Bug#1043096: xserver-xorg-input-libinput: After upgrading from Bullseye to Bookworm, mouse scrollwheel behaves odd with Logitech MX;Master 3 mouse
Package: xserver-xorg-input-libinput Version: 1.2.1-1+b1 Severity: important Dear Maintainer, after upgrading from Bullseye to Bookworm, mouse scrollwheel behaviour became odd with (at least) Logitech MX Master 3 mouse. The distribution upgrade also upgraded xserver-xorg-input-libinput from 0.30.0-1 to 1.2.1-1+b1. The observed issues are: 1. All applications: Each tick scrolled up or down produces a random scrolling distance. When scrolling up and down the same number of ticks, end position is different from the start position. 2. Firefox only: After stopping scrolling with the mouse wheel, first tick is ignored when starting scrolling in the opposite direction. When scrolling up and down one tick only, no scrolling happens at all. In Bullseye, scrolling is perfect. Each tick is recognised and scrolls exactly the same distance (in lines or pixels) in all applications. This affects at least the Logitech MX Master 3 mouse. This behaviour was not observed with no-name usb mouse or Microsoft Bluetooth Notebook Mouse 5000. But it may affect other mice as well, Logitech or not. Downgrading xserver-xorg-input-libinput to 0.30.0-1 resolves this issue in Bookworm. Upgrading to 1.3.0-1 from Sid does resolve the random scroll distance, but not the missing ticks when reverting scroll direction or scrolling one tick up and down. So, some change in xserver-xorg-input-libinput after 0.30.0-1 breaks mouse wheel scrolling at least with Logitech MX Master 3 mouse. This issue is very annoying and seriously affects user experience. -- Package-specific info: X server symlink status: lrwxrwxrwx 1 root root 13 Feb 26 2012 /etc/X11/X -> /usr/bin/Xorg -rwxr-xr-x 1 root root 274 May 3 03:41 /usr/bin/Xorg Diversions concerning libGL are in place diversion of /usr/lib/arm-linux-gnueabihf/libGL.so.1.2.0 to /usr/lib/mesa-diverted/arm-linux-gnueabihf/libGL.so.1.2.0 by glx- diversions diversion of /usr/lib/powerpc64le-linux-gnu/libGLESv2.so.2 to /usr/lib/mesa-diverted/powerpc64le-linux-gnu/libGLESv2.so.2 by glx- diversions diversion of /usr/lib/libGL.so.1 to /usr/lib/mesa-diverted/libGL.so.1 by glx-diversions diversion of /usr/lib/arm-linux-gnueabihf/libGLESv2.so.2.0.0 to /usr/lib/mesa-diverted/arm-linux-gnueabihf/libGLESv2.so.2.0.0 by glx- diversions diversion of /usr/lib/libGLESv2.so.2 to /usr/lib/mesa- diverted/libGLESv2.so.2 by glx-diversions diversion of /usr/lib/arm-linux-gnueabihf/libGL.so to /usr/lib/mesa- diverted/arm-linux-gnueabihf/libGL.so by glx-diversions diversion of /usr/lib/i386-linux-gnu/libGLX_indirect.so.0 to /usr/lib/mesa-diverted/i386-linux-gnu/libGLX_indirect.so.0 by glx- diversions diversion of /usr/lib/x86_64-linux-gnu/libGLESv1_CM.so.1.1.0 to /usr/lib/mesa-diverted/x86_64-linux-gnu/libGLESv1_CM.so.1.1.0 by glx- diversions diversion of /usr/lib/arm-linux-gnueabihf/libGLESv1_CM.so to /usr/lib/mesa-diverted/arm-linux-gnueabihf/libGLESv1_CM.so by glx- diversions diversion of /usr/lib/i386-linux-gnu/libGLESv2.so.2 to /usr/lib/mesa- diverted/i386-linux-gnu/libGLESv2.so.2 by glx-diversions diversion of /usr/lib/arm-linux-gnueabihf/libGLESv2.so.2.1.0 to /usr/lib/mesa-diverted/arm-linux-gnueabihf/libGLESv2.so.2.1.0 by glx- diversions diversion of /usr/lib/i386-linux-gnu/libGLESv2.so.2.1.0 to /usr/lib/mesa-diverted/i386-linux-gnu/libGLESv2.so.2.1.0 by glx- diversions diversion of /usr/lib/x86_64-linux-gnu/libGLESv2.so.2 to /usr/lib/mesa- diverted/x86_64-linux-gnu/libGLESv2.so.2 by glx-diversions diversion of /usr/lib/x86_64-linux-gnu/libGLX_indirect.so.0 to /usr/lib/mesa-diverted/x86_64-linux-gnu/libGLX_indirect.so.0 by glx- diversions diversion of /usr/lib/arm-linux-gnueabihf/libGL.so.1.2 to /usr/lib/mesa-diverted/arm-linux-gnueabihf/libGL.so.1.2 by glx- diversions diversion of /usr/lib/x86_64-linux-gnu/libGLESv2.so.2.1.0 to /usr/lib/mesa-diverted/x86_64-linux-gnu/libGLESv2.so.2.1.0 by glx- diversions diversion of /usr/lib/powerpc64le-linux-gnu/libGLESv1_CM.so to /usr/lib/mesa-diverted/powerpc64le-linux-gnu/libGLESv1_CM.so by glx- diversions diversion of /usr/lib/aarch64-linux-gnu/libGLESv1_CM.so.1.1.0 to /usr/lib/mesa-diverted/aarch64-linux-gnu/libGLESv1_CM.so.1.1.0 by glx- diversions diversion of /usr/lib/powerpc64le-linux-gnu/libGL.so.1.2.0 to /usr/lib/mesa-diverted/powerpc64le-linux-gnu/libGL.so.1.2.0 by glx- diversions diversion of /usr/lib/libGLESv1_CM.so.1.1.0 to /usr/lib/mesa- diverted/libGLESv1_CM.so.1.1.0 by glx-diversions diversion of /usr/lib/powerpc64le-linux-gnu/libGLESv2.so to /usr/lib/mesa-diverted/powerpc64le-linux-gnu/libGLESv2.so by glx- diversions diversion of /usr/lib/i386-linux-gnu/libGLESv1_CM.so.1 to /usr/lib/mesa-diverted/i386-linux-gnu/libGLESv1_CM.so.1 by glx- diversions diversion of /usr/lib/aarch64-linux-gnu/libGL.so.1.2.0 to /usr/lib/mesa-diverted/aarch64-linux-gnu/libGL.so.1.2.0 by glx- diversions diversion of /usr/lib/x86_64-linux-gnu/libGLESv1_CM.so to /usr/lib/mesa-diverted/x86_64-linux-gnu/libGLESv1_CM.so b
Bug#1041006:
This problem can be worked around (if configuration allows this) by changing: mail_attribute_dict = file:%h/dovecot-attributes to e.g. mail_attribute_dict = file:/path/to/mails/%d/%n/dovecot-attributes This avoids missing %h value. Bug can be closed. NOTE: Examples in dovecot documentation all use: mail_attribute_dict = file:%h/Maildir/dovecot-attributes This triggered the error I've observed. -- Robert Senger PGP/GPG Public Key ID: 8714E1A3
Bug#1041006: dovecot: Setting ACLs through IMAP fails with mail-crypt-plugin enabled
Source: dovecot Severity: normal This bug was observed in dovecot 2.3.4 on Debian 10 and in dovecot 2.3.20 on FreeBSD 13. The following plugins are enabled: mail-crypt, mail-crypt-acl, imap-acl and acl. We are using encrypted folder keys for mail encryption. Encryption is enabled or disabled for each user individually by storing the mail_crypt_save_version option in userdb. Sharing a user's mailbox to another user works fine if sharing is enabled on the command line using doveadm. If the sharing user's mails are encrypted, the password can be supplied on the command line. But sharing by using e.g. Roundcube as MUA throws an error in the dovecot logs, regardless if the sharing user has encryption enabled or not. This is the error message: Jul 13 18:15:34 prokyon dovecot: imap(administra...@mydomain.de)<23701><8f41pGAAkIL9EChC8NEBAQAC>: Error: mail-crypt-acl-plugin: Cannot initialize destination user some...@mydomain.de: userdb didn't return a home directory, but mail_attribute_dict used it (%h): file:%h/dovecot-attributes Jul 13 18:15:34 prokyon dovecot: imap(administra...@mydomain.de)<23701><8f41pGAAkIL9EChC8NEBAQAC>: Error: Mailbox INBOX: Failed to set ACL After that, sharing is configured only halfway. It looks like mail-crypt-acl plugin fails to determine the receiving user's home directory. I cannot see any attemps to query userdb in advance of this error. The configured userdb query definitely returns the home directory (otherwise nothing would work at all...). This is independent whether the sharing user has encryption enabled or not. I cannot run any tests with unencrypted folder keys, or global keys, or encryption disabled globally with mail-crypt plugin enabled but unused. I would expect that this error will occur in all these configurations. Expected result is that folder sharing at least can be enabled by using a capable MUA (like Roundcube), if the sharing user is using unencrypted folder keys, if global keys are used or encryption is disabled for the sharing user (this is the configuration where I see this error). I don't know what happens if the sharing user uses encrypted folder keys and the password is needed for sharing. -- Robert Senger PGP/GPG Public Key ID: 8714E1A3
