[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-11-05 Thread Launchpad Bug Tracker
This bug was fixed in the package network-manager - 1.10.6-2ubuntu1.2 --- network-manager (1.10.6-2ubuntu1.2) bionic; urgency=medium [ Till Kamppeter ] * debian/tests/nm: Add gi.require_version() calls for NetworkManager and NMClient to avoid stderr output which fails the

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-11-03 Thread Dariusz Gadomski
I have just run the test case from this bug description on the bionic-proposed version 1.10.6-2ubuntu1.2. tcpdump does not show any leak of the VPN-specific queries. I have not observed other issues in my tests. ** Tags removed: verification-needed verification-needed-bionic ** Tags added:

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-10-25 Thread Timo Aaltonen
Hello dwmw2, or anyone else affected, Accepted network-manager into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.10.6-2ubuntu1.2 in a few hours, and then in the -proposed repository. Please help us by testing this new

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-10-22 Thread Till Kamppeter
Sorry for the late reply, I was at a conference last week. I installed the PPA now and tested with the reproducer of the initial posting. This works for me. Also the machine in general seems to work OK with this version of network-manager. Thank you very much Dariusz for packaging this version.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-10-11 Thread Till Kamppeter
Great work, thank you very much! It will need some testing of which I can only test the reproducer in the initial description of this bug report, not any regressions which the first attempt of upstream-update-based SRU, as I could not reproduce these by myself. So I would say to take this as a

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-10-11 Thread Dariusz Gadomski
I have backported what was listed as nm-1-10 fix for the bug in the upstream bugzilla [1]. I have also applied fixes for bug #1825946 and bug #1790098 to it. [1] https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=1e486a721de1fec76c81bfc461671a7fbdae531b After testing this

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-09-09 Thread Bug Watch Updater
Launchpad has imported 73 comments from the remote bug at https://bugzilla.gnome.org/show_bug.cgi?id=746422. If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-09-09 Thread Mathew Hodson
** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-15688 -- You received this bug notification because you are a member of Network-manager, which is subscribed to NetworkManager. https://bugs.launchpad.net/bugs/1754671 Title: Full-tunnel VPN DNS leakage regression To

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-08-22 Thread dwmw2
I have worked out the problem with the new NetworkManager which required me to set ipv4.dns-priority=-1 (which, in turn, messes things up for those with fresh installs that don't get the new NetworkManager). The new NM sets ipv4.dns-search=~. automatically for full-tunnel VPNs but it doesn't also

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-08-20 Thread dwmw2
Any word on when this CVE will be fixed? In the meantime I have put the 1.10.14-0ubuntu2 package into an apt repository at http://david.woodhou.se/cve-2018-1000135/ for users who need it. I couldn't work out how to copy it into a PPA without rebuilding it. In the short term can someone please at

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-08-05 Thread dwmw2
> That's weird, do you understand why? The update was deleted so you should be > back to initial > situation, we had no change to the previous package build Other package changes? Certainly systemd-resolver although we don't use that (because of a previous VPN DNS leak problem) we use dnsmasq.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-08-05 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: network-manager (Ubuntu Xenial) Status: New => Confirmed

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-08-05 Thread Till Kamppeter
seb128, it seems that dwmw2 NEEDS this SRU, without it he does not get his environment working correctly, with the SRU he gets it at least working setting the parameters he mentioned. I asked the posters of the regressions whether they get their situation fixed when using this SRU, the systemd SRU and

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-07-18 Thread Sebastien Bacher
> Then the NM update was pulled, and new installations aren't working at all, even if we don't set the DNS config as described. That's weird, do you understand why? The update was deleted so you should be back to initial situation, we had no change to the previous package build Also Till is

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-07-18 Thread dwmw2
Do we have any idea when this will be fixed? Most of my users used to get away with the DNS leakage and it was "only" a security problem but stuff actually worked. Then the NM and other updates were shipped, we set ipv4.dns-priority=-1 and ipv4.dns-search=~. and it all worked fine. Then the NM

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-18 Thread Till Kamppeter
I have checked again on Bionic, making sure that the installed systemd actually comes from the bionic-proposed repository, that the behavior according to the test case shown in the initial description of this bug is correct, DNS queries of destinations in the VPN done through the VPN's DNS and DNS

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-18 Thread Dan Streetman
This was fixed in systemd 237-3ubuntu10.22 for bionic, and 239-7ubuntu10.14 for cosmic. I missed a "#" in the changelog (sorry) so the tooling didn't automatically mark this bug as fix released. ** Changed in: systemd (Ubuntu Bionic) Status: Fix Committed => Fix Released ** Changed in:

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-05 Thread dwmw2
@ddstreet We don't use systemd-resolver here. It's fairly trivial to set up a VPN service; the openconnect 'make check' uses ocserv automatically, for example. You shouldn't have difficulty reproducing this locally.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-05 Thread Dan Streetman
@dwmw2 and/or @till-kamppeter, can you verify the systemd upload for this bug for b and c?

