears to be API changes in Linux kernel 4.9. For example:

In file included from /usr/share/systemtap/runtime/linux/runtime.h:209:0,
from /usr/share/systemtap/runtime/runtime.h:26,
from /tmp/stapqySw7o/stap_6ed5af627765aaab098e97da6b2931f0_2608_src.c:25:
/usr/share/systemtap/runtime/linux/access_process_vm.h:50:13: error: too many arguments to function ‘get_user_pages’
ret = get_user_pages (tsk, mm, addr, 1, write, 1, , );
^~

The prototype changed in Linux 4.9:

long get_user_pages(unsigned long start, unsigned long nr_pages, int write, int force, struct page **pages, struct vm_area_struct **vmas);

It looks like systemtap 3.1 is expecting the prototype in Linux versions prior to 4.6:

long get_user_pages(struct task_struct *tsk, struct mm_struct *mm, unsigned long start, unsigned long nr_pages, int write, int force, struct page **pages, struct vm_area_struct **vmas);

Log of systemtap 3.1 attached.

-- Gerald Turner <gtur...@unzane.com> Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

# stap -v -B 'EXTRA_CFLAGS += -I/usr/share/systemtap/runtime' -e 'probe vfs.read {printf("read performed\n"); exit()}'
Pass 1: parsed user script and 465 library scripts using 113944virt/46692res/6452shr/40600data kb, in 110usr/20sys/132real ms. 
WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man 
warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DWARF information found [man warning::debuginfo] WARNING: cannot find module /root/.systemtap/cache/a5/typequery_a5e864b17cd7d295a3825fb1ec09b900_785.ko debuginfo: No DW
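Both systemtap messages above hinge on the same mangled `-I` argument. As an added example (not from systemtap, the kernel build system or the bug report), the following models how Kbuild rewrites `-I` words in EXTRA_CFLAGS. It mirrors the `addtree` and `flags` helpers of the kernel's scripts/Kbuild.include as I understand them; the rule that only `-I/`, `-I./` and `-I../` escape prefixing is an assumption about that file, while the Makefile attached to the first message does call `$(call flags,KBUILD_CFLAGS)`. The model shows that a double quote after `-I` hides the leading slash, so Make prefixes `$(srctree)` before the shell strips the quotes. The srctree value is the one visible in the reported gcc line.

```python
"""Model of Kbuild's -I rewriting, to show why a quoted absolute include path
comes out prefixed with the kernel headers directory.  Added example, not code
from systemtap or the kernel; it mirrors Kbuild.include's addtree/flags helpers
as I understand them (the exact prefix list is an assumption about that file)."""
import shlex
from typing import List

# Headers directory seen in the gcc line quoted in the bug report.
SRCTREE = "/usr/src/linux-headers-4.10.0-trunk-common"


def addtree(flag: str, srctree: str = SRCTREE) -> str:
    """Kbuild's addtree: a -I path that does not start with /, ./ or ../ is
    taken as relative to the source tree and gets $(srctree)/ prepended.
    Make compares text only, so a leading double quote masks the slash."""
    path = flag[2:]
    if not path:
        return ""                       # a bare "-I" is dropped by Kbuild
    if path.startswith(("/", "./", "../")):
        return flag                     # absolute or explicitly relative: untouched
    return f"-I{srctree}/{path}"        # anything else is rooted at srctree


def kbuild_flags(extra_cflags: List[str], srctree: str = SRCTREE) -> List[str]:
    """Kbuild's flags(): apply addtree to every -I word, leave other words alone."""
    out = []
    for word in extra_cflags:
        rewritten = addtree(word, srctree) if word.startswith("-I") else word
        if rewritten:
            out.append(rewritten)
    return out


def resolved_include_dirs(extra_cflags: List[str], srctree: str = SRCTREE) -> List[str]:
    """The directories the compiler finally searches.  Quotes survive Make and
    are removed by the shell, i.e. only after Kbuild has rewritten the flag."""
    dirs = []
    for word in kbuild_flags(extra_cflags, srctree):
        if word.startswith("-I"):
            dirs.append("".join(shlex.split(word[2:])))
    return dirs


if __name__ == "__main__":
    for flags in (['-I"/usr/share/systemtap/runtime"'], ["-I/usr/share/systemtap/runtime"]):
        print(flags, "->", kbuild_flags(flags), "->", resolved_include_dirs(flags))
```

The first run reproduces the gcc argument from the report; the resolved directory it yields does not exist, which is exactly why runtime_defines.h is not found, while the unquoted form passes through untouched.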
Bug#835268: hashrat: Please enable support for filesystem Extended Attributes
Package: hashrat Version: 1.8.1-2 Severity: wishlist Tags: patch Dear Maintainer, The configure script needs --enable-xattr in order to gain support for filesystem Extended Attributes. Attached is a patch which updates debian/rules to do just that. I'm uncertain whether compiling xattr is Linux-only, perhaps this change would cause FTBFS on other kernels, however a comment in configure describes this option being used on IRIX, so I'm guessing it's portable. Thanks! -- System Information: Debian Release: stretch/sid APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing'), (50, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages hashrat depends on: ii libc6 2.23-4 hashrat recommends no packages. hashrat suggests no packages. -- no debconf information -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D From 38434efe217b9e878b5f0378600e1d9cdcee47cb Mon Sep 17 00:00:00 2001 From: Gerald Turner <gtur...@unzane.com> Date: Tue, 23 Aug 2016 16:39:42 -0700 Subject: [PATCH] Configure with --enable-xattr, enabling filesystem Extended Attributes support. --- debian/rules | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/rules b/debian/rules index 6e24fef..46833af 100755 --- a/debian/rules +++ b/debian/rules @@ -6,5 +6,8 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all %: dh $@ --with autoreconf +override_dh_auto_configure: + dh_auto_configure -- --enable-xattr + # Disable the tests temporarily. override_dh_auto_test: -- 2.8.1 signature.asc Description: PGP signature
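Review bot: the `override_dh_auto_configure` target passes `--enable-xattr` unconditionally, while the report itself is unsure whether xattr support builds on non-Linux kernels. Gate it so a kFreeBSD or Hurd build cannot FTBFS on this change: add `include /usr/share/dpkg/architecture.mk` near the top of debian/rules and wrap the override in `ifeq ($(DEB_HOST_ARCH_OS),linux)` with a plain `dh_auto_configure` in the else branch. Also, the hunk sits just above the still-empty `override_dh_auto_test:` target, so the new xattr code path gets no build-time test coverage; worth a note in the changelog or a follow-up.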
Bug#832074: networking.service: Start operation timed out
On Fri, Jul 22 2016, Guus Sliepen wrote: > On Thu, Jul 21, 2016 at 06:43:15PM -0700, Gerald Turner wrote: >> I have a Linux router running jessie that has four ethernet ports and >> a pair of ath9k radios. >> >> Three of the ethernet interfaces (eth0, eth1, eth2) are statically >> configured LAN ports. The fourth ethernet interface (eth3) is >> connected to an ISP via cable modem and uses DHCP¹. The two wlan >> interfaces are also configured statically and have hostapd running. > [...] >> My vague understanding is that wlan0/wlan1 don't have "carrier" until >> hostapd's take control. I believe this is what's causing ifupdown >> networking.service to timeout. > > Hm, I don't think that can be the problem. First, the carrier has > nothing to do with hotplugging. Hotplugging is when udev detects that > a device is added or removed. This should happen early at boot for > your radios. Second, you are doing static configuration of those > interfaces. That means ifupdown just executes the equivalent of the > ifconfig command. It doesn't wait for anything here. So this cannot > be the problem. Last, allow-hotplug interfaces are configured > asynchronously wrt. the normal boot process, so even if something > would hang here, it should not interfere with the boot process. > > If anything, ifupdown waits for dhclient on the eth3 interface to exit > before continuing. But according to your syslog it seems it got an IP > address just fine: > >> Jul 21 17:02:09 headboard ifup[2426]: DHCPREQUEST on eth3 to 255.255.255.255 >> port 67 >> Jul 21 17:02:09 headboard ifup[2426]: DHCPACK from 69.252.80.75 >> Jul 21 17:02:30 headboard systemd[1]: networking.service: Start operation >> timed out. Terminating. > > Maybe there is something in the backported ifupdown that doesn't > interact well with dhclient or something else from jessie. Could you > try removing "auto eth3" from /etc/network/interfaces and see if that > fixes the timeout? 
> If that doesn't change anything, try removing the
> "allow-hotplug" lines. That would at least narrow things down.

Yeah this is looking like a problem with ifupdown ↔ dhclient interaction. Removing "auto eth3" enabled networking.service to start without timeout. Using "allow-hotplug eth3" enabled networking.service to start without timeout, however network-online.target is reached too soon, so the brittle ordering of wide-dhcpv6-client and radvd is broken and various services have to be manually restarted.

Also note that networking.service times out during shutdown under any condition ("auto eth3", "allow-hotplug eth3", or manual ifup after boot), syslogs attached.

I noticed that the "DHCPACK from 69.252.80.75" doesn't match the address in "DHCPRELEASE to 76.96.95.6", however examining /var/lib/dhcp/dhclient.eth3.leases reveals that "option dhcp-server-identifier 76.96.95.6" so dhclient is probably just doing what it's told, however bizarre (crazy ISP).

>> P.S. I noticed there's an /lib/systemd/system/ifup@.service file
>> installed by ifupdown, however I don't see it used anywhere, no
>> documentation, and only found a few meaningless results about it on
>> the www. Would it be sensible to disable networking.service and
>> enable ifup@eth0 et al services (perhaps with After=hostapd for
>> ifup@wlan0/1)?
>
> I wouldn't disable networking.service, instead don't mark those
> interfaces auto then.

Okay, I discovered how ifup@.service are wired (spawned by ifupdown-hotplug).
On a tangent, now that I've taken Bob's suggestion to hook hostapd to the allow-hotplug wlan's, I get processes contained like:

/
├─system.slice
│ ├─ifup@wlan1.service
│ │ └─2477 /usr/sbin/hostapd -B -P /run/hostapd.wlan1.pid /etc/hostapd/hostapd-wlan1.conf

...but with either manual or "auto eth3" (with manual intervention after the timeout), dhclient resides in a user session:

/
└─user.slice
  └─user-1000.slice
    ├─user@1000.service
    │ └─init.scope
    │   ├─3660 /lib/systemd/systemd --user
    │   └─3700 (sd-pam)
    ├─session-2.scope
    │ └─4958 /sbin/dhclient -v -pf /run/dhclient.eth3.pid -lf /var/lib/dhcp/dhclient.eth3.leases -I -df /var/lib/dhcp/dhclient6.eth3.leases eth3

...which makes me wonder if dhclient would get killed by systemd if I hadn't already set up "loginctl enable-linger" on UID 1000.

-- Gerald Turner <gtur...@unzane.com> Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

Jul 23 08:47:50 headboard systemd[1]: Stopped target Network is Online.
Jul 23 08:47:50 headboard systemd[1]: Stopped target Network.
Jul 23 08:47:50 headboard systemd[1]: Stopping ifup for wlan
Bug#832074: networking.service: Start operation timed out
On Thu, Jul 21 2016, Bob Proulx wrote: > Note that I am not the maintainer but simply another user. Hi Bob. I lurk on debian-user, and thought about posting there rather than open this bug, either way - you came to the rescue, much appreciated! ;-) > Gerald Turner wrote: >> I have a Linux router running jessie that has four ethernet ports and >> a pair of ath9k radios. >> >> Three of the ethernet interfaces (eth0, eth1, eth2) are statically >> configured LAN ports. The fourth ethernet interface (eth3) is >> connected to an ISP via cable modem and uses DHCP¹. The two wlan >> interfaces are also configured statically and have hostapd running. > > It sounds like you and I have very similar environments. Therefore I > decided I would share what I am doing here. Since I am doing things > completely differently and it is working great for me. YMMV. Do you have the need for DHCPv6-PD from your ISP as well? I'd be interested in how your setup differs in that regard, offline from this BTS report. >> See attached /etc/network/interfaces and syslog files. > > One (trivial) comment is that you can simplify your config file by > using the more compact CIDR /23 netmask syntax rather than the full > line stating netmask 255.255.254.0 as needed many moons ago. > > auto eth0 > iface eth0 inet static > address 192.168.242.1/23 I like the CIDR notation and must have missed the memo so many moons ago, thanks! > Secondly I don't see where you are starting hostapd. Therefore I > assume you are starting it through systemd. In my case I am not using > systemd but am starting hostapd in an 'up' section of the interfaces > file. Here is a representative interfaces section. > > allow-hotplug wlan0 > iface wlan0 inet static > address 192.168.93.1/24 > hostapd /etc/hostapd/hostapd-wlan0.conf > up service isc-dhcp-server restart > > This way everything flows correctly in the correct order. The > interface is detected and the allow-hotplug invokes the event driven > flow. 
> (As opposed to the init drive flow of auto.) The hostapd is
> started via the hostapd configuration line. I have multiple radio
> interfaces and therefore multiple configuration files. (I could
> probably use /etc/hostapd/hostapd-$IFACE.conf using $IFACE but I
> rather like the plain version.) This is the ifupdown method described
> in the /usr/share/doc/hostapd/README.Debian file.

This is a great improvement, thanks again. I must have been systemd-happy when I built this router a few years back, ignored the hostapd README, and crafted my own unit file. Occasionally a radio crashes (in hardware, nothing detected in kernel/userspace), and I have to do this silly restart dance. Having the event-based flow reduces some of that.

> The interface being UP the dhcp server is restarted so that it binds
> to the now available interface. I am not sure that is needed these
> days, likely isn't, but at one time it was needed and not yet having
> had any reason to change the configuration I haven't tested not having
> it there.

I did some testing without hooking "up service isc-dhcp-server restart" and the DHCP server seems to work fine as wlan interfaces are ifdown/ifup'd, however the IPv6 side of things is very broken: radvd segfaults (I should probably open a separate bug); wide-dhcpv6-client on eth3 exits without any messages (and systemd thinks its LSB-based unit is still running); I've had these problems prior to the jessie-backports ifupdown upgrade, and they're outside the scope of this bug report, I'll deal with them separately.
Jul 23 11:20:41 headboard radvd[5255]: attempting to reread config file
Jul 23 11:20:41 headboard dhcpd[3635]: receive_packet failed on wlan1: Network is down
Jul 23 11:20:41 headboard radvd[5255]: no auto-selected prefix on interface wlan1, disabling advertisements
Jul 23 11:20:41 headboard radvd[5256]: Exiting, privsep_read_loop had readn return 0 bytes
Jul 23 11:20:41 headboard kernel: radvd[5255]: segfault at 24 ip 564a02c87e92 sp 7fff04587420 error 6 in radvd[564a02c83000+13000]
...
Jul 23 11:21:24 headboard dhcpd[3635]: DHCPREQUEST for 192.168.250.43 from fc:f8:ae:aa:bb:cc (p4xb3k) via wlan1

> You might consider something like this type of control flow. Reading
> through your trials and tribulations of chasing through the systemd
> dependencies makes me happy that I did not pursue that path.

If systemd-networkd had an option to disable its implicit DHCPv6 client, I'd probably still be hacking on getting networkd to work in this complex arrangement, however I am now realizing ifupdown really is the only solution, e.g. wide-dhcpv6-client already has the ifupdown hooks in place to dynamically configure interfaces (just need to figure out why the da
Bug#832074: networking.service: Start operation timed out
Package: ifupdown Version: 0.8.13~bpo8+1 Severity: normal Dear Maintainer, I have a Linux router running jessie that has four ethernet ports and a pair of ath9k radios. Three of the ethernet interfaces (eth0, eth1, eth2) are statically configured LAN ports. The fourth ethernet interface (eth3) is connected to an ISP via cable modem and uses DHCP¹. The two wlan interfaces are also configured statically and have hostapd running. Yesterday I upgraded to jessie-backports versions of ifupdown 0.8.13~bpo8+1 and systemd 230-7~bpo8+1, rebooted, and have been struggling for many hours to restore my network to sanity. Initially, after having prematurely given up on the timeout caused by networking.service, I switched to using systemd-networkd, however after many wasted hours combating a systemd anti-feature² which makes networkd incompatible with my ISP¹, I returned to ifupdown. However during that stint into systemd-networkd, I learned that systemd-networkd-wait-online times out unless I re-order dependencies so that the hostapd's are started earlier (network.target instead of network-online.target). My vague understanding is that wlan0/wlan1 don't have "carrier" until hostapd's take control. I believe this is what's causing ifupdown networking.service to timeout. So I found bug #831676³ and learned about auto vs. allow-hotplug, tried it, still times out. See attached /etc/network/interfaces and syslog files. P.S. I noticed there's an /lib/systemd/system/ifup@.service file installed by ifupdown, however I don't see it used anywhere, no documentation, and only found a few meaningless results about it on the www. Would it be sensible to disable networking.service and enable ifup@eth0 et al services (perhaps with After=hostapd for ifup@wlan0/1)? 
¹ The eth3 WAN connection is actually quite a bit more complicated than the simple DHCP(v4) stanza that is handled by ifupdown: I also have sysctl net.ipv6.conf.eth3.accept_ra=2, and wide-dhcpv6-client configured to perform DHCPv6 Prefix Delegation which gets a /60, and assigns a /64 to each of the other five interfaces, and then runs radvd. Feels like an ugly hack, but it's the only way to route Comcast IPv6 over several LAN's, and it's been working for years =)

² https://github.com/systemd/systemd/issues/1982#issuecomment-160343730

³ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831676#10

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.6.0-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ifupdown depends on:
ii adduser 3.113+nmu3
ii init-system-helpers 1.22
ii iproute2 3.16.0-2
ii libc6 2.19-18+deb8u4
ii lsb-base 4.1+Debian13+nmu1

Versions of packages ifupdown recommends:
ii isc-dhcp-client [dhcp-client] 4.3.1-6+deb8u2

Versions of packages ifupdown suggests:
pn ppp
pn rdnssd

-- no debconf information

-- Gerald Turner <gtur...@unzane.com> Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.242.1
    netmask 255.255.254.0

auto eth1
iface eth1 inet static
    address 192.168.244.1
    netmask 255.255.254.0

auto eth2
iface eth2 inet static
    address 192.168.246.1
    netmask 255.255.254.0

auto eth3
iface eth3 inet dhcp

allow-hotplug wlan0
iface wlan0 inet static
    address 192.168.248.1
    netmask 255.255.254.0

allow-hotplug wlan1
iface wlan1 inet static
    address 192.168.250.1
    netmask 255.255.254.0

Jul 21 17:01:59 headboard systemd[1]: Reached target Local File Systems.
Jul 21 17:01:59 headboard systemd[1]: Starting Create Volatile Files and Directories...
Jul 21 17:01:59 headboard systemd[1]: Starting Raise network interfaces...
Jul 21 17:01:59 headboard systemd[1]: Started ifup for wlan1.
Jul 21 17:01:59 headboard systemd[1]: Started ifup for wlan0.
Jul 21 17:01:59 headboard systemd[1]: Started Create Volatile Files and Directories.
Jul 21 17:01:59 headboard systemd[1]: Starting Update UTMP about System Boot/Shutdown...
Jul 21 17:01:59 headboard systemd[1]: Reached target System Time Synchronized.
Jul 21 17:01:59 headboard systemd[1]: Started Update UTMP about System Boot/Shutdown.
Jul 21 17:01:59 headboard kernel: IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Jul 21 17:01:59 headboard kernel: IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
Jul 21 17:02:00 headboard systemd[1]: Reloading.
Jul 21 17:02:00 headboard systemd[1]: Reloading.
Jul 21 17:02:00 headboard systemd[1]: Reloading.
Jul 21 17:02:00 headboard sh[2410]: wlan1=wlan1
Jul 21 17:02:00 headboard sh[2418]: wlan0=wlan0
Jul 21 17:02:00 headboard kernel: IPv6: ADDRCONF(NETDEV
Bug#822802: postfix: chroot installation of smtp_tls_CAfile has been broken since jessie
Package: postfix Version: 2.11.3-1 Severity: normal Tags: patch

Dear Maintainer,

I have been using the postfix package on mail servers since squeeze and upgraded through wheezy and jessie when they were released. Today I found a problem with /var/spool/postfix/etc/ssl/certs/ca-certificates.crt being severely out-of-date, in fact the file has a timestamp of the last time postfix had been restarted when the servers were running wheezy, April 2013.

This bug does not seem severe since STARTTLS is opportunistic, unverified, and MitM-friendly, therefore it does not matter much that the copy of the Debian CA certificates bundle is three years old. However in my case, I was enabling postfix LDAP TLS server certificate verification, and was struggling with obtuse error messages from postfix for hours until realizing the LDAP TLS server certificate is signed by a CA that is newer than what was in the wheezy-era ca-certificates bundle found in the postfix chroot.

Attached is a patch which fixes the init.d script to copy smtp_tls_CAfile to the correct destination. It appears that the bug exists in stretch/sid, however I have not tested the patch on any version other than 2.11.3-1.

Thanks.
-- System Information: Debian Release: 8.4 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.4.0-0.bpo.1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages postfix depends on: ii adduser3.113+nmu3 ii cpio 2.11+dfsg-4.1+deb8u1 ii debconf [debconf-2.0] 1.5.56 ii dpkg 1.17.26 ii libc6 2.19-18+deb8u4 ii libdb5.3 5.3.28-9 ii libsasl2-2 2.1.26.dfsg1-13+deb8u1 ii libsqlite3-0 3.8.7.1-1+deb8u1 ii libssl1.0.01.0.1k-3+deb8u4 ii lsb-base 4.1+Debian13+nmu1 ii netbase5.3 ii ssl-cert 1.0.35 Versions of packages postfix recommends: ii python 2.7.9-1 Versions of packages postfix suggests: pn dovecot-common ii emacs24-nox [mail-reader] 24.5+1-6~bpo8+1 ii heirloom-mailx [mail-reader] 12.5-4 ii libsasl2-modules 2.1.26.dfsg1-13+deb8u1 pn postfix-cdb pn postfix-doc ii postfix-ldap 2.11.3-1 pn postfix-mysql pn postfix-pcre pn postfix-pgsql pn procmail pn resolvconf pn sasl2-bin pn ufw -- debconf information excluded -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D commit b6dd96146c4e4ade7fdb841d887b67f3ed66b4e6 Author: Gerald Turner <gtur...@unzane.com> Date: Tue Apr 26 13:39:16 2016 -0700 Correct destination directory when copying smtp_tls_CAfile to chroot diff --git a/debian/init.d b/debian/init.d index b2114ce..63b6389 100644 --- a/debian/init.d +++ b/debian/init.d @@ -128,9 +128,8 @@ configure_instance() { ;; *) if test -f "$ca_file"; then - dest_dir="$queue_dir/${ca_path#/}" - mkdir --parent "$dest_dir" - cp -L "$ca_file" "$dest_dir" + mkdir --parent "$queue_dir/${ca_file%/*}" + cp -L "$ca_file" "$queue_dir/${ca_file%/*}" fi ;; esac signature.asc Description: PGP signature
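Review bot: in the init.d hunk the destination `"$queue_dir/${ca_file%/*}"` is evaluated twice and, since $ca_file is absolute, yields a doubled slash (`/var/spool/postfix//etc/ssl/certs`); keep a single `dest_dir="$queue_dir/${ca_file%/*}"` (or strip the leading slash with `#/` as the removed line did) and use it for both mkdir and cp. The report also shows that the copy is refreshed only when the instance is (re)started, which is how the bundle went three years stale; that limitation is worth stating in the changelog or README so administrators know a ca-certificates update needs a postfix restart to reach the chroot.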
Bug#801897: TypeError: Request path contains unescaped characters
Control: reassign -1 node-tunnel-agent 0.3.1-1 On Fri, Mar 25 2016, Gerald Turner wrote: > Sorry that I haven't found a solution, but I believe I'm onto > something, an API incompatibility perhaps? Looks like nodejs changed their internal API almost three years ago (see attached diff) which was released as 0.11.4. Looks like tunnel-agent fixed this API inconsistency two years ago (see attached diff) which was eventually released in version 0.4.2 a few months ago. -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D commit 49519f121787d51394f00c871f854794e409bdda Author: isaacs <i...@izs.me> Date: Wed May 22 18:44:24 2013 -0700 http: Reuse more http/https Agent code diff --git a/lib/_http_agent.js b/lib/_http_agent.js index 20fa1b6..07e8f4c 100644 --- a/lib/_http_agent.js +++ b/lib/_http_agent.js @@ -24,6 +24,7 @@ var url = require('url'); var util = require('util'); var EventEmitter = require('events').EventEmitter; var ClientRequest = require('_http_client').ClientRequest; +var debug = util.debuglog('http'); // New Agent code. @@ -44,7 +45,12 @@ function Agent(options) { EventEmitter.call(this); var self = this; + + self.defaultPort = 80; + self.protocol = 'http:'; + self.options = util._extend({}, options); + // don't confuse net and make it think that we're connecting to a pipe self.options.path = null; self.requests = {}; @@ -54,11 +60,9 @@ function Agent(options) { self.keepAlive = self.options.keepAlive || false; self.maxSockets = self.options.maxSockets || Agent.defaultMaxSockets; - self.on('free', function(socket, host, port, localAddress) { -var name = host + ':' + port; -if (localAddress) { - name += ':' + localAddress; -} + self.on('free', function(socket, options) { +var name = self.getName(options); +debug('agent.on(free)', name); if (!socket.destroyed && self.requests[name] && self.requests[name].length) { 
@@ -103,18 +107,38 @@ exports.Agent = Agent; Agent.defaultMaxSockets = Infinity; Agent.prototype.createConnection = net.createConnection; -Agent.prototype.defaultPort = 80; -Agent.prototype.protocol = 'http:'; -Agent.prototype.addRequest = function(req, host, port, localAddress) { - var name = host + ':' + port; - if (localAddress) { -name += ':' + localAddress; - } + +// Get the key for a given set of request options +Agent.prototype.getName = function(options) { + var name = ''; + + if (options.host) +name += options.host; + else +name += 'localhost'; + + name += ':'; + if (options.port) +name += options.port; + name += ':'; + if (options.localAddress) +name += options.localAddress; + name += ':'; + return name; +}; + +Agent.prototype.addRequest = function(req, options) { + var host = options.host; + var port = options.port; + var localAddress = options.localAddress; + + var name = this.getName(options); if (!this.sockets[name]) { this.sockets[name] = []; } if (this.freeSockets[name] && this.freeSockets[name].length) { +debug('have free socket'); // we have a free socket, so use that. var socket = this.freeSockets[name].shift(); @@ -125,9 +149,11 @@ Agent.prototype.addRequest = function(req, host, port, localAddress) { socket.ref(); req.onSocket(socket); } else if (this.sockets[name].length < this.maxSockets) { +debug('call onSocket'); // If we are under maxSockets create a new one. -req.onSocket(this.createSocket(name, host, port, localAddress, req)); +req.onSocket(this.createSocket(req, options)); } else { +debug('wait for socket'); // We are over limit so we'll add it to the queue. if (!this.requests[name]) { this.requests[name] = []; 
@@ -136,14 +162,12 @@ Agent.prototype.addRequest = function(req, host, port, localAddress) { } }; -Agent.prototype.createSocket = function(name, host, port, localAddress, req) { +Agent.prototype.createSocket = function(req, options) { var self = this; - var options = util._extend({}, self.options); - options.port = port; - options.host = host; - options.localAddress = localAddress; + options = util._extend({}, options); + options = util._extend(options, self.options); - options.servername = host; + options.servername = options.host; if (req) { var hostHeader = req.getHeader('host'); if (hostHeader) { @@ -151,30 +175,36 @@ Agent.prototype.createSocket = function(name, host, port, localAddress, req) { } } + var name = self.getName(options); + + debug('createConnection', name, options); var s = self.createConnection(options); if (!self.sockets[name]) { self.sockets[name] = []; } this.sockets[name].push(s); + debug('sockets', name, this.sockets[name].length); function onFree() { -self.emit('free', s, host, port, localAddress); +self
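Review bot: changing `Agent.prototype.addRequest = function(req, host, port, localAddress)` to `function(req, options)` in the `@@ -103,18 +107,38 @@` hunk (and createSocket likewise in `@@ -136,14 +162,12 @@`) is an incompatible change for any third-party Agent that overrides these methods with the old positional signature, which is exactly what breaks tunnel-agent as described above: a host string passed by an old caller is now treated as an options object. Document it as a breaking change and consider a compatibility shim that accepts both forms while downstream agents migrate.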
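Review bot: in the createSocket hunk, `options = util._extend({}, options); options = util._extend(options, self.options);` applies the agent-wide options last, so any key present in self.options (including the `path = null` set in the constructor) overrides the per-request value, whereas the removed code started from self.options and set host/port/localAddress on top. If agent options are meant to be defaults rather than overrides, reverse the order; otherwise state the intended precedence in a comment.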
Bug#801897: TypeError: Request path contains unescaped characters
node-once 1.1.1-1 ii node-osenv0.1.0-1 ii node-read 1.0.5-1 ii node-read-package-json1.2.4-1 ii node-request 2.26.1-1 ii node-retry0.6.0-1 ii node-rimraf 2.2.8-1 ii node-semver 2.1.0-2 ii node-sha 1.2.3-1 ii node-slide1.1.4-1 ii node-tar 1.0.3-2 ii node-underscore 1.7.0~dfsg-1 ii node-which1.0.5-2 ii nodejs4.3.1~dfsg-3 npm recommends no packages. npm suggests no packages. -- no debconf information -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D signature.asc Description: PGP signature
Bug#804293: linux-image-4.2.0-1-amd64: Crash in ip6_datagram_connect
Apologies for my bug reporting style having turned into something like personal blog postings... I'm distressed about this bug. I'm worried that a dozen production machines that are currently running Debian stable with similar IPv6 + IPsec configuration will be affected once stretch is released. Therefore I'm trying my best to learn the tools and diagnose the bug. Any tips would be greatly appreciated.

On Wed, Nov 25 2015, Gerald Turner wrote:
> On Wed, Nov 25 2015, Gerald Turner wrote:
>> I suppose I'll restart bisection at last 'bad' and let the kernels
>> run for a day before issuing 'git bisect good'.
>
> I'm in the process of doing this, may take a week.

I took a week to re-perform bisection, this time booting twice and waiting for a day of uptime before issuing 'git bisect good'. Nevertheless the result was the exact same replay I copied two emails back. Nothing gained.

I then scrutinized the backtrace disassembly (three emails back). Panic occurs at the return from inline function rt6_get_cookie declared in ip6_fib.h. This function was introduced during 4.2 with merge c1a34035:

commit c1a34035506d3a7ad62403125d59c86b763c477d
Merge: 01b6961 d52d399
Author: David S. Miller <da...@davemloft.net>
Date: Mon May 25 13:25:35 2015 -0400

    Merge branch 'ipv6_route_sharing'

commit d52d3997f843ffefaa8d8462790ffcaca6c74192
Author: Martin KaFai Lau <ka...@fb.com>
Date: Fri May 22 20:56:06 2015 -0700

    ipv6: Create percpu rt6_info

commit 83a09abd1a8badbbb715f928d07c65ac47709c47
Author: Martin KaFai Lau <ka...@fb.com>
Date: Fri May 22 20:56:05 2015 -0700

    ipv6: Break up ip6_rt_copy()

commit 8d0b94afdca84598912347e61defa846a0988d04
Author: Martin KaFai Lau <ka...@fb.com>
Date: Fri May 22 20:56:04 2015 -0700

    ipv6: Keep track of DST_NOCACHE routes in case of iface down/unregister

commit 3da59bd94583d1239e4fbdee452265a160b9cd71
Author: Martin KaFai Lau <ka...@fb.com>
Date: Fri May 22 20:56:03 2015 -0700

    ipv6: Create RTF_CACHE clone when FLOWI_FLAG_KNOWN_NH is set

commit 48e8aa6e3137692d38f20e8bfff100e408c6bc53
Author: Martin KaFai Lau <ka...@fb.com>
Date: Fri May 22 20:56:02 2015 -0700

    ipv6: Set FLOWI_FLAG_KNOWN_NH at flowi6_flags

commit b197df4f0f3782782e9ea8996e91b65ae33e8dd9
Author: Martin KaFai Lau <ka...@fb.com>
Date: Fri May 22 20:56:01 2015 -0700

    ipv6: Add rt6_get_cookie() function

commit 45e4fd26683c9a5f88600d91b08a484f7f09226a
Author: Martin KaFai Lau <ka...@fb.com>
Date: Fri May 22 20:56:00 2015 -0700

    ipv6: Only create RTF_CACHE routes after encountering pmtu exception

commit 8b9df2657704dd31a79497dde429f9190caa
Author: Martin KaFai Lau <ka...@fb.com>
Date: Fri May 22 20:55:59 2015 -0700

    ipv6: Combine rt6_alloc_cow and rt6_alloc_clone

commit 2647a9b07032c5a95ddee1fcb65d95bddbc6b7f9
Author: Martin KaFai Lau <ka...@fb.com>
Date: Fri May 22 20:55:58 2015 -0700

    ipv6: Remove external dependency on rt6i_gateway and RTF_ANYCAST

commit fd0273d7939f2ce3247f6aac5f6b9a0135d4cd39
Author: Martin KaFai Lau <ka...@fb.com>
Date: Fri May 22 20:55:57 2015 -0700

    ipv6: Remove external dependency on rt6i_dst and rt6i_src

commit 286c2349f6665c3e67f464a5faa14a0e28be4842
Author: Martin KaFai Lau <ka...@fb.com>
Date: Fri May 22 20:55:56 2015 -0700

    ipv6: Clean up ipv6_select_ident() and ip6_fragment()

The following is all conjecture, but evidently with this merge the IPv6 routing cache gained some optimization, is now using per-CPU structures, and has relegated PMTU updates to a slower path. My IPv6 + IPsec environments have had their share of PMTU problems in the past (two of the three sites are behind 6in4 tunnels, all three sites have differing MTU's, used to get stalls, even on interactive SSH traffic, due to PMTU cache eviction/re-discovery). Also the crash occurs immediately after boot (or login for the desktop system), and I'm using systemd, highly concurrent, maybe a race with the per-CPU change? Also the "Merge: 01b6961 d52d399" line is vaguely interesting (to me anyway, because I'm a git newbie) because commit 01b6961 happens to be the same exotic driver as the _first bad commit_ from my bisect runs. Therefore I think I'm onto something...

I spent some time trying to build 4.2.6 with these commits reverted, unfortunately there are a few commits that came later that modify lines from this merge, so simply running 'git revert -m 1 c1a340355' is not possible. I eventually built a 4.2.6 kernel with the following commits reverted:

git revert 9c7370a1 # ipv6: Fix a potential deadlock when creating pcpu rt
git revert a73e4195 # ipv6: Add rt6_make_pcpu_route
git revert ad706862 # ipv6: Remove un-used argument from ip6_dst_alloc
git revert 87775312 # net-ipv6: Delete an unnecessary check before the function call "
Bug#804293: linux-image-4.2.0-1-amd64: Crash in ip6_datagram_connect
Control: tags -1 patch On Wed, Dec 02 2015, Gerald Turner wrote: > Sadly this too crashed, however at least it was a different crash! Oooh found it! This last oops I got after peeling off a few commits was reported in the kernel.org bug tracking system: https://bugzilla.kernel.org/show_bug.cgi?id=106611 Martin KaFai Lau responded saying that there are fixes in the 4.3 kernel: > There is a fix related to 8d0b94afdca84598912347e61defa846a0988d04 > in 4.2.5: > 58d772c ipv6: Don't call with rt6_uncached_list_flush_dev > > Also, there is a ipsec related fix for ipv6 which is currently in > 4.3: > ebfa45f ipv6: Move common init code for rt6_info to a new function > rt6_info_init() > 0a1f596 ipv6: Initialize rt6_info properly in > ip6_blackhole_route() > > Can you give 4.3 a try? Indeed. I built 4.2.6 with commits ebfa45f and 0a1f596 cherry picked. No more crashes! I must've been really lucky identifying the ipv6_route_sharing merge as being the culprit, or maybe I did something smart, but either way, I should've spent more time scouring bugzilla.k.o rather than burn ~20 hours bisecting and cargo-culting commits ;-) What's the likeliness that stretch will be released with a >=4.3 kernel, or that linux-stable will be updated with a 4.2.7 that cherry picks these patches? -- Gerald Turner <gtur...@unzane.com>Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D commit ebfa45f0d952e5e7bb30a7f9daaad681de138728 Author: Martin KaFai Lau <ka...@fb.com> Date: Thu Oct 15 16:39:57 2015 -0700 ipv6: Move common init code for rt6_info to a new function rt6_info_init() Introduce rt6_info_init() to do the common init work for 'struct rt6_info' (after calling dst_alloc). It is a prep work to fix the rt6_info init logic in the ip6_blackhole_route(). 
Signed-off-by: Martin KaFai Lau <ka...@fb.com> Cc: Hannes Frederic Sowa <han...@stressinduktion.org> Cc: Julian Anastasov <j...@ssi.bg> Cc: Phil Sutter <p...@nwl.cc> Cc: Steffen Klassert <steffen.klass...@secunet.com> Signed-off-by: David S. Miller <da...@davemloft.net> diff --git a/net/ipv6/route.c b/net/ipv6/route.c index ed04e29..4198017 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -319,6 +319,15 @@ static const struct rt6_info ip6_blk_hole_entry_template = { #endif +static void rt6_info_init(struct rt6_info *rt) +{ + struct dst_entry *dst = >dst; + + memset(dst + 1, 0, sizeof(*rt) - sizeof(*dst)); + INIT_LIST_HEAD(>rt6i_siblings); + INIT_LIST_HEAD(>rt6i_uncached); +} + /* allocate dst with ip6_dst_ops */ static struct rt6_info *__ip6_dst_alloc(struct net *net, struct net_device *dev, 
@@ -327,13 +336,9 @@ static struct rt6_info *__ip6_dst_alloc(struct net *net, struct rt6_info *rt = dst_alloc(>ipv6.ip6_dst_ops, dev, 0, DST_OBSOLETE_FORCE_CHK, flags); - if (rt) { - struct dst_entry *dst = >dst; + if (rt) + rt6_info_init(rt); - memset(dst + 1, 0, sizeof(*rt) - sizeof(*dst)); - INIT_LIST_HEAD(>rt6i_siblings); - INIT_LIST_HEAD(>rt6i_uncached); - } return rt; } commit 0a1f59620068fb82a2e2aded202e62f4bb856d52 Author: Martin KaFai Lau <ka...@fb.com> Date: Thu Oct 15 16:39:58 2015 -0700 ipv6: Initialize rt6_info properly in ip6_blackhole_route() ip6_blackhole_route() does not initialize the newly allocated rt6_info properly. This patch: 1. Call rt6_info_init() to initialize rt6i_siblings and rt6i_uncached 2. The current rt->dst._metrics init code is incorrect: - 'rt->dst._metrics = ort->dst._metris' is not always safe - Not sure what dst_copy_metrics() is trying to do here considering ip6_rt_blackhole_cow_metrics() always returns NULL Fix: - Always do dst_copy_metrics() - Replace ip6_rt_blackhole_cow_metrics() with dst_cow_metrics_generic() 3. Mask out the RTF_PCPU bit from the newly allocated blackhole route. This bug triggers an oops (reported by Phil Sutter) in rt6_get_cookie(). It is because RTF_PCPU is set while rt->dst.from is NULL. Fixes: d52d3997f843 ("ipv6: Create percpu rt6_info") Signed-off-by: Martin KaFai Lau <ka...@fb.com> Reported-by: Phil Sutter <p...@nwl.cc> Tested-by: Phil Sutter <p...@nwl.cc> Cc: Hannes Frederic Sowa <han...@stressinduktion.org> Cc: Julian Anastasov <j...@ssi.bg> Cc: Phil Sutter <p...@nwl.cc> Cc: Steffen Klassert <steffen.klass...@secunet.com> Signed-off-by: David S. Miller <da...@davemloft.net> diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 4198017..968f31c 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -248,12 +248,6 @@ static void ip6_rt_blackhole_redirect(struct dst_entry *dst, struct soc
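Review bot: `memset(dst + 1, 0, sizeof(*rt) - sizeof(*dst))` in the rt6_info_init() hunk zeroes everything after the embedded dst_entry and therefore assumes `dst` is the first member of struct rt6_info; that was already true of the removed __ip6_dst_alloc() code, but now that the helper is shared (the second commit calls it from ip6_blackhole_route() too) a `BUILD_BUG_ON(offsetof(struct rt6_info, dst) != 0)` or a one-line comment would make the layout assumption explicit for future callers.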