Bug#1036525: network-manager-applet: Add support for WPA3 Enterprise networks
Source: network-manager-applet Version: 1.30.0-2 Severity: wishlist Tags: patch upstream Dear Maintainer, please add support for WPA3 Enterprise networks. NetworkManager does support these networks, only network-manager-applet and libnma packages do not. I've patched both packages and successfully added full support for WPA3 Enterprise. I am not a professional developer, and I do not have a build environment, so I had to patch the deb-src packages. Because of that, I have not included these patches as they may be of doubtfull quality, but if anyone is interested in those patches, just contact me. Robert -- System Information: Debian Release: 12.0 APT prefers testing-security APT policy: (500, 'testing-security'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 6.1.27-sandybridge (SMP w/4 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
Bug#972969: openafs-modules-dkms: Does not build on bullseye with kernel 5.9.1
Package: openafs-modules-dkms Version: 1.8.6-3 Severity: serious Tags: ftbfs Justification: fails to build from source (but built successfully in the past) DKMS fails to build module on bullseye with kernel 5.9.1 -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 5.8.14-sandybridge (SMP w/4 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openafs-modules-dkms depends on: ii dkms 2.8.3-4 ii libc6-dev 2.31-4 ii perl 5.30.3-4 Versions of packages openafs-modules-dkms recommends: ii openafs-client 1.8.6-3 openafs-modules-dkms suggests no packages. -- no debconf information DKMS make.log for openafs-1.8.6 for kernel 5.9.1-sandybridge (x86_64) Mo 26. Okt 04:36:10 CET 2020 checking for gcc... gcc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking build system type... x86_64-pc-linux-gnu checking host system type... x86_64-pc-linux-gnu checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking for a BSD-compatible install... /usr/bin/install -c checking for flex... flex checking lex output file root... lex.yy checking lex library... none needed checking whether yytext is a pointer... no checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for libxslt... no checking for saxon... no checking for xalan-j... no checking for xsltproc... xsltproc checking for fop... no checking for dblatex... no checking for docbook2pdf... no checking for kindlegen... no checking for doxygen... no checking for dot... no checking for library containing strerror... none required checking for pid_t... yes checking for size_t... yes checking whether ln -s works... yes checking for ranlib... ranlib checking for bison... no checking for byacc... no checking if lex is flex... yes checking whether byte order is known at compile time... yes checking whether byte ordering is bigendian... no checking whether printf understands the %z length modifier... yes checking your OS... linux checking your AFS sysname... amd64_linux26 checking for ranlib... (cached) ranlib checking for as... as checking for mv... mv checking for rm... rm checking for ld... ld checking for cp... cp checking for gencat... gencat checking if gcc accepts -march=pentium... no checking if gcc needs -fno-strength-reduce... yes checking if gcc needs -fno-strict-aliasing... yes checking if gcc supports -fno-common... yes checking if gcc supports -pipe... yes checking if linux kbuild requires EXTRA_CFLAGS... no checking if linux kernel module build works... yes checking operation follow_link in inode_operations... no checking operation put_link in inode_operations... no checking operation rename in inode_operations... yes checking for linux/cred.h... yes checking for linux/config.h... no checking for linux/exportfs.h... yes checking for linux/freezer.h... yes checking for linux/key-type.h... yes checking for linux/semaphore.h... yes checking for linux/seq_file.h... yes checking for linux/sched/signal.h... yes checking for linux/uaccess.h... yes checking for struct vfs_path... no checking for kuid_t... yes checking for struct proc_ops... yes checking for time_t... no checking for backing_dev_info in struct address_space... no checking for write_begin in struct address_space_operations... yes checking for name in struct backing_dev_info... no checking for session_keyring in struct cred... yes checking for ctl_name in struct ctl_table... no checking for d_u.d_alias in struct dentry... yes checking for d_automount in struct dentry_operations... yes checking for gid in struct group_info... yes checking for i_alloc_sem in struct inode... no checking for i_blkbits in struct inode... yes checking for i_blksize in struct inode... no checking for i_mutex in struct inode... no checking for i_security in struct inode... yes checking for f_path in struct file... yes checking for flock in struct file_operations... yes checking for iterate in struct file_operations... ye
Bug#970258: openafs-modules-dkms: Does not build on bullseye with kernel 5.8.7
Package: openafs-modules-dkms Version: 1.8.6-2 Severity: serious Tags: ftbfs Justification: fails to build from source (but built successfully in the past) DKMS fails to build the module on bullseye with kernel 5.8.7 -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 5.7.17-ivybridge (SMP w/8 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openafs-modules-dkms depends on: ii dkms 2.8.3-4 ii libc6-dev 2.31-3 ii perl 5.30.3-4 Versions of packages openafs-modules-dkms recommends: ii openafs-client 1.8.6-2 openafs-modules-dkms suggests no packages. -- no debconf information -- Robert Senger PGP/GPG Public Key ID: 8714E1A3 DKMS make.log for openafs-1.8.6 for kernel 5.8.7-ivybridge (x86_64) So 13. Sep 22:35:01 CEST 2020 checking for gcc... gcc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking build system type... x86_64-pc-linux-gnu checking host system type... x86_64-pc-linux-gnu checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking for a BSD-compatible install... /usr/bin/install -c checking for flex... no