On Thu, 2020-03-19 at 09:44 +, Olivier Tilloy wrote:
> It looks like symlinking firefox and thunderbird's own copies of
> libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to
> fix this bug, as far as Mozilla's products are concerned.
>
> Before I proceed to doing this, I'd
Now https://gitlab.gnome.org/GNOME/gnome-shell/issues/2105
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1609700
Title:
username is not saved in openconnect connection
Please test the Fedora 30 build with that commit reverted, at
https://koji.fedoraproject.org/koji/taskinfo?taskID=36857342
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1609700
That build seems not to fix it. I tried to build locally to bisect, but
can't seem to get the local build to work at all. May have to leave this
to the NM maintainers.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in
According to https://bugs.launchpad.net/bugs/1609700 this bug has
reoccurred in f30.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1609700
Title:
username is not saved in
*** Bug 1705711 has been marked as a duplicate of this bug. ***
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1609700
Title:
username is not saved in openconnect connection
I wonder if this regression is caused by
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=009f7560867e939
?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
** Package changed: network-manager-openconnect (Ubuntu) => gnome-shell
(Ubuntu)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-shell in Ubuntu.
https://bugs.launchpad.net/bugs/1838838
Title:
username is not saved in
I moved it to NetworkManager because that's where the regression is.
There's not a lot we can do about it in NetworkManager-openconnect.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
** Package changed: network-manager-openconnect (Ubuntu) => network-
manager (Ubuntu)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1838838
Title:
username is not saved in
@kvasko yes, it works here. Are you sure that's the version of
libnssckbi.so that is being used? There are lots; I've replaced them
all...
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
I have worked out the problem with the new NetworkManager which required
me to set ipv4.dns-priority=-1 (which, in turn, messes things up for
those with fresh installs that don't get the new NetworkManager).
The new NM sets ipv4.dns-search=~. automatically for full-tunnel VPNs
but it doesn't also
Any word on when this CVE will be fixed?
In the meantime I have put the 1.10.14-0ubuntu2 package into an apt
repository at http://david.woodhou.se/cve-2018-1000135/ for users who
need it. I couldn't work out how to copy it into a PPA without
rebuilding it.
In the short term can someone please at
> That's weird, do you understand why? The update was deleted so you should be
> back to initial
> situation, we had no change to the previous package build
Other package changes? Certainly systemd-resolver although we don't use
that (because of a previous VPN DNS leak problem) we use dnsmasq.
Do we have any idea when this will be fixed? Most of my users used to
get away with the DNS leakage and it was "only" a security problem but
stuff actually worked. Then the NM and other updates were shipped, we
set ipv4.dns-priority=-1 and ipv4.dns-search=~. and it all worked fine.
Then the NM
@ddstreet We don't use systemd-resolver here. It's fairly trivial to set
up a VPN service; the openconnect 'make check' uses ocserv
automatically, for example. You shouldn't have difficulty reproducing
this locally.
--
You received this bug notification because you are a member of Desktop
And (in case any of my colleagues are paying attention and inclined to
do it before the next time I get to spend any real time in front of a
computer, next week), without the dns-priority and dns-search settings
that made it work again after the recent NM update.
--
You received this bug
Till, you want that for the case where dnsmasq is being used and is
misbehaving?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1754671
Title:
Full-tunnel VPN DNS leakage
On the 1.10.14 regression simply making those dns-priority/dns-
search settings the *default* behaviour for a full-tunnel VPN would
appear to be the correct thing to do (i.e. use the DNS of a full-tunnel
VPN for *all* lookups), and I think it should resolve the problems
people were seeing.
--
On the switch to using dnsmasq: that decision predates my tenure so I
have limited visibility. I can try to get our IT team to expend effort
in moving to systemd-resolved and see what breaks. It may even be
completely unnecessary in xenial, and is merely inherited to make our
bionic setups less
Dammit, "completely unnecessary in bionic but inherited from xenial"...
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1754671
Title:
Full-tunnel VPN DNS leakage regression
This is Bionic.
After last week's update to 1.10.14-0ubuntu2 all my VPN users (who are
using dnsmasq) reported that DNS supported working for them while they
were on the VPN. Some internal names were looked up correctly, others
weren't.
