[Bug 1380229] [NEW] Potential Vulnerability for X509 Certificate Verification
*** This bug is a security vulnerability *** Public security bug reported: Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. We believe that nagios-nrpe-plugin didn't check whether the hostname matches the name in the ssl certificate and the expired date of the certificate. We found the vulnerability by static analysis, typically, a process of verification involves calling a chain of API, and we can deduce whether the communication process is vulnerable by detecting whether the process satisfies a certain relation. The result format is like this: notice: Line Number@Method Name, Source File We provide this result to help developers to locate the problem faster. This is the result for nagios-nrpe-plugin: [PDG]main'3 [Found]SSL_connect() [HASH] 2600616823 [LineNo]@ 157[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-nrpe-plugin/nagios-nrpe-2.12/src/check_nrpe.c [INFO] API SSL_new() Found! -- [HASH] 4103224634 [LineNo]@ 154[Kind]call-site[Char] SSL_new()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-nrpe-plugin/nagios-nrpe-2.12/src/check_nrpe.c [INFO] API SSL_CTX_new() Found! -- [HASH] 4083349714 [LineNo]@ 235[Kind]call-site[Char] SSL_CTX_new()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-nrpe-plugin/nagios-nrpe-2.12/src/nrpe.c [Warning] No secure SSL_Method API found! Potentially vulnerable!!! The result means that we found that nagios-nrpe-plugin uses ssl and it didn't invoke the method pertaining to the certificate, thus it is vulnearable if the certificate is tampered. We don't have a POC because we didn't succeed in configuring this software or don't know the way to verify the vulnerability. But through the analysis of the source code, we believe it breaks the ssl certificate verfication protocol. for more information about the importance of checking hostname: see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf Thanks. ** Affects: nagios-nrpe (Ubuntu) Importance: Undecided Status: New ** Information type changed from Private Security to Public ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nagios-nrpe in Ubuntu. https://bugs.launchpad.net/bugs/1380229 Title: Potential Vulnerability for X509 Certificate Verification To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1380229/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1380231] [NEW] Potential Vulnerability for X509 Certificate Verification
*** This bug is a security vulnerability *** Public security bug reported: Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. We believe that nagios-plugins-basic didn't check whether the hostname matches the name in the ssl certificate and the expired date of the certificate. We found the vulnerability by static analysis, typically, a process of verification involves calling a chain of API, and we can deduce whether the communication process is vulnerable by detecting whether the process satisfies a certain relation. The result format is like this: notice: Line Number@Method Name, Source File We provide this result to help developers to locate the problem faster. This is the result for nagios-plugins-basic: [PDG]np_net_ssl_init_with_hostname [Found]SSL_connect() [HASH] 2965878942 [LineNo]@ 60[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c [INFO] API SSL_new() Found! -- [HASH] 3737899610 [LineNo]@ 54[Kind]call-site[Char] SSL_new ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c [INFO] API SSL_CTX_new() Found! -- [HASH] 26244883 [LineNo]@ 50[Kind]call-site[Char] SSL_CTX_new ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c [INFO] API SSLv23_client_method() Found! -- [HASH] 1523132904 [LineNo]@ 50[Kind]call-site[Char] SSLv23_client_method ()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c [INFO] API SSL_get_peer_certificate() Found! -- [HASH] 316360603 [LineNo]@ 107[Kind]call-site[Char] SSL_get_peer_certificate()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/nagios-plugins-basic/nagios-plugins-1.4.15/plugins/sslutils.c [Warning] No SSL_get_peer_certificate() SSL_get_verify_result() APIs found! Potentially vulnerable!!! We don't have a POC because we didn't succeed in configuring this software or don't know the way to verify the vulnerability. But through the analysis of the source code, we believe it breaks the ssl certificate verfication protocol. for more information about the importance of checking hostname: see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf Thanks. ** Affects: nagios-plugins (Ubuntu) Importance: Undecided Status: New ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nagios-plugins in Ubuntu. https://bugs.launchpad.net/bugs/1380231 Title: Potential Vulnerability for X509 Certificate Verification To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-plugins/+bug/1380231/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1380235] [NEW] Potential Vulnerability for X509 Certificate Verification
*** This bug is a security vulnerability *** Public security bug reported: Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. We believe that spamc didn't check whether the hostname matches the name in the ssl certificate and the expired date of the certificate. We found the vulnerability by