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-04 Thread Sebastien Bacher
We are not going to do cosmic/n-m changes at this point, best to upgrade to Disco if you need that issue resolved ** Changed in: network-manager (Ubuntu Bionic) Assignee: Olivier Tilloy (osomon) => Till Kamppeter (till-kamppeter) ** Changed in: network-manager (Ubuntu Cosmic) Status:

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-03 Thread Sebastien Bacher
bug #1831261 is also described as a potential side effect from this change

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-03 Thread Dan Streetman
** Also affects: network-manager (Ubuntu Cosmic) Importance: Undecided Status: New ** Also affects: systemd (Ubuntu Cosmic) Importance: Undecided Status: New ** Changed in: systemd (Ubuntu Cosmic) Assignee: (unassigned) => Dan Streetman (ddstreet) ** Changed in: systemd

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-03 Thread Dan Streetman
> Is this going to be fixed in disco? speaking for systemd only, the commit needed is a97a3b256cd6c56ab1d817440d3b8acb3272ee17: https://github.com/systemd/systemd/commit/a97a3b256 that's included starting at v240, so is already in disco.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-03 Thread Dan Streetman
Uploaded patched systemd to b/c queues.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-03 Thread Paul Smith
Is this going to be fixed in disco?

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-06-03 Thread Dan Streetman
** Tags added: ddstreet-next

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-31 Thread Timo Aaltonen
systemd accepted to bionic/cosmic-proposed, please test ** Tags removed: verification-failed verification-failed-bionic ** Tags added: verification-needed verification-needed-bionic verification-needed-cosmic ** Changed in: systemd (Ubuntu Cosmic) Status: In Progress => Fix Committed **

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-28 Thread Till Kamppeter
dwmw2, yes, exactly for this case.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-28 Thread dwmw2
And (in case any of my colleagues are paying attention and inclined to do it before the next time I get to spend any real time in front of a computer, next week), without the dns-priority and dns-search settings that made it work again after the recent NM update.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-28 Thread dwmw2
Till, you want that for the case where dnsmasq is being used and is misbehaving?

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-28 Thread Till Kamppeter
Please create the following files (and directories if needed for them): 1. /etc/systemd/journald.d/noratelimit.conf containing RateLimitIntervalSec=0 RateLimitBurst=0 2. /etc/NetworkManager/conf.d/debug.conf [logging] level=TRACE domains=ALL Then restart journald: sudo systemctl restart

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread Till Kamppeter
dwmw2, the systemd fix was mainly meant for people with standard configuration where this fix is actually needed and solve the problem. You are writing that adding "dns-priority=-1;dns-search=~." solves the problem for you. Where/to which file did you add this? Do you need this already with the

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread Till Kamppeter
Unfortunately, the SRU for systemd did not yet get processed. Therefore I have now uploaded this version of systemd to my PPA so that you can already test/get your problem solved. Please tell here whether it actually fixes the bug. Here is my PPA:

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread dwmw2
On the switch to using dnsmasq: that decision predates my tenure so I have limited visibility. I can try to get our IT team to expend effort in moving to systemd-resolved and see what breaks. It may even be completely unnecessary in xenial, and is merely inherited to make our bionic setups less

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread dwmw2
Dammit, "completely unnecessary in bionic but inherited from xenial"...

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread dwmw2
On the 1.10.14 regression simply making those dns-priority/dns-search settings the *default* behaviour for a full-tunnel VPN would appear to be the correct thing to do (i.e. use the DNS of a full-tunnel VPN for *all* lookups), and I think it should resolve the problems people were seeing.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread Steve Langasek
Due to the SRU regressions reported in LP: #1829838 and LP: #1829566, I have reverted this SRU for the moment, restoring network-manager 1.10.6-2ubuntu1.1 to bionic-updates. I am marking this bug verification-failed pending resolution of the reported regressions. ** Changed in: network-manager

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread Steve Langasek
> These systems are using dnsmasq not systemd-resolver. > This was done for historical reasons; I'm not sure of > the specific bug which caused that choice. NetworkManager in Ubuntu 16.04 and earlier defaulted to integrating with dnsmasq. But on 18.04 and later, this integration has been

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-23 Thread dwmw2
We aren't using systemd-resolver for various historical reasons; we are using dnsmasq which should be expected to work. It isn't, but we have manually added the dns-priority=-1;dns-search=~. settings which make it work, as an emergency deployment when the latest NM update broke things for

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-16 Thread dwmw2
I am receiving reports that it isn't fixed in 18.04 either. Users are still seeing DNS lookups on the local network, until they manually edit the VPN config to include: [ipv4] dns-priority=-1 dns-search=~.; I thought that wasn't going to be necessary?