checking for lex... no checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for libxslt... no checking for saxon... no checking for xalan-j... no checking for xsltproc... no checking for fop... no checking for dblatex... no checking for docbook2pdf... no configure: WARNING: Docbook stylesheets not found; some documentation can't be built checking for kindlegen... no checking for doxygen... no checking for dot... no checking for library containing strerror... none required checking for pid_t... yes checking for size_t... yes checking whether ln -s works... yes checking for ranlib... ranlib checking for bison... no checking for byacc... no checking if lex is flex... yes checking whether byte order is known at compile time... yes checking whether byte ordering is bigendian... no checking whether printf understands the %z length modifier... yes checking your OS... linux checking your AFS sysname... amd64_linux26 checking for ranlib... (cached) ranlib checking for as... as checking for mv... mv checking for rm... rm checking for ld... ld checking for cp... cp checking for gencat... gencat checking if gcc accepts -march=pentium... no checking if gcc needs -fno-strength-reduce... yes checking if gcc needs -fno-strict-aliasing... yes checking if gcc supports -fno-common... yes checking if gcc supports -pipe... yes checking if linux kbuild requires EXTRA_CFLAGS... no checking if linux kernel module build works... yes checking operation follow_link in inode_operations... no checking operation put_link in inode_operations... no checking operation rename in inode_operations... yes checking for linux/cred.h... yes checking for linux/config.h... no checking for linux/exportfs.h... yes checking for linux/freezer.h... yes checking for linux/key-type.h... yes checking for linux/semaphore.h... yes checking for linux/seq_file.h... yes checking for linux/sched/signal.h... yes checking for linux/uaccess.h... yes checking for struct vfs_path... no checking for kuid_t... yes checking for struct proc_ops... yes checking for time_t... no checking for backing_dev_info in struct address_space... no checking for write_begin in struct address_space_operations... yes checking for name in struct backing_dev_info... no checking for session_keyring in struct cred... yes checking for ctl_name in struct ctl_table... no checking for d_u.d_alias in struct dentry... yes checking for d_automount in struct dentry_operations... yes checking for gid in struct group_info... yes checking for i_alloc_sem in struct inode... no checking for i_blkbits in struct inode... yes checking for i_blksize in struct inode... no checking for i_mutex in struct inode... no checking for i_security in struct inode... yes checking for f_path in struct file... yes checking for flock in struct file_operations... y
Bug#945751: openafs-modules-dkms: openafs-dkms kernel module does not build for kernel 5.3.0-2-amd64
Package: openafs-modules-dkms Version: 1.8.4~pre1-1 Severity: serious Tags: ftbfs Justification: fails to build from source (but built successfully in the past) Dear Maintainer, The openafs-dkms kernel module fails to build on kernel 5.3.0-2 on buster. In file included from /var/lib/dkms/openafs/1.8.4pre1/build/src/libafs/MODLOAD-5.3.0-2-amd64-SP/rx_kmutex.c:24: /var/lib/dkms/openafs/1.8.4pre1/build/src/afs/LINUX/osi_compat.h: In function ‘afs_linux_search_keyring’: /var/lib/dkms/openafs/1.8.4pre1/build/src/afs/LINUX/osi_compat.h:225:12: error: too few arguments to function ‘keyring_search’ 225 | key_ref = keyring_search( |^~ In file included from /usr/src/linux- headers-5.3.0-2-common/include/linux/cred.h:13, from /usr/src/linux- headers-5.3.0-2-common/include/linux/seq_file.h:12, from /usr/src/linux- headers-5.3.0-2-common/include/linux/seq_file_net.h:5, from /usr/src/linux- headers-5.3.0-2-common/include/net/net_namespace.h:177, from /usr/src/linux- headers-5.3.0-2-common/include/linux/netdevice.h:38, from /usr/src/linux- headers-5.3.0-2-common/include/net/inet_sock.h:19, from /usr/src/linux- headers-5.3.0-2-common/include/linux/udp.h:16, from /var/lib/dkms/openafs/1.8.4pre1/build/src/libafs/MODLOAD-5.3.0-2-amd64-SP/./netinet/udp.h:1, from /var/lib/dkms/openafs/1.8.4pre1/build/src/rx/rx_kcommon.h:110, from /var/lib/dkms/openafs/1.8.4pre1/build/src/libafs/MODLOAD-5.3.0-2-amd64-SP/rx_kmutex.c:20: /usr/src/linux-headers-5.3.0-2-common/include/linux/key.h:387:18: note: declared here 387 | extern key_ref_t keyring_search(key_ref_t keyring, | ^~ make[5]: *** [/usr/src/linux-headers-5.3.0-2-common/scripts/Makefile.build:286: /var/lib/dkms/openafs/1.8.4pre1/build/src/libafs/MODLOAD-5.3.0-2-amd64-SP/rx_kmutex.o] Fehler 1 make[4]: *** [/usr/src/linux-headers-5.3.0-2-common/Makefile:1639: _module_/var/lib/dkms/openafs/1.8.4pre1/build/src/libafs/MODLOAD-5.3.0-2-amd64-SP] Fehler 2 make[3]: *** [/usr/src/linux-headers-5.3.0-2-common/Makefile:179: sub-make] Fehler 2 make[3]: Verzeichnis „/usr/src/linux-headers-5.3.0-2-amd64“ wird verlassen FAILURE: make exit code 2 make[2]: *** [Makefile.afs:280: openafs.ko] Fehler 1 make[2]: Verzeichnis „/var/lib/dkms/openafs/1.8.4pre1/build/src/libafs/MODLOAD-5.3.0-2-amd64-SP“ wird verlassen make[1]: *** [Makefile:187: linux_compdirs] Fehler 2 make[1]: Verzeichnis „/var/lib/dkms/openafs/1.8.4pre1/build/src/libafs“ wird verlassen make: *** [Makefile:15: all] Fehler 2 -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openafs-modules-dkms depends on: ii dkms 2.8.1-3 ii libc6-dev 2.29-3 ii perl 5.30.0-9 Versions of packages openafs-modules-dkms recommends: ii openafs-client 1.8.4~pre1-1 openafs-modules-dkms suggests no packages. -- no debconf information
Bug#944124: apt fails to verify certificate when using https and ocsp stapling
Package: apt Version: 1.8.4 Severity: normal Dear Maintainer, We are running several debian repositories for custom kernel and patched deb packages. We use apache2 on Buster, with https enabled, to serve the repos. This worked fine, until we decided to enable ocsp stapling in apache2, which runs other vhosts besides the repos. Since then, apt fails to validate the server's certificate. Error message is: Fehl:15 https://microscopium.de/repos/apt/debian/common buster/patched Release Certificate verification failed: The certificate is NOT trusted. The received OCSP status response is invalid. Could not handshake: Error in the certificate verification. [IP: fd10:2842:f0d1:101:222:4dff:feb8:17c 8000] Restarting apache2 helps for a while (apt works, at least once), but the error comes up again when apt is run later. All web tools tell us that certificate installation and ocsp stapling are correct. No other problems with other https clients have been observed so far. Our configuration uses squid-deb-proxy, but disabling the proxy does not resolve the certificate problem. -- Package-specific info: -- apt-config dump -- APT ""; APT::Architecture "amd64"; APT::Build-Essential ""; APT::Build-Essential:: "build-essential"; APT::Install-Recommends "true"; APT::Install-Suggests "0"; APT::Sandbox ""; APT::Sandbox::User "_apt"; APT::Authentication ""; APT::Authentication::TrustCDROM "true"; APT::NeverAutoRemove ""; APT::NeverAutoRemove:: "^firmware-linux.