static analysis, typically, a process of verification involves calling a chain of API, and we can deduce whether the communication process is vulnerable by detecting whether the process satisfies a certain relation. The result format is like this: notice: Line Number@Method Name, Source File We provide this result to help developers to locate the problem faster. This is the result for spamc: [PDG]message_filter [Found]SSL_connect() [HASH] 3238387200 [LineNo]@ 1369[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c [INFO] API SSL_new() Found! -- [HASH] 2841348688 [LineNo]@ 1367[Kind]call-site[Char] SSL_new()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c [INFO] API SSL_CTX_new() Found! -- [HASH] 1784966074 [LineNo]@ 1211[Kind]call-site[Char] SSL_CTX_new()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c [Warning] No secure SSL_Method API found! Potentially vulnerable!!! [PDG]message_tell [Found]SSL_connect() [HASH] 3756788397 [LineNo]@ 1717[Kind]call-site[Char] SSL_connect()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c [INFO] API SSL_new() Found! -- [HASH] 894746177 [LineNo]@ 1715[Kind]call-site[Char] SSL_new()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c [INFO] API SSL_CTX_new() Found! -- [HASH] 1784966074 [LineNo]@ 1211[Kind]call-site[Char] SSL_CTX_new()[Src] /home/roca/workspace/codebase/code/ubuntu_pkg/spamc/spamassassin-3.3.2/spamc/libspamc.c [Warning] No secure SSL_Method API found! Potentially vulnerable!!! We don't have a POC because we didn't succeed in configuring this software or don't know the way to verify the vulnerability. But through the analysis of the source code, we believe it breaks the ssl certificate verfication protocol. for more information about the importance of checking hostname: see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf Thanks. ** Affects: spamassassin (Ubuntu) Importance: Undecided Status: New ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to spamassassin in Ubuntu. https://bugs.launchpad.net/bugs/1380235 Title: Potential Vulnerability for X509 Certificate Verification To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1380235/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1374730] Re: X509 certificate verification problem
** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to keepalived in Ubuntu. https://bugs.launchpad.net/bugs/1374730 Title: X509 certificate verification problem To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/keepalived/+bug/1374730/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1005821] Re: Can't use # as the delimiter between key prefixes and IDs.
** Changed in: memcached (Debian) Status: Confirmed = Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to memcached in Ubuntu. https://bugs.launchpad.net/bugs/1005821 Title: Can't use # as the delimiter between key prefixes and IDs. To manage notifications about this bug go to: https://bugs.launchpad.net/memcached/+bug/1005821/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1286194] Re: openvswitch-datapath-dkms 1.4.6-0ubuntu1.12.04.2: openvswitch kernel module failed to build
i have the same problem , how i can solve it ? * Inserting openvswitch module Module has probably not been built for this kernel. Install the openvswitch-datapath-source package, then read /usr/share/doc/openvswitch-datapath-source/README.Debian Setting up mininet (2.0.0-0ubuntu1~ubuntu12.04.1) ... Setting up openvswitch-pki (1.4.6-0ubuntu1.12.04.3) ... Creating controllerca... Creating switchca... Setting up openvswitch-controller (1.4.6-0ubuntu1.12.04.3) ... * Starting ovs-controller ovs-controller Oct 13 04:31:06|1|stream_ssl|INFO|Trusting CA cert from /etc/openvswitch-controller/cacert.pem (/C=US/ST=CA/O=Open vSwitch/OU=switchca/CN=OVS switchca CA Certificate (2014 Oct 13 04:31:05)) (fingerprint 95:a8:9e:72:e2:a9:3f:bf:74:b6:d0:29:01:3a:f2:cc:3a:83:a1:b2) [ OK ] Setting up openvswitch-datapath-dkms (1.4.6-0ubuntu1.12.04.3) ... Creating symlink /var/lib/dkms/openvswitch/1.4.6/source - /usr/src/openvswitch-1.4.6 DKMS: add completed. Kernel preparation unnecessary for this kernel. Skipping... Building module: cleaning build area(bad exit status: 2) ./configure --with-linux='/lib/modules/3.2.0-70-generic/build' make -C datapath/linux.(bad exit status: 2) Error! Bad return status for module build on kernel: 3.2.0-70-generic (x86_64) Consult /var/lib/dkms/openvswitch/1.4.6/build/make.log for more information. Setting up python-scipy (0.9.0+dfsg1-1ubuntu2) ... Processing triggers for libc-bin ... ldconfig deferred processing now taking place Processing triggers for python-support ... -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openvswitch in Ubuntu. https://bugs.launchpad.net/bugs/1286194 Title: openvswitch-datapath-dkms 1.4.6-0ubuntu1.12.04.2: openvswitch kernel module failed to build To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openvswitch/+bug/1286194/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1380425] [NEW] Rootwrap error with cinder-volume