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-16 Thread Till Kamppeter
dwmw2, did you apply the systemd fix from comment #27? For this bug to be fixed you need BOTH the fixed packages of network-manager and systemd.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-16 Thread dwmw2
These systems are using dnsmasq not systemd-resolver. This was done for historical reasons; I'm not sure of the specific bug which caused that choice.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-14 Thread Adam Conrad
The original bug report was about a regression in 16.04 with the dnsmasq integration. While I'm glad this got the ball rolling on the bionic networkd integration, let's not forget that we broke xenial? Added a xenial task for network-manager accordingly. ** Also affects: network-manager (Ubuntu

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-13 Thread Launchpad Bug Tracker
This bug was fixed in the package network-manager - 1.10.14-0ubuntu2 --- network-manager (1.10.14-0ubuntu2) bionic; urgency=medium [ Till Kamppeter ] * debian/tests/nm: Add gi.require_version() calls for NetworkManager and NMClient to avoid stderr output which fails the test.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-13 Thread Łukasz Zemczak
Will be releasing network-manager without the systemd part for now as it poses no threat to the user.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-10 Thread Till Kamppeter
I have now done the test under [Test Case] in the initial description of this bug report. I have a completely updated (including -proposed) Bionic machine (real iron, a Lenovo X1 Carbon 2nd gen from 2015) with network-manager 1.10.14-0ubuntu1 I have configured the Canonical VPN, both UK and US.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-10 Thread Till Kamppeter
Good news, the network-manager SRU is not broken or wrong, but an additional SRU, on systemd, is needed to actually fix this bug. I got a hint from Iain Lane (Laney, thank you very much) to the following fix in systemd upstream: https://github.com/systemd/systemd/commit/a97a3b256 and backported

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-05-02 Thread Mathieu Trudel-Lapierre
** Description changed: - * Impact + [Impact] + When using a VPN the DNS requests might still be sent to a DNS server outside the VPN when they should not - When using a VPN the DNS requests might still be sent to a DNS server - outside the VPN when they should not + [Test case] + 1) Set up a

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-03-11 Thread Sebastien Bacher
@dwmw2, 'This was a regression there caused by an earlier update.' would you give some details on that? you should probably open another report specifically about that if there was a regression in a xenial update

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-02-14 Thread dwmw2
Hm, that didn't last long. Now it isn't looking up *anything* in the VPN domains. It's all going to the local VPN server. I don't know what changed.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-02-14 Thread dwmw2
Not sure what happened there. It was looking up *some* names in the $COMPANY.com domain on the VPN, but others not, consistently. I couldn't see a pattern. I have manually set ipv4.dns-search="~." and ipv4.dns-priority=-1 and now it does seem to be behaving. However, this shouldn't be necessary.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-02-14 Thread fessmage
@dwmw2, as far as I understand, you should be configuring DNS through systemd-resolve only. Try removing your edits from `/etc/NetworkManager/system-connections`, or even delete your connections from the NetworkManager interface, and create new ones. After that, establish the VPN connection and see at

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-02-14 Thread dwmw2
network-manager-1.10.14-0ubuntu1 does seem to fix the DNS problem here; thanks.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-02-14 Thread Taylor Raack
I can also confirm that the network-manager package version 1.10.14-0ubuntu1 from bionic-proposed fixes the issue.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2019-01-08 Thread Olivier Tilloy
@Steve (sorry for the late reply): not sure how that relates to bug #1726124, but in my limited understanding of the changes, they shouldn't regress the split-DNS use case. Some relevant pointers to better understand the fixes and their context: -

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2018-12-21 Thread Olivier Tilloy
Please test and share your feedback on this new version here, but refrain from changing the verification-needed-bionic tag for now. This new version includes many changes and we want to give it an extended testing period to ensure no regressions sneak in, before it is published to bionic-updates.

[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression

2018-12-21 Thread Brian Murray
Hello dwmw2, or anyone else affected, Accepted network-manager into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.10.14-0ubuntu1 in a few hours, and then in the -proposed repository. Please help us by testing this new