I resolved it for them as follows:
$ sudo nmcli con modify
We aren't using systemd-resolver for various historical reasons; we are
using dnsmasq which should be expected to work. It isn't, but we have
manually added the dns-priority=-1;dns-search=~. settings which make it
work, as an emergency deployment when the latest NM update broke things
for
These systems are using dnsmasq not systemd-resolver. This was done for
historical reasons; I'm not sure of the specific bug which caused that
choice.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
I am receiving reports that it isn't fixed in 18.04 either. Users are
still seeing DNS lookups on the local network, until they manually edit
the VPN config to include:
[ipv4]
dns-priority=-1
dns-search=~.;
I thought that wasn't going to be necessary?
--
You received this bug notification
Are you referring to my comment 16? You do need your distribution to
ship p11-kit-trust.so in place of Mozilla's libnssckbi.so, so it has a
consistent set of trusted CAs with the rest of the system.
--
You received this bug notification because you are a member of Desktop
Packages, which is
@seb128 please see "In 16.04 the NetworkManager package used to carry
this patch..." in the bug description above.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1754671
Title:
Is there a 16.04 package? This was a regression there caused by an
earlier update.
I have users reporting the same bizarre behaviour I wasn't able to
clearly describe before — essentially, DNS being sent out seemingly
random interfaces (sometimes VPN, sometimes local). My advice to just
install
Not sure what happened there. It was looking up *some* names in the
$COMPANY.com domain on the VPN, but others not, consistently. I couldn't
see a pattern.
I have manually set ipv4.dns-search="~." and ipv4.dns-priority=-1 and
now it does seem to be behaving. However, this shouldn't be necessary.
Hm, that didn't last long. Now it isn't looking up *anything* in the VPN
domains. It's all going to the local VPN server. I don't know what
changed.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
network-manager-1.10.14-0ubuntu1 does seem to fix the DNS problem here;
thanks.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1754671
Title:
Full-tunnel VPN DNS leakage
Any progress on fixing this?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
SSL trust not system-wide
Status in ca-certificates package in Ubuntu:
Confirmed
** Description changed:
- On Ubuntu 16.04 with xserver-xorg-1:7.7+13ubuntu3, xvimagesink fails for
+ On Ubuntu 16.04 with xorg-server-hwe-16.04-1.19.5, xvimagesink fails for
certain sizes of image. Originally seen when receiving a meeting screen
share in Pidgin, reproducible as follows:
** Description changed:
- On Ubuntu 16.04 with xserver-xorg-2:1.17.2-2, xvimagesink fails for
+ On Ubuntu 16.04 with xserver-xorg-1:7.7+13ubuntu3, xvimagesink fails for
certain sizes of image. Originally seen when receiving a meeting screen
share in Pidgin, reproducible as follows:
$
Public bug reported:
On Ubuntu 16.04 with xserver-xorg-2:1.17.2-2, xvimagesink fails for
certain sizes of image. Originally seen when receiving a meeting screen
share in Pidgin, reproducible as follows:
$ gst-launch-1.0 -v videotestsrc ! video/x-raw,width=905,height=720 !
xvimagesink
The
This is CVE-2018-1000135. For some reason the 'Link to CVE' option above
doesn't seem to work.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000135
** CVE added: https://cve.mitre.org/cgi-
bin/cvename.cgi?name=2018-1000135
--
You received this bug notification because you are a
*** This bug is a security vulnerability ***
Public security bug reported:
In 16.04 the NetworkManager package used to carry this patch:
http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch
It
I don't think this should be considered a 'feature request'. If you have
a full-tunnel VPN, your employer will *expect* all your network traffic
to go via the VPN as if you were dialled directly into the corporate
network. Allowing some of the DNS traffic to "escape" to be seen by
potentially
Public bug reported:
Pidgin requires the "liveadder" element from gstreamer1.0-plugins-bad,
and has no error handling for the case where it isn't present:
https://developer.pidgin.im/ticket/17290
Perhaps the package should depend on gstreamer1.0-plugins-bad to avoid
this failure mode.
**
** Patch added:
"0001-Pidgin-Indicate-mute-unmute-status-when-changed-remo.patch"
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1751037/+attachment/5060325/+files/0001-Pidgin-Indicate-mute-unmute-status-when-changed-remo.patch
--
You received this bug notification because you are a
** Patch added:
"0001-Do-not-rewrite-custom-buddy-icons-already-in-the-cac.patch"
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1751046/+attachment/5060328/+files/0001-Do-not-rewrite-custom-buddy-icons-already-in-the-cac.patch
--
You received this bug notification because you are a
** Patch added: "0001-Fix-Finch-search-results-display-17238.patch"
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1751039/+attachment/5060327/+files/0001-Fix-Finch-search-results-display-17238.patch
--
You received this bug notification because you are a member of Desktop
Packages,
** Patch added:
"0001-Ensure-labelled-buttons-are-shown-for-search-results.patch"
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1751038/+attachment/5060326/+files/0001-Ensure-labelled-buttons-are-shown-for-search-results.patch
--
You received this bug notification because you are a
Public bug reported:
Every time Pidgin starts up, it rewrites all the buddy icon files for no
good reason.
