[Bug 1866113] Re: CVE-2019-16235, CVE-2019-16236, CVE-2019-16237

2020-03-05 Thread Eduardo dos Santos Barretto
You can find it built here:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

** Changed in: dino-im (Ubuntu Bionic)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1866113

Title:
  CVE-2019-16235, CVE-2019-16236, CVE-2019-16237

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dino-im/+bug/1866113/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1819761] Re: [MIR] containerd

2020-02-28 Thread Eduardo dos Santos Barretto
I reviewed containerd 1.3.1-0ubuntu1 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

containerd is a daemon that manages the complete container lifecycle of its
host system. Containerd controls runc.

- No CVE History:
- Build-Depends
 - debhelper (>= 9)
 - go-md2man
 - golang-go (>= 2:1.10~)
 - golang-race-detector-runtime
 - libbtrfs-dev | btrfs-progs (<< 4.16.1~)
 - libseccomp-dev
 - pkg-config
- pre/post rm and postinst scripts added automatically
- No init scripts
- systemd units
  - containerd.service - adds overlay module to kernel and runs
    /usr/bin/containerd. Also sets some limits on number of processes,
    number of cores and files.
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/containerd
  - /usr/bin/containerd-shim
  - /usr/bin/containerd-shim-runc-v1
  - /usr/bin/containerd-shim-runc-v2
  - /usr/bin/containerd-stress
  - /usr/bin/ctr
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - different tests are available in the source code
   - make test (run automatically during build): non-integration tests
   - make root-test: non-integration tests (requires root)
   - make integration: run all tests, including integration tests (requires
     root)
  - also autopkgtest available (basic smoke DEP8 test)
   - http://autopkgtest.ubuntu.com/packages/containerd 
- No cron jobs
- Build logs:
  - No compilation errors or warnings.
  - E: Lintian run failed (policy violation)
    Lintian: fail


- Processes spawned
  - in pkg/process/ it implements its own way of Exec'ing processes
  - nsexec.c and cloned_binary.c: from runc, we commented about this function in
    runc MIR, nothing new.
  - vendor/github.com/containerd/go-runc/runc.go: Execute process inside the
    container.
- Memory management
  - Only in vendored code.
- File IO
  - Some File IO in archive/tar*.go, looks ok.
  - Other File IO are mostly done in vendored code.
- Logging
  - uses logrus for logging, much like runc.
- Environment variable usage
  - only in vendored code.
- Use of privileged functions
  - setuid, setgid and setresuid from runc code.
  - Lchown used in some places to change the uid and gid of the named file.
- No use of cryptography / random number sources etc
- Use of temp files mainly in test code.
- Use of networking
  - Only found something on:
    - runtime/v1/shim/client/client.go
    - runtime/v2/shim/publisher.go
    - cmd/containerd/command/publish.go
    - client.go
    - looks ok
- No use of WebKit
- No use of PolicyKit

- Coverity results
  - We ended up finding a possible bug; we are working with upstream to get it
    investigated.

Security team ACK for promoting containerd to main.

Unassigning the Security Team.

** Changed in: containerd (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1819761

[Bug 1864979] Re: Ubuntu Re-installation Aborted

2020-02-27 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1864979

[Bug 1856459]

2020-02-26 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Tags added: community-security

https://bugs.launchpad.net/bugs/1856459

Title:
  Update FFmpeg to 3.4.7 in Bionic

[Bug 1856922] Re: Ubuntu One Cannot Sign in. downloaded Installerfetch, Security

2020-02-26 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1856922

[Bug 1856698] Re: I can see the password as I type into the password field after I reboot my PC

2020-02-26 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1856698

[Bug 1862488] Re: clementine crashed with SIGSEGV in gst_element_set_state()

2020-02-26 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Public Security to Public

https://bugs.launchpad.net/bugs/1862488

[Bug 1862555]

2020-02-26 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Tags added: community-security

https://bugs.launchpad.net/bugs/1862555

Title:
  Filezilla outdated version

[Bug 1864379] Re: plasma-discover crashed with SIGABRT in raise()

2020-02-26 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Your bug report is more likely to get attention if it is made in
English, since this is the language understood by the majority of Ubuntu
developers.  Additionally, please only mark a bug as "security" if it
shows evidence of allowing attackers to cross privilege boundaries or to
directly cause loss of data/privacy. Please feel free to report any
other bugs you may find.

** Information type changed from Private Security to Public

** Changed in: plasma-discover (Ubuntu)
   Status: New => Incomplete

https://bugs.launchpad.net/bugs/1864379

[Bug 1852367] Re: [MIR] mysql-router (mysql-8.0)

2020-02-26 Thread Eduardo dos Santos Barretto
I reviewed mysql-router 8.0.19-0ubuntu2 as checked into focal (when this review
started). This shouldn't be considered a full audit but rather a quick gauge of
maintainability.

mysql-router is a binary package from mysql-8.0 that is responsible for routing
connections from MySQL clients to MySQL servers. As mentioned previously, only
mysql-router is missing in main from mysql-8.0 source package.

- No CVE History:
- Build-Depends
  - libc6 (>= 2.28)
  - libevent-core-2.1-7 (>= 2.1.8-stable)
  - libevent-extra-2.7-7 (>= 2.1.8-stable)
  - libevent-openssl-2.7-7 (>= 2.1.8-stable)
  - libgcc1
  - liblz4-1
  - libssl1.1
  - libstdc++6
  - zlib1g
- No pre/post rm and pre/post inst scripts.
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/mysqlrouter
  - /usr/bin/mysqlrouter_keyring
  - /usr/bin/mysqlrouter_passwd
  - /usr/bin/mysqlrouter_plugin_info
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - As mentioned previously, router has its own test section in the code at
    router/tests, but it's not available during build or in autopkgtest.
- No cron jobs
- Build logs:
  - Apparently no relevant issues on router build log.


- Processes spawned
  - Some bash scripts are created on router. We don't like the sudo commands but
    it looks unlikely to be used in an automated way:
    - router/src/router/src/config_generator.cc:2781
  - router/src/http/src/posix_re.h:173: Posix extended regular expressions.
    C++11 has std::regex, but gcc-4.x throws exceptions when it is used. Instead
    mysql-router implements a subset of std::regex. It looks like they didn't
    try to recreate the wheel on this, so looks fine.
  - router/src/harness/src/utilities-posix.cc:49
  - router/src/harness/src/process_launcher.cc:448
  - router/src/harness/src/hostname_validator.cc:51
  - All above look fine
- Memory management
  - Lots of memory management, hard to say just by looking if anything is
    wrong, so will dig into it during cppcheck.
- File IO
  - Lots of file IO, but looks ok.
- Logging
  - router/src/json_schema_embedder/json_schema_embedder.cc: logs to in_filename
    and out_filename that the user passed as argument.
  - the rest of the code seems to be covered by mysql-router logging feature
    e.g.:
    https://dev.mysql.com/doc/mysql-router/8.0/en/mysql-router-server-logging.html
- Environment variable usage
  - router uses some environment variables in its tests.
  - other than that:
   - router/src/router/src/router_app.cc:117:std::string path(std::getenv("PATH"));
   - router/src/router/src/router_app.cc:585:  auto pid_file_env = std::getenv("ROUTER_PID");
   - router/src/router/src/config_generator.cc:1761:std::string path(std::getenv("PATH"));
   - router/src/router/src/common/mysql_session.cc:290: getenv("MYSQL_ROUTER_RECORD_MOCK") ? getenv("MYSQL_ROUTER_RECORD_MOCK")
   - router/src/router/src/common/mysql_session.cc:297:const char *outfile = std::getenv("MYSQL_ROUTER_RECORD_MOCK");
   - router/src/router/src/keyring_info.cc:179:  err_code = ::setenv("ROUTER_ID", std::to_string(router_id).c_str(), 1);
   - router/src/router/src/utils.cc:215:  const char *env_var_value = std::getenv(env_var.c_str());
   - router/src/mock_server/src/duk_module_shim.c:231:static duk_ret_t node_process_getenv(duk_context *ctx) {
   - router/src/mock_server/src/duk_module_shim.c:232:  duk_push_string(ctx, getenv(duk_require_string(ctx, 0)));
   - router/src/mock_server/src/duk_module_shim.c:325:  "process.getenv(key);}}); }")) {
   - seem ok to me.
- Use of privileged functions
  - router/src/routing/src/mysql_routing.cc:477 - chmod 777 to a socket file, it
    is not clear to me if that can be a problem, but some comments in the code
    say this permission is to mimic what mysql server does.
  - router/src/harness/src/filesystem.cc:649: runs chmod on top of a file with
    the permissions passed to the function.
  - router/src/harness/src/filesystem.cc:661: chmod 777, used to make file
    public, so it will be really public.
  - router/src/harness/src/filesystem.cc:677: chmod 600, used to make file
    private.
  - router/src/harness/src/tty.c:163: ioctl used to fill the winsize structure
    with the screen width and height.
  - router/src/router/src/config_generator.cc:2741: chmod 700 to script file.
- Use of cryptography / random number sources etc
  - To communicate with MySQL metadata server when ssl_mode is set.
- Use of temp files
  - overall looks safe
  - router/src/router/src/config_generator.cc:584: set socketsdir to /tmp if
    user didn't specify one
  - router/src/router/src/utils.cc:100
- Use of networking
  - plenty of use of networking as one should expect.
  - It looks ok enough, going in-depth will be overkill.
- No use of WebKit
- No use of PolicyKit

- cppcheck results
  - plenty of warnings in testing code, ignoring it. Some warnings on

[Bug 1862770] Re: MySQL autopkgtest regressed in Focal release pocket

2020-02-11 Thread Eduardo dos Santos Barretto
This is the same as bug #1862364

https://bugs.launchpad.net/bugs/1862770

[Bug 1862364] [NEW] mysql-8.0 FTBFS (focal) because of hardcoded date in test

2020-02-07 Thread Eduardo dos Santos Barretto
Public bug reported:

Just similar to bug #1859100 there is another test that just started
failing because of a date that expired.

See the snippet of build log below:


[ 51%] main.events_1w4  [ fail ]
Test ended at 2020-02-07 10:46:06

CURRENT_TEST: main.events_1
mysqltest: At line 69: Query 'ALTER EVENT event_starts_test ON SCHEDULE AT '2020-02-02 20:00:02'' failed.
ERROR 1589 (HY000): Event execution time is in the past and ON COMPLETION NOT PRESERVE is set. The event was not changed. Specify a time in the future.

The result from queries just before the failure was:
drop event if exists event1;
Warnings:
Note1305Event event1 does not exist
create event event1 on schedule every 15 minute starts now() ends 
date_add(now(), interval 5 hour) DO begin end;
alter event event1 rename to event2 enable;
alter event event2 disable;
alter event event2 enable;
alter event event2 on completion not preserve;
alter event event2 on schedule every 1 year on completion preserve rename to 
event3 comment "new comment" do begin select 1; end__
alter event event3 rename to event2;
drop event event2;
create event event2 on schedule every 2 second starts now() ends 
date_add(now(), interval 5 hour) comment "some" DO begin end;
drop event event2;
CREATE EVENT event_starts_test ON SCHEDULE EVERY 10 SECOND COMMENT "" DO SELECT 
1;
SELECT interval_field, interval_value, event_definition FROM 
information_schema.events WHERE event_name='event_starts_test';
INTERVAL_FIELD  INTERVAL_VALUE  EVENT_DEFINITION
SECOND  10  SELECT 1
SELECT execute_at IS NULL, starts IS NULL, ends IS NULL, event_comment FROM 
information_schema.events WHERE event_schema='events_test' AND 
event_name='event_starts_test';
execute_at IS NULL  starts IS NULL  ends IS NULLEVENT_COMMENT
1   0   1   
safe_process[29375]: Child process: 29376, exit: 1

 - the logfile can be found in '/<>/builddir/mysql-test/var/log/main.events_1/events_1.log'


Doing a grep for 2020 shows some other tests that have a 2020 date; it might be
a good idea to fix them all together.

** Affects: mysql-8.0 (Ubuntu)
 Importance: Undecided
 Assignee: Rafael David Tinoco (rafaeldtinoco)
 Status: New
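
An added example, not part of the original bug report: the grep for 2020 mentioned in the report, generalized into a scan for absolute timestamps in event-schedule clauses. The `AT` clause, its timestamp and the reference time are taken from the build log; the `STARTS`/`ENDS` handling, the other sample statements and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Absolute timestamps inside event-schedule clauses. AT is the clause from the
# failing query in the build log; STARTS and ENDS are included on the
# assumption that they deserve the same review.
SCHEDULE_TS = re.compile(
    r"\b(AT|STARTS|ENDS)\s+['\"](\d{4}-\d{2}-\d{2})(?:\s+(\d{2}:\d{2}:\d{2}))?['\"]",
    re.IGNORECASE,
)

# Constructed sample: line 1 is the query from the build log, the rest are
# made-up statements for illustration.
SAMPLE_TEST = "\n".join([
    "ALTER EVENT event_starts_test ON SCHEDULE AT '2020-02-02 20:00:02';",
    "CREATE EVENT e_soon ON SCHEDULE EVERY 1 DAY STARTS '2020-06-01 00:00:00' DO SELECT 1;",
    "CREATE EVENT e_far ON SCHEDULE AT '2037-01-01' DO SELECT 1;",
    "SELECT * FROM t WHERE created < '2020-01-01 00:00:00';",
    "create event event1 on schedule every 15 minute starts now() "
    "ends date_add(now(), interval 5 hour) DO begin end;",
])

# "Test ended at" time from the build log, used as the reference clock.
BUILD_TIME = datetime(2020, 2, 7, 10, 46, 6)


def scan_schedule_dates(text, now, horizon_days=365):
    """Return (lineno, clause, timestamp, status) for each hardcoded schedule time."""
    horizon = now + timedelta(days=horizon_days)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SCHEDULE_TS.finditer(line):
            clause = match.group(1).upper()
            stamp = f"{match.group(2)} {match.group(3) or '00:00:00'}"
            try:
                when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            except ValueError:
                continue  # not a real calendar date, e.g. '2020-13-45'
            if when <= now:
                status = "expired"    # the test already fails, as in the log
            elif when <= horizon:
                status = "expiring"   # will start failing within the horizon
            else:
                status = "ok"
            findings.append((lineno, clause, when, status))
    return findings


def needs_attention(findings):
    """Findings that already break the test or will within the horizon."""
    return [f for f in findings if f[3] != "ok"]


if __name__ == "__main__":
    for lineno, clause, when, status in scan_schedule_dates(SAMPLE_TEST, BUILD_TIME):
        print(f"line {lineno}: {clause} {when} -> {status}")
```

Relative schedules such as `starts now()` and date literals outside a schedule clause are deliberately not reported, since they do not expire with the calendar.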

https://bugs.launchpad.net/bugs/1862364

[Bug 1817336] Re: [MIR] runc

2020-01-17 Thread Eduardo dos Santos Barretto
I reviewed runc 1.0.0~rc8+git20190923.3e425f80-0ubuntu1 as checked into focal.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.

runc, a lightweight universal container runtime, is a CLI tool for spawning and
running containers according to the Open Container Initiative (OCI)
specification.

The runc .deb package contains lots of vendored code. This was already discussed
in the previous comments.

- CVE History:
  - CVE-2019-19921 - Race condition on volume mounting. Not fixed yet in
    upstream.
  - CVE-2019-16884 - Apparmor bypass. Currently fixed in eoan and focal.
  - CVE-2019-5736 - mishandling of file-descriptor, related to /proc/self/exe,
    may allow attacker to obtain host root access. Fixed in all active releases.
  - CVE-2016-9962 - privilege escalation allowed when opening a file-descriptor.
    Fixed in all active releases.
  - CVE-2016-3697 - privilege escalation because of improper handling of
    usernames. Fixed in all active releases.
- Build-Depends
  - debhelper,
  - dh-golang,
  - go-md2man,
  - golang-any,
  - libapparmor-dev,
  - libseccomp-dev,
  - pkg-config,
  - protobuf-compiler
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/sbin/recvtty - recvtty is a reference implementation of a consumer of
    runC's --console-socket API.
  - /usr/sbin/runc - the command-line client for running containers.
- No sudo fragments
- No udev rules
- unit tests / autopkgtests
  - unit tests can be found under libcontainer/ and they test multiple
    functionalities of the code. They make use of Go's unit test framework.
    Unit tests are run during the package build.
  - Integration tests provide end-to-end testing of runc, they can be found
    under tests/ and under libcontainer/.
- No cron jobs
- Build logs:
  - No build errors
  - No meaningful lintian failures

- Processes spawned
  - libcontainer/nsenter/nsexec.c:276:   execve(app, argv, envp);
    It tries to call /proc//uid_map or /proc//gid_map
    Apparently the pid is retrieved from the environment variable
    _LIBCONTAINER_INITPIPE, "which was opened by the parent and kept open across
    the fork-exec of the `nsexec()` init"
  - libcontainer/nsenter/cloned_binary.c:512:  fexecve(execfd, argv, environ);
    Looks like it calls /proc/self/exe
- Memory management
  - A few .c files doing memory management, seems ok.
  - and a vendored seccomp code in golang doing a calloc.
- File IO
  - A few file IO in the C code of libcontainer, looks ok.
- Logging
  - make use of the errors package in some places.
  - but mostly uses logrus (vendored code)
- Environment variable usage
  - _LIBCONTAINER_INITPIPE
  - CLONED_BINARY_ENV
  - _LIBCONTAINER_STATEDIR
- Use of privileged functions
  - Seth took a look at those and the only relevant finding was reported here:
    https://github.com/opencontainers/runc/issues/2214
  - Nothing troublesome.
- Use of cryptography / random number sources:
  - Vendored godbus has a sha1 auth implementation. 
- Use of temp files
  - Some tests make use of /tmp and libcontainer uses /tmp when it wants to
    mount rootfs on tmpfs and also while cloning binaries.
- Use of networking
  - you can pass an AF_UNIX socket to runc so you can have a detached terminal.
  - nsexec also creates socket to make communication between parent and child
    process.
- No use of WebKit
- No use of PolicyKit

- Coverity issues:
  - 6 Issues listed by Coverity, all of them in vendored code.
    - 4 issues related to null pointer dereference
    - 1 issue of sha1 used in vendored godbus code
    - 1 issue related to unchecked return value
  

Security team ACK for promoting runc to main.

** Bug watch added: github.com/opencontainers/runc/issues #2214
   https://github.com/opencontainers/runc/issues/2214

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3697

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9962

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16884

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19921

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-5736

** Changed in: runc (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1817336

[Bug 1859100] Re: mysql-server FTBFS (focal) because of build tests

2020-01-15 Thread Eduardo dos Santos Barretto
Thanks, I will try to test or at least let the build run on xnox's
proposed mysql version.

https://bugs.launchpad.net/bugs/1859100

[Bug 711061] Re: [MIR] openjpeg2

2020-01-08 Thread Eduardo dos Santos Barretto
** Changed in: openjpeg2 (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/711061

[Bug 711061] Re: [MIR] openjpeg2

2020-01-08 Thread Eduardo dos Santos Barretto
I reviewed openjpeg2 2.3.1-1 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

openjpeg2 is a library to encode and decode JPEG 2000 images. JPEG 2000 is an
image compression standard and coding system. OpenJPEG dates back from 2005
and has become the JPEG 2000 reference software in 2015.

- CVE History:
  - openjpeg has been assigned CVEs every year since 2012. For Xenial we still
    have some 2016 CVEs that we are unaware of the fix. There are also a couple
    of CVEs that don't have a fix or we are unsure if they were solved:
    CVE-2018-16376, CVE-2018-20846, CVE-2019-6988
  - Upstream is responsive and willing to fix security issues, but they still
    need to improve on how to communicate about the fixes.
- Build-Depends:
  - cmake
  - debhelper
  - default-jdk
  - dh-apache2
  - help2man
  - javahelper
  - libcurl4-gnutls-dev or libcurl-ssl-dev
  - libfcgi-dev
  - liblcms2-dev
  - libpng-dev
  - libtiff-dev
  - libxerces2-java
  - zlib1g-dev
- postinst, prerm and postrm scripts automatically added
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/opj_compress - This program reads in an image of a certain type
    and converts it to a JPEG2000 file.
  - /usr/bin/opj_decompress - This program reads in a JPEG2000 image and
    converts it to another image type.
  - /usr/bin/opj_dump - This program reads in a JPEG2000 image and dumps the
    contents to stdout.
  - /usr/bin/opj_jp3d_compress - compress into JP3D volume.
  - /usr/bin/opj_jp3d_decompress - decompress JP3D volume.
  - /usr/bin/opj_dec_server - server to decode JPT/JPP-stream and communicate
    locally with JPIP client, which is coded in java.
  - /usr/bin/opj_jpip_addxml - embed metadata into JP2 file.
  - /usr/bin/opj_jpip_test - test index code format of a JP2 file.
  - /usr/bin/opj_jpip_transcode - convert JPT/JPP-stream to JP2 or J2K.
  - /usr/bin/opj_server - JPIP server supporting HTTP connection and
    JPT/JPP-stream.
  - /usr/bin/opj_jpip_viewer
- No sudo fragments
- No udev rules
- openjpeg2 has 1478 tests under tests/, including Google's oss-fuzzers setup.
  - some of those tests are CVEs reproducers.
- No cron jobs
- Build logs:
  - Multiple compiler warnings:
    /<>/src/lib/openjp2/openjpeg.c:1041:30: warning: cast between incompatible function types from int (*)(FILE *) {aka int (*)(struct _IO_FILE *)} to void (*)(void *) [-Wcast-function-type]
    /<>/src/bin/jp3d/opj_jp3d_decompress.c:488:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/bin/jp3d/convert.c:111:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/bin/jp3d/convert.c:118:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/bin/jp3d/convert.c:119:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/bin/jp3d/convert.c:130:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/bin/jp3d/convert.c:131:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/bin/jp3d/convert.c:132:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/bin/jp3d/convert.c:133:5: warning: ignoring return value of fread, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/bin/jp3d/convert.c:300:9: warning: ignoring return value of fscanf, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/bin/jp3d/convert.c:529:9: warning: ignoring return value of fgets, declared with attribute warn_unused_result [-Wunused-result]
    /<>/src/bin/jp3d/convert.c:851:9: warning: ignoring return value of fgets, declared with attribute warn_unused_result [-Wunused-result]

[Bug 1856456] Re: package systemd 242-7ubuntu3.2 failed to install/upgrade: package systemd is already installed and configured

2019-12-20 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1856456

[Bug 1856510] Re: Gtk-Message: 23:32:48.890: Failed to load module "canberra-gtk-module" (etherape:2564): libglade-WARNING **: 23:32:48.893: Could not load support for `gnome': libgnome.so: Ne peut o

2019-12-20 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1856510

Title:
  Gtk-Message: 23:32:48.890: Failed to load module "canberra-gtk-module"
  (etherape:2564): libglade-WARNING **: 23:32:48.893: Could not load
  support for `gnome': libgnome.so: Ne peut ouvrir le fichier d'objet
  partagé: Aucun fichier ou dossier de ce type  (etherape:2564):
  libglade-WARNING **: 23:32:48.977: unknown widget class 'GnomeCanvas'
  (etherape:2564): Gtk-WARNING **: 23:32:48.977:
  gtk_scrolled_window_add(): cannot add non scrollable widget use
  gtk_scrolled_window_add_with_viewport() instead EtherApe-INFO:
  23:32:48.988: sctp protocol not supported EtherApe-INFO: 23:32:48.988:
  ddp protocol not supported EtherApe-INFO: 23:32:48.988: ddp protocol
  not supported EtherApe-INFO: 23:32:48.989: ddp protocol not supported
  EtherApe-INFO: 23:32:48.989: ddp protocol not supported
  (etherape:2564): GLib-GObject-WARNING **: 23:32:48.990: invalid cast
  from 'GtkLabel' to 'GnomeCanvas'  (etherape:2564): GnomeCanvas-
  CRITICAL **: 23:32:48.990: gnome_canvas_root: assertion
  'GNOME_IS_CANVAS (canvas)' failed  (etherape:2564): GnomeCanvas-
  CRITICAL **: 23:32:48.990: gnome_canvas_item_new: assertion
  'GNOME_IS_CANVAS_GROUP (parent)' failed **
  ERROR:diagram.c:250:addref_canvas_obj: assertion failed: (obj) Abandon
  (core dumped) unexpected EOF in read_all() critical: read_all() failed
  on control socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/etherape/+bug/1856510/+subscriptions


[Bug 1856597] Re: sepackage mysql-server-5.7 5.7.28-0ubuntu0.18.04.4 failed to install/upgrade: instalado mysql-server-5.7 paquete post-installation guión el subproceso devolvió un error con estado de

2019-12-20 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1856597

Title:
  sepackage mysql-server-5.7 5.7.28-0ubuntu0.18.04.4 failed to
  install/upgrade: instalado mysql-server-5.7 paquete post-installation
  guión el subproceso devolvió un error con estado de salida 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1856597/+subscriptions


[Bug 1856771] Re: package samba 2:4.3.11+dfsg-0ubuntu0.16.04.24 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2019-12-20 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1856771

Title:
  package samba 2:4.3.11+dfsg-0ubuntu0.16.04.24 failed to
  install/upgrade: subprocess installed post-installation script
  returned error exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1856771/+subscriptions


[Bug 1856997] Re: Nvidia driver is not working / not supported

2019-12-20 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1856997

Title:
  Nvidia driver is not working / not supported

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1856997/+subscriptions


[Bug 1856944] Re: package login 1:4.2-3.1ubuntu5.4 failed to install/upgrade: package architecture (amd64) does not match system (i386)

2019-12-20 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1856944

Title:
  package login 1:4.2-3.1ubuntu5.4 failed to install/upgrade: package
  architecture (amd64) does not match system (i386)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1856944/+subscriptions


[Bug 1857059] Re: encontre un error y me vanearon

2019-12-20 Thread Eduardo dos Santos Barretto
Thank you for using Ubuntu and taking the time to report a bug. Your
report should contain, at a minimum, the following information so we can
better find the source of the bug and work to resolve it.

Submitting the bug about the proper source package is essential. For
help see https://wiki.ubuntu.com/Bugs/FindRightPackage . Additionally,
in the report please include:

1) The release of Ubuntu you are using, via 'cat /etc/lsb-release' or System ->
   About Ubuntu.
2) The version of the package you are using, via 'dpkg -l PKGNAME | cat' or by
   checking in Synaptic.
3) What happened and what you expected to happen.

The Ubuntu community has also created debugging procedures for a wide
variety of packages at https://wiki.ubuntu.com/DebuggingProcedures .
Following the debugging instructions for the affected package will make
your bug report much more complete. Thanks!


** Information type changed from Private Security to Public

** Changed in: apache2 (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1857059

Title:
  encontre un error y me vanearon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1857059/+subscriptions


[Bug 1856979] Re: GIT 2.x vulnerabilities

2019-12-19 Thread Eduardo dos Santos Barretto
Actually marking it as Fixed Released.

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1856979

Title:
  GIT 2.x  vulnerabilities

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1856979/+subscriptions


[Bug 1855768] Re: Ubuntu-security CVE-2019-18224 web page shows incorrect info about libidn2-0 status

2019-12-10 Thread Eduardo dos Santos Barretto
Hi Srdjan,

Awesome, thanks! I will give it a try.

Yes, the analysis seems correct to me. So I encourage you to file a bug
on Trivy Github and let them verify what's going on. If possible, keep
us updated on the outcomes of your bug report.

I appreciate it!
Thanks,
Eduardo

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1855768

Title:
  Ubuntu-security CVE-2019-18224 web page shows incorrect info about
  libidn2-0 status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1855768/+subscriptions


[Bug 1855768] Re: Ubuntu-security CVE-2019-18224 web page shows incorrect info about libidn2-0 status

2019-12-09 Thread Eduardo dos Santos Barretto
Also, I am not aware of this Trivy tool, but could you give us more
information on what you are seeing?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1855768

Title:
  Ubuntu-security CVE-2019-18224 web page shows incorrect info about
  libidn2-0 status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1855768/+subscriptions


[Bug 1855768] Re: Ubuntu-security CVE-2019-18224 web page shows incorrect info about libidn2-0 status

2019-12-09 Thread Eduardo dos Santos Barretto
Hi Srdjan,

Thanks for taking the time to report this issue and helping to make Ubuntu
better.

The USN you mentioned applied the fix to the source package libidn2
(https://packages.ubuntu.com/source/bionic/libidn2).
You can see on the mentioned page that this source package generates multiple
binary packages, including idn2 and libidn2-0. So, on the USN page that you
mentioned we are referring to those binary packages, but on the CVE page we are
only dealing with source package names. So we already have "released" in the
lines for libidn2.

The lines that you are referring to, which are marked as DNE, are for the
libidn2-0 source package
(https://packages.ubuntu.com/source/xenial/libidn2-0), which only exists
on Ubuntu Xenial (16.04) and Trusty (14.04), and that's why it is marked
as DNE (Do Not Exist) in the CVE page.

So this is just a confusion between source packages and binary packages.
Binary packages are what you install with an apt-get install command. Source
packages are where we apply the fix, and where the binary packages will
be generated from.

Hope I didn't get you more confused on this.
Thanks

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855768

Title:
  Ubuntu-security CVE-2019-18224 web page shows incorrect info about
  libidn2-0 status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1855768/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
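
Added example, not part of the original message and not Ubuntu or Trivy code: the source-versus-binary distinction from the message above, shown by resolving each installed binary package to its source package before a status lookup. The dpkg-style stanzas, their versions and the two-entry status table are constructed for illustration; the "released" and "DNE" values mirror what the message describes for libidn2 and libidn2-0.

```python
import re

# Constructed sample in the style of dpkg status stanzas (not from a real host).
# "Source:" is present only when the source name differs from the binary name,
# and may carry a version in parentheses.
SAMPLE_STATUS = """\
Package: libidn2-0
Status: install ok installed
Architecture: amd64
Source: libidn2
Version: 0.0-constructed1
Description: constructed sample stanza
 continuation line of the description

Package: idn2
Status: install ok installed
Architecture: amd64
Source: libidn2 (0.0-constructed1)
Version: 0.0-constructed1+b1

Package: tcpdump
Status: install ok installed
Architecture: amd64
Version: 0.0-constructed2
"""

# Constructed status table keyed by SOURCE package name, then release.
SAMPLE_TRACKER = {
    "libidn2": {"bionic": "released"},
    "libidn2-0": {"bionic": "DNE"},  # this source package does not exist in bionic
}


def parse_stanzas(text):
    """Split control-file text into a list of {field: value} dicts."""
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():              # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last_key = {}, None
        elif line[0] in " \t":            # continuation of the previous field
            if last_key is not None:
                current[last_key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def source_of(stanza):
    """Source package name: the Source field without its optional version,
    or the binary package name itself when no Source field is present."""
    raw = stanza.get("Source", stanza["Package"])
    return re.sub(r"\s*\(.*\)\s*$", "", raw)


def binary_to_source(stanzas):
    return {s["Package"]: source_of(s) for s in stanzas if "Package" in s}


def naive_status(tracker, binary, release):
    """Lookup keyed on the binary name: the mismatch the message describes."""
    return tracker.get(binary, {}).get(release)


def resolved_status(tracker, mapping, binary, release):
    """Lookup keyed on the source package the binary was built from."""
    source = mapping.get(binary)
    if source is None:
        return None
    return tracker.get(source, {}).get(release)


def audit(status_text, tracker, release):
    """Return (binary, source, status_by_binary_name, status_by_source) rows."""
    mapping = binary_to_source(parse_stanzas(status_text))
    return [
        (binary, source,
         naive_status(tracker, binary, release),
         resolved_status(tracker, mapping, binary, release))
        for binary, source in sorted(mapping.items())
    ]


if __name__ == "__main__":
    for row in audit(SAMPLE_STATUS, SAMPLE_TRACKER, "bionic"):
        print("%-10s source=%-8s by-binary-name=%-5s by-source=%s" % row)
```

On a real Debian or Ubuntu host the same mapping is available from `dpkg-query -W -f='${Package} ${source:Package}\n'`.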

[Bug 1854707] Re: tcpdump vulnerability

2019-12-02 Thread Eduardo dos Santos Barretto
*** This bug is a duplicate of bug 1847520 ***
https://bugs.launchpad.net/bugs/1847520

** Also affects: tcpdump (Ubuntu)
   Importance: Undecided
   Status: New

** No longer affects: phpmyadmin (Ubuntu)

** This bug has been marked a duplicate of bug 1847520
   33 Upstream CVEs patched

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854707

Title:
  tcpdump vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tcpdump/+bug/1854707/+subscriptions


[Bug 1854530] Re: package pcp 4.3.4-1build1 failed to install/upgrade: installed pcp package post-installation script subprocess returned error exit status 1

2019-11-29 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854530

Title:
  package pcp 4.3.4-1build1 failed to install/upgrade: installed pcp
  package post-installation script subprocess returned error exit status
  1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcp/+bug/1854530/+subscriptions


[Bug 1854525] Re: package libglib-perl 3:1.320-2 failed to install/upgrade: package libglib-perl is not ready for configuration cannot configure (current status 'half-installed')

2019-11-29 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854525

Title:
  package libglib-perl 3:1.320-2 failed to install/upgrade: package
  libglib-perl is not ready for configuration  cannot configure (current
  status 'half-installed')

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libglib-perl/+bug/1854525/+subscriptions


[Bug 1854498] Re: package libpng12-0 1.2.54-1ubuntu1 failed to install/upgrade: trying to overwrite shared '/usr/share/doc/libpng12-0/changelog.Debian.gz', which is different from other instances of p

2019-11-29 Thread Eduardo dos Santos Barretto
*** This bug is a duplicate of bug 1799215 ***
https://bugs.launchpad.net/bugs/1799215

Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854498

Title:
  package libpng12-0 1.2.54-1ubuntu1 failed to install/upgrade: trying
  to overwrite shared '/usr/share/doc/libpng12-0/changelog.Debian.gz',
  which is different from other instances of package libpng12-0:amd64

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libpng/+bug/1854498/+subscriptions


[Bug 1854373] Re: CVE affecting phpMyAdmin 4.x

2019-11-28 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-18622

** Also affects: phpmyadmin (Ubuntu)
   Importance: Undecided
   Status: New

** No longer affects: tcpdump (Ubuntu)

** Tags added: community-security

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854373

Title:
  CVE affecting phpMyAdmin 4.x

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/phpmyadmin/+bug/1854373/+subscriptions


[Bug 1854120] Re: Screen contents visible briefly on lock screen on resolution change

2019-11-27 Thread Eduardo dos Santos Barretto
@vanvugt, could you please take a look at this and assign it to the correct
package?
It might be a duplicate of another ticket.
Thanks!

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854120

Title:
  Screen contents visible briefly on lock screen on resolution change

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-docs/+bug/1854120/+subscriptions


[Bug 1850032] Re: scanbd prevents HP printers to work correctly with HPLIP

2019-11-26 Thread Eduardo dos Santos Barretto
** Also affects: cups (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1850032

Title:
  scanbd prevents HP printers to work correctly with HPLIP

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1850032/+subscriptions


[Bug 1853545]

2019-11-26 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Tags added: community-security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1853545

Title:
  discover did not ask for a password on an update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/discover/+bug/1853545/+subscriptions


[Bug 1853371] Re: discover did not ask for a password on an update

2019-11-26 Thread Eduardo dos Santos Barretto
*** This bug is a duplicate of bug 1853545 ***
https://bugs.launchpad.net/bugs/1853545

** This bug has been marked a duplicate of bug 1853545
   discover did not ask for a password on an update

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1853371

Title:
  discover did not ask for a password on an update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/discover/+bug/1853371/+subscriptions


[Bug 1853760] Re: php 7.2 has dependency problems and they are not letting to update apache2 and php7.2 * modules

2019-11-25 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1853760

Title:
  php 7.2 has dependency problems and they are not letting to update
  apache2 and php7.2 * modules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php7.2/+bug/1853760/+subscriptions


[Bug 1851738] Re: cqrlog cant be remove , cant download other apps because of it

2019-11-25 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1851738

Title:
  cqrlog cant be remove ,cant download other apps because of it

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1851738/+subscriptions


[Bug 1853696] Re: linux corrompido

2019-11-25 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1853696

Title:
  linux corrompido

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1853696/+subscriptions


[Bug 711061] Re: [MIR] openjpeg2

2019-10-23 Thread Eduardo dos Santos Barretto
** Changed in: openjpeg2 (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/711061/+subscriptions


[Bug 1847701] Re: Buffer Overflow Write when libntlm generates NTLM request

2019-10-15 Thread Eduardo dos Santos Barretto
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1847701

Title:
  Buffer Overflow Write when libntlm generates NTLM request

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libntlm/+bug/1847701/+subscriptions


[Bug 1847831] Re: pppp

2019-10-14 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1847831

Title:
  

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1847831/+subscriptions


[Bug 1847520] Re: 33 Upstream CVEs patched

2019-10-14 Thread Eduardo dos Santos Barretto
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1847520

Title:
  33 Upstream CVEs patched

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tcpdump/+bug/1847520/+subscriptions


[Bug 1847960] Re: After returning from suspend the screen content (with all previously opened programs, like code editor) is shown for 1 second before displaying login form

2019-10-14 Thread Eduardo dos Santos Barretto
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1847960

Title:
  After returning from suspend the screen content (with all previously
  opened programs, like code editor) is shown for 1 second before
  displaying login form

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/1847960/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1848076] Re: libc programme was unable to get updated

2019-10-14 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1848076

Title:
  libc programme was unable to get updated

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1848076/+subscriptions


[Bug 1841978] Re: package login 1:4.2-3.1ubuntu5 failed to install/upgrade: package login is already installed and configured

2019-09-02 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1841978

Title:
  package login 1:4.2-3.1ubuntu5 failed to install/upgrade: package
  login is already installed and configured

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1841978/+subscriptions


[Bug 1815483] Re: [MIR] libhandy

2019-08-16 Thread Eduardo dos Santos Barretto
I reviewed libhandy 0.0.10-1 as checked into eoan. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

libhandy is a library full of GTK widgets for mobile phones. The aim of
libhandy is to help with developing UI for mobile devices using GTK/GNOME.

- No CVE History:
- Build-Depends
  - debhelper-compat
  - dh-sequence-gir
  - gtk-doc-tools
  - libgirepository1.0-dev
  - libgladeui-dev
  - libglib2.0-doc
  - libgnome-desktop-3-dev
  - libgtk-3-doc
  - libgtk-3-dev
  - libxml2-utils
  - meson
  - pkg-config
  - valac
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No udev rules
- Unit tests / autopkgtests
  - under tests/ there are quite a few tests available testing different
    widgets
  - autopkgtests passing on:
    https://autopkgtest.ubuntu.com/packages/libh/libhandy
    https://ci.debian.net/packages/libh/libhandy/
- No cron jobs
- Build logs:
  - Some compiler warnings:
    update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-action-row'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-arrows'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-combo-row'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-dialer'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-dialer-cycle-button'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-dialog'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-expander-row'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-header-bar'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-header-group'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-preferences-group'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-preferences-page'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-preferences-row'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-preferences-window'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-search-bar'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-squeezer'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-string-utf8'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-value-object'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-view-switcher'
    WARNING: Use the 'pie' kwarg instead of passing '-fpie' manually to 'test-view-switcher-bar'
    html/HdyViewSwitcher.html:135: warning: no link for: "PangoEllipsizeMode" -> (PangoEllipsizeMode).
    html/HdyViewSwitcher.html:543: warning: no link for: "PANGO-ELLIPSIZE-NONE:CAPS" -> (PANGO_ELLIPSIZE_NONE)

- No processes spawned
- Memory management
  - It looks safe
- No File IO
- No Logging
- No Environment variable usage
- No Use of privileged functions
- No Use of cryptography
- No Use of temp files
- No Use of networking
- No Use of WebKit
- No Use of PolicyKit
- No significant cppcheck results
- We don't have Coverity results so far, as we are having issues with
  coverity + meson.
- A few FIXME around the code, mostly on src/hdy-leaflet.c, nothing that
  would block the MIR

This library is well maintained and GNOME apps should use even more
libhandy in the future. Although this is still not a "stable" release,
we don't have any objections on it going to main.

I am not sure if you will want to wait for version 0.1.0 or will need to
move ahead to get the current version into 19.10. If you are going to
wait for the "stable" release, just let us know and we can review and
compare the changes with the current audit.

Security team ACK for promoting libhandy to main.

** Changed in: libhandy (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1815483

Title:
  [MIR] libhandy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libhandy/+bug/1815483/+subscriptions


[Bug 1839531] Re: 14.04 LTS does not upgrade to 16.04 LTS

2019-08-08 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1839531

Title:
  14.04 LTS does not upgrade to 16.04 LTS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1839531/+subscriptions


[Bug 1839071] Re: numad sched_setaffinity bug

2019-08-06 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1839071

Title:
  numad sched_setaffinity bug

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/numad/+bug/1839071/+subscriptions


[Bug 1814596] Re: DynamicUser can create setuid binaries when assisted by another process

2019-08-06 Thread Eduardo dos Santos Barretto
** Changed in: systemd (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1814596

Title:
  DynamicUser can create setuid binaries when assisted by another
  process

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596/+subscriptions


[Bug 1833479] Re: libjack-jackd2-0 double close on a failure to connect to jackd which causes crashes in multithreaded programs

2019-08-05 Thread Eduardo dos Santos Barretto
** Changed in: jackd2 (Ubuntu)
   Status: New => Confirmed

** Changed in: jackd2 (Debian)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1833479

Title:
  libjack-jackd2-0 double close on a failure to connect to jackd which
  causes crashes in multithreaded programs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jackd2/+bug/1833479/+subscriptions


[Bug 1838067] Re: made Ubuntu very slow then crash

2019-08-05 Thread Eduardo dos Santos Barretto
** Changed in: clamtk (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1838067

Title:
  made Ubuntu very slow then crash

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamtk/+bug/1838067/+subscriptions


[Bug 1838795] Re: package linux-image-extra-4.4.0-57-generic 4.4.0-57.78 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1

2019-08-05 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1838795

Title:
  package linux-image-extra-4.4.0-57-generic 4.4.0-57.78 failed to
  install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools
  exited with return code 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1838795/+subscriptions


[Bug 1838879] Re: Nvidia MX130 Video

2019-08-05 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1838879

Title:
  Nvidia MX130 Video

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1838879/+subscriptions


[Bug 1836496]

2019-07-15 Thread Eduardo dos Santos Barretto
Thanks Julian! The packages will be available in a few minutes in
security-proposed
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=redis_filter=published_filter=
If you could also test them, that would be great. I will be pushing them to
the archive tomorrow, first thing in the morning. Thanks again

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1836496

Title:
  CVE-2019-10192  CVE-2019-10193

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/redis/+bug/1836496/+subscriptions


[Bug 1836496] Re: CVE-2019-10192 CVE-2019-10193

2019-07-15 Thread Eduardo dos Santos Barretto
** Changed in: redis (Ubuntu)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1836496

Title:
  CVE-2019-10192  CVE-2019-10193

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/redis/+bug/1836496/+subscriptions


[Bug 1836496] Re: CVE-2019-10192 CVE-2019-10193

2019-07-15 Thread Eduardo dos Santos Barretto
** Changed in: redis (Ubuntu)
 Assignee: (unassigned) => Eduardo dos Santos Barretto (ebarretto)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1836496

Title:
  CVE-2019-10192  CVE-2019-10193

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/redis/+bug/1836496/+subscriptions


[Bug 1833745] Re: [MIR] required new dependency of appstream

2019-07-09 Thread Eduardo dos Santos Barretto
** Changed in: lmdb (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1833745

Title:
  [MIR] required new dependency of appstream

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lmdb/+bug/1833745/+subscriptions


[Bug 1833745] Re: [MIR] required new dependency of appstream

2019-07-09 Thread Eduardo dos Santos Barretto
I reviewed lmdb 0.9.23-0ubuntu1 as checked into eoan. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

lmdb is a software library that provides a high-performance embedded
transactional database in the form of a key-value store.

- No CVE History
- Build-Depends
  - debhelper
  - doxygen
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/mdb_copy
  - /usr/bin/mdb_dump
  - /usr/bin/mdb_load
  - /usr/bin/mdb_stat
- No sudo fragments
- No udev rules
- A couple of tests available in the source code:
  - mtest.c: tests for main DB. It's the only test executed during build
    (./mtest && ./mdb_stat testdb)
  - mtest2.c: tests for subDB
  - mtest3.c: tests for sorted duplicated DBs
  - mtest4.c: tests for sorted duplicated DBs with fixed-size keys
  - mtest5.c: tests for sorted duplicated DBs using cursor_put
  - mtest6.c: tests for DB splits and merges
- No cron jobs
- Build logs:
  - Lots of warnings during build, mostly related to doxygen macro definitions
  - The warnings are attached.
- No Processes spawned
- Memory management
  - Lots of dynamic memory allocation and memory copying. In general they look
    safe, they are checking for NULL, strings are also NUL terminated and they
    are freeing memory after use.
- Lots of File IO
  - some paths come from argv but buffer is allocated dynamically based on
    user's input.
- Logging
  - Binaries in path are logging only to stderr
- No Environment variable usage
- No Use of privileged functions
- No Use of cryptography / random number sources
  - srand used in test code
- No Use of temp files
- No Use of networking
- No Use of WebKit
- No Use of PolicyKit
- No significant cppcheck results
- Coverity results
  - Some NULL pointer dereference
  - Some pthread lock not being unlocked
  - Use after free
  - Resource leak
  - Out-of-bounds access 
  - I will be forwarding this to upstream to get more feedback if any of them
    is a high priority issue.
  - Talked to upstream and they confirmed all are false positives.

The code is well maintained and upstream is responsive.

Security team ACK for promoting lmdb to main.

** Attachment added: "build warnings"
   https://bugs.launchpad.net/ubuntu/+source/lmdb/+bug/1833745/+attachment/5275933/+files/log.txt

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1833745

Title:
  [MIR] required new dependency of appstream

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lmdb/+bug/1833745/+subscriptions


[Bug 1835213] Re: CVE-2019-13132

2019-07-08 Thread Eduardo dos Santos Barretto
Thanks Luca for all the help and contribution, the fix is released. Feel
free to contact us in case of new issues.

** Changed in: zeromq3 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835213

Title:
  CVE-2019-13132

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zeromq3/+bug/1835213/+subscriptions


[Bug 1820233] Re: [MIR] zope.component as dependency of mailman3

2019-06-19 Thread Eduardo dos Santos Barretto
I reviewed zope.component 4.3.0-1 as checked into eoan. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

Zope is a free and open source web application server written in the
object-oriented programming language “Python”.
zope.component is a framework that provides facilities for defining,
registering and looking up components.

The project didn't receive a commit for the past 8 months but it is still
maintained and the code is mature.

- No CVE History:
- Build-Depends
  - dh-python
  - python-all
  - python-persistent
  - python-setuptools
  - python-zope.configuration
  - python-zope.event
  - python-zope.interface
  - python-zope.proxy
  - python-zope.security
  - python3-all
  - python3-persistent
  - python3-setuptools
  - python3-zope.configuration
  - python3-zope.event
  - python3-zope.interface
  - python3-zope.proxy
  - python3-zope.security
- prerm and postinst added automatically 
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No udev rules
- unit tests on src/zope/component/tests/
  - There are lots of tests, some of them also check coverage.
- No cron jobs
- Build logs:
  dpkg-scanpackages: warning: Packages in archive but missing from override file:
  dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy
  dpkg-scanpackages: warning: Packages in archive but missing from override file:
  dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy sbuild-build-depends-zope.component-dummy
  dpkg-source: warning: extracting unsigned source package (zope.component_4.3.0-1.dsc)
  warning: no previously-included files matching '*.dll' found anywhere in distribution
  warning: no previously-included files matching '*.pyc' found anywhere in distribution
  warning: no previously-included files matching '*.pyo' found anywhere in distribution
  warning: no previously-included files matching '*.so' found anywhere in distribution
  warning: no previously-included files matching 'coverage.xml' found anywhere in distribution
  warning: no previously-included files matching '*.dll' found anywhere in distribution
  warning: no previously-included files matching '*.pyc' found anywhere in distribution
  warning: no previously-included files matching '*.pyo' found anywhere in distribution
  warning: no previously-included files matching '*.so' found anywhere in distribution
  warning: no previously-included files matching 'coverage.xml' found anywhere in distribution
  warning: no previously-included files matching '*.dll' found anywhere in distribution
  warning: no previously-included files matching '*.pyc' found anywhere in distribution
  warning: no previously-included files matching '*.pyo' found anywhere in distribution
  warning: no previously-included files matching '*.so' found anywhere in distribution
  warning: no previously-included files matching 'coverage.xml' found anywhere in distribution
  warning: no previously-included files matching '*.dll' found anywhere in distribution
  warning: no previously-included files matching '*.pyo' found anywhere in distribution
  warning: no previously-included files matching '*.so' found anywhere in distribution
  warning: no previously-included files matching 'coverage.xml' found anywhere in distribution
  warning: no previously-included files matching '*.dll' found anywhere in distribution
  warning: no previously-included files matching '*.pyo' found anywhere in distribution
  warning: no previously-included files matching '*.so' found anywhere in distribution
  warning: no previously-included files matching 'coverage.xml' found anywhere in distribution
  warning: no previously-included files matching '*.dll' found anywhere in distribution
  warning: no previously-included files matching '*.pyo' found anywhere in distribution
  warning: no previously-included files matching '*.so' found anywhere in distribution
  warning: no previously-included files matching 'coverage.xml' found anywhere in distribution
  dpkg-gencontrol: warning: package python-zope.component: substitution variable ${python:Provides} unused, but is defined
  dpkg-gencontrol: warning: package python-zope.component: substitution variable ${python:Versions} unused, but is defined
  dpkg-scanpackages: warning: Packages in archive but missing from override file:
  dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy sbuild-build-depends-lintian-dummy sbuild-build-depends-zope.component-dummy

- No processes spawned (only in tests)
- No memory management
- No file IO
- No logging
- No environment variable usage
- No use of privileged functions
- No Use of cryptography
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit
- No Coverity issues

Security team ACK for promoting zope.component to main.


** Changed in: zope.component (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member 

[Bug 1832679] Re: package python-secretstorage 2.3.1-2 failed to install/upgrade: le sous-processus script post-installation installé a retourné une erreur de sortie d'état 1

2019-06-13 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832679

Title:
  package python-secretstorage 2.3.1-2 failed to install/upgrade: le
  sous-processus script post-installation installé a retourné une erreur
  de sortie d'état 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-secretstorage/+bug/1832679/+subscriptions


[Bug 1822013] Re: extplorer package exposes /usr/ (and /etc/extplorer/) directory over HTTP

2019-06-12 Thread Eduardo dos Santos Barretto
** Changed in: extplorer (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1822013

Title:
  extplorer package exposes /usr/ (and /etc/extplorer/) directory over
  HTTP

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/extplorer/+bug/1822013/+subscriptions


[Bug 1775776] Re: GNU bc crashes on some inputs

2019-06-11 Thread Eduardo dos Santos Barretto
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1775776

Title:
  GNU bc crashes on some inputs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bc/+bug/1775776/+subscriptions


[Bug 1751920] Re: USN-3537-2: partially applies to MariaDB too

2019-06-11 Thread Eduardo dos Santos Barretto
Setting mariadb-10.1 to 'Fix Released' as Bionic
(1:10.1.34-0ubuntu0.18.04.1) and newer releases already contain the
fixes for those CVEs.

** Changed in: mariadb-10.1 (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1751920

Title:
  USN-3537-2: partially applies to MariaDB too

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1751920/+subscriptions


[Bug 1778341] Re: 100.0% finished but not written to disk

2019-06-11 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1778341

Title:
  100.0% finished but not written to disk

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/amule/+bug/1778341/+subscriptions


[Bug 1829557] Re: package file 1:5.25-2ubuntu1 failed to install/upgrade: package file is not ready for configuration cannot configure (current status 'half-installed')

2019-06-11 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1829557

Title:
  package file 1:5.25-2ubuntu1 failed to install/upgrade: package file
  is not ready for configuration  cannot configure (current status
  'half-installed')

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/file/+bug/1829557/+subscriptions


[Bug 1821957] Re: Turning off a monitor unlocks the computer

2019-06-10 Thread Eduardo dos Santos Barretto
** Changed in: gnome-screensaver (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1821957

Title:
  Turning off a monitor unlocks the computer

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntubudgie/+bug/1821957/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1831713] Re: Security update to libpam-u2f from Yubico

2019-06-10 Thread Eduardo dos Santos Barretto
** Changed in: pam-u2f (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1831713

Title:
  Security update to libpam-u2f from Yubico

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam-u2f/+bug/1831713/+subscriptions


[Bug 1832041] Re: The mouse stops working

2019-06-10 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832041

Title:
  The mouse stops working

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1832041/+subscriptions


[Bug 1830464] Re: Installer crashes at grub installation, i tried twice both the time crashed while grub installation, FYI there is working internet connection

2019-06-10 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1830464

Title:
  Installer crashes at grub installation, i tried twice both the time
  crashed while grub installation, FYI there is working internet
  connection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub-installer/+bug/1830464/+subscriptions


[Bug 1829407] Re: package linux-image-4.18.0-15-generic 4.18.0-15.16~18.04.1 failed to install/upgrade: installed linux-image-4.18.0-15-generic package pre-removal script subprocess returned error exi

2019-06-10 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1829407

Title:
  package linux-image-4.18.0-15-generic 4.18.0-15.16~18.04.1 failed to
  install/upgrade: installed linux-image-4.18.0-15-generic package pre-
  removal script subprocess returned error exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-signed-hwe/+bug/1829407/+subscriptions


[Bug 1830570] Re: nao consigo instalar no meu pc

2019-06-10 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1830570

Title:
  I can't install on my PC

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub-installer/+bug/1830570/+subscriptions


[Bug 1832114] Re: install error

2019-06-10 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832114

Title:
  install error

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1832114/+subscriptions


[Bug 1832122] Re: Installation applet crashed during install

2019-06-10 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832122

Title:
  Installation applet crashed during install

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1832122/+subscriptions


[Bug 1832163] Re: I just got BANNED FOR NO REASON, I WAS PLAYING SKYWAR AND SUDDENLY I GOT BANNED. I haven't played for 3 years, I join a server to remember the old times and they b

2019-06-10 Thread Eduardo dos Santos Barretto
** Changed in: apache2 (Ubuntu)
   Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832163

Title:
  I just got BANNED FOR NO REASON, I WAS PLAYING SKYWAR AND SUDDENLY I
  GOT BANNED. I haven't played for 3 years, I join a server to remember
  the old times and they ban me! I would like it to be lifted, and
  besides I didn't understand why THANOS BANNED ME. AHH NOW I SEE, I
  JUST READ IT, IT SAYS I USE HACKS!! LOOK, RIDICULOUS, I DON'T HAVE
  HACKS! Remove the ban from my character, I did nothing wrong, I
  played legit, my name is izzuzzu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1832163/+subscriptions


[Bug 1832163] Re: I just got BANNED FOR NO REASON, I WAS PLAYING SKYWAR AND SUDDENLY I GOT BANNED. I haven't played for 3 years, I join a server to remember the old times and they b

2019-06-10 Thread Eduardo dos Santos Barretto
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832163

Title:
  I just got BANNED FOR NO REASON, I WAS PLAYING SKYWAR AND SUDDENLY I
  GOT BANNED. I haven't played for 3 years, I join a server to remember
  the old times and they ban me! I would like it to be lifted, and
  besides I didn't understand why THANOS BANNED ME. AHH NOW I SEE, I
  JUST READ IT, IT SAYS I USE HACKS!! LOOK, RIDICULOUS, I DON'T HAVE
  HACKS! Remove the ban from my character, I did nothing wrong, I
  played legit, my name is izzuzzu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1832163/+subscriptions


[Bug 1825572] Re: April 2019 Oracle CPU might also affect MariaDB

2019-06-05 Thread Eduardo dos Santos Barretto
Thanks Otto for providing the update for 18.04.
We just released it and it should be available in the archive in some minutes.
We appreciate all the work you've done.

** Changed in: mariadb-10.1 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1825572

Title:
  April 2019 Oracle CPU might also affect MariaDB

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1825572/+subscriptions


Re: [Bug 1820226] Re: [MIR] twitter-bootstrap3 as dependency of mailman3

2019-06-03 Thread Eduardo dos Santos Barretto
On Mon, 2019-06-03 at 05:54 +, Christian Ehrhardt wrote:
> > - There are different versions of twitter-bootstrap in the archive, after some
> >   search we have that
> 
> [...]
> > It is used in mailman-website where you can manage lists. It is unclear to
> > me if the version 3 is a hard dependency.
> 
> Yes it is, I have checked with upstream already for the same reason
> (expect to be longer maintained) but the move seems to be non
> trivial.
> So for now it is a hard dependency on v3
> 

Thanks for confirming it!

> [...]
> 
> >   - No security relevant warnings or errors
> > dpkg-scanpackages: warning: Packages in archive but missing from override file:
> > dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy
> > dpkg-scanpackages: info: Wrote 1 entries to output Packages file.
> > E: twitter-bootstrap3 changes: bad-distribution-in-changes-file unstable
> > N: 4 tags overridden (1 error, 3 warnings)
> 
> [...]
> 
> > - Multiple (most from test code, which might be low priority)
> > NULL_RETURNS from Coverity analysis, mostly related to jquery.
> > 
> > 
> > Someone with better JS skills might want to check coverity results
> > before we ACK/NACK.
> > 
> > Christian could you please assign someone to take a look on those
> > warnings?
> 
> First of all thanks for the review Eduardo!
> Looking at your summary I wondered which warnings you meant.
> a) the few dpkg-scanpackage warnings
> b) the coverity report to be looked at with JS skills
> 

Sorry for not being so clear, the warnings here mean the coverity
report.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820226

Title:
  [MIR] twitter-bootstrap3 as dependency of mailman3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/twitter-bootstrap3/+bug/1820226/+subscriptions


[Bug 1820226] Re: [MIR] twitter-bootstrap3 as dependency of mailman3

2019-05-31 Thread Eduardo dos Santos Barretto
I reviewed twitter-bootstrap3 3.4.0+dfsg-4 as checked into eoan. This shouldn't
be considered a full audit but rather a quick gauge of maintainability.

twitter-bootstrap3 is an open source toolkit for developing with HTML, CSS, and
JS. 

- There are different versions of twitter-bootstrap in the archive, after some
  search we have that
  - twitter-bootstrap4: Highly maintained
  - twitter-bootstrap3: The 3.4.0 version landed in December 2018 and it shows
    that development is more focused in the 4.x version than in 3.x. See:
    https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
    After the 3.4.0 release we had 3.4.1 (Feb 2019) which fixed a security
    issue. So it seems that they are doing the minimum of giving at least
    security updates to version 3. (we might want to consider updating to 3.4.1)
    It is used in mailman-website where you can manage lists. It is unclear to
    me if the version 3 is a hard dependency.
- CVE History:
  - 7 open CVEs
  - 1 still open in eoan CVE-2019-8331 (fixed in version 3.4.1)
  - All CVEs are XSS
- Build-Depends
  - cssmin,
  - debhelper,
  - lcdf-typetools,
  - node-less,
  - node-source-map,
  - node-uglify,
  - pandoc
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No udev rules
- Unit tests found in js/tests/
  - unit/ contains the unit test files for each Bootstrap plugin
  - vendor/ contains jQuery
  - visual/ contains "visual" tests which are run interactively in real browsers
    and require manual verification
- No cron jobs
- Build logs:
  - No security relevant warnings or errors
    dpkg-scanpackages: warning: Packages in archive but missing from override file:
    dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy
    dpkg-scanpackages: info: Wrote 1 entries to output Packages file.
    E: twitter-bootstrap3 changes: bad-distribution-in-changes-file unstable
    N: 4 tags overridden (1 error, 3 warnings)

- Processes spawned
  - Mostly on Grunt, a javascript task runner that is embedded in this
    package, or documentation
- Memory management: looks like there's not much and it seems OK.
- No file IO
- Logging only in Grunt
- No use of environment variables
- No use of privileged functions
- No use of encryption
- No temp files
- No use of networking
- Makes use of WebKit
- No PolicyKit
- No shell scripts
- Multiple (most from test code, which might be low priority) NULL_RETURNS from
  Coverity analysis, mostly related to jquery.


Someone with better JS skills might want to check coverity results before we
ACK/NACK.

Christian could you please assign someone to take a look at those
warnings?

Attached goes the coverity output.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-8331

** Attachment added: "coverity-bootstrap.txt"
   
https://bugs.launchpad.net/ubuntu/+source/twitter-bootstrap3/+bug/1820226/+attachment/5268126/+files/coverity-bootstrap.txt

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820226

Title:
  [MIR] twitter-bootstrap3 as dependency of mailman3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/twitter-bootstrap3/+bug/1820226/+subscriptions


[Bug 1825572] Re: April 2019 Oracle CPU might also affect MariaDB

2019-05-15 Thread Eduardo dos Santos Barretto
Hi Otto,

You based your update on version 1:10.1.38-0ubuntu0.18.04.1.

We currently have in the archive version 1:10.1.38-0ubuntu0.18.04.2.

Could you please rebase your changes with what is in the archive?

Thanks in advance!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1825572

Title:
  April 2019 Oracle CPU might also affect MariaDB

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1825572/+subscriptions


[Bug 1825572] Re: April 2019 Oracle CPU might also affect MariaDB

2019-05-15 Thread Eduardo dos Santos Barretto
I will be handling it for the security team, thanks Otto.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1825572

Title:
  April 2019 Oracle CPU might also affect MariaDB

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1825572/+subscriptions


[Bug 1820212] Re: [MIR] python-aiosmtpd as dependency of mailman3

2019-05-13 Thread Eduardo dos Santos Barretto
I reviewed python-aiosmtpd version 1.2-3 as checked into eoan as of this
writing.

This shouldn't be considered a full audit but rather a quick gauge of
maintainability.

python-aiosmtpd is an asyncio based SMTP server.

- Last commit from March
- No CVE history
- Build-depends:
 - debhelper,
 - dh-python,
 - openssl,
 - python3-all,
 - python3-docutils,
 - python3-setuptools,
 - python3-sphinx
- postinst and prerm added automatically
- No init scripts
- No systemd services
- No DBus services
- No setuid
- Binaries in PATH:
 /usr/bin/aiosmtpd
- No sudo fragments
- No udev rules
- Some tests under aiosmtpd/tests/
 - FTBFS in Debian (from 2017). A test randomly fails, seems to be related to a
   possible race condition in test code. See:
   https://github.com/aio-libs/aiosmtpd/issues/133
 - test SMTP protocol
 - test SMTP over SSL/TLS
 - test server implementation
 - test LMTP protocol
- No cron jobs
- A lot of warnings in the build log:
 - Most warnings are about doc files
 - Some warnings that might be relevant to someone:
test_message (aiosmtpd.tests.test_handlers.TestAsyncMessage) ... 
/<>/.pybuild/cpython3_3.7_aiosmtpd/build/aiosmtpd/controller.py:64:
 PendingDeprecationWarning: Task.all_tasks() is deprecated, use 
asyncio.all_tasks() instead
test_setuid (aiosmtpd.tests.test_main.TestMain) ... 
/usr/lib/python3.7/asyncio/base_events.py:623: ResourceWarning: unclosed event 
loop <_UnixSelectorEventLoop running=False closed=False debug=False>
ResourceWarning: Enable tracemalloc to get the object allocation traceback
test_quit_with_arg (aiosmtpd.tests.test_smtp.TestSMTP) ... 
/usr/lib/python3.7/socket.py:660: ResourceWarning: unclosed 
ResourceWarning: Enable tracemalloc to get the object allocation traceback

- No subprocess spawned
- File IO only in setup_helpers.py (helper functions for setup.py).
  Path to file hardcoded in setup.py and conf.py.
- Not so much logging done, mainly in smtp.py
 - uses logging module for logging debug and info messages
 - uses warnings module for logging warnings
 - apparently no logging in case of errors
- Environment variable
 - makes use of the AIOSMTPD_CONTROLLER_TIMEOUT environment variable, expecting a
   float number
 - if the variable is not set, falls back to default '1.0'
 - no sanitization of input, but if a float number is not passed, will trigger
   exception
- setuid() server to 'nobody' user. This shouldn't be done, 'nobody' should be
  strictly used for NFS.
- Encryption
 - make use of SSL/TLS
- Networking
 - SMTP server listens on a port specified on command line, or default port
   8025.
- No WebKit
- No polkit
- No shell scripts
- No coverity issues

This is not an ACK or a NACK, we will keep waiting on the setuid to
'nobody' issue.

** Bug watch added: github.com/aio-libs/aiosmtpd/issues #133
   https://github.com/aio-libs/aiosmtpd/issues/133

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820212

Title:
  [MIR] python-aiosmtpd as dependency of mailman3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-aiosmtpd/+bug/1820212/+subscriptions

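The two python-aiosmtpd findings above that concern input and privilege handling (the unsanitized AIOSMTPD_CONTROLLER_TIMEOUT value and the setuid() to 'nobody'), sketched as an added example that is not part of the original message and is not aiosmtpd's own code. The `aiosmtpd` service account, the 60-second ceiling and all function names are assumptions made for illustration.

```python
import math
import os
import pwd

ENV_NAME = "AIOSMTPD_CONTROLLER_TIMEOUT"   # variable named in the review
DEFAULT_TIMEOUT = 1.0                      # default quoted in the review
MAX_TIMEOUT = 60.0                         # assumed ceiling, not from aiosmtpd
# Accounts a daemon must not drop to: 'root' keeps everything, and 'nobody'
# is shared, so every process running as it can signal the others and read
# their files.
SHARED_ACCOUNTS = frozenset({"root", "nobody"})


def controller_timeout(environ=os.environ):
    """Return the timeout in seconds, or raise ValueError with a clear message."""
    raw = environ.get(ENV_NAME)
    if raw is None or not raw.strip():
        return DEFAULT_TIMEOUT
    try:
        value = float(raw)
    except ValueError:
        raise ValueError(f"{ENV_NAME} is not a number: {raw!r}") from None
    # float() also accepts "nan", "inf" and negative numbers, none of which
    # is a usable timeout, so a bare float() call is not enough validation.
    if not math.isfinite(value) or not 0 < value <= MAX_TIMEOUT:
        raise ValueError(f"{ENV_NAME} out of range (0, {MAX_TIMEOUT}]: {raw!r}")
    return value


def resolve_service_account(name, lookup=pwd.getpwnam):
    """Map an account name to (uid, gid), refusing shared or privileged accounts."""
    if name in SHARED_ACCOUNTS:
        raise PermissionError(f"refusing to run as shared account {name!r}")
    try:
        entry = lookup(name)
    except KeyError:
        raise LookupError(f"service account {name!r} does not exist") from None
    if entry.pw_uid == 0:
        raise PermissionError(f"account {name!r} is uid 0")
    return entry.pw_uid, entry.pw_gid


def drop_privileges(name="aiosmtpd", lookup=pwd.getpwnam):
    """Drop from root to a dedicated account (hypothetical name 'aiosmtpd')."""
    uid, gid = resolve_service_account(name, lookup)
    if os.geteuid() != 0:
        raise PermissionError("must start as root to drop privileges")
    # Order matters: supplementary groups and gid can only be changed while
    # still root, so setuid() comes last.
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    # Confirm the drop cannot be undone before handling any network input.
    try:
        os.setuid(0)
    except PermissionError:
        return uid, gid
    raise RuntimeError("privilege drop was reversible")


if __name__ == "__main__":
    # Constructed inputs showing which values are accepted and rejected.
    for sample in ("2.5", "nan", "-1", "abc"):
        try:
            print(sample, "->", controller_timeout({ENV_NAME: sample}))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```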

[Bug 1823786] Re: [SRU] ffmpeg 3.4.6 for bionic

2019-04-30 Thread Eduardo dos Santos Barretto
** Changed in: ffmpeg (Ubuntu Bionic)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1823786

Title:
  [SRU] ffmpeg 3.4.6 for bionic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1823786/+subscriptions


[Bug 1823786] Re: [SRU] ffmpeg 3.4.6 for bionic

2019-04-29 Thread Eduardo dos Santos Barretto
Hey there,

we created a version based on 3.4.6 as asked, could you guys please run
some tests with it?

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=ffmpeg_filter=published_filter=

I appreciate it.
Thanks

** Changed in: ffmpeg (Ubuntu Bionic)
 Assignee: (unassigned) => Eduardo dos Santos Barretto (ebarretto)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1823786

Title:
  [SRU] ffmpeg 3.4.6 for bionic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1823786/+subscriptions


[Bug 1820211] Re: [MIR] python3-openid as dependency of mailman3

2019-04-25 Thread Eduardo dos Santos Barretto
I reviewed python3-openid version 3.1.0-1 as checked into disco as of this
writing.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.

python3-openid is a set of python packages to support use of the OpenID
decentralized identity system in your application.

- No development or commit in the last 2 years. Some open issues but only one
  might get us worried. A user asks if python 3.7 is supported (which is the
  current version of python in disco). There's not much info if the user saw an
  issue when running with python 3.7.
  https://github.com/necaris/python3-openid/issues/39
- No CVE history
- Build-depends:
 - dh-python,
 - python3-all,
 - python3-setuptools
- postinst and prerm added automatically
- No init scripts
- No dbus services
- No setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- Some tests under openid/test/
- No cron jobs
- No security relevant warnings:
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy 
sbuild-build-depends-python3-openid-dummy
dpkg-source: warning: extracting unsigned source package 
(python3-openid_3.1.0-1.dsc)
warning: no files found matching 'NOTICE'
warning: no files found matching 'CHANGELOG'
warning: no files found matching 'README.md' under directory 'examples'
warning: no files found matching '*.css' under directory 'doc'
warning: no files found matching '*.html' under directory 'doc'
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy 
sbuild-build-depends-lintian-dummy sbuild-build-depends-python3-openid-dummy


- Subprocess spawned in contrib/openid-parse, it spawns "xsel -o -b"
- File IO
 - a few file operations, look safe
- Logging
 - logging in case of error or warning
 - uses logging module for logging errors and warning module for warnings
 - look safe
- No environment variables (only in examples)
- No privileged operations
- Networking
 - SQLite3 connection
 - MySQL connection
 - PostgreSQL connection
 - fetches http request with pycurl
 - parses html
- Encryption
 - makes use of pycurl for fetching http requests
- No WebKit
- No PolicyKit
- No shell scripts

- Coverity analysis:
 1. False positive
python3-openid-3.1.0/openid/fetchers.py:360
  Checker: REVERSE_INULL
python3-openid-3.1.0/openid/fetchers.py:356:
  deref: Accessing a property of "headers".
python3-openid-3.1.0/openid/fetchers.py:360:
  check_after_deref: Null-checking "headers" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.

 2. Test code, so considering it low
python3-openid-3.1.0/openid/test/__init__.py:170
  Checker: UNREACHABLE
python3-openid-3.1.0/openid/test/__init__.py:170:
  unreachable: This code cannot be reached: "return django.test.simple.r...".

 3. Test code, so considering it low
python3-openid-3.1.0/openid/test/test_association_response.py:331
  Checker: FORWARD_NULL
python3-openid-3.1.0/openid/test/test_association_response.py:330:
  1. path: Condition "ret === None", taking true branch.
python3-openid-3.1.0/openid/test/test_association_response.py:330:
  2. null_check: Comparing "ret" to a null-like value implies that "ret" might be null-like.
python3-openid-3.1.0/openid/test/test_association_response.py:331:
  3. property_access: Accessing a property of null-like value "ret".

 4. Test code, so considering it low
python3-openid-3.1.0/openid/test/trustroot.py:42
  Checker: FORWARD_NULL
python3-openid-3.1.0/openid/test/trustroot.py:40:
  1. path: Condition "tr === None", taking true branch.
python3-openid-3.1.0/openid/test/trustroot.py:40:
  2. null_check: Comparing "tr" to a null-like value implies that "tr" might be null-like.
python3-openid-3.1.0/openid/test/trustroot.py:42:
  3. property_access: Accessing a property of null-like value "tr".


To sum up:

1. It would be nice if someone could verify the python issue.
2. Will we want to support a project that might have halted development or be 
abandoned?

So before the ACK or NACK we would appreciate if someone could answer
those questions.

Thanks

** Bug watch added: github.com/necaris/python3-openid/issues #39
   https://github.com/necaris/python3-openid/issues/39

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820211

Title:
  [MIR] python3-openid as dependency of mailman3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3-openid/+bug/1820211/+subscriptions


[Bug 1825055] Re: hard disk faliure

2019-04-17 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1825055

Title:
  hard disk faliure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1825055/+subscriptions


[Bug 1822418] Re: grub-efi

2019-04-16 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1822418

Title:
  grub-efi

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub-installer/+bug/1822418/+subscriptions


[Bug 1823786] Re: [SRU] ffmpeg 3.4.6 for bionic

2019-04-16 Thread Eduardo dos Santos Barretto
** Changed in: ffmpeg (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1823786

Title:
  [SRU] ffmpeg 3.4.6 for bionic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ffmpeg/+bug/1823786/+subscriptions


[Bug 1821957] Re: Turning off a monitor unlocks the computer

2019-04-15 Thread Eduardo dos Santos Barretto
** Information type changed from Private Security to Public Security

** Changed in: ubuntubudgie
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1821957

Title:
  Turning off a monitor unlocks the computer

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntubudgie/+bug/1821957/+subscriptions


[Bug 1824530] Re: Heap Buffer Overflow in UzpPassword

2019-04-15 Thread Eduardo dos Santos Barretto
** Changed in: unzip (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1824530

Title:
  Heap Buffer Overflow in UzpPassword

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1824530/+subscriptions


[Bug 1824817] Re: Security breach with CRTL+ALT+F7

2019-04-15 Thread Eduardo dos Santos Barretto
*** This bug is a duplicate of bug 1806961 ***
https://bugs.launchpad.net/bugs/1806961

** This bug has been marked a duplicate of bug 1806961
   Lock can be circumvented by switching tty when using lightdm

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1824817

Title:
  Security breach with CRTL+ALT+F7

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1824817/+subscriptions


[Bug 1824604] Re: how to install ubuntu on predator helios

2019-04-15 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1824604

Title:
  how to install ubuntu on predator helios

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1824604/+subscriptions


[Bug 1824678] Re: package libqt5svg5:amd64 5.11.1-2 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration

2019-04-15 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1824678

Title:
  package libqt5svg5:amd64 5.11.1-2 failed to install/upgrade: package
  is in a very bad inconsistent state; you should  reinstall it before
  attempting configuration

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtsvg-opensource-src/+bug/1824678/+subscriptions


[Bug 1824679] Re: package phpmyadmin 4:4.5.4.1-2ubuntu2.1 failed to install/upgrade: подпроцесс установлен сценарий post-removal возвратил код ошибки 10

2019-04-15 Thread Eduardo dos Santos Barretto
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1824679

Title:
  package phpmyadmin 4:4.5.4.1-2ubuntu2.1 failed to install/upgrade:
  подпроцесс установлен сценарий post-removal возвратил код ошибки 10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/phpmyadmin/+bug/1824679/+subscriptions


[Bug 1819912] Re: CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

2019-03-26 Thread Eduardo dos Santos Barretto
Thanks Etienne,

Updated version was released for trusty, xenial, bionic and cosmic.

Thanks again for the testing and for providing the debdiffs.

Any problems just let us know.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1819912

Title:
  CVE-2019-9628 XML parser class fails to trap exceptions on malformed
  XML declaration

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912/+subscriptions


[Bug 1819912] Re: CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

2019-03-25 Thread Eduardo dos Santos Barretto
Hi Etienne,

Yes it helps, also any other usage cases that you can run will be much
appreciated.

Thanks,
Eduardo


[Bug 1819912] Re: CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

2019-03-21 Thread Eduardo dos Santos Barretto
Hi Etienne,

I would appreciate it if you could run some tests with the binaries that
you can find below:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=xmltooling_filter=published_filter=

Thanks


[Bug 1819912] Re: CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

2019-03-21 Thread Eduardo dos Santos Barretto
Hi Etienne,

Thanks for taking the time to report this bug and helping to make Ubuntu
better.

I will be sponsoring it.
I will be back to you later today and I would appreciate it if you could run some
tests on the built .debs.

Thanks again


[Bug 1819912] Re: CVE-2019-9628 XML parser class fails to trap exceptions on malformed XML declaration

2019-03-21 Thread Eduardo dos Santos Barretto
** Changed in: xmltooling (Ubuntu Bionic)
 Assignee: (unassigned) => Eduardo dos Santos Barretto (ebarretto)

** Changed in: xmltooling (Ubuntu Bionic)
   Status: Confirmed => In Progress

** Also affects: xmltooling (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: xmltooling (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: xmltooling (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: xmltooling (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: xmltooling (Ubuntu Trusty)
 Assignee: (unassigned) => Eduardo dos Santos Barretto (ebarretto)

** Changed in: xmltooling (Ubuntu Xenial)
 Assignee: (unassigned) => Eduardo dos Santos Barretto (ebarretto)

** Changed in: xmltooling (Ubuntu)
 Assignee: Eduardo dos Santos Barretto (ebarretto) => (unassigned)