*"; APT::NeverAutoRemove:: "^linux-firmware$"; APT::NeverAutoRemove:: "^linux-image-[a-z0-9]*$"; APT::NeverAutoRemove:: "^linux-image-[a-z0-9]*-[a-z0-9]*$"; APT::NeverAutoRemove:: "^linux-image-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-image-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-headers-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-headers-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-image-extra-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-image-extra-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-modules-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-modules-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-modules-extra-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-modules-extra-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-signed-image-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-signed-image-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-image-unsigned-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-image-unsigned-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^kfreebsd-image-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^kfreebsd-image-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^kfreebsd-headers-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^kfreebsd-headers-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^gnumach-image-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^gnumach-image-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^.*-modules-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^.*-modules-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^.*-kernel-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^.*-kernel-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-backports-modules-.*-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-backports-modules-.*-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-modules-.*-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-modules-.*-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-tools-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-tools-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-cloud-tools-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-cloud-tools-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-buildinfo-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-buildinfo-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^linux-source-5\.2\.0-2-amd64$"; APT::NeverAutoRemove:: "^linux-source-5\.2\.0-3-amd64$"; APT::NeverAutoRemove:: "^postgresql-"; APT::VersionedKernelPackages ""; APT::VersionedKernelPackages:: "linux-image"; APT::VersionedKernelPackages:: "linux-headers"; APT::VersionedKernelPackages:: "linux-image-extra"; APT::VersionedKernelPackages:: "linux-modules"; APT::VersionedKernelPackages:: "linux-modules-extra"; APT::VersionedKernelPackages:: "linux-signed-image"; APT::VersionedKernelPackages:: "linux-image-unsigned"; APT::VersionedKernelPackages:: "kfreebsd-image"; APT::VersionedKernelPackages:: "kfreebsd-headers"; APT::VersionedKernelPackages:: "gnumach-image"; APT::VersionedKernelPackages:: ".*-modules"; APT::VersionedKernelPackages:: ".*-kernel"; APT::VersionedKernelPackages:: "linux-backports-modules-.*"; APT::VersionedKernelPackages:: "linux-modules-.*"; APT::VersionedKernelPackages:: "linux-tools"; APT::VersionedKernelPackages:: "linux-cloud-tools"; APT::VersionedKernelPackages:: "linux-buildinfo"; APT::VersionedKernelPackages:: "linux-source"; APT::Never-MarkAuto-Sections ""; APT::Never-MarkAuto-Sections:: "metapackages"; APT::Never-MarkAuto-Sections:: "contrib/metapackages"; APT::Never-MarkAuto-Sections:: "non-free/metapackages"; APT::Never-MarkAuto-Sections:: "restrict
Bug#941045: selinux-policy-default: system-policy-default causes pam_selinux failure
Package: selinux-policy-default Version: 2:2.20190201-2 Severity: normal Dear Maintainer, In enforcing mode, selinux causes pam_selinux and systemd process user@ to fail when logging in via ssh. root@prokyon:~# systemctl status user@1000 ● user@1000.service - User Manager for UID 1000 Loaded: loaded (/lib/systemd/system/user@.service; static; vendor preset: enabled) Active: failed (Result: protocol) since Tue 2019-09-24 01:12:29 CEST; 40s ago Docs: man:user@.service(5) Process: 6912 ExecStart=/lib/systemd/systemd --user (code=exited, status=224/PAM) Main PID: 6912 (code=exited, status=224/PAM) Sep 24 01:12:29 prokyon systemd[1]: Starting User Manager for UID 1000... Sep 24 01:12:29 prokyon systemd[6912]: pam_selinux(systemd-user:session): Unable to get valid context for rsenger Sep 24 01:12:29 prokyon systemd[6912]: pam_selinux(systemd-user:session): conversation failed Sep 24 01:12:29 prokyon systemd[6912]: pam_unix(systemd-user:session): session opened for user rsenger by (uid=0) Sep 24 01:12:29 prokyon systemd[6912]: PAM failed: Cannot make/remove an entry for the specified session Sep 24 01:12:29 prokyon systemd[6912]: user@1000.service: Failed to set up PAM session: Operation not permitted Sep 24 01:12:29 prokyon systemd[6912]: user@1000.service: Failed at step PAM spawning /lib/systemd/systemd: Operation not permitted Sep 24 01:12:29 prokyon systemd[1]: user@1000.service: Failed with result 'protocol'. Sep 24 01:12:29 prokyon systemd[1]: Failed to start User Manager for UID 1000. No other hints in the logs. No AVC logged, neither with or without dontaudit rules. System is Debian 10 buster. -- System Information: Debian Release: 10.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages selinux-policy-default depends on: ii libselinux1 2.8-1+b1 ii libsemanage1 2.8-2 ii libsepol12.8-1 ii policycoreutils 2.8-1 ii selinux-utils2.8-1+b1 Versions of packages selinux-policy-default recommends: pn checkpolicy pn setools Versions of packages selinux-policy-default suggests: pn logcheck pn syslog-summary
Bug#939225: sssd fails on dual stack / ipv6 only hosts
Package: sssd Version: 1.16.3-3.1 Severity: important Tags: ipv6 Dear Maintainer, * What led up to the situation? Laptop with sssd and sssd-krb5 installed. Two wifi networks, one dual stack ipv4/ipv6, other ipv6 only (with dns64/nat64). * What exactly did you do (or not do) that was effective (or ineffective)? Laptop connects to dual stack netwotk. Kerberos authentication works, kdc is reached via ipv4 (seen with tcpdump on the server). Laptop then switches to ipv6 only network. Kerberos authentication fails, kinit reports kdc cannot be contacted. * What was the outcome of this action? Kerberos authentication fails if ipv4 is initially available, and becomes unavailable after switching networks. * What outcome did you expect instead? sssd should always try both address families, regardless of previous availability. sssd should prefer ipv6 by default. -- System Information: Debian Release: 10.0 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages sssd depends on: ii python3-sss 1.16.3-3.1 ii sssd-ad 1.16.3-3.1 ii sssd-common 1.16.3-3.1 ii sssd-ipa 1.16.3-3.1 ii sssd-krb51.16.3-3.1 ii sssd-ldap1.16.3-3.1 ii sssd-proxy 1.16.3-3.1 sssd recommends no packages. sssd suggests no packages. -- no debconf information
