[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash

2017-07-19 Thread Andreas Hasenack
** Description changed:

  [Impact]
+ The libapache2-mod-auth-pgsql module will trigger frequent segfaults in 
apache if used in conjunction with a CGI script.
  
-  * An explanation of the effects of the bug on users and
- 
-  * justification for backporting the fix to the stable release.
- 
-  * In addition, it is helpful, but not required, to include an
-explanation of how the upload fixes this bug.
  
  [Test Case]
  
  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
  
  * create the database and populate it with the test user:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -c "CREATE TABLE UserLogin (Username text, 
ApachePassword text);"
  $ sudo -u postgres -H psql userdb -c "INSERT INTO UserLogin VALUES ('ubuntu', 
'secret');"
  
  * Create the DB user the module will use and grant access to the user table:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
  
  * Create /etc/apache2/conf-available/authpgtest.conf with the following 
content:
  Alias /authpgtest /export/scratch/authpgtest
  
-   Options +ExecCGI +FollowSymLinks
-   AddHandler cgi-script .pl
-   AuthType basic
-   AuthName "My Auth"
-   Require valid-user
-   AuthBasicProvider pgsql
-   Auth_PG_authoritative On
-   Auth_PG_host 127.0.0.1
-   Auth_PG_port 5432
-   Auth_PG_user www
-   Auth_PG_pwd password
-   Auth_PG_database userdb
-   Auth_PG_encrypted off
-   Auth_PG_pwd_table UserLogin
-   Auth_PG_uid_field Username
-   Auth_PG_pwd_field ApachePassword
+   Options +ExecCGI +FollowSymLinks
+   AddHandler cgi-script .pl
+   AuthType basic
+   AuthName "My Auth"
+   Require valid-user
+   AuthBasicProvider pgsql
+   Auth_PG_authoritative On
+   Auth_PG_host 127.0.0.1
+   Auth_PG_port 5432
+   Auth_PG_user www
+   Auth_PG_pwd password
+   Auth_PG_database userdb
+   Auth_PG_encrypted off
+   Auth_PG_pwd_table UserLogin
+   Auth_PG_uid_field Username
+   Auth_PG_pwd_field ApachePassword
  
  
  * Enable this new configuration:
  $ sudo a2enconf authpgtest.conf
  
  * Enable the auth-pgsql and cgi modules and then restart apache:
  $ for n in 000_auth_pgsql cgi; do sudo a2enmod $n; done
  $ sudo service apache2 restart
  
  * Create the CGI directory for our script:
  $ sudo mkdir -p /export/scratch/authpgtest
  
  * Create the CGI script /export/scratch/authpgtest/hw.pl with the following 
contents:
  #!/usr/bin/perl
  print "Content-type: text/html\n\n";
  print "Hello, World!\n";
  
  * Make it executable:
  $ sudo chmod 0755 /export/scratch/authpgtest/hw.pl
  
- 
  * Access the http://ubuntu:secret@localhost/authpgtest/hw.pl URL a few times 
while tailing /var/log/apache/error.log. After a few tries it will fail, and 
apache will log a segfault:
  $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
  Hello, World!
  $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
  Hello, World!
  $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
  curl: (52) Empty reply from server
  
  In /var/log/apache2/error.log:
  *** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x7fa9340007c8 
***
  [Wed Jul 19 20:43:57.077960 2017] [core:notice] [pid 10926:tid 
140365262006144] AH00051: child pid 10930 exit signal Aborted (6), possible 
coredump in /etc/apache2
  
- 
- After installing the fixed libapache2-mod-auth-pgsql package, all attempts 
will work.
+ After installing the fixed libapache2-mod-auth-pgsql package, all
+ attempts will work.
  
  
- [Regression Potential] 
+ [Regression Potential]
+ This patch is already being used in Ubuntu releases higher than trusty, all 
the way to artful, and also in Debian.
  
-  * discussion of how regressions are most likely to manifest as a result
- of this change.
+ This is a very old module that hasn't been built in a while (see [other
+ info] below. It's possible that just by rebuilding it with the new
+ environment available in Trusty could introduce unknowns. Hopefully, if
+ that happens, it will be immediately noticed by the people who use it
+ and will test this SRU.
  
-  * It is assumed that any SRU candidate patch is well-tested before
-upload and has a low overall risk of regression, but it's important
-to make the effort to think about what ''could'' happen in the
-event of a regression.
- 
-  * This both shows the SRU team that the risks have been considered,
-and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
-  
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
-  * and address these questions in advance
+ This module hasn't been rebuilt since vivid and seems unmaintained, being at 
version 2.0.3 since the precise days:
+  libapache2-mod

[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash

2017-07-19 Thread Andreas Hasenack
** Description changed:

- Ubuntu Trusty Tahr 14.04
+ [Impact]
  
- apache2:
-   Installed: 2.4.7-1ubuntu1
-   Candidate: 2.4.7-1ubuntu1
-   Version table:
-  *** 2.4.7-1ubuntu1 0
- 500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
- 100 /var/lib/dpkg/status
+  * An explanation of the effects of the bug on users and
  
- Just maked a following steps:
- - sudo apt-get update
- - sudo apt-get upgrade
+  * justification for backporting the fix to the stable release.
  
- ProblemType: Crash
- DistroRelease: Ubuntu 14.04
- Package: apache2-bin 2.4.7-1ubuntu1
- ProcVersionSignature: Ubuntu 3.13.0-4.19-generic 3.13.0-rc8
- Uname: Linux 3.13.0-4-generic x86_64
- NonfreeKernelModules: nvidia
- ApportVersion: 2.13.1-0ubuntu2
- Architecture: amd64
- Date: Sun Jan 26 00:07:10 2014
- ExecutablePath: /usr/sbin/apache2
- InstallationDate: Installed on 2012-12-19 (402 days ago)
- InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64+mac 
(20111012)
- ProcCmdline: /usr/sbin/apache2 -k start
- ProcEnviron:
-  PATH=(custom, no user)
-  LANG=C
- SegvAnalysis:
-  Segfault happened at: 0x7f197ce45bb2:and%al,(%rax)
-  PC (0x7f197ce45bb2) ok
-  source "%al" ok
-  destination "(%rax)" (0x) not located in a known VMA region (needed 
writable region)!
- SegvReason: writing NULL VMA
- Signal: 11
- SourcePackage: apache2
- StacktraceTop:
-  ?? () from /usr/lib/apache2/modules/mod_cgid.so
-  
-  __accept_nocancel () at ../sysdeps/unix/syscall-template.S:81
-  ?? () from /usr/lib/apache2/modules/mod_cgid.so
-  ?? () from /usr/lib/apache2/modules/mod_cgid.so
- Title: apache2 crashed with SIGSEGV in ()
- UpgradeStatus: Upgraded to trusty on 2013-11-10 (76 days ago)
- UserGroups:
+  * In addition, it is helpful, but not required, to include an
+explanation of how the upload fixes this bug.
+ 
+ [Test Case]
+ 
+ * install the packages on the Ubuntu release you are testing:
+ $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
+ 
+ * create the database and populate it with the test user:
+ $ sudo -u postgres -H createdb userdb
+ $ sudo -u postgres -H psql userdb -c "CREATE TABLE UserLogin (Username text, 
ApachePassword text);"
+ $ sudo -u postgres -H psql userdb -c "INSERT INTO UserLogin VALUES ('ubuntu', 
'secret');"
+ 
+ * Create the DB user the module will use and grant access to the user table:
+ $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
+ $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
+ 
+ * Create /etc/apache2/conf-available/authpgtest.conf with the following 
content:
+ Alias /authpgtest /export/scratch/authpgtest
+ 
+   Options +ExecCGI +FollowSymLinks
+   AddHandler cgi-script .pl
+   AuthType basic
+   AuthName "My Auth"
+   Require valid-user
+   AuthBasicProvider pgsql
+   Auth_PG_authoritative On
+   Auth_PG_host 127.0.0.1
+   Auth_PG_port 5432
+   Auth_PG_user www
+   Auth_PG_pwd password
+   Auth_PG_database userdb
+   Auth_PG_encrypted off
+   Auth_PG_pwd_table UserLogin
+   Auth_PG_uid_field Username
+   Auth_PG_pwd_field ApachePassword
+ 
+ 
+ * Enable this new configuration:
+ $ sudo a2enconf authpgtest.conf
+ 
+ * Enable the auth-pgsql and cgi modules and then restart apache:
+ $ for n in 000_auth_pgsql cgi; do sudo a2enmod $n; done
+ $ sudo service apache2 restart
+ 
+ * Create the CGI directory for our script:
+ $ sudo mkdir -p /export/scratch/authpgtest
+ 
+ * Create the CGI script /export/scratch/authpgtest/hw.pl with the following 
contents:
+ #!/usr/bin/perl
+ print "Content-type: text/html\n\n";
+ print "Hello, World!\n";
+ 
+ * Make it executable:
+ $ sudo chmod 0755 /export/scratch/authpgtest/hw.pl
+ 
+ 
+ * Access the http://ubuntu:secret@localhost/authpgtest/hw.pl URL a few times 
while tailing /var/log/apache/error.log. After a few tries it will fail, and 
apache will log a segfault:
+ $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
+ Hello, World!
+ $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
+ Hello, World!
+ $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
+ curl: (52) Empty reply from server
+ 
+ In /var/log/apache2/error.log:
+ *** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x7fa9340007c8 
***
+ [Wed Jul 19 20:43:57.077960 2017] [core:notice] [pid 10926:tid 
140365262006144] AH00051: child pid 10930 exit signal Aborted (6), possible 
coredump in /etc/apache2
+ 
+ 
+ After installing the fixed libapache2-mod-auth-pgsql package, all attempts 
will work.
+ 
+ 
+ [Regression Potential] 
+ 
+  * discussion of how regressions are most likely to manifest as a result
+ of this change.
+ 
+  * It is assumed that any SRU candidate patch is well-tested before
+upload and has a low overall risk of regression, but it's important
+to make the effort to think about what ''could'' happen in the
+event of a regression.
+ 
+  * This both shows the SRU t

[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
** Description changed:

  [Impact]
  The libapache2-mod-auth-pgsql module will cause a segfault error in apache if 
its encrypted support is enabled ("Auth_PG_encrypted on") and a hash format not 
supported by crypt(3) is used.
  
  Since this is an apache module, users might be tempted to use
  htpasswd(1) to generate such hashes. The option to generate SHA hashes
  (-s) in particular will generate a hash incompatible with crypt(3),
  which will then return NULL and cause the segfault in unpatched versions
  of this apache module.
  
  The fix catches the situation when crypt(3) returns NULL and logs the
  event as an unsupported hash type being found, and denies the login.
  
  [Test Case]
  
  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
  
  * create the database and populate it with the test users from the attached 
test-users.sql file:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -f test-users.sql
  
  * Create the DB user we will use:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
  
  * Grant access:
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
  
  * Create the /var/www/html/.htaccess file with this content:
  AuthType basic
  AuthName "My Auth"
  Require valid-user
  AuthBasicProvider pgsql
  Auth_PG_authoritative On
  Auth_PG_host 127.0.0.1
  Auth_PG_port 5432
  Auth_PG_user www
  Auth_PG_pwd password
  Auth_PG_database userdb
  Auth_PG_encrypted on
  Auth_PG_pwd_table UserLogin
  Auth_PG_uid_field Username
  Auth_PG_pwd_field ApachePassword
  
  * Setup access in apache by editing /etc/apache2/sites-
  enabled/000-default.conf and adding these lines somewhere inside the
   section:
  
  
  AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
  To try each test login, use a loop like this:
  
  $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
  Testing ubuntu-invalidhash... 52
  Testing ubuntu-md5... 0
  Testing ubuntu-sha256... 0
  Testing ubuntu-sha512... 0
  Testing ubuntu-des... 0
  
  Error 52 means "empty reply from server". That's when apache segfaulted:
  [Wed Jul 19 19:28:13.808711 2017] [core:notice] [pid 9499:tid 
140330145511296] AH00051: child pid 9677 exit signal Segmentation fault (11), 
possible coredump in /etc/apache2
  
  With the fixed version of libapache2-mod-auth-pgsql, the test loop will
  just record a normal authentication problem for the ubuntu-invalidhash
  user (since the hash is not supported) instead of an "empty reply from
  server":
  
  $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
  Testing ubuntu-invalidhash... 22
  Testing ubuntu-md5... 0
  Testing ubuntu-sha256... 0
  Testing ubuntu-sha512... 0
  Testing ubuntu-des... 0
  
  And we get this fact logged:
  [Wed Jul 19 19:38:56.547337 2017] [auth_pgsql:error] [pid 10035:tid 
140550732678912] [client 127.0.0.1:56946] [mod_auth_pgsql.c] - ERROR - PG user 
ubuntu-invalidhash: unsupported CRYPT format
  
  [Regression Potential]
+ The patch seems pretty straight forward and uses a well documented crypt(3) 
return value in the case of errors.
  
-  * discussion of how regressions are most likely to manifest as a result
- of this change.
+ This is a very old module that hasn't been built in a while (see [other
+ info] below. It's possible that just by rebuilding it with the new
+ environment available in each ubuntu release since vivid could introduce
+ unknowns. Hopefully, if that happens, it will be immediately noticed by
+ the people who use it and will test this SRU.
  
-  * It is assumed that any SRU candidate patch is well-tested before
-    upload and has a low overall risk of regression, but it's important
-    to make the effort to think about what ''could'' happen in the
-    event of a regression.
- 
-  * This both shows the SRU team that the risks have been considered,
-    and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
  
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
-  * and address these questions in advance
+ Upstream doesn't have a bugtracker or public code hosting that I could
+ find, so I forwarded the patch via email. No response so far.
+ 
+ This module hasn't been rebuilt since vivid and seems unmaintained, being at 
version 2.0.3 since the precise days:
+  libapache2-mod-auth-pgsql | 2.0.3-5build2| precise
+  liba
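The check described in the [Impact] section above, as an added Python example that is not the module's own code: it wraps the host's crypt(3) through ctypes (assumes a Linux host with libcrypt.so.1, glibc or libxcrypt), denies the login with the same "unsupported CRYPT format" message when crypt() returns NULL or a libxcrypt failure token instead of handing the result to a string compare, and adds an audit helper that lists which stored hashes would have crashed the unpatched module. The names verify_login, classify_hash and audit_password_table and the sample rows are mine; the real test-users.sql is not on the page.

```python
import ctypes
import ctypes.util
import hmac
import logging
from typing import Callable, Dict, List, Optional, Tuple

log = logging.getLogger("auth_pgsql")

# A crypt(3)-like callable: (key, setting) -> hash string, or None on failure.
CryptFn = Callable[[str, str], Optional[str]]


def _load_system_crypt() -> Optional[CryptFn]:
    """Wrap the C library's crypt(3) via ctypes; None if no libcrypt is found.
    Assumption: a Linux host with libcrypt.so.1 (glibc or libxcrypt)."""
    for name in (ctypes.util.find_library("crypt"), "libcrypt.so.1"):
        if not name:
            continue
        try:
            lib = ctypes.CDLL(name)
            fn = lib.crypt
        except (OSError, AttributeError):
            continue
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        fn.restype = ctypes.c_char_p  # a NULL return surfaces as None

        def crypt3(key: str, setting: str) -> Optional[str]:
            out = fn(key.encode(), setting.encode())
            return None if out is None else out.decode()

        return crypt3
    return None


SYSTEM_CRYPT: Optional[CryptFn] = _load_system_crypt()


def verify_login(user: str, supplied: str, stored: str,
                 crypt_fn: Optional[CryptFn] = None) -> Tuple[bool, str]:
    """Return (allowed, reason), following the fixed module's control flow."""
    crypt_fn = crypt_fn or SYSTEM_CRYPT
    if crypt_fn is None:
        raise RuntimeError("no crypt(3) implementation available on this host")
    computed = crypt_fn(supplied, stored)
    # glibc's crypt() returns NULL for a setting it cannot parse (e.g. the
    # "{SHA}" output of htpasswd -s); libxcrypt instead returns a failure
    # token beginning with '*'. The unpatched module passed the result
    # straight to strcmp(), so the NULL case dereferenced a null pointer.
    if computed is None or computed.startswith("*"):
        log.error("PG user %s: unsupported CRYPT format", user)
        return False, "unsupported CRYPT format"
    # Constant-time compare of the recomputed hash against the stored one.
    if not hmac.compare_digest(computed.encode(), stored.encode()):
        return False, "password mismatch"
    return True, "ok"


# Hash prefixes glibc's crypt(3) is documented to support; anything else
# depends on the libcrypt build in use (libxcrypt adds bcrypt, yescrypt, ...).
_GLIBC_FORMATS = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}


def classify_hash(stored: str) -> str:
    """Name the crypt(3) family of a stored hash, or 'unsupported'."""
    for prefix, name in _GLIBC_FORMATS.items():
        if stored.startswith(prefix):
            return name
    # Traditional DES: 13 characters from the crypt alphabet, no '$'.
    if len(stored) == 13 and all(c.isalnum() or c in "./" for c in stored):
        return "des"
    return "unsupported"


def audit_password_table(rows: Dict[str, str]) -> List[str]:
    """Usernames whose stored hash would crash an unpatched module."""
    return [u for u, h in rows.items() if classify_hash(h) == "unsupported"]


if __name__ == "__main__":
    # Constructed rows mirroring the bug report's test users; the hash
    # bodies are placeholders, not real digests.
    rows = {
        "ubuntu-invalidhash": "{SHA}placeholder=",  # what htpasswd -s emits
        "ubuntu-md5": "$1$saltsalt$placeholder",
        "ubuntu-sha512": "$6$saltsalt$placeholder",
    }
    print("would crash unpatched module:", audit_password_table(rows))
    if SYSTEM_CRYPT is not None:
        print(verify_login("ubuntu-invalidhash", "secret",
                           rows["ubuntu-invalidhash"]))
```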

[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
** Description changed:

  [Impact]
  
   * An explanation of the effects of the bug on users and
  
   * justification for backporting the fix to the stable release.
  
   * In addition, it is helpful, but not required, to include an
     explanation of how the upload fixes this bug.
  
  [Test Case]
  
  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
  
  * create the database and populate it with the test users from the attached 
test-users.sql file:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -f test-users.sql
  
  * Create the DB user we will use:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
  
  * Grant access:
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
  
  * Create the /var/www/html/.htaccess file with this content:
  AuthType basic
  AuthName "My Auth"
  Require valid-user
  AuthBasicProvider pgsql
  Auth_PG_authoritative On
  Auth_PG_host 127.0.0.1
  Auth_PG_port 5432
  Auth_PG_user www
  Auth_PG_pwd password
  Auth_PG_database userdb
  Auth_PG_encrypted on
  Auth_PG_pwd_table UserLogin
  Auth_PG_uid_field Username
  Auth_PG_pwd_field ApachePassword
  
  * Setup access in apache by editing /etc/apache2/sites-
  enabled/000-default.conf and adding these lines somewhere inside the
   section:
  
  
  AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
- This is now ready for testing. The database was populated with the following 
usernames, all with the same password "secret":
-  ubuntu-invalidhash
-  ubuntu-md5
-  ubuntu-sha256
-  ubuntu-sha512
-  ubuntu-des
  
- To test each login, use a loop like this:
+ To try each test login, use a loop like this:
  
  $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
  Testing ubuntu-invalidhash... 52
  Testing ubuntu-md5... 0
  Testing ubuntu-sha256... 0
  Testing ubuntu-sha512... 0
  Testing ubuntu-des... 0
  
- The apache logs will show the segfault when ubuntu-invalidhash is tried:
+ Error 52 means "empty reply from server". That's when apache segfaulted:
  [Wed Jul 19 19:28:13.808711 2017] [core:notice] [pid 9499:tid 
140330145511296] AH00051: child pid 9677 exit signal Segmentation fault (11), 
possible coredump in /etc/apache2
- 
- Trying just that one manually:
- $ curl http://ubuntu-invalidhash:secret@localhost -o /dev/null -f
-   % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
-  Dload  Upload   Total   SpentLeft  Speed
-   0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
- curl: (52) Empty reply from server
  
  With the fixed version of libapache2-mod-auth-pgsql, the test loop will
  just record a normal authentication problem for the ubuntu-invalidhash
  user (since the hash is not supported) instead of an "empty reply from
  server":
  
- $ curl http://ubuntu-invalidhash:secret@localhost -o /dev/null -f
-   % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
-  Dload  Upload   Total   SpentLeft  Speed
-   0   4560 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
- curl: (22) The requested URL returned error: 401
- 
- And the test loop will return 22 for that user, and no errors for the rest:
  $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
  Testing ubuntu-invalidhash... 22
  Testing ubuntu-md5... 0
  Testing ubuntu-sha256... 0
  Testing ubuntu-sha512... 0
  Testing ubuntu-des... 0
- 
  
  [Regression Potential]
  
   * discussion of how regressions are most likely to manifest as a result
  of this change.
  
   * It is assumed that any SRU candidate patch is well-tested before
     upload and has a low overall risk of regression, but it's important
     to make the effort to think about what ''could'' happen in the
     event of a regression.
  
   * This both shows the SRU team that the risks have been considered,
     and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
  
   * Anything else you think is useful to include
   * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
   * and address these questions in advance

** Description changed:

  [Impact]
+ The libapache2-mod-auth-pgsql module will cause a segfault error in apache if 
its encrypted support is enabled ("Auth_PG_encrypted on") and a hash format not 
supported by crypt(3) is used.
  
-  * An 

[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
** Description changed:

  [Impact]
  
   * An explanation of the effects of the bug on users and
  
   * justification for backporting the fix to the stable release.
  
   * In addition, it is helpful, but not required, to include an
     explanation of how the upload fixes this bug.
  
  [Test Case]
  
  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
  
  * create the database and populate it with the test users from the attached 
test-users.sql file:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -f test-users.sql
  
  * Create the DB user we will use:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
  
  * Grant access:
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
  
  * Create the /var/www/html/.htaccess file with this content:
  AuthType basic
  AuthName "My Auth"
  Require valid-user
  AuthBasicProvider pgsql
  Auth_PG_authoritative On
  Auth_PG_host 127.0.0.1
  Auth_PG_port 5432
  Auth_PG_user www
  Auth_PG_pwd password
  Auth_PG_database userdb
  Auth_PG_encrypted on
  Auth_PG_pwd_table UserLogin
  Auth_PG_uid_field Username
  Auth_PG_pwd_field ApachePassword
  
  * Setup access in apache by editing /etc/apache2/sites-
  enabled/000-default.conf and adding these lines somewhere inside the
   section:
  
  
  AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
  This is now ready for testing. The database was populated with the following 
usernames, all with the same password "secret":
   ubuntu-invalidhash
   ubuntu-md5
   ubuntu-sha256
   ubuntu-sha512
   ubuntu-des
  
- The username that will cause a segfault is "ubuntu-invalidhash". To test each 
login, use a loop like this:
- for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s && echo OK || echo FAIL; done
- Testing ubuntu-invalidhash... FAIL
- Testing ubuntu-md5... OK
- Testing ubuntu-sha256... OK
- Testing ubuntu-sha512... OK
- Testing ubuntu-des... OK
+ To test each login, use a loop like this:
  
- The fixed version must have all tests with the result OK.
+ $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
+ Testing ubuntu-invalidhash... 52
+ Testing ubuntu-md5... 0
+ Testing ubuntu-sha256... 0
+ Testing ubuntu-sha512... 0
+ Testing ubuntu-des... 0
+ 
+ The apache logs will show the segfault when ubuntu-invalidhash is tried:
+ [Wed Jul 19 19:28:13.808711 2017] [core:notice] [pid 9499:tid 
140330145511296] AH00051: child pid 9677 exit signal Segmentation fault (11), 
possible coredump in /etc/apache2
+ 
+ Trying just that one manually:
+ $ curl http://ubuntu-invalidhash:secret@localhost -o /dev/null -f
+   % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
+  Dload  Upload   Total   SpentLeft  Speed
+   0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
+ curl: (52) Empty reply from server
+ 
+ With the fixed version of libapache2-mod-auth-pgsql, the test loop will
+ just record a normal authentication problem for the ubuntu-invalidhash
+ user (since the hash is not supported) instead of an "empty reply from
+ server":
+ 
+ $ curl http://ubuntu-invalidhash:secret@localhost -o /dev/null -f
+   % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
+  Dload  Upload   Total   SpentLeft  Speed
+   0   4560 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
+ curl: (22) The requested URL returned error: 401
+ 
+ And the test loop will return 22 for that user, and no errors for the rest:
+ $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
+ Testing ubuntu-invalidhash... 22
+ Testing ubuntu-md5... 0
+ Testing ubuntu-sha256... 0
+ Testing ubuntu-sha512... 0
+ Testing ubuntu-des... 0
+ 
  
  [Regression Potential]
  
   * discussion of how regressions are most likely to manifest as a result
  of this change.
  
   * It is assumed that any SRU candidate patch is well-tested before
     upload and has a low overall risk of regression, but it's important
     to make the effort to think about what ''could'' happen in the
     event of a regression.
  
   * This both shows the SRU team that the risks have been considered,
     and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
  
   * Anything else you think is useful to 

[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
** Description changed:

  [Impact]
  
   * An explanation of the effects of the bug on users and
  
   * justification for backporting the fix to the stable release.
  
   * In addition, it is helpful, but not required, to include an
     explanation of how the upload fixes this bug.
  
  [Test Case]
  
  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
  
  * create the database and populate it with the test users from the attached 
test-users.sql file:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -f test-users.sql
  
  * Create the DB user we will use:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
- CREATE ROLE
  
  * Grant access:
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
- GRANT
  
  * Create the /var/www/html/.htaccess with this content:
  AuthType basic
  AuthName "My Auth"
  Require valid-user
  AuthBasicProvider pgsql
  Auth_PG_authoritative On
  Auth_PG_host 127.0.0.1
  Auth_PG_port 5432
  Auth_PG_user www
  Auth_PG_pwd password
  Auth_PG_database userdb
  Auth_PG_encrypted on
  Auth_PG_pwd_table UserLogin
  Auth_PG_uid_field Username
  Auth_PG_pwd_field ApachePassword
  
- 
- * Setup access in apache by editing 
/etc/apache2/sites-enabled/000-default.conf and adding these lines somewhere 
inside the  section:
+ * Setup access in apache by editing /etc/apache2/sites-
+ enabled/000-default.conf and adding these lines somewhere inside the
+  section:
  
  
  AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
  This is now ready for testing. The database was populated with the following 
usernames, all with the same password "secret":
   ubuntu-invalidhash
   ubuntu-md5
   ubuntu-sha256
   ubuntu-sha512
   ubuntu-des
  
  The username that will cause a segfault is "ubuntu-invalidhash". To test each 
login, use a loop like this:
  for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s && echo OK || echo FAIL; done
  Testing ubuntu-invalidhash... FAIL
  Testing ubuntu-md5... OK
  Testing ubuntu-sha256... OK
  Testing ubuntu-sha512... OK
  Testing ubuntu-des... OK
  
  The fixed version must have all tests with the result OK.
  
  [Regression Potential]
  
   * discussion of how regressions are most likely to manifest as a result
  of this change.
  
   * It is assumed that any SRU candidate patch is well-tested before
     upload and has a low overall risk of regression, but it's important
     to make the effort to think about what ''could'' happen in the
     event of a regression.
  
   * This both shows the SRU team that the risks have been considered,
     and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
  
   * Anything else you think is useful to include
   * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
   * and address these questions in advance

** Description changed:

  [Impact]
  
   * An explanation of the effects of the bug on users and
  
   * justification for backporting the fix to the stable release.
  
   * In addition, it is helpful, but not required, to include an
     explanation of how the upload fixes this bug.
  
  [Test Case]
  
  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
  
  * create the database and populate it with the test users from the attached 
test-users.sql file:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -f test-users.sql
  
  * Create the DB user we will use:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
  
  * Grant access:
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
  
- * Create the /var/www/html/.htaccess with this content:
+ * Create the /var/www/html/.htaccess file with this content:
  AuthType basic
  AuthName "My Auth"
  Require valid-user
  AuthBasicProvider pgsql
  Auth_PG_authoritative On
  Auth_PG_host 127.0.0.1
  Auth_PG_port 5432
  Auth_PG_user www
  Auth_PG_pwd password
  Auth_PG_database userdb
  Auth_PG_encrypted on
  Auth_PG_pwd_table UserLogin
  Auth_PG_uid_field Username
  Auth_PG_pwd_field ApachePassword
  
  * Setup access in apache by editing /etc/apache2/sites-
  enabled/000-default.conf and adding these lines somewhere inside the
   section:
  
  
  AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
  This is now ready for testing. The databas

[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
test users

** Description changed:

- I have configured a .htaccess to use libapache2-mod-auth-pgsql to
- authenticate a user against a postgres database. The settings are as
- follows:
+ [Impact]
  
+  * An explanation of the effects of the bug on users and
+ 
+  * justification for backporting the fix to the stable release.
+ 
+  * In addition, it is helpful, but not required, to include an
+explanation of how the upload fixes this bug.
+ 
+ [Test Case]
+ 
+ * install the packages:
+ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
+ 
+ * create the database and populate it:
+ $ sudo -u postgres -H createdb userdb
+ $ cat > /tmp/prepare.sql  /tmp/prepare.sql < lines:
  
  
- AllowOverride AuthConfig
+ AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
  This is now ready for testing. The database was populated with the following 
usernames, all with the same password "secret":
-  ubuntu-invalidhash
-  ubuntu-md5
-  ubuntu-sha256
-  ubuntu-sha512
-  ubuntu-des
+  ubuntu-invalidhash
+  ubuntu-md5
+  ubuntu-sha256
+  ubuntu-sha512
+  ubuntu-des
  
  The username that will cause a segfault is "ubuntu-invalidhash". To test each 
login, use a loop like this:
  for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s && echo OK || echo FAIL; done
  Testing ubuntu-invalidhash... FAIL
  Testing ubuntu-md5... OK
  Testing ubuntu-sha256... OK
  Testing ubuntu-sha512... OK
  Testing ubuntu-des... OK
  
  The fixed version must have all tests with the result OK.
  
  [Regression Potential]
  
-  * discussion of how regressions are most likely to manifest as a result
+  * discussion of how regressions are most likely to manifest as a result
  of this change.
  
-  * It is assumed that any SRU candidate patch is well-tested before
-upload and has a low overall risk of regression, but it's important
-to make the effort to think about what ''could'' happen in the
-event of a regression.
+  * It is assumed that any SRU candidate patch is well-tested before
+    upload and has a low overall risk of regression, but it's important
+    to make the effort to think about what ''could'' happen in the
+    event of a regression.
  
-  * This both shows the SRU team that the risks have been considered,
-and provides guidance to testers in regression-testing the SRU.
+  * This both shows the SRU team that the risks have been considered,
+    and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
-  
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
-  * and address these questions in advance
+ 
+  * Anything else you think is useful to include
+  * Anticipate questions from users, SRU, +1 maintenance, security teams 
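A defensive sketch of the stored-hash check the test case above exercises, added here and not the module's own code: it classifies the crypt(3) layouts the test users cover (DES, $1$ MD5, $5$ SHA-256, $6$ SHA-512) and turns a failed crypt result into a denial instead of a dereference. It assumes the segfault comes from using the result of crypt(3) unchecked; the hash strings in comments and fake_crypt are constructed stand-ins, not values from the bug report.

```c
#include <string.h>
/* Signature shared by crypt(3) and the constructed stand-in below. */
typedef char *(*crypt_fn)(const char *key, const char *salt);
enum hash_kind { HASH_INVALID = 0, HASH_DES, HASH_MD5, HASH_SHA256, HASH_SHA512 };

static int hash_char(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '/';
}

/* Classify a stored hash by its crypt(3) prefix; a classic DES hash is exactly
 * 13 characters of the hash alphabet. Anything else is treated as malformed. */
enum hash_kind classify_hash(const char *stored) {
    size_t i, n;
    if (stored == NULL) return HASH_INVALID;
    n = strlen(stored);
    if (strncmp(stored, "$1$", 3) == 0) return n > 3 ? HASH_MD5 : HASH_INVALID;
    if (strncmp(stored, "$5$", 3) == 0) return n > 3 ? HASH_SHA256 : HASH_INVALID;
    if (strncmp(stored, "$6$", 3) == 0) return n > 3 ? HASH_SHA512 : HASH_INVALID;
    if (n != 13) return HASH_INVALID;
    for (i = 0; i < n; i++) if (!hash_char(stored[i])) return HASH_INVALID;
    return HASH_DES;
}

/* 1 only when the stored hash is well-formed, crypt succeeded and the result
 * matches. A NULL or "*"-prefixed result (how glibc / libxcrypt report an
 * unusable salt) is a denial rather than a dereference; compare is fixed-time. */
int verify_password(const char *password, const char *stored, crypt_fn cr) {
    const char *out;
    size_t i, n;
    unsigned char diff = 0;
    if (classify_hash(stored) == HASH_INVALID) return 0;
    out = cr(password, stored);
    if (out == NULL || out[0] == '*') return 0;
    n = strlen(stored);
    if (strlen(out) != n) return 0;
    for (i = 0; i < n; i++) diff |= (unsigned char)(out[i] ^ stored[i]);
    return diff == 0;
}
/* Constructed stand-in for crypt(3) so the block runs without -lcrypt: NULL for
 * a salt it cannot parse (the failure an invalid stored hash provokes), else the
 * salt echoed back, altered unless the key is the report's password "secret". */
char *fake_crypt(const char *key, const char *salt) {
    static char buf[128];
    if (classify_hash(salt) == HASH_INVALID || strlen(salt) >= sizeof buf) return NULL;
    strcpy(buf, salt);
    if (strcmp(key, "secret") != 0) buf[strlen(buf) - 1] ^= 1;
    return buf;
}
```

In a real module crypt_fn would be crypt_r(3) wrapped to this signature; the NULL and "*" checks are what keep a malformed row from taking down the worker process.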

[Bug 1644428] Re: Unable to log in with AD account after update

2017-07-19 Thread Andreas Hasenack
The MP has been up for weeks. Here is a debdiff.

** Patch added: "zesty-revert-static-winbind-1677329.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1644428/+attachment/4917756/+files/zesty-revert-static-winbind-1677329.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1644428

Title:
  Unable to log in with AD account after update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1644428/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Xenial)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Zesty)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Zesty)
   Status: New => In Progress

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Zesty)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libapache2-mod-auth-pgsql in Ubuntu.
https://bugs.launchpad.net/bugs/1698758

Title:
  Encrypted password causes segmentation fault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1698758/+subscriptions



[Bug 1704706] Re: Installation and removal repeatedly fail

2017-07-19 Thread Andreas Hasenack
Excellent, thanks for getting back to us and letting us know it's
working now :)

I'll just mark the bug back as "invalid" because it was a local
configuration issue, and not a defect in the software itself.

** Changed in: samba (Ubuntu)
   Status: Fix Committed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1704706

Title:
  Installation and removal repeatedly fail

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1704706/+subscriptions



[Bug 1675515] Re: old KLogPermitNonKernel directive error in rsyslog.conf

2017-07-19 Thread Andreas Hasenack
*** This bug is a duplicate of bug 1531622 ***
https://bugs.launchpad.net/bugs/1531622

** Merge proposal unlinked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/+git/rsyslog/+merge/327718

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1675515

Title:
  old KLogPermitNonKernel directive error in rsyslog.conf

To manage notifications about this bug go to:
https://bugs.launchpad.net/rsyslog/+bug/1675515/+subscriptions



[Bug 1675515] Re: old KLogPermitNonKernel directive error in rsyslog.conf

2017-07-19 Thread Andreas Hasenack
*** This bug is a duplicate of bug 1531622 ***
https://bugs.launchpad.net/bugs/1531622

** Merge proposal unlinked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/+git/rsyslog/+merge/327650

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1675515

Title:
  old KLogPermitNonKernel directive error in rsyslog.conf

To manage notifications about this bug go to:
https://bugs.launchpad.net/rsyslog/+bug/1675515/+subscriptions



[Bug 1704710] Re: package nginx-full 1.10.3-1ubuntu3.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2017-07-19 Thread Andreas Hasenack
*** This bug is a duplicate of bug 1679435 ***
https://bugs.launchpad.net/bugs/1679435

You should be fine. You can run one more "sudo apt -f install", which
means "fix it if there is something wrong".

I'm going to mark this bug as a duplicate of #1679435 since the symptoms
match: the graphical updater got stuck mid install. There was probably a
debconf prompt,

** This bug has been marked a duplicate of bug 1679435
   GNOME Software fails to install .deb packages that trigger debconf prompts

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1704710

Title:
  package nginx-full 1.10.3-1ubuntu3.1 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1704710/+subscriptions



[Bug 1704706] Re: Installation and removal repeatedly fail

2017-07-19 Thread Andreas Hasenack
> sudo testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Error loading services.

This says that there are errors in your /etc/samba/smb.conf file ("Error
loading services"). You need to fix them. Please attach that file to
this bug.

> cat log.samba
> [2017/07/18 12:02:17.381638, 0] ../source4/smbd/server.c:372(binary_smbd_main)
>   samba version 4.5.8-Ubuntu started.
>  Copyright Andrew Tridgell and the Samba Team 1992-2016
> [2017/07/18 12:02:17.501606, 0] ../source4/smbd/server.c:466(binary_smbd_main)
>   At this time the 'samba' binary should only be used for either:
>   'server role = active directory domain controller' or to access the ntvfs 
> file server with
> 'server services = +smb' or the rpc proxy with 'dcerpc endpoint servers = 
> remote'
>   You should start smbd/nmbd/winbindd instead for domain member and 
> standalone file server tasks
> [2017/07/18 12:02:17.501733, 0] ../lib/util/become_daemon.c:111(exit_daemon)
>   STATUS=daemon failed to start: Samba detected misconfigured 'server role' 
> and exited. Check 
> logs for details, error code 22

That is just one log file, there are others in that directory. Please
attach them to this bug.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1704706

Title:
  Installation and removal repeatedly fail

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1704706/+subscriptions



[Bug 1686183] Re: Ship ubuntu-advantage in ubuntu-minimal

2017-07-19 Thread Nish Aravamudan
This is a bit of a funky SRU (IMO). It seems like we want version 2 (from
the linked repository) in all releases > 12.04. However, given that is
not yet present in any release != 12.04, I'm not sure we need to worry
about the exact version (that is, they can all be 2?).

My immediate feedback is the debian/changelog from the linked repo
should be for artful, not precise. Then that can be backported (I think)
to all releases != 12.04. If this already existed, it seems like it
would say "trusty" and then have been copied forward.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ubuntu-advantage-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1686183

Title:
  Ship ubuntu-advantage in ubuntu-minimal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1686183/+subscriptions
