[Touch-packages] [Bug 1987583] [NEW] package libgbm1 21.2.6-0ubuntu0.1~20.04.2 [modified: usr/lib/aarch64-linux-gnu/libgbm.so.1.0.0] failed to install/upgrade: unable to make backup link of './usr/lib
Public bug reported:

Reported while upgrading 20.04 to 22.04

ProblemType: Package
DistroRelease: Ubuntu 22.04
Package: libgbm1 22.0.5-0ubuntu0.1
Uname: Linux 4.19.219-odroid-arm64 aarch64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: arm64
CasperMD5CheckResult: unknown
CompositorRunning: None
Date: Wed Aug 24 21:40:57 2022
DistUpgraded: 2022-08-24 22:04:11,462 DEBUG got a conffile-prompt from dpkg for file: '/etc/pulse/default.pa'
DistroCodename: jammy
DistroVariant: ubuntu
DkmsStatus:
 rtl8814au/5.8.5.1, 4.19.219-odroid-arm64, aarch64: installed
 rtl88x2bu/5.13.1, 4.19.219-odroid-arm64, aarch64: installed
DuplicateSignature:
 package:libgbm1:21.2.6-0ubuntu0.1~20.04.2 [modified: usr/lib/aarch64-linux-gnu/libgbm.so.1.0.0]
 Unpacking libgbm1:arm64 (22.0.5-0ubuntu0.1) over (21.2.6-0ubuntu0.1~20.04.2) ...
 dpkg: error processing archive /tmp/apt-dpkg-install-2UDLxZ/011-libgbm1_22.0.5-0ubuntu0.1_arm64.deb (--unpack):
  unable to make backup link of './usr/lib/aarch64-linux-gnu/libgbm.so.1.0.0' before installing new version: Invalid cross-device link
ErrorMessage: unable to make backup link of './usr/lib/aarch64-linux-gnu/libgbm.so.1.0.0' before installing new version: Invalid cross-device link
ExtraDebuggingInterest: Yes, if not too technical
GraphicsCard:
Lspci-vt:
 -+-[0002:20]---00.0-[21]00.0 Sandisk Corp WD Blue SN570 NVMe SSD
  \-[:00]-
ProcKernelCmdLine: storagemedia=mtd androidboot.storagemedia=mtd androidboot.mode=normal root=UUID=ea5041c4-93df-4890-895c-cc4f02c13672 quiet splash plymouth.ignore-serial-consoles earlycon=uart8250,mmio32,0xfe66 pci=nomsi fsck.mode=force fsck.repair=yes mtdparts=sfc_nor:0x2@0xe(env),0x20@0x10(uboot),0x10@0x30(splash),0xc0@0x40(firmware) console=tty1
Python3Details: /usr/bin/python3.10, Python 3.10.4, python3-minimal, 3.10.4-0ubuntu2
PythonDetails: N/A
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
 dpkg 1.21.1ubuntu2.1
 apt 2.4.7
SourcePackage: mesa
Title: package libgbm1 21.2.6-0ubuntu0.1~20.04.2 [modified: usr/lib/aarch64-linux-gnu/libgbm.so.1.0.0] failed to install/upgrade: unable to make backup link of './usr/lib/aarch64-linux-gnu/libgbm.so.1.0.0' before installing new version: Invalid cross-device link
UpgradeStatus: Upgraded to jammy on 2022-08-25 (0 days ago)
acpidump:
version.compiz: compiz N/A
version.libdrm2: libdrm2 2.4.110-1ubuntu1
version.libgl1-mesa-dri: libgl1-mesa-dri 22.0.5-0ubuntu0.1
version.libgl1-mesa-glx: libgl1-mesa-glx N/A
version.xserver-xorg-core: xserver-xorg-core 2:21.1.3-2ubuntu2.1
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1
version.xserver-xorg-video-intel: xserver-xorg-video-intel N/A
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1

** Affects: mesa (Ubuntu)
 Importance: Undecided
 Status: New

** Tags: apport-package arm64 jammy ubuntu

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mesa in Ubuntu.
https://bugs.launchpad.net/bugs/1987583

Title: package libgbm1 21.2.6-0ubuntu0.1~20.04.2 [modified: usr/lib/aarch64-linux-gnu/libgbm.so.1.0.0] failed to install/upgrade: unable to make backup link of './usr/lib/aarch64-linux-gnu/libgbm.so.1.0.0' before installing new version: Invalid cross-device link

Status in mesa package in Ubuntu: New
[Touch-packages] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
@Vital & Seth Thanks for the clarification, so qualys is the culprit!, such a good security company providing false reports without actually doing full scan, and now I am looking for a script to demonstrate this vulnerability fix, any good script? Will this do..?

https://github.com/nccgroup/ssh_user_enum

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1794629

Title: CVE-2018-15473 - User enumeration vulnerability

Status in openssh package in Ubuntu: Fix Released
Status in openssh source package in Trusty: Fix Released
Status in openssh source package in Xenial: Fix Released
Status in openssh source package in Bionic: Fix Released
Status in openssh source package in Cosmic: Fix Released

Bug description:
  https://nvd.nist.gov/vuln/detail/CVE-2018-15473

  OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

  Fixed in Debian: https://www.debian.org/security/2018/dsa-4280

  Currently pending triage? https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15473.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
@set, That's fine, but scanned Qualys report suggests to install openssh >7.8 to fix this bug!, not sure where is the issue, PFA for sample qualys report, do you know how to change the openssh version and hide OS version without compiling?, any SSHD_options? let me know. Thanks

** Attachment added: "recent qualys report on a server with openssh 7.6p1"
   https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+attachment/5253000/+files/qualys_scan_report_2019.png
[Touch-packages] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
@Seth, if the update released after November 6th 2018, then why I am getting 7.6p1 version even when I install with the latest ISO distro from Feb 10 here ?.

http://cdimage.ubuntu.com/releases/18.04.2/release/ubuntu-18.04.2-server-amd64.iso

The above ISO is from Feb 2019 and it should be having an update of the fixed version, but it doesn't!.
[Touch-packages] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
@seth, apt-upgrade doesn't update even in 18.04, I had to compile new ver 7.9p1 and replace the sshd bin file..!, don't know why it is still not pushed to the main repo!.
[Touch-packages] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
How to get the fix installed via apt?. any link..?
[Touch-packages] [Bug 1158500] Re: auditd fails to add rules when used in precise with -lts-quantal kernel
any news ?

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1158500

Title: auditd fails to add rules when used in precise with -lts-quantal kernel

Status in audit package in Ubuntu: In Progress
Status in linux package in Ubuntu: Invalid

Bug description:
  auditctl fails to add rules when run with the -lts-quantal kernel

  Example:
  # auditctl -l
  No rules
  # auditctl -a entry,always -F arch=b64 -S execve -k exec
  Error sending add rule data request (Invalid argument)
  #

  Looks like the syscall table needs updating, it works with the 3.2.0 kernel.

  Tagging this as a security vulnerability because it fails fairly quietly and may lead to high security systems not having required auditing (like PCI compliant systems), I only noticed by looking in /var/log/boot.log.

  Description: Ubuntu 12.04.2 LTS
  Release: 12.04

  ii auditd 1.7.18-1ubuntu1 User space tools for security auditing
  ii linux-image-generic-lts-quantal 3.5.0.26.33 Generic Linux kernel image

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1158500/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1158500] Re: auditd fails to add rules when used in precise with -lts-quantal kernel
We really need to have auditd working ! More than annoying I find this bug quite critical given it renders auditd almost useless. = so true, it's quite amazing for a LTS/stable branch... Please do something :-)