Fixed in 2.13 by #17259: https://developer.pidgin.im/ticket/17259
** Affects: pidgin (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
Every time Pidgin
Public bug reported:
Pidgin fails to display buttons with custom labels in search dialogs.
Fixed in 2.13 by #17188: https://developer.pidgin.im/ticket/17188
(by cherry-picking an existing fix from the master branch for #14821).
Please could you pull this fix into the packages, even if 2.13
Public bug reported:
When I am on an audio call and the remote end mutes me, that is not
correctly displayed in the local UI. Fixed in Pidgin 2.13 by #17273:
https://developer.pidgin.im/ticket/17273
Please could you pull this fix into the packages, even if 2.13 isn't
released in time.
**
Public bug reported:
Finch doesn't clear the previous search results when they are updated in
real time.
Fixed upstream by #17238: https://developer.pidgin.im/ticket/17238
Please could you pull this fix into the packages, even if 2.13 isn't
released in time.
** Affects: pidgin (Ubuntu)
cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180
https://lists.freedesktop.org/archives/p11-glue/2013-June/000331.html
** Bug watch added: Debian Bug tracker #741005
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005
This appears to still be broken in 16.04.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/420411
Title:
vpn connection handshake times out too soon
Status in network-manager
I believe NSS wants these patches backported from 3.30:
https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
Firefox has its own copy of NSS which I think as of Firefox 54 should be fine.
Thunderbird also needs fixing, I think.
** Bug watch added: Mozilla Bugzilla #1334976
Public bug reported:
In Ubuntu 16.04 with Evolution 3.18, I obtained a new S/MIME cert from
Comodo and sent myself an encrypted email. Evolution can't decrypt its
own message, reporting 'Could not parse S/MIME message: security
library: invalid algorithm. (-8186) - Decoder failed'.
The same
This is actually a NetworkManager bug. As noted in bug 1648905 it's
fixed upstream by
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=nm-1-2=bb45adeda0bf427ada23b09daf970b0757e82d60
** Also affects: network-manager (Ubuntu)
Importance: Undecided
Status: New
** Bug
*** This bug is a duplicate of bug 1609700 ***
https://bugs.launchpad.net/bugs/1609700
Actually, this is probably a duplicate of bug 1609700
** This bug has been marked a duplicate of bug 1609700
username is not saved in openconnect connection dialog
--
You received this bug
When do we get a fix for 16.04?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1648905
Title:
VPN username and settings not saved
Status in network-manager package in
Public bug reported:
The OpenConnect VPN auth-dialog doesn't remember usernames and other
settings.
See discussion (and fix) in
https://bugzilla.redhat.com/show_bug.cgi?id=1332491
** Affects: network-manager (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug
https://bugzilla.gnome.org/show_bug.cgi?id=723084
** Bug watch added: GNOME Bug Tracker #723084
https://bugzilla.gnome.org/show_bug.cgi?id=723084
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
Setting aside the wisdom of that response, and my surprise at
discovering that the distribution even *permits* you to ship your own
copy of certain libraries — *especially* security-critical libraries —
in your own package instead of using the system's version doesn't
that mean you should be
** Also affects: thunderbird (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1648616
Title:
Firefox uses its own version of
Public bug reported:
Because of bug 1647285 I need to install corporate SSL CAs into the
database of each NSS-using application individually. Unfortunately it
doesn't seem to work for Firefox. Not only does Firefox ship with its
*own* version of NSS instead using the system's version, but it even
Is there an upstream bug/RFE filed for this?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/893024
Title:
Support 802.1x auth requirement detection and fallback
Status in
FWIW the trust issue has mostly been solved. Fedora for example ships
p11-kit-trust.so as a replacement for NSS's libnssckbi.so. It provides
all the trust roots in the place that NSS *expects* them to come from.
--
You received this bug notification because you are a member of Desktop
Packages,
61 matches
Mail list logo