[Bug 1474971] [NEW] missing parameter to status in upstart pre-stop script which is not needed regardless

2015-07-15 Thread J G Miller
Public bug reported:

PRETTY_NAME="Ubuntu 14.04.2 LTS"
SUPPORT_URL="http://help.ubuntu.com/"
VERSION="14.04.2 LTS, Trusty Tahr"

Package: xinetd
Origin: Ubuntu
Maintainer: Ubuntu Core Developers 
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Version: 1:2.3.15-3ubuntu1

In the provided upstart configuration file /etc/init/xinetd.conf, there
is the pre-stop script

pre-stop script
  xinetd_pid=$(status | awk '/stop\/pre-stop/ { print $NF }')
  [ -n "${xinetd_pid}" ] || exit 0
  kill -QUIT "${xinetd_pid}"
end script

The status command as written will always echo the message

status: missing job name
Try `status --help' for more information.

which will go to stderr and so the variable xinetd_pid will always be
blank.

This is because the jobname parameter has been omitted from the status
command and thus the xinetd process is never killed.

Therefore the line should read

 xinetd_pid=$(status xinetd | awk '/stop\/pre-stop/ { print $NF }')

However because xinetd is running in non-daemon mode, upstart knows the
pid of the running xinetd so successfully kills it.

Therefore the pre-stop script, which is broken, is not needed regardless,
and after removing the pre-stop script and testing with start, stop,
status and checking with ps, the xinetd process is successfully stopped
and started, demonstrating that this snippet should be removed because
it is broken and pointless.

** Affects: xinetd (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to xinetd in Ubuntu.
https://bugs.launchpad.net/bugs/1474971

Title:
  missing parameter to status in upstart pre-stop script which is not
  needed regardless

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xinetd/+bug/1474971/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
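
The failure described in the report above, reproduced as an added example (not part of the bug report or of the xinetd package). Upstart is not assumed to be installed, so `status` is a stand-in shell function; its output line and the PID 4242 are constructed, following Upstart's "job goal/state, process PID" format.

```shell
#!/bin/sh
# Stand-in for Upstart's status command, used only so this runs anywhere.
# With no job name it prints the error quoted in the report to stderr and
# fails; with one it prints a constructed status line.
status() {
    if [ $# -eq 0 ]; then
        echo "status: missing job name" >&2
        echo "Try \`status --help' for more information." >&2
        return 1
    fi
    echo "$1 stop/pre-stop, process 4242"   # constructed sample PID
}

# The line as shipped in /etc/init/xinetd.conf. $(...) captures stdout
# only, the error goes to stderr, and awk sees empty input.
pid_as_shipped() {
    status | awk '/stop\/pre-stop/ { print $NF }'
}

# The corrected line from the report.
pid_corrected() {
    status xinetd | awk '/stop\/pre-stop/ { print $NF }'
}

# Mirrors the script's guard: an empty PID leads to "exit 0", so the
# missing argument is reported as success and kill -QUIT is never reached.
pre_stop_outcome() {
    pid=$("$1")
    [ -n "${pid}" ] || { echo "skipped: no pid, exit 0"; return 0; }
    echo "would run: kill -QUIT ${pid}"
}

pre_stop_outcome pid_as_shipped
pre_stop_outcome pid_corrected
```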


[Bug 1335137] [NEW] libsasl2-dev does not include pkg-config file libsasl2.pc

2014-06-27 Thread J G Miller
Public bug reported:

PRETTY_NAME="Ubuntu 14.04 LTS"
VERSION="14.04, Trusty Tahr"

Package: libsasl2-dev
Origin: Ubuntu
Maintainer: Ubuntu Developers 
Source: cyrus-sasl2
Version: 2.1.25.dfsg1-17build1
Description: Cyrus SASL - development files for authentication abstraction library
Original-Maintainer: Debian Cyrus SASL Team 



The libsasl2-dev package does not include a much needed pkg-config file
libsasl2.pc

/usr/lib/pkgconfig/libsasl2.pc

Please include pkg-config .pc files in all (as appropriate) dev
packages.


Also consider that version 2.1.26 has been available for nearly 18 months

from http://www.cyrusimap.org/mediawiki/index.php/Downloads

cyrus-sasl-2.1.26.tar.gz    5098 KB    2012-11-19 12:00:00h

but Ubuntu is still stuck on version 2.1.25 from 2011-09-13

** Affects: cyrus-sasl2 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1335137

Title:
  libsasl2-dev does not include pkg-config file libsasl2.pc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1335137/+subscriptions



[Bug 1325674] [NEW] w3m supports insecure cypher suites

2014-06-02 Thread J G Miller
*** This bug is a security vulnerability ***

Public security bug reported:


PRETTY_NAME="Ubuntu 14.04 LTS"
VERSION="14.04, Trusty Tahr"

Package: w3m
Priority: optional
Section: text
Origin: Ubuntu
Maintainer: Ubuntu Developers 
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Version: 0.5.3-15
Supported: 5y

Using w3m to visit the site



reveals the following security issue --

QUOTE

 Insecure Cipher Suites
 Bad

 Your client supports cipher suites that are known to be insecure:

  * TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_DHE_DSS_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_DHE_RSA_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_EXPORT_WITH_RC4_40_MD5: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.

UNQUOTE

** Affects: w3m (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: security vulnerability

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to w3m in Ubuntu.
https://bugs.launchpad.net/bugs/1325674

Title:
  w3m supports insecure cypher suites

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674/+subscriptions



[Bug 1302886] [NEW] w3m -- ssl security check reveals flaws

2014-04-04 Thread J G Miller
*** This bug is a security vulnerability ***

Public security bug reported:


PRETTY_NAME="Ubuntu 13.10"
VERSION="13.10, Saucy Salamander"

Package: w3m
Origin: Ubuntu
Maintainer: Ubuntu Developers 
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Architecture: i386
Multi-Arch: foreign
Version: 0.5.3-11


Using w3m to browse the SSL checking site

 https://www.howsmyssl.com/

reveals the following two security issues --


Version
Improvable

Your client is using TLS 1.1. It would be better to be TLS 1.2, but at
least it isn't susceptible to the BEAST attack. But, it also doesn't
have the AES-GCM cipher suite available.


Insecure Cipher Suites
Bad

Your client supports cipher suites that are known to be insecure:

  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_DHE_DSS_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_DHE_RSA_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_RSA_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.

** Affects: w3m (Ubuntu)
 Importance: Undecided
 Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to w3m in Ubuntu.
https://bugs.launchpad.net/bugs/1302886

Title:
  w3m -- ssl security check reveals flaws

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1302886/+subscriptions



[Bug 1205875] Re: apparmor.d profile for usr.sbin.ntpd -- access to samba gencache and capability block_suspend

2013-09-22 Thread J G Miller
Serge Hallyn asked "Can you show your ntp configuration?"

Here is the /etc/ntp.conf file


#/*#
#|
#|  file : /etc/ntp.conf.net
#|
#*---*#
#
restrict    192.168.11.0    mask 255.255.255.0  nomodify notrap
#
restrict    192.168.11.12
#
restrict    127.0.0.1
#
#.#
#
logconfig   =clockall +peerall +syncall +sysall
#
#.#
#
driftfile   /var/log/ntpd/ntpstats/ntp.drift
#
logfile /var/log/ntpd/ntpd.log
#
statsdir    /var/log/ntpd/ntpstats/
#
#.#
#
statistics  clockstats loopstats peerstats
#
filegen clockstats  file clockstats type day    enable
filegen loopstats   file loopstats  type day    enable
filegen peerstats   file peerstats  type day    enable
#
#.#
#
server  another_host.my_local_domain
#
server  127.127.1.0
fudge   127.127.1.0 stratum 10
#
#*#


where another_host.my_local_domain is the FQDN of my ntp server on another 
machine on my internal network 192.168.11.0 so there are no overt references to 
SAMBA hosts, BUT nsswitch.conf has


#*#
#|
#|  file : /etc/nsswitch.conf
#|
#*---*#
#
group:  compat
passwd: compat
shadow: compat
#
#.#
#
hosts:  files   mdns4_minimal   [NOTFOUND=return]   wins    nis dns mdns4
#
networks:   nis files
#
#.#
.#
files ... etc

which may explain why CIFS/SAMBA becomes involved.

Also, as a footnote, gencache.tdb is present and world readable, but
obviously not world writeable

 ll /run/samba/gencache.tdb

416 -rw-r--r-- 1 root root 425984 2013-09-22 10:37 /run/samba/gencache.tdb

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1205875

Title:
  apparmor.d profile for usr.sbin.ntpd -- access to samba gencache and
  capability block_suspend

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1205875/+subscriptions



[Bug 1205875] [NEW] apparmor.d profile for usr.sbin.ntpd -- access to samba gencache and capability block_suspend

2013-07-28 Thread J G Miller
Public bug reported:

PRETTY_NAME="Ubuntu quantal (12.10)"
VERSION="12.10, Quantal Quetzal"

Package: ntp
Priority: optional
Section: net
Installed-Size: 1384
Origin: Ubuntu
Maintainer: Ubuntu Developers 
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Architecture: i386
Version: 1:4.2.6.p3+dfsg-1ubuntu5

In the system auth log files and dmesg the following apparmor messages
are seen --

type=1400 audit(1375004313.012:40): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/run/samba/gencache.tdb" pid=2540 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

type=1400 audit(1375004313.016:41): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540 comm="ntpd" pid=2540 comm="ntpd" capability=36  capname="block_suspend"

type=1400 audit(1375004322.652:42): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540 comm="ntpd" pid=2540 comm="ntpd" capability=36  capname="block_suspend"


Does ntpd really need WRITE privileges on /run/samba/gencache.tdb?
Should not READ be sufficient?

Also why does ntpd need block_suspend capability?

At a minimum read access to the gencache should be enabled for ntp in
its profile, and probably read+write in the samba profile which is also
missing for usr.sbin.smbd in the samba 2:3.6.6-3ubuntu5 package.

** Affects: ntp (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1205875

Title:
  apparmor.d profile for usr.sbin.ntpd -- access to samba gencache and
  capability block_suspend

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1205875/+subscriptions
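
An added example, not part of the bug report: a small awk-based summariser for AppArmor "DENIED" audit records, run over the three records quoted in the report above. It groups denials by profile and by file path or capability, which is the view needed when deciding what a profile such as usr.sbin.ntpd should allow. The function names are illustrative.

```shell
#!/bin/sh
# The three records from the report, one record per line.
sample_log() {
cat <<'EOF'
type=1400 audit(1375004313.012:40): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/run/samba/gencache.tdb" pid=2540 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=1400 audit(1375004313.016:41): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540 comm="ntpd" pid=2540 comm="ntpd" capability=36  capname="block_suspend"
type=1400 audit(1375004322.652:42): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540 comm="ntpd" pid=2540 comm="ntpd" capability=36  capname="block_suspend"
EOF
}

# Read audit lines on stdin and print "count profile kind target mask",
# one line per distinct denial, sorted.
summarise_denials() {
    awk '
    # Value of key="value" or key=value in the current record, unquoted.
    # The leading space keeps "name" from matching inside "capname".
    function field(key,   rec, s) {
        rec = " " $0
        if (!match(rec, " " key "=(\"[^\"]*\"|[^ ]*)")) return ""
        s = substr(rec, RSTART, RLENGTH)
        sub(/^ [^=]*=/, "", s)
        gsub(/"/, "", s)
        return s
    }
    /apparmor="DENIED"/ {
        if (field("operation") == "capable")
            k = field("profile") " capability " field("capname") " -"
        else
            k = field("profile") " file " field("name") " " field("denied_mask")
        n[k]++
    }
    END { for (k in n) print n[k], k }
    ' | sort
}

sample_log | summarise_denials
```

In the file denial the mask "wc" stands for write and create, so the summary shows one write/create attempt on gencache.tdb and two block_suspend capability requests.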



[Bug 691737] Re: Dangling symlinks in /usr/lib/odbc created by installing unixodbc -- missing library files

2011-01-12 Thread J G Miller
Thank you for your response and the good news that this bug has been
fixed in a later release.

As far as I am aware the dangling symlinks are not causing a problem
with the functionality of the package.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to unixodbc in ubuntu.
https://bugs.launchpad.net/bugs/691737

Title:
  Dangling symlinks in /usr/lib/odbc created by installing unixodbc --
  missing library files



[Bug 691737] [NEW] Dangling symlinks in /usr/lib/odbc created by installing unixodbc -- missing library files

2010-12-17 Thread J G Miller
Public bug reported:

Binary package hint: unixodbc


  Ubuntu 10.04 LTS (Lucid Lynx):

  Package: unixodbc
  Architecture: i386
  Version: 2.2.11-21

Package unixodbc claims to contain the files libnn.so and libodbctxt.so,
but after installing the package, the directory

 /usr/lib/odbc

contains two dangling symbolic links

0 lrwxrwxrwx 1 root root 14 2010-06-03 21:51 libnn.so -> libnn.so.1.0.0
0 lrwxrwxrwx 1 root root 19 2010-06-03 21:51 libodbctxt.so -> libodbctxt.so.1.0.0

apt-file search indicates that no package contains libnn.so.1.0.0 or
libodbctxt.so.1.0.0, so either

1) the package unixodbc should contain these library files and does not
because the packager forgot to include them in building the deb package

or

2) the package unixodbc should not create these symbolic links to
non-existent library files

** Affects: unixodbc (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to unixodbc in ubuntu.
https://bugs.launchpad.net/bugs/691737

Title:
  Dangling symlinks in /usr/lib/odbc created by installing unixodbc --
  missing library files