Public bug reported: The cinder-volume service (2014.2~rc2-0ubuntu1~cloud0) generates the following rootwrap error in the cinder-volume.log file: 2014-10-12 23:10:12.463 12082 INFO cinder.openstack.common.service [-] Starting 2014-10-12 23:10:12.463 12082 INFO cinder.openstack.common.service [-] Starting 1 workers 2014-10-12 23:10:12.465 12082 INFO cinder.openstack.common.service [-] Started child 12123 2014-10-12 23:10:12.468 12123 INFO cinder.service [-] Starting cinder-volume node (version 2014.2) 2014-10-12 23:10:12.470 12123 INFO cinder.volume.manager [req-0d64c7d5-8ae3-4afb-bd20-28308aa28b7b - - - - -] Starting volume driver LVMISCSIDriver (2.0.0) 2014-10-12 23:10:12.529 12123 ERROR cinder.volume.manager [req-0d64c7d5-8ae3-4afb-bd20-28308aa28b7b - - - - -] Error encountered during initialization of driver: LVMISCSIDriver 2014-10-12 23:10:12.529 12123 ERROR cinder.volume.manager [req-0d64c7d5-8ae3-4afb-bd20-28308aa28b7b - - - - -] Unexpected error while running command. Command: sudo cinder-rootwrap /etc/cinder/rootwrap.conf env LC_ALL=C vgs --noheadings -o name cinder-volumes Exit code: 1 Stdout: u'' Stderr: u'sudo: no tty present and no askpass program specified\n' Adding a * to the following line in the /etc/sudoers.d/cinder_sudoers file resolves the issue: cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf For example: cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf * Other services contain this * in their rootwrap configuration files. ** Affects: cinder (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to cinder in Ubuntu. https://bugs.launchpad.net/bugs/1380425 Title: Rootwrap error with cinder-volume To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cinder/+bug/1380425/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1218114] Re: 1.4.14-0ubuntu3 (still) FTBFS on arm64
** Changed in: memcached (Debian) Status: New = Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to memcached in Ubuntu. https://bugs.launchpad.net/bugs/1218114 Title: 1.4.14-0ubuntu3 (still) FTBFS on arm64 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/memcached/+bug/1218114/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1177398] Re: init-script status method doesn't handle instances correctly
** Changed in: memcached (Debian) Status: New = Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to memcached in Ubuntu. https://bugs.launchpad.net/bugs/1177398 Title: init-script status method doesn't handle instances correctly To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/memcached/+bug/1177398/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1362741] Re: update golang packages to 1.3.1
This is one of those packages that needs to be on a 'rolling release' list. It doesn't make sense to not update this package as soon as a new release is released. Each new version of Go fixes bugs and makes drastic improvements over the last version. I wonder, do the package maintainers behind Ubuntu have a 'rolling release' list? -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to golang in Ubuntu. https://bugs.launchpad.net/bugs/1362741 Title: update golang packages to 1.3.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/golang/+bug/1362741/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1319600] Re: maas-cli stack trace if .maascli.db unreadable
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: maas (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to maas in Ubuntu. https://bugs.launchpad.net/bugs/1319600 Title: maas-cli stack trace if .maascli.db unreadable To manage notifications about this bug go to: https://bugs.launchpad.net/maas/+bug/1319600/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1380442] [NEW] default vsftpd package no login with pam-pgsql
Public bug reported: 1) lsb_release -rd: Description: Ubuntu 14.04.1 LTS Release: 14.04 2) default vsftpd package - apt-cache policy vsftpd: Installed: 3.0.2-1ubuntu2.14.04.1 Candidate: 3.0.2-1ubuntu2.14.04.1 Version table: *** 3.0.2-1ubuntu2.14.04.1 0 500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 100 /var/lib/dpkg/status 3.0.2-1ubuntu2 0 500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages 3) I expect to be able to log in as a virtual user via pam-pgsql 4) Receive below errors error received when attempting to log in via filezilla Command:USER test Response: 331 Please specify the password. Command:PASS Response: 500 OOPS: priv_sock_get_result Error: Critical error: Could not connect to server error logged in /var/log/auth.log PAM unable to dlopen(pam_pgsql.so): libffi.so.6: failed to map segment from shared object: Cannot allocate memory PAM adding faulty module: pam_pgsql.so 5) Solution: - 1) apt-get source vsftpd - 2) apply patches found in the debian distribution (can someone explain why patched source isn't already in debian zip?) - 3) make make install (requires packages libwrap0 libwrap0-dev) login works fine after installing from source, meaning the default vsftpd package is not compiled from its corresponding source. Without source of the default distributed package, I was unable to debug further. 6) I can provide configuration files, but will need an email to forward them to. ** Affects: vsftpd (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to vsftpd in Ubuntu. https://bugs.launchpad.net/bugs/1380442 Title: default vsftpd package no login with pam-pgsql To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1380442/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs