[Bug 2072974] Re: python3-paramiko is unusable on Jammy in FIPS mode

2024-09-18 Thread Adam Vest
Hey there Nick,

Just chiming in from the FIPS-side of things, you are correct that FIPS
isn't available for Noble yet. That's likely more than a year out still
(hopefully less, though). FIPS will never make it to Oracular however,
since FIPS is only for LTS releases.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2072974

Title:
  python3-paramiko is unusable on Jammy in FIPS mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/paramiko/+bug/2072974/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2080988] [NEW] Consideration for implementing Python plugin support for "sudo"

2024-09-17 Thread Adam Vest
Public bug reported:

Hello!

I'm opening this LP to begin the discussion for consideration of
implementing the Python Plugin API (documented here[1]) into our sudo
package. We have received requests for this from some customers, and
other distros (RHEL[2], namely, apparently as of 9.x) have implemented
this. The lack of inclusion on our end has presented itself as a
migration blocker for some.

This has yet to be implemented upstream, with extensive discussion going
back a few years found here[3], though stalling out March 2022.

I recognize this would represent (potentially significant) security
concerns, though given the above, I believe it would be worthwhile to
consider implementing this in future releases.

Thanks for your time and consideration!

[1] https://www.sudo.ws/docs/man/1.9.0/sudo_plugin_python.man/
[2] https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-single/considerations_in_adopting_rhel_9/index#new-packages_assembly_changes-to-packages
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990855

** Affects: sudo (Ubuntu)
 Importance: Undecided
 Status: New

[Bug 2074225] Re: wpa_supplicant on wired connection on FIPS fails to connect

2024-07-26 Thread Adam Vest
For additional information, this is being configured in netplan. Here is the 
relevant (obfuscated) section of that configuration:
---
  auth:
   key-management: 802.1x
   method: tls
   ca-certificate: /var/my_dir/net/certs/CA.pem
   client-certificate: /var/my_dir/net/certs/WorkstationAuth.cert
   client-key: /var/my_dir/net/certs/WorkstationAuth.key
   identity: abcde01234
---

[Bug 2074225] [NEW] wpa_supplicant on wired connection on FIPS fails to connect

2024-07-26 Thread Adam Vest
Public bug reported:

Hello,

It would seem that wpa_supplicant, when used on a wired connection for 802.1x 
authentication, does not operate correctly on a Jammy system when FIPS is 
enabled (either fips or fips-updates). It's unclear what precisely is going on, 
but based on the logs we've seen thus far, it would appear that wpa_supplicant 
is failing to negotiate the connection (possibly due to disabled alg's):
---
wpa_supplicant[19782]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
wpa_supplicant[19782]: OpenSSL: openssl_handshake - SSL_connect error:1C800073:Provider routines::invalid data
wpa_supplicant[19782]: OpenSSL: pending error: error:0A0C0103:SSL routines::internal error
---

In this particular example, the upstream radius server and certificates
being used for authentication have all been verified to be
FIPS-compliant, and other networked devices are in FIPS mode and are able
to authenticate against it. There have been some recent patches pushed
upstream to this as well[1] that may be related here too.

This connection is confirmed to otherwise be working fine when FIPS mode
is disabled.

Thank you!

1. Description: Ubuntu 22.04.4 LTS
2. ii  wpasupplicant  2:2.10-6ubuntu2  amd64  client support for WPA and WPA2 (IEEE 802.11i)
3. Connection is successful
4. Connection fails to negotiate

[1] https://lists.infradead.org/pipermail/hostap/2024-July/042827.html

** Affects: wpasupplicant (Ubuntu)
 Importance: Undecided
 Status: New

[Bug 2072974] [NEW] python3-paramiko is unusable on Jammy in FIPS mode

2024-07-12 Thread Adam Vest
Public bug reported:

Hello! When one enables FIPS mode on a Jammy system and then attempts to
use paramiko in Python, the module crashes with the following output:

---
root@jipster:~# cat /proc/sys/crypto/fips_enabled
1
root@jipster:~# python3
Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import paramiko
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/paramiko/__init__.py", line 22, in <module>
    from paramiko.transport import SecurityOptions, Transport
  File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 133, in <module>
    class Transport(threading.Thread, ClosingContextManager):
  File "/usr/lib/python3/dist-packages/paramiko/transport.py", line 208, in Transport
    if KexCurve25519.is_available():
  File "/usr/lib/python3/dist-packages/paramiko/kex_curve25519.py", line 30, in is_available
    X25519PrivateKey.generate()
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/x25519.py", line 46, in generate
    return backend.x25519_generate_key()
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 2317, in x25519_generate_key
    evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_X25519)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 2305, in _evp_pkey_keygen_gc
    self.openssl_assert(evp_pkey_ctx != self._ffi.NULL)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 242, in openssl_assert
    return binding._openssl_assert(self._lib, ok, errors=errors)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 77, in _openssl_assert
    raise InternalError(
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=50856204, lib=6, reason=524556, reason_text=b'error:0308010C:digital envelope routines::unsupported')])
---

In the above trace, it appears to be attempting to generate an x25519
key, which isn't an acceptable alg in FIPS 140-3 and thus fails to
work.

1. root@jipster:~# lsb_release -rd
Description:    Ubuntu 22.04.4 LTS
Release:        22.04

2. root@jipster:~# apt-cache policy python3-paramiko
python3-paramiko:
  Installed: 2.9.3-0ubuntu1.2
  Candidate: 2.9.3-0ubuntu1.2

3. Expect that one can import the paramiko module successfully for use
4. Module crashes when (presumably) it attempts to use disallowed alg

** Affects: paramiko (Ubuntu)
 Importance: Undecided
 Status: New

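Added example, not part of the original bug reports: a small decoder for the packed OpenSSL error codes quoted in the paramiko report above and in the wpa_supplicant report (bug 2074225), useful for seeing which OpenSSL layer rejected the operation on a FIPS host. It assumes the OpenSSL 3.x error-code layout from include/openssl/err.h; the names decode and decode_log are illustrative.

```python
import re

# Packed error-code layout, assumed from OpenSSL 3.x include/openssl/err.h.
ERR_SYSTEM_FLAG = 0x80000000          # set when the code wraps an errno
ERR_LIB_OFFSET, ERR_LIB_MASK = 23, 0xFF
ERR_REASON_MASK = 0x7FFFFF            # low 23 bits: reason flags + number
ERR_RFLAG_FATAL = 0x1 << 18
ERR_RFLAG_COMMON = 0x2 << 18          # reason is a shared ERR_R_* value
ERR_NUMBER_MASK = (1 << 18) - 1

# Only the libraries and ERR_R_* reasons that occur in the two reports.
LIB_NAMES = {6: "EVP", 20: "SSL", 57: "PROV"}
COMMON_REASONS = {259: "ERR_R_INTERNAL_ERROR", 268: "ERR_R_UNSUPPORTED"}

ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*)::([^'\n]*)")

def decode(code):
    """Split a packed OpenSSL 3.x error code into its fields."""
    if code & ERR_SYSTEM_FLAG:
        return {"lib": "SYS", "errno": code & 0x7FFFFFFF}
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    reason = code & ERR_REASON_MASK
    common = bool(reason & ERR_RFLAG_COMMON)
    number = reason & ERR_NUMBER_MASK
    return {
        "lib": LIB_NAMES.get(lib, "lib%d" % lib), "lib_id": lib,
        "reason": reason, "number": number, "common": common,
        "fatal": bool(reason & ERR_RFLAG_FATAL),
        "name": COMMON_REASONS.get(number) if common else None,
    }

def decode_log(text):
    """Decode every 'error:XXXXXXXX:lib::reason' record in a log excerpt."""
    out = []
    for m in ERROR_RE.finditer(text):
        fields = decode(int(m.group(1), 16))
        fields["text"] = m.group(3).strip()
        out.append(fields)
    return out

# Sample input assembled from the error strings quoted in the two reports,
# with the mail line-wrapping undone.
SAMPLE = """\
OpenSSL: openssl_handshake - SSL_connect error:1C800073:Provider routines::invalid data
OpenSSL: pending error: error:0A0C0103:SSL routines::internal error
reason_text=b'error:0308010C:digital envelope routines::unsupported'
"""

if __name__ == "__main__":
    print(*decode_log(SAMPLE), sep="\n")
```

The paramiko error decodes to the EVP layer returning the shared "unsupported" reason, while the first wpa_supplicant error is raised from provider code with a library-specific reason number.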

[Bug 2058133] Re: [SRU] update-manager crashes when ua security-status response is an error

2024-05-09 Thread Adam Vest
Coming here from my dup bug report 2060971. Can confirm that the newer
version of update-manager seems to fix the issue. And indeed, my
livepatch install is a little janky on my system for some reason, but
instead of being greeted with a crash every morning, I'm now presented
with pending updates as expected \o/

[Bug 2060971] Re: Software Updater crashes upon login

2024-04-26 Thread Adam Vest
Hi Grant!

I keep my system updated regularly, but indeed I'm on slightly older:
---
:~$ dpkg -l|grep update-manager
ii  python3-update-manager  1:22.04.19  all  python 3.x module for update-manager
ii  update-manager          1:22.04.19  all  GNOME application that manages apt updates
ii  update-manager-core     1:22.04.19  all  manage release upgrades
---

Looks like it's phasing for me, so I'll override that and let you know if that 
helps any!
---
The following packages have been kept back:
  python3-update-manager update-manager update-manager-core
---

Can confirm the issue happened again this morning, so should be easy to
tell.

[Bug 2058286] Re: Requesting SRU for Octavia 10.1.1

2024-03-18 Thread Adam Vest
** Description changed:

  Howdy!
  
- I have a customer in case 00381750 requesting a time frame for when
- Octavia 10.1.1 can be SRUed, as they mentioned they are interested in
- some fixes included in that version for issues they are experiencing.
- I'm having trouble finding when that version was actually released[1],
- but looking at the last-modify times on the source files, I'd
- guesstimate on or around 08 Feb 2024.
+ This is just a generic request for Octavia 10.1.1 to be SRUed, as there
+ are a number of useful fixes that it would be nice to see pulled in. I'm
+ having trouble finding when that version was actually released[1], but
+ looking at the last-modify times on the source files, I'd guesstimate on
+ or around 08 Feb 2024.
  
  Thanks!
  
  [1] https://docs.openstack.org/releasenotes/octavia/yoga.html

** Information type changed from Private to Public