Bug#928838: cups: Printing from local queue via remote queue not working any more, jobs just vanish
Package: cups Version: 2.2.10-6 Severity: normal Dear Maintainer, * What led up to the situation? Setup: Laptop (Client) running Debian 9/10 and CUPS 2.2.1/2.2.10 Server/Router running Debian 10 and CUPS 2.2.10 Printer Samsung Xpress C480W, LAN/WLAN Laptop is connected to Server via SSID WLAN_1, Subnet 1 Printer is connected to Server via SSID WLAN_2, Subnet 2 Server should act as a print server running CUPS. Clients (laptop, printer) in different subnets should not communicate directly. Printer is configured in CUPS on the server as ipp://printername:631/ipp/print, with Samsung C48x driver, queue name SAMSUNG, printing test pages from the server's web interface works fine Printer is configured in CUPS on the Laptop as ipps://servername:631/printers/SAMSUNG With Debian 9 and CUPS 2.2.1 on the Server, this setup worked fine. * What exactly did you do (or not do) that was effective (or ineffective)? Upgraded Server to Debian 10, CUPS 2.2.10 * What was the outcome of this action? Printing as describes above stopped working. Jobs sent from the laptop just go into Nirvana, they vanish and do not show up in the server's queue. The servers access_log reports success, but printing never happens. No errors are reported neither on the laptop nor on the server. * What outcome did you expect instead? Printing as before. * Workaround(s) - Downgrading CUPS from 2.2.10 to 2.2.1 (debs from Debian 9) on the Debian 10 server fixes this problem, printing works fine again. - Using a client.conf file with "ServerName servername" makes printing possible, but without a local queue there's no queue dialog that can report failures (emtpy tray, paper jam) on the client - Printing directly to the printer from the laptop works, but is not desired So, CUPS 2.2.10 is broken when used as a print server for clients running local queues. -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages cups depends on: ii cups-client2.2.10-6 ii cups-common2.2.10-6 ii cups-core-drivers 2.2.10-6 ii cups-daemon2.2.10-6 ii cups-filters 1.21.6-5 ii cups-ppdc 2.2.10-6 ii cups-server-common 2.2.10-6 ii debconf [debconf-2.0] 1.5.71 ii ghostscript9.27~dfsg-1 ii libavahi-client3 0.7-4+b1 ii libavahi-common3 0.7-4+b1 ii libc6 2.28-10 ii libcups2 2.2.10-6 ii libcupsimage2 2.2.10-6 ii libgcc11:8.3.0-6 ii libstdc++6 8.3.0-6 ii libusb-1.0-0 2:1.0.22-2 ii poppler-utils 0.71.0-3 ii procps 2:3.3.15-2 Versions of packages cups recommends: ii avahi-daemon 0.7-4+b1 ii colord 1.4.3-4 ii cups-filters [ghostscript-cups] 1.21.6-5 ii printer-driver-gutenprint5.3.1-7 Versions of packages cups suggests: ii cups-bsd 2.2.10-6 pn cups-pdf ii foomatic-db20181217-2 ii hplip 3.18.12+dfsg0-2 ii printer-driver-hpcups 3.18.12+dfsg0-2 pn smbclient ii udev 241-3 -- Configuration Files: /etc/cups/cupsd.conf [Errno 13] Keine Berechtigung: '/etc/cups/cupsd.conf' -- debconf information: cupsys/backend: lpd, socket, usb, snmp, dnssd cupsys/raw-print: true
Bug#921808: grub-efi-amd64 / grub-pc-bin version 2.02+dfsg1-10 fail to boot from mdraid
Package: grub-efi-amd64
Version: 2.02+dfsg1-10
Severity: important
Dear Maintainer,
* What led up to the situation?
Installed Debian Buster on mdraid 1 (2 disks) system using debootstrap. Disks
are partitioned to allow both UEFI and legacy boot. Configured things in
chroot. Installed grub-efi-amd64 and grub-pc-bin package.
* What exactly did you do (or not do) that was effective (or
ineffective)?
Ran "grub-install --target=i386-pc /dev/sda", "grub-install --target=i386-pc
/dev/sdb" to install grub in bios-grub partition, "grub-install
--target=x86_64-efi --no-nvram --removable" to install grub into efi partition,
done in chroot on laptop with disks attached via usb and mdraid started. Moved
disks to target system. Tried to boot up.
* What was the outcome of this action?
System does not boot, neither UEFI nor legacy mode. GRUB drops to shell.
* What outcome did you expect instead?
Expected to get to GRUB menu.
* Workaround
Downgraded all GRUB packages to current Debian Stretch versions. No other
changes. Ran "grub-install ..." in chroot as above. Moved disks to target
system. Result: System boots fine in both UEFI and legacy mode.
Upgraded GRUB to Buster versions on running target system, reinstalled GRUB
(both legacy and efi). After that, system does not boot any more, as above.
* Note
System information is not from affected server system, it's from the laptop
that's running reportbug.
-- Package-specific info:
*** BEGIN /proc/mounts
/dev/mapper/aljanah_root / btrfs
rw,relatime,ssd,space_cache,subvolid=257,subvol=/root 0 0
/dev/loop0 /var/cache/openafs ext4 rw,relatime 0 0
/dev/mapper/aljanah_boot /boot btrfs
ro,relatime,ssd,space_cache,subvolid=256,subvol=/boot 0 0
/dev/sda3 /boot/grub ext4 ro,relatime 0 0
/dev/sda2 /boot/efi vfat
ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro
0 0
/dev/mapper/_dev_sda7 /home/rsenger btrfs
rw,relatime,ssd,space_cache,subvolid=257,subvol=/rsenger 0 0
*** END /proc/mounts
*** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
set have_grubenv=true
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod part_gpt
insmod ext2
set root='hd0,gpt3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt3
--hint-efi=hd0,gpt3 --hint-baremetal=ahci0,gpt3
d9b51fef-c34d-4e4e-847b-813786f7cfeb
else
search --no-floppy --fs-uuid --set=root d9b51fef-c34d-4e4e-847b-813786f7cfeb
fi
font="/unicode.pf2"
fi
if loadfont $font ; then
set gfxmode=1024x768x32
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=de_DE
insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
set timeout=30
else
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=-1
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=-1
fi
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/05_debian_theme ###
insmod part_gpt
insmod ext2
set root='hd0,gpt3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt3
--hint-efi=hd0,gpt3 --hint-baremetal=ahci0,gpt3
d9b51fef-c34d-4e4e-847b-813786f7cfeb
else
search --no-floppy --fs-uuid --set=root d9b51fef-c34d-4e4e-847b-813786f7cfeb
fi
insmod png
if background_image /.background_cache.png; then
set color_normal=white/black
set color_highlight=black/white
else
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/30_uefi-firmware ###
### END /etc/grub.d/30_uefi-firmware ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simp
Bug#886417: linux-source-4.9: Kernel sources do not compile
