[Bug 2060992] Re: aws: Guest kernel support for clean boot on demand
The ACPICA patch is merged upstream: https://github.com/acpica/acpica/commit/b3496dece6de2709373ad7338698ce91dec5215d So I've reposted the kernel patches to reference the ACPICA commit ID: https://lore.kernel.org/lkml/20240412073530.496-1-dw...@infradead.org/ As before, the full set of patches is at https://git.infradead.org/users/dwmw2/linux.git/shortlog/refs/heads/psci-hibernate https://git.infradead.org/users/dwmw2/linux.git/shortlog/refs/heads/psci-hibernate-6.8 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2060992 Title: aws: Guest kernel support for clean boot on demand To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-aws/+bug/2060992/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1968790] Re: Webview for SAML does not allow Duo to use a Yubikey
NetworkManager-openconnect issues would be at https://gitlab.gnome.org/GNOME/NetworkManager-openconnect but most of the hard thinking ends up on the openconnect side. So what is the best solution here? The external browser mode is useful because we get the full features of Chrome/Firefox and then the resulting SSO token is encrypted and passed back to the VPN client. But that HPKE encryption and the connection back over http://localhost:29786/ is kind of awful. The embedded browser mode avoids that because we are in control, and we can see the token directly as we're running the browser within our own NM-openconnect authentication GUI process. But obviously doesn't work for the openconnect CLI, as the external-browser mode does. Should we (can we) implement a Firefox/Chrome plugin to exfiltrate cookies, which might give us a way to do this "embedded mode" with a *real* browser? Or should we just go and implement webauthn/CTAP2 support in WebKit?
[Bug 1968790] Re: Webview for SAML does not allow Duo to use a Yubikey
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html#Cisco_Reference.dita_07f4a7eb-b660-4a09-844c-c3ed481aebc0
[Bug 1968790] Re: Webview for SAML does not allow Duo to use a Yubikey
Can we take this to https://gitlab.com/openconnect/openconnect/-/issues please? I think you want to enable the "external browser" support which we added in OpenConnect 9.01. cf. https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/webvpn-configure-users.html#topic_3D9C418D1A6D489FBC88F760215AFD26
[Bug 1969734] Re: [Jammy] NetworkManager-openconnect 1.2.6 not compatible with openconnect 8.20
We considered this a regression in OpenConnect and it is fixed in the 9.01 release. We also made NetworkManager more resilient but don't wait for that. ** Also affects: openconnect (Ubuntu) Importance: Undecided Status: New
[Bug 1934980] Re: NetworkManager does not use openconnect GlobalProtect VPN's DNS
What does "nmcli con show" say for the offending connection? Does NM know the DNS server? Is this just a case of Ubuntu's NM not working correctly with its systemd DNS setup? If you connect with openconnect on the command line and add the `-v` option, do you see DNS servers? I have a feeling Ubuntu's vpnc-script may not be working correctly for DNS either, so I'm less interested in whether it *works* and asking for the debug output.
[Bug 1870745] Re: Routes not being added by nm-openconnect-server-openconnect-helper
Can you file this upstream at https://gitlab.com/OpenConnect/OpenConnect/issues please?
Re: [Bug 1647285] Re: SSL trust not system-wide
On Thu, 2020-03-19 at 09:44 +, Olivier Tilloy wrote:
> It looks like symlinking firefox and thunderbird's own copies of
> libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to
> fix this bug, as far as Mozilla's products are concerned.
>
> Before I proceed to doing this, I'd welcome comments from the security
> team on this approach though, as I suspect I don't understand all the
> implications.
>
> (an alternative would be building firefox/thunderbird against the
> system-wide nss, but firefox currently requires 3.50, which isn't yet in
> focal, and I suspect that requirement is being bumped often, so that
> wouldn't really work with our distribution model)

Right, don't bother trying to replace NSS just for this (although really, having a single version of NSS on the system *would* be nice). The interface to libnssckbi.so is a standard PKCS#11 library, and it's perfectly reasonable to replace that in each of firefox/thunderbird/chromium individually.
Re: [Bug 1857624] Re: Option Protocol gp (Palo Alto GlobalProtect) missing on GUI
Rather than the hard-coded GP support, it would be better to merge the later fix which just gets the list of protocols directly from libopenconnect.
[Bug 1609700]
Now https://gitlab.gnome.org/GNOME/gnome-shell/issues/2105 -- https://bugs.launchpad.net/bugs/1609700 Title: username is not saved in openconnect connection dialog
[Bug 1609700]
*** Bug 1705711 has been marked as a duplicate of this bug. ***
[Bug 1609700]
According to https://bugs.launchpad.net/bugs/1609700 this bug has reoccurred in f30.
[Bug 1609700]
Please test the Fedora 30 build with that commit reverted, at https://koji.fedoraproject.org/koji/taskinfo?taskID=36857342
[Bug 1609700]
I wonder if this regression is caused by https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=009f7560867e939 ?
[Bug 1609700]
That build seems not to fix it. I tried to build locally to bisect, but can't seem to get the local build to work at all. May have to leave this to the NM maintainers.
[Bug 1838838] Re: username is not saved in openconnect connection dialog
** Package changed: network-manager-openconnect (Ubuntu) => gnome-shell (Ubuntu)
[Bug 1838838] Re: username is not saved in openconnect connection dialog
I moved it to NetworkManager because that's where the regression is. There's not a lot we can do about it in NetworkManager-openconnect.
[Bug 1838838] Re: username is not saved in openconnect connection dialog
** Package changed: network-manager-openconnect (Ubuntu) => network-manager (Ubuntu)
[Bug 1647285] Re: SSL trust not system-wide
@kvasko yes, it works here. Are you sure that's the version of libnssckbi.so that is being used? There are lots; I've replaced them all...
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
I have worked out the problem with the new NetworkManager which required me to set ipv4.dns-priority=-1 (which, in turn, messes things up for those with fresh installs that don't get the new NetworkManager).

The new NM sets ipv4.dns-search=~. automatically for full-tunnel VPNs but it doesn't also set ipv4.dns-priority=-1. This means that any DNS domain on a local network which isn't also explicitly matched by the VPN config, is considered "more specific" and gets used instead of the VPN. This is wrong; NetworkManager should also set ipv4.dns-priority=-1 for full-tunnel VPNs.

The reason this was consistently problematic for our users is that we have set up /etc/dhcp/dhclient.conf to *override* the domains given by the local network to include the root of our corporate AD domain "DOM.COMPANY.COM", because various non-FQDN hostnames in AD would otherwise cause problems.

This realisation does give me a way out of my current problem, until a newer version of NM correctly sets the priority automatically. Instead of manually configuring ipv4.dns-priority=-1 and breaking things for older NM, I can manually configure ipv4.dns-search=dom.company.com;company.com which works for everyone. And there *are* no other search domains which get leaked now, because our DHCP config doesn't let them get discovered.

(Deliberately ignoring RDNSS here because if you live in the 21st century and have IPv6, you still get to use that anyway even when you're on a full-tunnel Legacy IP VPN. Nobody tell the IT folks please.)
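A simplified model of the resolver selection described in the message above, added here as an illustration (it is not NetworkManager code and not from the bug thread). The link names, sample hostnames and the longest-match rule as coded are assumptions of the model; 50 for VPNs and 100 for other connections are NetworkManager's documented default priorities.

```python
"""Toy model of per-connection DNS selection for a full-tunnel VPN.

Added illustration only: it mirrors the behaviour described in the message
(most specific domain wins; a negative dns-priority excludes other links)
and is not taken from NetworkManager's source.
"""
from dataclasses import dataclass

DEFAULT_VPN_PRIORITY = 50     # documented NetworkManager default for VPNs
DEFAULT_LINK_PRIORITY = 100   # documented default for other connections


@dataclass(frozen=True)
class Link:
    name: str
    domains: tuple            # search/routing domains; "~." routes every name
    priority: int
    is_vpn: bool = False


def match_length(qname, domain):
    """Number of labels of `domain` that match `qname`, or -1 for no match."""
    d = domain.lstrip("~").strip(".").lower()
    q = qname.strip(".").lower()
    if d == "":
        return 0              # "~." matches everything but is least specific
    if q == d or q.endswith("." + d):
        return len(d.split("."))
    return -1


def eligible(links):
    """A negative priority excludes links with a numerically greater value."""
    lowest = min(link.priority for link in links)
    if lowest < 0:
        return [link for link in links if link.priority == lowest]
    return list(links)


def select_link(qname, links):
    """Return the link whose domain is the most specific match for qname.

    Assumption of this model: on equal specificity the link with the
    lower priority value is preferred.
    """
    best, best_len = None, -1
    for link in sorted(eligible(links), key=lambda l: l.priority):
        for dom in link.domains:
            n = match_length(qname, dom)
            if n > best_len:
                best, best_len = link, n
    return best


def leaked(qnames, links):
    """Names that would be resolved by something other than the VPN."""
    out = []
    for q in qnames:
        chosen = select_link(q, links)
        if chosen is None or not chosen.is_vpn:
            out.append(q)
    return out


# Constructed sample data: the local network advertises the corporate
# domain (as with the dhclient.conf override described in the message).
LOCAL = Link("wifi", ("dom.company.com",), DEFAULT_LINK_PRIORITY)
VPN_AUTO = Link("vpn", ("~.",), DEFAULT_VPN_PRIORITY, is_vpn=True)
VPN_PINNED = Link("vpn", ("~.",), -1, is_vpn=True)
QUERIES = ("intranet.dom.company.com", "www.example.org")

if __name__ == "__main__":
    print("dns-search=~. only:     leaked =", leaked(QUERIES, [LOCAL, VPN_AUTO]))
    print("plus dns-priority=-1:   leaked =", leaked(QUERIES, [LOCAL, VPN_PINNED]))
```

With only `~.` on the VPN, the corporate name is claimed by the local link's more specific domain; with the negative priority the local link is not consulted at all.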
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Any word on when this CVE will be fixed? In the meantime I have put the 1.10.14-0ubuntu2 package into an apt repository at http://david.woodhou.se/cve-2018-1000135/ for users who need it. I couldn't work out how to copy it into a PPA without rebuilding it. In the short term can someone please at least confirm that no new update will be shipped for Bionic which *doesn't* fix this, so that I don't have to play games with keeping a package in that repository "newer" than the latest in bionic-updates?
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
> That's weird, do you understand why? The update was deleted so you should be
> back to initial
> situation, we had no change to the previous package build

Other package changes? Certainly systemd-resolver although we don't use that (because of a previous VPN DNS leak problem) we use dnsmasq. My original thought was that it was the VPN config change that we'd made to cope with the new NM, but testing seems to show it isn't that. Now we have a failure mode which some people had *occasionally* reported before, where even VPN lookups which *must* go to the VPN, for the company domain, are not. This was just occasional before; now it seems to happen all the time. I haven't done a thorough investigation since just putting the updated NM back has been enough to fix it.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Do we have any idea when this will be fixed? Most of my users used to get away with the DNS leakage and it was "only" a security problem but stuff actually worked. Then the NM and other updates were shipped, we set ipv4.dns-priority=-1 and ipv4.dns-search=~. and it all worked fine. Then the NM update was pulled, and new installations aren't working at all, even if we don't set the DNS config as described. There's nothing that works for us except "dig out the package that has now been unpublished, and install that". An ETA for having this properly working again would be very much appreciated.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
@ddstreet We don't use systemd-resolver here. It's fairly trivial to set up a VPN service; the openconnect 'make check' uses ocserv automatically, for example. You shouldn't have difficulty reproducing this locally.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
And (in case any of my colleagues are paying attention and inclined to do it before the next time I get to spend any real time in front of a computer, next week), without the dns-priority and dns-search settings that made it work again after the recent NM update.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Till, you want that for the case where dnsmasq is being used and is misbehaving?
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
On the 1.10.14 regression simply making those dns-priority/dns-search settings the *default* behaviour for a full-tunnel VPN would appear to be the correct thing to do (i.e. use the DNS of a full-tunnel VPN for *all* lookups), and I think it should resolve the problems people were seeing.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Dammit, "completely unnecessary in bionic but inherited from xenial"...
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
On the switch to using dnsmasq: that decision predates my tenure so I have limited visibility. I can try to get our IT team to expend effort in moving to systemd-resolved and see what breaks. It may even be completely unnecessary in xenial, and is merely inherited to make our bionic setups less different. I completely agree with the general observation that they should be filing bugs upstream and not working around them. But if I tell them that, I suspect they're going to point at this security regression in Xenial that still isn't fixed 14 months later, and tell me that working around things locally is much more effective. Right now, I don't know that I can tell them they're wrong. Let's show them the process works, *then* I'll tell them they have to use it :)
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
This is Bionic. After last week's update to 1.10.14-0ubuntu2 all my VPN users (who are using dnsmasq) reported that DNS stopped working for them while they were on the VPN. Some internal names were looked up correctly, others weren't. I resolved it for them as follows:

$ sudo nmcli con modify "$COMPANY VPN" ipv4.dns-priority -1 ipv4.dns-search ~.

This matches the observations I made in comment #18 on 2019-02-04. I believe that with 1.10.6 all $company.com DNS did get sent to the VPN and it was lookups outside the company search domains which were leaked. So it was mostly functional, but insecure. Since 1.10.14 it got worse and many (but not all) of the $company.com lookups are being leaked too. Which is a functional problem.

(For Xenial, my advice to users has been the same since March 2018 when this ticket was first filed: tell apt to hold network-manager_1.2.2-0ubuntu0.16.04.4_amd64.deb and don't let it get updated until/unless the regression is fixed.)
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
We aren't using systemd-resolver for various historical reasons; we are using dnsmasq which should be expected to work. It isn't, but we have manually added the dns-priority=-1;dns-search=~. settings which make it work, as an emergency deployment when the latest NM update broke things for everyone.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
These systems are using dnsmasq not systemd-resolver. This was done for historical reasons; I'm not sure of the specific bug which caused that choice.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
I am receiving reports that it isn't fixed in 18.04 either. Users are still seeing DNS lookups on the local network, until they manually edit the VPN config to include:

[ipv4]
dns-priority=-1
dns-search=~.;

I thought that wasn't going to be necessary?
[Bug 543183]
Are you referring to my comment 16? You do need your distribution to ship p11-kit-trust.so in place of Mozilla's libnssckbi.so, so it has a consistent set of trusted CAs with the rest of the system. -- https://bugs.launchpad.net/bugs/543183 Title: Updating system certificates requires rebuild
Re: [Bug 1824312] Re: segfault connecting to cisco vpn
On Thu, 2019-04-11 at 09:45 +, J Prino wrote:
> I agree however there's no 8.02 version for openconnect (disco). Can
> libopenconnect be fixed?

You are using *different* versions of openconnect vs. libopenconnect. By all means update them both. Together. But don't try to run different builds of each. We provide a stable ABI from libopenconnect to "external" projects like NetworkManager-openconnect. But openconnect itself, the command-line tool, uses "private" data structures which are not part of that stable ABI. That's why it complains when it's run against a different version of libopenconnect to the one that was built at the same time. Get rid of the old versions, rebuild, install openconnect *and* libopenconnect together, and it should be fine.
Re: [Bug 1824312] [NEW] segfault connecting to cisco vpn
On Thu, 2019-04-11 at 09:09 +, J Prino wrote:
> NetworkManager WARNING: This version of openconnect is v8.02-1 but
> NetworkManager the libopenconnect library is v8.02

I stopped reading here :)

> kernel openconnect[30840]: segfault at 1 ip 7f5b62cda521
> sp 7ffd5496df88 error 4 in libc-2.29.so[7f5b62b79000+173000]
[Bug 1822467] Re: OpeonConnect fails with generic TLS Fatal Alert Error
Er, the latter. On request from the reporter, after he attached a tcpdump. I've deleted that and made it public again. And also granted you permissions on the gitlab project so you should be able to see it anyway (amongst other things).
[Bug 1822467] Re: OpeonConnect fails with generic TLS Fatal Alert Error
Is this https://gitlab.com/openconnect/openconnect/issues/21 ? ** Bug watch added: gitlab.com/openconnect/openconnect/issues #21 https://gitlab.com/openconnect/openconnect/issues/21
[Bug 1821055] [NEW] CSD validation doesn't work with DNS round-robin
Public bug reported:
OpenConnect 8.02 fixes an issue with so-called Cisco Secure Desktop. The client is supposed to post a report to the VPN server, but DNS round-robin sometimes means that the report is posted to a server other than the one which OpenConnect is actually trying to log into. This is causing frequent and hard-to-diagnose issues with login when CSD is in use. Please could you update.
** Affects: openconnect (Ubuntu) Importance: Undecided Status: New
[Bug 1764047] Re: Unable to switch realm on authentication dialog
There are other important fixes in 8.0x including for CVE-2018-20319 and the CSD handling to make it resilient to round-robin DNS changes. A simple update to 8.02 might be the better option.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20319
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
@seb128 please see "In 16.04 the NetworkManager package used to carry this patch..." in the bug description above.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Is there a 16.04 package? This was a regression there caused by an earlier update. I have users reporting the same bizarre behaviour I wasn't able to clearly describe before — essentially, DNS being sent out seemingly random interfaces (sometimes VPN, sometimes local). My advice to just install this package *and* manually set dns-priority=-1,dns-search=~. and get on with life even though you really shouldn't have to manually set the latter, doesn't work for the 16.04 users... And yes, when other things stop being on fire I need to undo those settings and try to work out what's going wrong. We aren't using systemd-resolve here because historically it also hasn't worked right while dnsmasq did.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Not sure what happened there. It was looking up *some* names in the $COMPANY.com domain on the VPN, but others not, consistently. I couldn't see a pattern. I have manually set ipv4.dns-search="~." and ipv4.dns-priority=-1 and now it does seem to be behaving. However, this shouldn't be necessary. This VPN has non-split routing and shouldn't it have non-split DNS too, by default? I shouldn't have to change the configuration, just to get back to the secure behaviour which used to work.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
Hm, that didn't last long. Now it isn't looking up *anything* in the VPN domains. It's all going to the local VPN server. I don't know what changed.
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
network-manager-1.10.14-0ubuntu1 does seem to fix the DNS problem here; thanks.
[Bug 1647285] Re: SSL trust not system-wide
Any progress on fixing this?
[Bug 1764877] Re: glamorgl Xv causes xvimagesink failure
** Description changed: - On Ubuntu 16.04 with xserver-xorg-1:7.7+13ubuntu3, xvimagesink fails for + On Ubuntu 16.04 with xorg-server-hwe-16.04-1.19.5, xvimagesink fails for certain sizes of image. Originally seen when receiving a meeting screen share in Pidgin, reproducible as follows: $ gst-launch-1.0 -v videotestsrc ! video/x-raw,width=905,height=720 ! xvimagesink The problem is actually in glamor_xv.c, fixed by the following upstream patch: https://cgit.freedesktop.org/xorg/xserver/commit/?id=12a6b189fb17894d2c3851b70a396bbf41f444c6
[Bug 1764877] Re: glamorgl Xv causes xvimagesink failure
** Description changed: - On Ubuntu 16.04 with xserver-xorg-2:1.17.2-2, xvimagesink fails for + On Ubuntu 16.04 with xserver-xorg-1:7.7+13ubuntu3, xvimagesink fails for certain sizes of image. Originally seen when receiving a meeting screen share in Pidgin, reproducible as follows: $ gst-launch-1.0 -v videotestsrc ! video/x-raw,width=905,height=720 ! xvimagesink The problem is actually in glamor_xv.c, fixed by the following upstream patch: https://cgit.freedesktop.org/xorg/xserver/commit/?id=12a6b189fb17894d2c3851b70a396bbf41f444c6
[Bug 1764877] [NEW] glamorgl Xv causes xvimagesink failure
Public bug reported:
On Ubuntu 16.04 with xserver-xorg-2:1.17.2-2, xvimagesink fails for certain sizes of image. Originally seen when receiving a meeting screen share in Pidgin, reproducible as follows:
$ gst-launch-1.0 -v videotestsrc ! video/x-raw,width=905,height=720 ! xvimagesink
The problem is actually in glamor_xv.c, fixed by the following upstream patch: https://cgit.freedesktop.org/xorg/xserver/commit/?id=12a6b189fb17894d2c3851b70a396bbf41f444c6
** Affects: xorg-server (Ubuntu) Importance: Undecided Status: New
** Tags: patch xenial
[Bug 1762710] [NEW] gnutls_server_name_set() doesn't honour input length
Public bug reported:
gnutls_server_name_set(sess, GNUTLS_NAME_DNS, "stophere.please", 8);
Length 8. That's supposed to set the SNI to "stophere". It doesn't in 16.04's 3.4.10-4ubuntu1.4
See attached test case. This was supposed to be fixed upstream with commit c1334fee5ee, I thought.
** Affects: gnutls28 (Ubuntu) Importance: Undecided Status: New
** Attachment added: "test case" https://bugs.launchpad.net/bugs/1762710/+attachment/5109245/+files/dtls.c
[Bug 1754671] Re: Full-tunnel VPN DNS leakage regression
This is CVE-2018-1000135. For some reason the 'Link to CVE' option above doesn't seem to work. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000135
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000135
[Bug 1754671] [NEW] Full-tunnel VPN DNS leakage regression
*** This bug is a security vulnerability ***
Public security bug reported:
In 16.04 the NetworkManager package used to carry this patch: http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch
It fixed the DNS setup so that when I'm on the VPN, I am not sending unencrypted DNS queries to the (potentially hostile) local nameservers. This patch disappeared in an update. I think it was present in 1.2.2-0ubuntu0.16.04.4 but was dropped some time later.
This security bug exists upstream too: https://bugzilla.gnome.org/show_bug.cgi?id=746422 It's not a *regression* there though, as they didn't fix it yet (unfortunately!)
** Affects: network-manager (Ubuntu) Importance: High Status: Confirmed
** Tags: regression-update xenial
** Information type changed from Private Security to Public Security
[Bug 666446] Re: NetworkManager VPN should offer an option to use *only* VPN nameservers
I don't think this should be considered a 'feature request'. If you have a full-tunnel VPN, your employer will *expect* all your network traffic to go via the VPN as if you were dialled directly into the corporate network. Allowing some of the DNS traffic to "escape" to be seen by potentially malicious local DNS servers is utterly wrong.
In particular I don't agree this is a 'feature request' for 16.04 because it *used* to work there. You fixed it once with this patch: http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch
That patch got dropped in an update, so this isn't just a security problem but also a regression in 16.04.
cf. https://bugzilla.gnome.org/show_bug.cgi?id=746422 https://bugzilla.redhat.com/show_bug.cgi?id=1553634
** Bug watch added: GNOME Bug Tracker #746422 https://bugzilla.gnome.org/show_bug.cgi?id=746422
** Bug watch added: Red Hat Bugzilla #1553634 https://bugzilla.redhat.com/show_bug.cgi?id=1553634
[Bug 1752176] [NEW] Voice calls fail without gst-plugins-bad installed
Public bug reported:
Pidgin requires the "liveadder" element from gstreamer1.0-plugins-bad, and has no error handling for the case where it isn't present: https://developer.pidgin.im/ticket/17290 Perhaps the package should depend on gstreamer1.0-plugins-bad to avoid this failure mode.
** Affects: pidgin (Ubuntu) Importance: Undecided Status: New
[Bug 1751038] Re: Labelled buttons missing from Pidgin search dialogs
** Patch added: "0001-Ensure-labelled-buttons-are-shown-for-search-results.patch" https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1751038/+attachment/5060326/+files/0001-Ensure-labelled-buttons-are-shown-for-search-results.patch
[Bug 1751039] Re: Search results in finch updated incorrectly
** Patch added: "0001-Fix-Finch-search-results-display-17238.patch" https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1751039/+attachment/5060327/+files/0001-Fix-Finch-search-results-display-17238.patch
[Bug 1751046] [NEW] Pidgin rewrites buddy icons on each startup
Public bug reported:
Every time Pidgin starts up, it rewrites all the buddy icon files for no good reason. Fixed in 2.13 by #17259: https://developer.pidgin.im/ticket/17259
** Affects: pidgin (Ubuntu) Importance: Undecided Status: New
** Description changed: Every time Pidgin starts up, it rewrites all the buddy icon files for no good reason. - Fixed in 2.13 by #17259: https://developer.pidgin.im/ticket/17238 + Fixed in 2.13 by #17259: https://developer.pidgin.im/ticket/17259
[Bug 1751037] Re: Mute status not updated
** Patch added: "0001-Pidgin-Indicate-mute-unmute-status-when-changed-remo.patch" https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1751037/+attachment/5060325/+files/0001-Pidgin-Indicate-mute-unmute-status-when-changed-remo.patch
[Bug 1751046] Re: Pidgin rewrites buddy icons on each startup
** Patch added: "0001-Do-not-rewrite-custom-buddy-icons-already-in-the-cac.patch" https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1751046/+attachment/5060328/+files/0001-Do-not-rewrite-custom-buddy-icons-already-in-the-cac.patch
[Bug 1751039] [NEW] Search results in finch updated incorrectly
Public bug reported:
Finch doesn't clear the previous search results when they are updated in real time. Fixed upstream by #17238: https://developer.pidgin.im/ticket/17238 Please could you pull this fix into the packages, even if 2.13 isn't released in time.
** Affects: pidgin (Ubuntu) Importance: Undecided Status: New
[Bug 1751037] [NEW] Mute status not updated
Public bug reported:
When I am on an audio call and the remote end mutes me, that is not correctly displayed in the local UI. Fixed in Pidgin 2.13 by #17273: https://developer.pidgin.im/ticket/17273 Please could you pull this fix into the packages, even if 2.13 isn't released in time.
** Affects: pidgin (Ubuntu) Importance: Undecided Status: New
[Bug 1751038] [NEW] Labelled buttons missing from Pidgin search dialogs
Public bug reported:
Pidgin fails to display buttons with custom labels in search dialogs. Fixed in 2.13 by #17188: https://developer.pidgin.im/ticket/17188 (by cherry-picking an existing fix from the master branch for #14821). Please could you pull this fix into the packages, even if 2.13 isn't released in time.
** Affects: pidgin (Ubuntu) Importance: Undecided Status: New
[Bug 1710626] [NEW] Cannot use non-ASCII password on certificate
Public bug reported:
This ought to work, but doesn't:
$ openconnect -v -c ~/git/openconnect/tests/certs/user-key-nonascii-password.p12 facebook.com --key-password ĂŻ
POST https://facebook.com/
Attempting to connect to server 31.13.92.36:443
Connected to 31.13.92.36:443
Using certificate file /home/local/ANT/dwmw/git/openconnect/tests/certs/user-key-nonascii-password.p12
Failed to process PKCS#12 file: The given password contains invalid characters.
Loading certificate failed: No certificate found in file
Loading certificate failed. Aborting.
Failed to open HTTPS connection to facebook.com
Failed to obtain WebVPN cookie
** Affects: softhsm2 (Ubuntu) Importance: Undecided Status: New
[Bug 1710626] Re: Cannot use non-ASCII password on certificate
The above was on Ubuntu 16.04 with 3.4.10-4ubuntu1.3
[Bug 1710618] [NEW] SoftHSM2 package doesn't provide p11-kit module file
Public bug reported:
PKCS#11 modules should generally install a module file for p11-kit so that they appear automatically to applications. (cf. https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/1649796 ) The SoftHSM2 package doesn't do this. Amongst other things, this causes 'make check' to fail when building OpenConnect.
** Affects: softhsm2 (Ubuntu) Importance: Undecided Status: New
[Bug 1647285] Re: SSL trust not system-wide
cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180 https://lists.freedesktop.org/archives/p11-glue/2013-June/000331.html
** Bug watch added: Debian Bug tracker #741005 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005
** Bug watch added: Debian Bug tracker #704180 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180
[Bug 420411] Re: vpn connection handshake times out too soon
This appears to still be broken in 16.04.
[Bug 1647285] Re: SSL trust not system-wide
I believe NSS wants these patches backported from 3.30: https://bugzilla.mozilla.org/show_bug.cgi?id=1334976 Firefox has its own copy of NSS which I think as of Firefox 54 should be fine. Thunderbird also needs fixing, I think.
** Bug watch added: Mozilla Bugzilla #1334976 https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
** Also affects: thunderbird (Ubuntu) Importance: Undecided Status: New
[Bug 1647285] Re: SSL trust not system-wide
I believe we need to update p11-kit to v0.23.4 to make the key pinning work correctly in the recommended configuration, by adding the CKA_NSS_MOZILLA_CA_POLICY attribute. https://bugs.freedesktop.org/show_bug.cgi?id=99453 https://bugzilla.mozilla.org/show_bug.cgi?id=1324096
** Bug watch added: freedesktop.org Bugzilla #99453 https://bugs.freedesktop.org/show_bug.cgi?id=99453
** Bug watch added: Mozilla Bugzilla #1324096 https://bugzilla.mozilla.org/show_bug.cgi?id=1324096
** Also affects: p11-kit (Ubuntu) Importance: Undecided Status: New
[Bug 1673015] Re: openconnect config file import cannot handle "(null)" values
https://git.gnome.org/browse/network-manager-openconnect/commit/?id=f58893e15fc7
[Bug 1673015] Re: openconnect config file import cannot handle "(null)" values
Arguably the problem here is that you have, literally, "(null)" as the string in the config file. IF you have a file with that name, you should be permitted to use that. This is a bug in the *EXPORT* not the import. We shouldn't (ideally) special-case that filename on import. Although we might now have to, purely for compatibility.
[Bug 1666623] [NEW] Windows disappear on disconnecting external monitor
Public bug reported:
When I undock my laptop and the external displays are disconnected, sometimes the windows which were on those displays end up on my laptop's internal display. This is useful. Often, however, they don't. I can still see them in the panel, and I can click on them to bring them back... but nothing happens. They are somewhere off-screen and I cannot find any way to recover those windows except to kill the application and restart it. Often when this happens, even redocking the laptop and bringing those displays back doesn't actually get the windows back — those monitors are empty when they come back, or have only a subset of the "missing" windows. This is an HP EliteBook 850 G3 running Ubuntu 16.04.
** Affects: compiz-plugins-main (Ubuntu) Importance: Undecided Status: New
[Bug 1664934] Re: Public key's random art is not displayed correctly
I think this is already fixed as part of https://bugzilla.gnome.org/show_bug.cgi?id=770880 isn't it?
** Bug watch added: GNOME Bug Tracker #770880 https://bugzilla.gnome.org/show_bug.cgi?id=770880
[Bug 1500826] Re: Missing --no-dtls option
If it really is resolved by using --no-dtls then show output with DTLS enabled and with '-vv' on the command line. Make sure you're using up-to-date GnuTLS and OpenConnect though.
[Bug 1651847] [NEW] Cannot decrypt S/MIME messages
Public bug reported:
In Ubuntu 16.04 with Evolution 3.18, I obtained a new S/MIME cert from Comodo and sent myself an encrypted email. Evolution can't decrypt its own message, reporting 'Could not parse S/MIME message: security library: invalid algorithm. (-8186) - Decoder failed'. The same message could be decrypted OK by Evolution 3.22 on Fedora 25. A reply sent from there could also not be decrypted by Ubuntu's version.
** Affects: evolution (Ubuntu) Importance: Undecided Status: New
[Bug 1651451] Re: NSS Shared System Database non-functional
This of course means that even if I wanted to work around bug 1647285 (where apps using NSS don't honour the system SSL trust settings) by manually adding the company certs to /etc/pki/nssdb, applications can't even use *that*...
[Bug 1651451] [NEW] NSS Shared System Database non-functional
Public bug reported:

Ubuntu 16.04 appears to ship with libnsssysinit.so configured in /etc/pki/nssdb as it should be, but the library isn't *present*. So when applications such as Evolution attempt to open it, they fail:

  (evolution:20974): camel-WARNING **: Failed to initialize NSS SQL database in sql:/etc/pki/nssdb: NSS error -8126

For background, see https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX and https://wiki.mozilla.org/NSS_Shared_DB

** Affects: nss (Ubuntu) Importance: Undecided Status: New
[Bug 1648901] Re: SPNEGO crash on mechanism failure
Yes, that fixes the crash. Thanks.
[Bug 1648901] Re: SPNEGO crash on mechanism failure
On 16.04. Apologies, I looked but couldn't see where Launchpad expects me to enter that information.
[Bug 1648901] Re: SPNEGO crash on mechanism failure
Sure, I can attempt to test. It needs Kerberos to fail, while another mechanism is possible. So fix up the packaging errors noted in bug 1648898 so that GSS-NTLMSSP is actually registered properly, then just

  KRB5CCNAME=/dev/null google-chrome $SOME_URL_WHICH_USES_NEGOTIATE_AUTH
[Bug 1643566] Re: [i915_bpo] Intermittent display outage with external monitor
Not sure if this is a related issue. HP 850 G3 laptop with docking station, external VGA connected. If the display blanks for more than an instant, the external display doesn't come back on until I undock and redock.

This is OK:

  $ xset dpms force off; xset dpms force on

This, on the other hand, leaves me with no external display:

  $ xset dpms force off; sleep 0.1 ; xset dpms force on

Also possibly related or the same problem: if I dock with the VGA cable unplugged, and plug the VGA cable in, the external display is detected. Unplug, and it goes away. Plug it in for a second time and it's not detected again until I undock and redock, just like after a screen blank.

This persists after updating to 4.8.0-32-generic #34~16.04.1-Ubuntu
[Bug 1609700] Re: username is not saved in openconnect connection dialog
This is actually a NetworkManager bug. As noted in bug 1648905 it's fixed upstream by https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=nm-1-2=bb45adeda0bf427ada23b09daf970b0757e82d60 ** Also affects: network-manager (Ubuntu) Importance: Undecided Status: New ** Bug watch added: Red Hat Bugzilla #1332491 https://bugzilla.redhat.com/show_bug.cgi?id=1332491 ** Also affects: fedora via https://bugzilla.redhat.com/show_bug.cgi?id=1332491 Importance: Unknown Status: Unknown
[Bug 1648905] Re: VPN username and settings not saved
*** This bug is a duplicate of bug 1609700 *** https://bugs.launchpad.net/bugs/1609700 Actually, this is probably a duplicate of bug 1609700 ** This bug has been marked a duplicate of bug 1609700 username is not saved in openconnect connection dialog
[Bug 1648905] Re: VPN username and settings not saved
When do we get a fix for 16.04?
[Bug 1649796] [NEW] Missing p11-kit module file for opensc-pkcs11.so
Public bug reported:

I inserted my Yubikey, ensured that the opensc-pkcs11 package was installed, and attempted to connect to the VPN as described at http://www.infradead.org/openconnect/pkcs11.html

  $ openconnect -c 'pkcs11:manufacturer=piv_II;id=%01' vpn.example.com

It didn't work. The OpenSC package is missing the p11-kit .module file which should live in $(pkg-config --variable=p11_module_configs p11-kit-1) and tell applications how to find it. Once I create the missing module file, things start to work correctly.

** Affects: opensc (Ubuntu) Importance: Undecided Status: New
[Bug 1649270] Re: Crash in gnutls_x509_privkey_import_pkcs8()
Testing on Fedora (GnuTLS 3.5.7) shows that GnuTLS returns the wrong error code in this situation but doesn't crash. So probably a separate bug: https://bugzilla.redhat.com/show_bug.cgi?id=1404192 ** Bug watch added: Red Hat Bugzilla #1404192 https://bugzilla.redhat.com/show_bug.cgi?id=1404192
[Bug 1649270] Re: Crash in gnutls_x509_privkey_import_pkcs8()
And indeed openconnect fails too:

  $ openconnect -c tests/certs/ec-cert.pem -k tests/certs/ec-key-pkcs8-pbes2-sha1.pem auth.startssl.com

It doesn't show up in the openconnect 'make check' because adding '--key-password password' to the command line actually fixes it; it's something to do with the password callback or decryption attempt loop.
[Bug 1649270] Re: Crash in gnutls_x509_privkey_import_pkcs8()
Without debugging symbols I can at least strace it. The last file opened was openconnect/tests/certs/ec-key-pkcs8-pbes2-sha1.pem
[Bug 1649227] Re: TPM support
Isn't that true of Kerberos too? Or do you not build with GSSAPI support either? I really ought to add that to 'openconnect --version' output. Perhaps when addressing the OpenSSL 1.1 build problems, we could port it to GnuTLS instead?
[Bug 1649270] [NEW] Crash in gnutls_x509_privkey_import_pkcs8()
Public bug reported:

  $ git clone git://git.infradead.org/users/dwmw2/openconnect.git
  $ nm-connection-editor

Add a Wifi connection, use EAP-TLS and click the button to select a private key. Navigate to the openconnect/tests/certs/ directory. Watch it segfault instead of displaying the contents of that directory in the file browser.

  Thread 1 "nm-connection-e" received signal SIGSEGV, Segmentation fault.
  __memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161
  161 ../sysdeps/x86_64/multiarch/memset-avx2.S: No such file or directory.
  (gdb) bt
  #0 __memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161
  #1 0x71ddff1d in gnutls_memset () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
  #2 0x71e13a96 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
  #3 0x71e1673f in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
  #4 0x71e17d6e in gnutls_x509_privkey_import_pkcs8 () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
  #5 0x76ccdc48 in ?? () from /usr/lib/x86_64-linux-gnu/libnm.so.0
  #6 0x76c8c3e5 in ?? () from /usr/lib/x86_64-linux-gnu/libnm.so.0
  #7 0x76c8c4ff in ?? () from /usr/lib/x86_64-linux-gnu/libnm.so.0
  #8 0x76cc7fc3 in nm_utils_file_is_private_key () from /usr/lib/x86_64-linux-gnu/libnm.so.0
  #9 0x00440913 in ?? ()
  #10 0x7742f6a1 in gtk_file_filter_filter () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
  #11 0x77432135 in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
  #12 0x77432aae in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
  #13 0x77432ccc in ?? () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
  #14 0x768f8237 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
  #15 0x7692eb43 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
  #16 0x7692eb79 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
  #17 0x7638d05a in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0

Apologies for lack of debugging symbols; it wasn't clear how to install those. And it's trivially reproducible on Ubuntu 16.04.

** Affects: gnutls28 (Ubuntu) Importance: Undecided Status: New
[Bug 1647285] Re: SSL trust not system-wide
The Mozilla bugs you link are a bit of a red herring. They refer to an abortive attempt by Mozilla/NSS to have a 'shared system database' in sql:/etc/pki/nssdb. The idea is that applications specify that as their NSS database and although it's obviously read-only, it automatically adds the user's database from ~/.pki/nssdb as a writeable token. This gets a step towards consistency for all NSS-using applications — but as those bugs note, not even Mozilla's own products are actually using it. You should support that anyway, but it isn't the focus of this bug. The fix here (which has been working in Fedora for years, since you ask for existing approaches) is to replace NSS's built-in trust root module libnssckbi.so with a symlink to p11-kit-trust.so. Then you get the system's configured trust roots, instead of whatever's hard-coded into that particular instance of libnssckbi.so (and you're shipping multiple potentially different ones of those!)
[Bug 1649227] [NEW] TPM support
Public bug reported:

Please enable TPM and Yubikey support in the OpenConnect build.

  $ openconnect -c .key.pem -k .key.tss vpn.example.com
  POST https://vpn.example.com/
  Attempting to connect to server [fec0::1]:443
  This version of OpenConnect was built without TPM support
  Loading certificate failed. Aborting.

** Affects: openconnect (Ubuntu) Importance: Undecided Status: New
[Bug 1648898] Re: Installed package does not work
Even when I fix that so the module gets loaded, it still doesn't seem to work.

  $ KRB5CCNAME=/dev/null curl -v --negotiate -u : $SERVER
  ...
  > GET / HTTP/1.1
  > Authorization: Negotiate YEAGBisGAQUFAqA2MDSgDjA...
  ...
  < HTTP/1.1 401 Unauthorized
  * gss_init_sec_context() failed: Not a user credential type.
  < WWW-Authenticate: Negotiate oYIBDzCCAQugAwoBAaEMBgorBgEEAY...

What should happen here, of course, is that the request is resubmitted with the NTLMSSP response:

  > Authorization: Negotiate oYIBxTCCAcGgAwoBAaKCAaQEg

But gss-ntlmssp bailed out with that 'Not a user credential type' error. I'm testing with a simple $NTLM_USER_FILE set; not via winbind.
[Bug 1648905] [NEW] VPN username and settings not saved
Public bug reported: The OpenConnect VPN auth-dialog doesn't remember usernames and other settings. See discussion (and fix) in https://bugzilla.redhat.com/show_bug.cgi?id=1332491 ** Affects: network-manager (Ubuntu) Importance: Undecided Status: New
[Bug 1648901] [NEW] SPNEGO crash on mechanism failure
Public bug reported:

Chrome (and other things) crash when Kerberos fails to authenticate: https://bugs.chromium.org/p/chromium/issues/detail?id=554905

This was fixed in MIT krb5 in January: https://github.com/krb5/krb5/pull/385

  Thread 22 "Chrome_IOThread" received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x7fffdd687700 (LWP 14851)]
  spnego_gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=0x0, src_name=0x7fffdd685670, targ_name=0x7fffdd685668, lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685660, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730, opened=0x7fffdd68572c) at ../../../../src/lib/gssapi/spnego/spnego_mech.c:2315
  2315 ../../../../src/lib/gssapi/spnego/spnego_mech.c: No such file or directory.
  (gdb) bt
  #0 spnego_gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=0x0, src_name=0x7fffdd685670, targ_name=0x7fffdd685668, lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685660, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730, opened=0x7fffdd68572c) at ../../../../src/lib/gssapi/spnego/spnego_mech.c:2315
  #1 0x7fffef72be54 in gss_inquire_context (minor_status=0x7fffdd68573c, context_handle=, src_name=0x7fffdd685788, targ_name=0x7fffdd685750, lifetime_rec=0x7fffdd685738, mech_type=0x7fffdd685780, ctx_flags=0x7fffdd685734, locally_initiated=0x7fffdd685730, opened=0x7fffdd68572c) at ../../../../src/lib/gssapi/mechglue/g_inq_context.c:114

** Affects: krb5 (Ubuntu) Importance: Undecided Status: New
[Bug 1648898] [NEW] Installed package does not work
Public bug reported:

The gss-ntlmssp package installs a file in /etc/gss/mech.d which is supposed to make it get loaded. It doesn't work for two reasons. Firstly, it gets completely ignored because its filename doesn't end in ".conf". Secondly, it contains an incorrect entry for the shared library path. So we end up doing this:

  stat("/usr/lib/x86_64-linux-gnu/gss/${prefix}/lib/x86_64-linux-gnu/gssntlmssp/gssntlmssp.so", 0x7ffca5870a90) = -1 ENOENT (No such file or directory)

** Affects: gss-ntlmssp (Ubuntu) Importance: Undecided Status: New
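Both packaging faults in the report above (a mech.d file without the ".conf" suffix, and a library path carrying a literal ${prefix}) can be caught by a small linter. This is an added example, not part of the bug report or of the gss-ntlmssp package; the "name OID library" field layout, the sample filename mech.ntlmssp and the sample entry are assumptions constructed for illustration.

```python
import os
import tempfile

# Plugin directory taken from the stat() call in the report; a library path
# that is not absolute ends up looked up beneath it.
DEFAULT_PLUGIN_DIR = "/usr/lib/x86_64-linux-gnu/gss"


def lint_mech_dir(mech_dir, plugin_dir=DEFAULT_PLUGIN_DIR):
    """Return a list of (filename, problem) tuples for a GSS mech.d directory."""
    findings = []
    for name in sorted(os.listdir(mech_dir)):
        path = os.path.join(mech_dir, name)
        if not os.path.isfile(path):
            continue
        # Fault 1 from the report: files not ending in ".conf" are ignored.
        if not name.endswith(".conf"):
            findings.append((name, "ignored: filename does not end in .conf"))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                fields = line.split()
                # Assumed layout: <name> <oid> <shared library> [options]
                if len(fields) < 3:
                    findings.append(
                        (name, f"line {lineno}: expected name, OID and library"))
                    continue
                lib = fields[2]
                # Fault 2 from the report: a build-time variable left unexpanded.
                if "${" in lib:
                    findings.append(
                        (name, f"line {lineno}: unexpanded variable in {lib}"))
                resolved = lib if os.path.isabs(lib) else os.path.join(plugin_dir, lib)
                if not os.path.exists(resolved):
                    findings.append(
                        (name, f"line {lineno}: library not found: {resolved}"))
    return findings


def demo():
    """Lint a constructed mech.d directory that reproduces both faults."""
    with tempfile.TemporaryDirectory() as tmp:
        mech_dir = os.path.join(tmp, "mech.d")
        os.mkdir(mech_dir)
        # Constructed sample: filename and entry are illustrative only.
        with open(os.path.join(mech_dir, "mech.ntlmssp"), "w") as fh:
            fh.write("# constructed sample entry\n")
            fh.write("gssntlmssp_v1 1.3.6.1.4.1.311.2.2.10 "
                     "${prefix}/lib/x86_64-linux-gnu/gssntlmssp/gssntlmssp.so\n")
        return lint_mech_dir(mech_dir)


if __name__ == "__main__":
    for filename, problem in demo():
        print(f"{filename}: {problem}")
```

The "library not found" path it reports for the sample entry is the same path the stat() call in the report was made on.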
[Bug 893024] Re: Support 802.1x auth requirement detection and fallback
https://bugzilla.gnome.org/show_bug.cgi?id=723084 ** Bug watch added: GNOME Bug Tracker #723084 https://bugzilla.gnome.org/show_bug.cgi?id=723084
[Bug 1648616] Re: Firefox uses its own version of NSS, incompatible with system version
Setting aside the wisdom of that response, and my surprise at discovering that the distribution even *permits* you to ship your own copy of certain libraries — *especially* security-critical libraries — in your own package instead of using the system's version doesn't that mean you should be shipping your own version of things like certutil and modutil, given that you now not only have your own copy of the libraries, but you even have a speshul different database format to the one that the system NSS uses, so you aren't even compatible with /usr/bin/certtool.
[Bug 1648634] [NEW] opencryptoki breaks p11-kit
Public bug reported:

When opencryptoki is installed, it creates a symlink from /etc/pkcs11 to /var/lib/opencryptoki, which is readable only by root. This means that anything using p11-kit to find the PKCS#11 modules which are configured to be available in the system (which is basically any well-behaved application) now breaks:

  $ openconnect -c 'pkcs11:token=eToken;id=%01' server.example.com
  POST https://server.example.com/
  Attempting to connect to server [fec0::1]:443
  p11-kit: couldn't open config file: /etc/pkcs11/pkcs11.conf: Permission denied
  Error loading certificate from PKCS#11: PKCS #11 initialization error.
  Loading certificate failed. Aborting.

  $ p11tool --list-tokens
  p11-kit: couldn't open config file: /etc/pkcs11/pkcs11.conf: Permission denied
  pkcs11_init: PKCS #11 initialization error.

** Affects: opencryptoki (Ubuntu) Importance: Undecided Status: New ** Affects: p11-kit (Ubuntu) Importance: Undecided Status: New ** Also affects: p11-kit (Ubuntu) Importance: Undecided Status: New
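The failure reported above comes from a symlink that redirects a world-readable config path into a root-only directory; a check that resolves the symlink and inspects each path component finds the blocking directory. This is an added example, not part of the bug report or of p11-kit; the 0700 mode, the temporary tree and the stop_at parameter are assumptions constructed so that it runs without touching /etc.

```python
import os
import stat
import tempfile


def blocking_component(path, stop_at="/"):
    """Return the first component of the symlink-resolved path that users
    outside the owner and group cannot traverse (directory) or read (file),
    or None when every component below stop_at is world-accessible.
    Only the "other" permission bits are checked; ACLs are not considered."""
    real = os.path.realpath(path)
    stop = os.path.realpath(stop_at)
    chain = []
    cur = real
    while cur != stop and cur != os.path.dirname(cur):
        chain.append(cur)
        cur = os.path.dirname(cur)
    # Walk top-down so nothing beneath an inaccessible directory is stat()ed.
    for comp in reversed(chain):
        mode = os.stat(comp).st_mode
        if stat.S_ISDIR(mode):
            if not mode & stat.S_IXOTH:
                return comp
        elif not mode & stat.S_IROTH:
            return comp
    return None


def demo():
    """Rebuild the reported layout in a temporary tree (constructed sample):
    etc/pkcs11 is a symlink to var/lib/opencryptoki, which is mode 0700."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        target = os.path.join(root, "var", "lib", "opencryptoki")
        os.makedirs(target)
        os.makedirs(os.path.join(root, "etc"))
        for d in ("var", os.path.join("var", "lib"), "etc"):
            os.chmod(os.path.join(root, d), 0o755)
        conf = os.path.join(target, "pkcs11.conf")
        with open(conf, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(conf, 0o644)
        os.symlink(target, os.path.join(root, "etc", "pkcs11"))
        cfg = os.path.join(root, "etc", "pkcs11", "pkcs11.conf")

        os.chmod(target, 0o700)            # state described in the report
        before = blocking_component(cfg, stop_at=root)
        os.chmod(target, 0o755)            # directory made traversable
        after = blocking_component(cfg, stop_at=root)
        return (os.path.relpath(before, root) if before else None, after)


if __name__ == "__main__":
    print(demo())
```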
[Bug 1648616] Re: Firefox uses its own version of NSS, incompatible with system version
** Also affects: thunderbird (Ubuntu) Importance: Undecided Status: New