Package: linux-source-4.9 Followup-For: Bug #886417 I am also using a custom config, trying to build a kernel for a old AMD Geode i386 machine (inside a i386 systemd-nspawn container running on a amd64 machine). -- System Information: Debian Release: 9.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-5-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages linux-source-4.9 depends on: ii binutils 2.28-5 ii xz-utils 5.2.2-1.2+b1 Versions of packages linux-source-4.9 recommends: ii bc1.06.95-9+b3 ii gcc 4:6.3.0-4 ii libc6-dev [libc-dev] 2.24-11+deb9u1 ii make 4.1-9.1 Versions of packages linux-source-4.9 suggests: pn libncurses-dev | ncurses-dev pn libqt4-dev ii pkg-config0.29-4+b1 # # Automatically generated file; DO NOT EDIT. # Linux/i386 4.9.65-1-geode Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y CONFIG_X86=y CONFIG_INSTRUCTION_DECODER=y CONFIG_OUTPUT_FORMAT="elf32-i386" CONFIG_ARCH_DEFCONFIG="arch/x86/configs/i386_defconfig" CONFIG_LOCKDEP_SUPPORT=y CONFIG_STACKTRACE_SUPPORT=y CONFIG_MMU=y CONFIG_ARCH_MMAP_RND_BITS_MIN=8 CONFIG_ARCH_MMAP_RND_BITS_MAX=16 CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 CONFIG_NEED_SG_DMA_LENGTH=y CONFIG_GENERIC_ISA_DMA=y CONFIG_GENERIC_BUG=y CONFIG_GENERIC_HWEIGHT=y CONFIG_ARCH_MAY_HAVE_PC_FDC=y CONFIG_RWSEM_XCHGADD_ALGORITHM=y CONFIG_GENERIC_CALIBRATE_DELAY=y CONFIG_ARCH_HAS_CPU_RELAX=y CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y CONFIG_HAVE_SETUP_PER_CPU_AREA=y CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y CONFIG_ARCH_HIBERNATION_POSSIBLE=y CONFIG_ARCH_SUSPEND_POSSIBLE=y CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y CONFIG_ARCH_WANT_GENERAL_HUGETLB=y CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y CONFIG_ARCH_SUPPORTS_UPROBES=y CONFIG_FIX_EARLYCON_MEM=y CONFIG_DEBUG_RODATA=y CONFIG_PGTABLE_LEVELS=2 CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" CONFIG_IRQ_WORK=y CONFIG_BUILDTIME_EXTABLE_SORT=y CONFIG_THREAD_INFO_IN_TASK=y # # General setup # CONFIG_BROKEN_ON_SMP=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" # CONFIG_COMPILE_TEST is not set CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y CONFIG_HAVE_KERNEL_LZMA=y CONFIG_HAVE_KERNEL_XZ=y CONFIG_HAVE_KERNEL_LZO=y CONFIG_HAVE_KERNEL_LZ4=y # CONFIG_KERNEL_GZIP is not set # CONFIG_KERNEL_BZIP2 is not set # CONFIG_KERNEL_LZMA is not set CONFIG_KERNEL_XZ=y # CONFIG_KERNEL_LZO is not set # CONFIG_KERNEL_LZ4 is not set CONFIG_DEFAULT_HOSTNAME="(none)" CONFIG_SWAP=y CONFIG_SYSVIPC=y CONFIG_SYSVIPC_SYSCTL=y CONFIG_POSIX_MQUEUE=y CONFIG_POSIX_MQUEUE_SYSCTL=y CONFIG_CROSS_MEMORY_ATTACH=y CONFIG_FHANDLE=y CONFIG_USELIB=y CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_AUDITSYSCALL=y CONFIG_AUDIT_WATCH=y CONFIG_AUDIT_TREE=y # # IRQ subsystem # CONFIG_GENERIC_IRQ_PROBE=y CONFIG_GENERIC_IRQ_SHOW=y CONFIG_IRQ_DOMAIN=y CONFIG_IRQ_DOMAIN_HIERARCHY=y CONFIG_GENERIC_MSI_IRQ=y CONFIG_GENERIC_MSI_IRQ_DOMAIN=y # CONFIG_IRQ_DOMAIN_DEBUG is not set CONFIG_IRQ_FORCED_THREADING=y CONFIG_SPARSE_IRQ=y CONFIG_CLOCKSOURCE_WATCHDOG=y CONFIG_ARCH_CLOCKSOURCE_DATA=y CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y CONFIG_GENERIC_TIME_VSYSCALL=y CONFIG_GENERIC_CLOCKEVENTS=y CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y CONFIG_GENERIC_CMOS_UPDATE=y # # Timers subsystem # CONFIG_TICK_ONESHOT=y CONFIG_NO_HZ_COMMON=y # CONFIG_HZ_PERIODIC is not set CONFIG_NO_HZ_IDLE=y # CONFIG_NO_HZ is not set CONFIG_HIGH_RES_TIMERS=y # # CPU/Task time and stats accounting # CONFIG_TICK_CPU_ACCOUNTING=y # CONFIG_IRQ_TIME_ACCOUNTING is not set CONFIG_BSD_PROCESS_ACCT=y CONFIG_BSD_PROCESS_ACCT_V3=y CONFIG_TASKSTATS=y CONFIG_TASK_DELAY_ACCT=y CONFIG_TASK_XACCT=y CONFIG_TASK_IO_ACCOUNTING=y # # RCU Subsystem # CONFIG_TINY_RCU=y # CONFIG_RCU_EXPERT is not set CONFIG_SRCU=y # CONFIG_TASKS_RCU is not set # CONFIG_RCU_STALL_COMMON is not set # CONFIG_TREE_RCU_TRACE is not set # CONFIG_RCU_EXPEDITE_BOOT is not set CONFIG_BUILD_BIN2C=y CONFIG_IKCONFIG=m # CONFIG_IKCONFIG_PROC is not set CONFIG_LOG_BUF_SHIFT=17 CONFIG_NMI_LOG_BUF_SHIFT=13 CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y CONFIG_CGROUPS=y CONFIG_PAGE_COUNTER=y CONFIG_MEMCG=y CONFIG_MEMCG_SWAP=y # CONFIG_MEMCG_SWAP_ENABLED is not set CONFIG_BLK_CGROUP=y # CONFIG_DEBUG_BLK_CGROUP is not set CONFIG_CGROUP_WRITEBACK=y CONFIG_CGROUP_SCHED=y CONFIG_FAIR_GROUP_SCHED=y # CONFIG_CFS_BANDWIDTH is not set # CONFIG_RT_GROUP_SCHED is not set # CONFIG_CGROUP_PIDS is not set CONFIG_CGROUP_FREEZER=y # CONFIG_CGROUP_HUGETLB is not set CONFIG_CPUSETS=y CONFIG_PROC_PID_CPUSET=
Bug#886417: linux-source-4.9: Kernel sources do not compile
Package: linux-source-4.9 Version: 4.9.65-3+deb9u2 Severity: serious Justification: fails to build from source (but built successfully in the past) Dear Maintainer, compilation of Kernel sources 4.9.65-3+deb9u2 fails: [snip] CC arch/x86/mm/gup.o CC arch/x86/mm/setup_nx.o CC arch/x86/mm/tlb.o arch/x86/mm/tlb.c: In function ‘switch_mm_irqs_off’: arch/x86/mm/tlb.c:160:3: error: implicit declaration of function ‘load_new_mm_cr3’ [-Werror=implicit-function-declaration] load_new_mm_cr3(next->pgd); ^~~ cc1: some warnings being treated as errors scripts/Makefile.build:298: die Regel für Ziel „arch/x86/mm/tlb.o“ scheiterte make[3]: *** [arch/x86/mm/tlb.o] Fehler 1 scripts/Makefile.build:549: die Regel für Ziel „arch/x86/mm“ scheiterte make[2]: *** [arch/x86/mm] Fehler 2 Makefile:995: die Regel für Ziel „arch/x86“ scheiterte make[1]: *** [arch/x86] Fehler 2 make[1]: Verzeichnis „/usr/src/linux-4.9.65“ wird verlassen debian/ruleset/targets/common.mk:295: die Regel für Ziel „debian/stamp/build/kernel“ scheiterte make: *** [debian/stamp/build/kernel] Fehler 2 -- System Information: Debian Release: 9.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-5-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages linux-source-4.9 depends on: ii binutils 2.28-5 ii xz-utils 5.2.2-1.2+b1 Versions of packages linux-source-4.9 recommends: ii bc1.06.95-9+b3 ii gcc 4:6.3.0-4 ii libc6-dev [libc-dev] 2.24-11+deb9u1 ii make 4.1-9.1 Versions of packages linux-source-4.9 suggests: pn libncurses-dev | ncurses-dev pn libqt4-dev ii pkg-config0.29-4+b1
Bug#886255: inn2 is deinstalled during migration from cron to systemd-cron
Source: inn2 Severity: normal Dear Maintainer, inn2 Debian package defines a dependency on "cron". Migration of the host system from cron to systemd-cron deinstalls cron and also deinstalls inn2. This can be fixed with replacing the dependency on "cron" in debian/control by a dependency on "cron | cron-daemon". I have not thoroughly tested inn2 when systemd-cron is used, but for a couple of days now it seems inn2 runs smoothly with systemd-cron. -- System Information: Debian Release: 9.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#882250: isc-dhcp-server: The dhcpv6 server does not respond to solicits, and therefore does not hand out ipv6 leases.
Package: isc-dhcp-server Version: 4.3.5-3 Followup-For: Bug #882250 This issue seems to be caused by the Debian-specific patch dhcommon- getifaddrs.patch, reverting this patch in the Debian Stretch source package and compiling and installing the package also resolves the problem. In my previous posts I forgot to mention that eth0 on my machine also has some aliases: eth0:0: flags=4163 mtu 1500 inet 172.16.3.251 netmask 255.255.0.0 broadcast 172.16.255.255 ether 00:0d:b9:0d:84:b0 txqueuelen 1000 (Ethernet) eth0:1: flags=4163 mtu 1500 inet 172.16.4.251 netmask 255.255.0.0 broadcast 172.16.255.255 ether 00:0d:b9:0d:84:b0 txqueuelen 1000 (Ethernet) eth0:2: flags=4163 mtu 1500 inet 172.16.2.251 netmask 255.255.0.0 broadcast 172.16.255.255 ether 00:0d:b9:0d:84:b0 txqueuelen 1000 (Ethernet) I do not know what makes the new method using getifaddr() fail on eth0 in my specific case. Maybe the multiple ip6 addresses, maybe the aliases, maybe anything other. -- System Information: Debian Release: 9.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages isc-dhcp-server depends on: ii debconf [debconf-2.0] 1.5.61 ii debianutils4.8.1.1 ii libc6 2.24-11+deb9u1 ii libdns-export162 1:9.10.3.dfsg.P4-12.3+deb9u3 ii libirs-export141 1:9.10.3.dfsg.P4-12.3+deb9u3 ii libisc-export160 1:9.10.3.dfsg.P4-12.3+deb9u3 ii lsb-base 9.20161125 Versions of packages isc-dhcp-server recommends: ii isc-dhcp-common 4.3.5-3 ii policycoreutils 2.6-3 Versions of packages isc-dhcp-server suggests: pn isc-dhcp-server-ldap ii policykit-1 0.105-18 -- Configuration Files: /etc/dhcp/dhcpd.conf changed [not included] /etc/dhcp/dhcpd6.conf changed [not included] -- debconf information excluded
Bug#882250: isc-dhcp-server: The dhcpv6 server does not respond to solicits, and therefore does not hand out ipv6 leases.
Package: isc-dhcp-server Version: 4.3.5-3 Followup-For: Bug #882250 I can also confirm that compiling the original dhcp-4.3.5 tarball from isc and replacing the binary in /usr/sbin resolves this problem. -- System Information: Debian Release: 9.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages isc-dhcp-server depends on: ii debconf [debconf-2.0] 1.5.61 ii debianutils4.8.1.1 ii libc6 2.24-11+deb9u1 ii libdns-export162 1:9.10.3.dfsg.P4-12.3+deb9u3 ii libirs-export141 1:9.10.3.dfsg.P4-12.3+deb9u3 ii libisc-export160 1:9.10.3.dfsg.P4-12.3+deb9u3 ii lsb-base 9.20161125 Versions of packages isc-dhcp-server recommends: ii isc-dhcp-common 4.3.5-3 ii policycoreutils 2.6-3 Versions of packages isc-dhcp-server suggests: pn isc-dhcp-server-ldap ii policykit-1 0.105-18 -- Configuration Files: /etc/dhcp/dhcpd.conf changed [not included] /etc/dhcp/dhcpd6.conf changed [not included] -- debconf information excluded
Bug#882250: isc-dhcp-server: The dhcpv6 server does not respond to solicits, and therefore does not hand out ipv6 leases.
Package: isc-dhcp-server
Version: 4.3.5-3
Followup-For: Bug #882250
I can confirm this bug after upgrading from Debian 8 Jessie to Debian 9
Stretch.
I am running isc-dhcp-server in both v4 and v6 mode on a number of interfaces,
one LAN and several WLAN interfaces.
Before upgrade, clients got v6 addresses on all interfaces. After upgrade, only
WLAN clients get v6 addresses from isc-dhcp-server. Whenever LAN clients
connect, I see solicit messages in the isc-dhcp-server logs and in tcpdump
output, but there's never sent an answer. Radvd and ipv4 works fine on all
interfaces.
The only difference between LAN and WLAN interface is that the LAN interface
has some additional addresses used as listening addresses by a local squid
proxy and that it has a global dynamic address assigned by the ISP.
Some configuration and debugging information:
root@prokyon:/etc/dhcp# ifconfig eth0
eth0: flags=4163 mtu 1500
inet 192.168.0.251 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fd10:2842:f0d1:101:20d:b9ff:fe0d:84b0 prefixlen 128 scopeid
0x0
inet6 2001:472:7d:977::53 prefixlen 128 scopeid 0x0
inet6 2001:a61:4619:8f01::1 prefixlen 64 scopeid 0x0
inet6 fd10:3d52:f521::13 prefixlen 128 scopeid 0x0
inet6 2001:472:7d:977::13 prefixlen 128 scopeid 0x0
inet6 fd10:5d12:c721::13 prefixlen 128 scopeid 0x0
inet6 fd10:2842:f0d1::13 prefixlen 128 scopeid 0x0
inet6 fd10:7d41:b631::13 prefixlen 128 scopeid 0x0
inet6 2001:472:52b5:101:20d:b9ff:fe0d:84b0 prefixlen 128 scopeid
0x0
inet6 fe80::20d:b9ff:fe0d:84b0 prefixlen 64 scopeid 0x20
ether 00:0d:b9:0d:84:b0 txqueuelen 1000 (Ethernet)
RX packets 9329004 bytes 6196176943 (5.7 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7248452 bytes 4465680935 (4.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@prokyon:/etc/dhcp# ifconfig wlan0
wlan0: flags=4163 mtu 1500
inet 192.168.1.123 netmask 255.255.255.128 broadcast 192.168.1.127
inet6 2001:472:52b5:202:a5:4ff:fe3d:9610 prefixlen 128 scopeid
0x0
inet6 fd10:2842:f0d1:202:a5:4ff:fe3d:9610 prefixlen 128 scopeid
0x0
inet6 fe80::a5:4ff:fe3d:9610 prefixlen 64 scopeid 0x20
ether 02:a5:04:3d:96:10 txqueuelen 1000 (Ethernet)
RX packets 645631 bytes 147489457 (140.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 813939 bytes 494687778 (471.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
dhcpd6.conf:
subnet6 fd10:2842:f0d1:101::/64 {
# lan
# Range for clients
range6 fd10:2842:f0d1:101:af31:9c41:dd6b:7a4
fd10:2842:f0d1:101:af31:9c41:dd6b:7c4;
# Range for clients requesting a temporary address
range6 fd10:2842:f0d1:101::/64 temporary;
# Additional options
option dhcp6.name-servers fd10:2842:f0d1:101:20d:b9ff:fe0d:84b0;
option dhcp6.sntp-servers fd10:2842:f0d1:101:20d:b9ff:fe0d:84b0;
option dhcp6.domain-search "its-me.de";
# Prefix range for delegation to sub-routers
#prefix6 2001:472:7c:100:: 2001:db8:0:f00:: /56;
ddns-domainname "its-me.de.";
ddns-rev-domainname "ip6.arpa.";
}
subnet6 fd10:2842:f0d1:202::/64 {
# wlan
# Range for clients
range6 fd10:2842:f0d1:202:5d32:abf3:7de2:5d3
fd10:2842:f0d1:202:5d32:abf3:7de2:5f3;
# Range for clients requesting a temporary address
range6 fd10:2842:f0d1:202::/64 temporary;
# Additional options
option dhcp6.name-servers fd10:2842:f0d1:101:20d:b9ff:fe0d:84b0;
option dhcp6.sntp-servers fd10:2842:f0d1:101:20d:b9ff:fe0d:84b0;
option dhcp6.domain-search "its-me.de";
# Prefix range for delegation to sub-routers
#prefix6 2001:472:7c:100:: 2001:db8:0:f00:: /56;
ddns-domainname "its-me.de.";
ddns-rev-domainname "ip6.arpa.";
}
dhcpd.log: (LAN client, broken)
Dec 28 01:41:51 prokyon dhcpd[27274]: Solicit message from
fe80::230:5ff:fe96:90dd port 546, transaction ID 0x925C6800
Dec 28 01:41:53 prokyon dhcpd[27274]: Solicit message from
fe80::230:5ff:fe96:90dd port 546, transaction ID 0x925C6800
Dec 28 01:41:55 prokyon dhcpd[27274]: Solicit message from
fe80::230:5ff:fe96:90dd port 546, transaction ID 0x925C6800
Dec 28 01:41:59 prokyon dhcpd[27274]: Solicit message from
fe80::230:5ff:fe96:90dd port 546, transaction ID 0x925C6800
Dec 28 01:42:07 prokyon dhcpd[27274]: Solicit message from
fe80::230:5ff:fe96:90dd port 546, transaction ID 0x925C6800
tcpdump: (LAN client, broken)
01:42:44.628547 IP6 fe80::230:5ff:fe96:90dd.dhcpv6-client >
ff02::1:2.dhcpv6-server: dhcp6 solicit
01:42:45.699812 IP6 fe80::230:5ff:fe96:90dd.dhcpv6-client >
ff02::1:2.dhcpv6-server: dhcp6 solicit
01:42:47.902235 IP6 fe80::230:5ff:fe96:90dd.dhcpv6-client >
ff02::1:2.dhcpv6-server: dhcp6 solicit
01:42:52.096659 IP6 fe80::230:5ff:fe96:9
Bug#882101: radvd with systemd and selinux results in radvd running in wrong selinux context
Package: radvd Version: 1:2.15-2 Severity: normal Dear Maintainer, Running radvd on Debian 9.2 with systemd and selinux enabled results in radvd running in wrong selinux context. This is what I get, radvd running in init_t context: # ps -auxZ | grep radvd system_u:system_r:init_t:s0root 11139 0.5 0.6 2580 1628 ? S
Bug#871704: Labels of files in `/etc/init.d/` prevent systemd tools from working
Package: selinux-policy-default Version: 2:2.20161023.1-9 Followup-For: Bug #871704 I can confirm this bug. It affects all units having: - Non standard SELinux type in /etc/init.d/ startup script (meaning, other than initrc_exec_t) - No unit file in /lib/systemd/system or /etc/systemd/system (and thus are controlled by autogenerated unit file) ALL systemctl actions (start, stop, restart, status...) fail on these units in enforcing mode (but not in permissive mode). Error messages are e.g.: root@pherkad:/etc/systemd/system# systemctl stop exim4 Failed to stop exim4.service: Access denied See system logs and 'systemctl status exim4.service' for details. Failed to get load state of exim4.service: Access denied root@pherkad:/etc/systemd/system# systemctl start exim4 Failed to start exim4.service: Access denied See system logs and 'systemctl status exim4.service' for details. The error is logged in audit.log (see above report), but audit2allow does not produce rules from that. This also affects tab completion of all systemctl actions, as tab completion seems to trigger "systemctl status ". This was reported in #879037 for refpolicy. Possible workarounds: Either set SELinux type of offending init script to standard initrc_exec_t, or create a simple systemd unit file for the affected service. Offending services on my Debian 9.2 installations are exim4 and ntp, which are both standard services and installed by default. Cheers, Robert -- System Information: Debian Release: 9.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages selinux-policy-default depends on: ii libselinux1 2.6-3+b3 ii libsemanage1 2.6-2 ii libsepol12.6-2 pn policycoreutils pn selinux-utils Versions of packages selinux-policy-default recommends: pn checkpolicy pn setools Versions of packages selinux-policy-default suggests: pn logcheck pn syslog-summary
Bug#808374: Confirmed
I can confirm this bug. After upgrading to 3.16.7-ckt20 (custom build from source), FreeRADIUS stopped responding to auth queries from hostapd, wifi clients using EAP-TLS, EAP-TTLS or EAP-PEAP could not authenticate any more. Downgrade to 3.16.7-ckt11 (custom build from source) fixed this issue.
Bug#808431: linux-source-3.16: FreeRADIUS stopped working when kernel was updated to 3.16.7-ckt20
Package: linux-source-3.16 Version: 3.16.7-ckt-20 Severity: important Dear Maintainer, *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? Upgrading the Kernel from 3.16.7-ckt11 to 3.16.7-ckt20 (compiled from source each) broke FreeRADIUS. The freeradius daemon stopped responding to udp auth queries from locally installed hostapd wifi daemon. Wifi clients using EAP-TLS auth cannot authenticate an more. * What exactly did you do (or not do) that was effective (or ineffective)? Downgrade to Kernel 3.16.7-ckt11 fixed the issue. * What was the outcome of this action? * What outcome did you expect instead? *** End of the template - remove these template lines *** -- System Information: Debian Release: 8.2 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
