[Bug 1559600] Re: crash in libcrypto.so.1.0.0

2016-03-25 Thread Tyler Hicks
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvpn in Ubuntu.
https://bugs.launchpad.net/bugs/1559600

Title:
  crash in libcrypto.so.1.0.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1559600/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1554556] Re: dhclient crashes during startup

2016-03-23 Thread Tyler Hicks
Closing based on comment #7.

** Changed in: isc-dhcp (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: bind9 (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in Ubuntu.
https://bugs.launchpad.net/bugs/1554556

Title:
  dhclient crashes during startup

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1554556/+subscriptions



[Bug 1549609] Re: Stack Corruption in PCRE 8.35

2016-02-26 Thread Tyler Hicks
Thanks for the bug report, Craig. We are aware of the issues fixed in
8.38 but we've prioritized them as 'low' since the issues require
software that passes untrusted regexes to PCRE. We don't feel like this
is common usage of PCRE.

We track these issues in the Ubuntu CVE Tracker:

  http://people.canonical.com/~ubuntu-security/cve/pkg/pcre3.html

** Information type changed from Private Security to Public Security

** Package changed: php5 (Ubuntu) => pcre3 (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1549609

Title:
  Stack Corruption in PCRE 8.35

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcre3/+bug/1549609/+subscriptions



[Bug 1546455] Re: Many instances of 'apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0' in syslog

2016-02-18 Thread Tyler Hicks
Committed upstream: https://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3375

** Also affects: apparmor
   Importance: Undecided
   Status: New

** Changed in: apparmor
   Importance: Undecided => Medium

** Changed in: apparmor
   Status: New => Fix Committed

** Changed in: apparmor
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1546455

Title:
  Many instances of 'apparmor="DENIED" operation="create"
  profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec"
  sock_type="dgram" protocol=0' in syslog

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1546455/+subscriptions



[Bug 1546455] Re: Many instances of 'apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0' in syslog

2016-02-18 Thread Tyler Hicks
Passed QRT's test-apparmor.py in a Xenial amd64 VM.

** Patch added: "apparmor_2.10-3ubuntu2.debdiff"
   https://bugs.launchpad.net/apparmor/+bug/1546455/+attachment/4574878/+files/apparmor_2.10-3ubuntu2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1546455

Title:
  Many instances of 'apparmor="DENIED" operation="create"
  profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec"
  sock_type="dgram" protocol=0' in syslog

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1546455/+subscriptions



[Bug 1546455] Re: Many instances of 'apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec" sock_type="dgram" protocol=0' in syslog

2016-02-17 Thread Tyler Hicks
Patch sent to the list:
https://lists.ubuntu.com/archives/apparmor/2016-February/009328.html

** Changed in: apparmor (Ubuntu)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1546455

Title:
  Many instances of 'apparmor="DENIED" operation="create"
  profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec"
  sock_type="dgram" protocol=0' in syslog

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1546455/+subscriptions



[Bug 1446906] Re: lxc container with postfix, permission denied on mailq

2016-01-25 Thread Tyler Hicks
** Description changed:

+ [Impact]
+ 
+  * Users may encounter situations where they use applications, confined by
+AppArmor, that hit EACESS failures when attempting to operate on AF_UNIX
+stream sockets.
+ 
+  * These failures typically occur when the confined applications attempts to
+read from an AF_UNIX stream socket when the other end of the socket has
+already been closed.
+ 
+  * AppArmor is mistakenly denying the socket operations due to the socket
+shutdown operation making the sun_path no longer being available for
+AppArmor mediation after the socket is shutdown.
+ 
+ [Test Case]
+ 
+  The expected test case is:
+ 
+  $ sudo apt-get install postfix # installing in 'local only' config is fine
+  $ cat > bug-profile << EOF
+  profile bug-profile flags=(attach_disconnected) {
+network,
+file,
+  }
+  EOF
+  $ sudo apparmor_parser -r bug.profile 
+  $ aa-exec -p bug-profile -- mailq
+  Mail queue is empty
+ 
+  A failed test case will see the mailq command exit with an error:
+ 
+  $ aa-exec -p bug-profile -- mailq
+  postqueue: warning: close: Permission denied
+ 
+  and these denials will be found in the syslog:
+ 
+  Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096168] audit: type=1400 
audit(1453762589.727:29): apparmor="DENIED" operation="file_perm" 
profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
+  Jan 25 16:56:29 sec-vivid-amd64 kernel: [  241.096175] audit: type=1400 
audit(1453762589.727:30): apparmor="DENIED" operation="file_perm" 
profile="bug-profile" name="public/showq" pid=4923 comm="postqueue" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
+ 
+ [Regression Potential]
+ 
+  * The changes are local to the path-based AF_UNIX stream socket mediation 
code
+so that limits the regression potential to some degree.
+ 
+  * John Johansen authored the patch and I reviewed it. It is small and there's
+no obvious areas of concern to me regarding potential regressions.
+ 
+ [Other Info]
+ 
+  * None at this time
+ 
+ [Original bug report]
+ 
  Hello,
  
  on three Vivid host, all of them up-to-date, I have the problem
  described here:
  
  https://bugs.launchpad.net/ubuntu/utopic/+source/linux/+bug/1390223
  
  That bug report shows the problem was fixed, but it is not (at least on
  current Vivid)
  
- 
  ii  linux-image-generic 3.19.0.15.14   amd64  Generic Linux kernel 
image
  ii  lxc 1.1.2-0ubuntu3 amd64  Linux Containers 
userspace tools
  ii  apparmor2.9.1-0ubuntu9 amd64  User-space parser 
utility for AppArmor
- 
  
  Reproducible with:
  
  $ sudo lxc-create -n test -t ubuntu
  $ sudo lxc-start -n test
  
  (inside container)
  
  $ sudo apt-get install postfix
  $ mailq
  postqueue: warning: close: Permission denied
  
- 
  dmesg shows:
  [82140.386109] audit: type=1400 audit(1429661150.086:17067): 
apparmor="DENIED" operation="file_perm" profile="lxc-container-default" 
name="public/showq" pid=27742 comm="postqueue" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
- --- 
+ ---
  ApportVersion: 2.17.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
-  USERPID ACCESS COMMAND
-  /dev/snd/controlC0:  zoolook1913 F pulseaudio
+  USERPID ACCESS COMMAND
+  /dev/snd/controlC0:  zoolook1913 F pulseaudio
  CurrentDesktop: Unity
  DistroRelease: Ubuntu 15.04
  HibernationDevice: RESUME=UUID=aa25401d-0553-43dc-b7c8-c530fe245fb6
  InstallationDate: Installed on 2015-02-27 (53 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 
(20150218.1)
  MachineType: LENOVO 20150
  Package: linux (not installed)
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic 
root=/dev/mapper/ubuntu--vg-root ro cgroup_enable=memory swapaccount=1 quiet 
splash vt.handoff=7
  ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
  RelatedPackageVersions:
-  linux-restricted-modules-3.19.0-15-generic N/A
-  linux-backports-modules-3.19.0-15-generic  N/A
-  linux-firmware 1.143
+  linux-restricted-modules-3.19.0-15-generic N/A
+  linux-backports-modules-3.19.0-15-generic  N/A
+  linux-firmware 1.143
  Tags:  vivid
  Uname: Linux 3.19.0-15-generic x86_64
  UpgradeStatus: Upgraded to vivid on 2015-03-29 (24 days ago)
  UserGroups: adm docker libvirtd lpadmin sambashare sudo
  _MarkForUpload: True
  dmi.bios.date: 12/19/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 5ECN95WW(V9.00)
  dmi.board.asset.tag: No Asset Tag
  dmi.board.name: INVALID
  dmi.board.vendor: LENOVO
  dmi.board.version: 3194WIN8 STD SGL
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Lenovo G580
  dmi.modalias: 
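
Review bot: In the added [Test Case] steps the profile is written with `cat > bug-profile << EOF` but loaded with `sudo apparmor_parser -r bug.profile`, so the commands as written try to load a file that was never created; use the same filename in both. In the added [Impact] text, "EACESS" should read EACCES and "the confined applications attempts" should read "the confined application attempts".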

[Bug 1513299] Re: package nginx-full (not installed) failed to install/upgrade: el subproceso instalado el script post-installation devolvió el código de salida de error 1

2015-11-12 Thread Tyler Hicks
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1513299

Title:
  package nginx-full (not installed) failed to install/upgrade: el
  subproceso instalado el script post-installation devolvió el código de
  salida de error 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1513299/+subscriptions



[Bug 1501491] Re: Unable to start containers after upgrade to 1.0.7-0ubuntu0.6 on trusty

2015-10-02 Thread Tyler Hicks
The Ubuntu Security Team has produced some packages built with the
proposed fix from Serge (thanks again, Serge!). They have not been
tested by the Security Team yet but those affected by this bug may find
the packages useful. They can be found in:

  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

IMPORTANT: You should not add this PPA to your apt sources.list file.
Please only pull down the specific binary packages. The Security Team
uploads experimental packages to this PPA and we cannot provide any
guarantees regarding the contents of this PPA.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1501491

Title:
  Unable to start containers after upgrade to 1.0.7-0ubuntu0.6 on trusty

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1501491/+subscriptions



[Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor

2015-09-30 Thread Tyler Hicks
The regression should be fixed with lxc 1.0.7-0ubuntu0.6. See
http://www.ubuntu.com/usn/usn-2753-2/ for more details.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662

Title:
  lxc-start symlink vulnerabilities may allow guest to read host
  filesystem, interfere with apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions



[Bug 1501310] Re: Unable to start containers after upgrade to 1.0.7-0ubuntu0.5 on trusty

2015-09-30 Thread Tyler Hicks
Hi Tobias - Can you share what Ubuntu release you're using?

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1501310

Title:
  Unable to start containers after upgrade to 1.0.7-0ubuntu0.5 on trusty

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1501310/+subscriptions



[Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor

2015-09-30 Thread Tyler Hicks
Hello - Is anyone seeing this regression on a release other than 14.04
LTS (Trusty)?

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662

Title:
  lxc-start symlink vulnerabilities may allow guest to read host
  filesystem, interfere with apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions



[Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor

2015-09-29 Thread Tyler Hicks
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476662

Title:
  lxc-start symlink vulnerabilities may allow guest to read host
  filesystem, interfere with apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions



[Bug 1498952] Re: package python-beautifulsoup 3.2.1-1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 127

2015-09-27 Thread Tyler Hicks
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to beautifulsoup in Ubuntu.
https://bugs.launchpad.net/bugs/1498952

Title:
  package python-beautifulsoup 3.2.1-1 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 127

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/beautifulsoup/+bug/1498952/+subscriptions



[Bug 1498254] Re: package postfix 2.11.0-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 75

2015-09-22 Thread Tyler Hicks
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to postfix in Ubuntu.
https://bugs.launchpad.net/bugs/1498254

Title:
  package postfix 2.11.0-1ubuntu1 failed to install/upgrade: subprocess
  installed post-installation script returned error exit status 75

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1498254/+subscriptions



[Bug 1478087] Re: ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3

2015-09-10 Thread Tyler Hicks
** Also affects: shadow (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: openssh (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: audit (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: lightdm (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: shadow (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Also affects: openssh (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Also affects: audit (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Also affects: lightdm (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Also affects: shadow (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Also affects: openssh (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Also affects: audit (Ubuntu Wily)
   Importance: Undecided
 Assignee: Taco Screen team (taco-screen-team)
   Status: New

** Also affects: lightdm (Ubuntu Wily)
   Importance: Undecided
   Status: New

** No longer affects: audit (Ubuntu Trusty)

** No longer affects: audit (Ubuntu Vivid)

** No longer affects: audit (Ubuntu Wily)

** Changed in: audit (Ubuntu)
   Status: New => Invalid

** Changed in: lightdm (Ubuntu Wily)
   Status: New => Triaged

** Changed in: lightdm (Ubuntu Vivid)
   Status: New => Triaged

** Changed in: lightdm (Ubuntu Trusty)
   Status: New => Triaged

** Changed in: openssh (Ubuntu Trusty)
   Status: New => Triaged

** Changed in: openssh (Ubuntu Vivid)
   Status: New => Triaged

** Changed in: openssh (Ubuntu Wily)
   Status: New => Triaged

** Changed in: shadow (Ubuntu Wily)
   Status: New => Fix Released

** Changed in: shadow (Ubuntu Vivid)
   Status: New => Triaged

** Changed in: shadow (Ubuntu Trusty)
   Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1478087

Title:
  ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1478087/+subscriptions



[Bug 1478087] Re: ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3

2015-09-01 Thread Tyler Hicks
I've created an upstream lightdm merge request to add login and logout
auditing support:

  https://code.launchpad.net/~tyhicks/lightdm/auditing/+merge/269828

I've also submitted the (simple) changes needed in the openssh package
to Debian since Colin keeps the Debian and Ubuntu openssh package in
sync:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797727

** Bug watch added: Debian Bug tracker #797727
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797727

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1478087

Title:
  ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1478087/+subscriptions



[Bug 1478087] Re: ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3

2015-08-31 Thread Tyler Hicks
The bug is not in aureport or libaudit. aureport looks for
AUDIT_USER_LOGIN events in the audit log but we're not generating them
in login programs due to libaudit support not being enabled at build
time or, in the case of lightdm, missing libaudit support.

Note that we are generating an AUDIT_LOGIN event from the kernel upon
login but aureport and friends are looking for AUDIT_USER_LOGIN events
from userspace.

This will require changes to several packages. So far, I've been able
to determine that openssh needs to be built with --enable-audit=linux
and lightdm needs to be patched to generate AUDIT_USER_LOGIN events. The
lightdm pam configs may also need updating for calling out to
pam_loginuid.so but I'm not sure if that's required at this point.

The shadow package was recently modified to enable libaudit support
(https://launchpad.net/ubuntu/+source/shadow/1:4.1.5.1-1.1ubuntu5) so
that change will need to be SRU'ed.

The util-linux source package can generate AUDIT_USER_INFO events from
its login program but we're using the login program from the shadow
source package. After looking at the util-linux source, I don't see a
reason to build it against libaudit at this time.

** Also affects: openssh (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: lightdm (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: shadow (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1478087

Title:
  ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1478087/+subscriptions
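
The distinction drawn in the message above, as an added example (not part of the original message and not aureport's own code): a small parser that finds sessions which have the kernel's LOGIN record but no userspace USER_LOGIN record, the kind of login that a tool looking only for AUDIT_USER_LOGIN events does not report. The log lines are constructed samples, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's log format (not taken from the bug report).
# Session 3: an sshd built with audit support emits USER_LOGIN.
# Session 4: a display manager without libaudit support emits no USER_LOGIN.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1441040000.123:101): pid=2211 uid=0 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=3 res=1
type=USER_LOGIN msg=audit(1441040000.456:105): pid=2211 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=success'
type=LOGIN msg=audit(1441040100.000:140): pid=2302 uid=0 old-auid=4294967295 auid=1001 old-ses=4294967295 ses=4 res=1
type=USER_START msg=audit(1441040100.200:141): pid=2302 uid=0 auid=1001 ses=4 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'
"""

HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
FIELD = re.compile(r'([A-Za-z][\w-]*)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit log line into a flat dict, or return None if malformed."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    body = m.group("body")
    # Userspace records wrap their own fields in msg='...'; unwrap them so
    # that exe= and res= are parsed like the outer fields.
    body = body.replace("msg='", "", 1)
    if body.endswith("'"):
        body = body[:-1]
    fields = {"type": m.group("type"), "serial": int(m.group("serial"))}
    for key, value in FIELD.findall(body):
        # Keep the first occurrence so the outer pid/uid/auid/ses win.
        fields.setdefault(key, value.strip('"'))
    return fields


def login_audit_coverage(log_text):
    """Per session id: was a kernel LOGIN seen, and a userspace USER_LOGIN?"""
    sessions = defaultdict(
        lambda: {"auid": None, "kernel_login": False, "user_login": False, "exe": None}
    )
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or "ses" not in rec:
            continue
        info = sessions[rec["ses"]]
        info["auid"] = rec.get("auid", info["auid"])
        if rec["type"] == "LOGIN":
            info["kernel_login"] = True
        elif rec["type"] == "USER_LOGIN":
            info["user_login"] = True
        if "exe" in rec:
            # Remember which program handled the session.
            info["exe"] = rec["exe"]
    return dict(sessions)


def sessions_missing_user_login(log_text):
    """Sessions the kernel recorded but no login program reported."""
    coverage = login_audit_coverage(log_text)
    return sorted(
        (ses, info["auid"], info["exe"])
        for ses, info in coverage.items()
        if info["kernel_login"] and not info["user_login"]
    )


if __name__ == "__main__":
    for ses, auid, exe in sessions_missing_user_login(SAMPLE_LOG):
        print(f"ses={ses} auid={auid}: LOGIN without USER_LOGIN (handled by {exe})")
```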



[Bug 1476769] Re: When activating OpenVPN without DHCP6, random traffic will be routed without VPN

2015-07-31 Thread Tyler Hicks
Making this public since the Fedora bug is already public. It'll help to
get more developers access to the report.

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvpn in Ubuntu.
https://bugs.launchpad.net/bugs/1476769

Title:
  When activating OpenVPN without DHCP6, random traffic will be routed
  without VPN

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1476769/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1470842] Re: lxc tools lock handling vulnerable to symlink attack

2015-07-22 Thread Tyler Hicks
It is worth noting that I typoed the CVE ID in the changelog.
CVE-2015-1131 should have been CVE-2015-1331.

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1131

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1131

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1334

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1131

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1470842

Title:
  lxc tools lock handling vulnerable to symlink attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1470842/+subscriptions



[Bug 1470842] Re: lxc tools lock handling vulnerable to symlink attack

2015-07-22 Thread Tyler Hicks
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1470842

Title:
  lxc tools lock handling vulnerable to symlink attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1470842/+subscriptions



[Bug 1476691] [NEW] Containers are stopped during lxc package upgrade

2015-07-21 Thread Tyler Hicks
Public bug reported:

Starting in Ubuntu 15.04, while using systemd as init, running
containers are being stopped when an lxc package upgrade occurs. In
older Ubuntu releases, running containers are still up after lxc package
upgrades.

Serge reports that a simple `apt-get install --reinstall lxc` will
reproduce this bug.

Here's another reproducer where I did a no change rebuild of lxc
1.1.2-0ubuntu3 as 1.1.2-0ubuntu4~nochange1:

tyhicks@sec-vivid-amd64:~$ sudo lxc-ls -f
NAME      STATE    IPV4        IPV6  GROUPS  AUTOSTART
------------------------------------------------------
somename  RUNNING  10.0.3.135  -     -       NO
tyhicks@sec-vivid-amd64:~$ sudo lxc-attach -n somename -- hostname
somename
tyhicks@sec-vivid-amd64:~$ sudo apt-get install lxc lxc-templates
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  liblxc1 python3-lxc
Suggested packages:
  btrfs-tools lvm2 lxctl qemu-user-static
The following packages will be upgraded:
  liblxc1 lxc lxc-templates python3-lxc
4 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Need to get 0 B/781 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
WARNING: The following packages cannot be authenticated!
  python3-lxc lxc-templates liblxc1 lxc
Install these packages without verification? [y/N] y
(Reading database ... 217273 files and directories currently installed.)
Preparing to unpack .../python3-lxc_1.1.2-0ubuntu4~nochange1_amd64.deb ...
Unpacking python3-lxc (1.1.2-0ubuntu4~nochange1) over (1.1.2-0ubuntu3) ...
Preparing to unpack .../lxc-templates_1.1.2-0ubuntu4~nochange1_amd64.deb ...
Unpacking lxc-templates (1.1.2-0ubuntu4~nochange1) over (1.1.2-0ubuntu3) ...
Preparing to unpack .../liblxc1_1.1.2-0ubuntu4~nochange1_amd64.deb ...
Unpacking liblxc1 (1.1.2-0ubuntu4~nochange1) over (1.1.2-0ubuntu3) ...
Preparing to unpack .../lxc_1.1.2-0ubuntu4~nochange1_amd64.deb ...
Unpacking lxc (1.1.2-0ubuntu4~nochange1) over (1.1.2-0ubuntu3) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up liblxc1 (1.1.2-0ubuntu4~nochange1) ...
Setting up python3-lxc (1.1.2-0ubuntu4~nochange1) ...
Setting up lxc (1.1.2-0ubuntu4~nochange1) ...
Setting up lxc dnsmasq configuration.
Setting up lxc-templates (1.1.2-0ubuntu4~nochange1) ...
Processing triggers for libc-bin (2.21-0ubuntu4) ...
tyhicks@sec-vivid-amd64:~$ sudo lxc-ls -f
NAME      STATE    IPV4  IPV6  GROUPS  AUTOSTART
------------------------------------------------
somename  STOPPED  -     -     -       NO
tyhicks@sec-vivid-amd64:~$ sudo lxc-attach -n somename -- hostname
lxc-attach: attach.c: lxc_attach: 632 failed to get the init pid

** Affects: lxc (Ubuntu)
 Importance: High
 Status: Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1476691

Title:
  Containers are stopped during lxc package upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476691/+subscriptions



[Bug 1213934] Re: [MIR] python-oauth2

2015-07-16 Thread Tyler Hicks
From IRC, Chuck thinks that python-oauthlib is sufficient:

  14:52  tyhicks zul: so python-oauthlib is sufficient and we can mark the python-oauth2 MIR as won't fix?
  14:52  zul tyhicks: should be

Marking this MIR as Won't Fix since we no longer need python-oauth2 in
main.

** Changed in: python-oauth2 (Ubuntu)
   Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-oauth2 in Ubuntu.
https://bugs.launchpad.net/bugs/1213934

Title:
  [MIR] python-oauth2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-oauth2/+bug/1213934/+subscriptions



[Bug 1470888] Re: package openvswitch-pki 2.0.2-0ubuntu0.14.04.2 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2015-07-02 Thread Tyler Hicks
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvswitch in Ubuntu.
https://bugs.launchpad.net/bugs/1470888

Title:
  package openvswitch-pki 2.0.2-0ubuntu0.14.04.2 failed to
  install/upgrade: subprocess installed post-installation script
  returned error exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvswitch/+bug/1470888/+subscriptions



[Bug 1461004] Re: package bind9 1:9.9.5.dfsg-3ubuntu0.2 failed to install/upgrade: le sous-processus script post-installation installé a retourné une erreur de sortie d'état 1

2015-06-05 Thread Tyler Hicks
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in Ubuntu.
https://bugs.launchpad.net/bugs/1461004

Title:
  package bind9 1:9.9.5.dfsg-3ubuntu0.2 failed to install/upgrade: le
  sous-processus script post-installation installé a retourné une erreur
  de sortie d'état 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1461004/+subscriptions



[Bug 1350947] Re: apparmor: no working rule to allow making a mount private

2014-12-11 Thread Tyler Hicks
As a result of the slave versus make-slave revelation, I've created
two upstream AppArmor bugs. The first is for the AppArmor documentation
being wrong about the acceptable mount option strings (bug #1401619).
The second is for the AppArmor parser accepting unknown mount option
strings (bug #1401621).

Since the fix for this specific bug will come as an lxc update, I'm
going to mark the AppArmor tasks in this bug as invalid and use the two
bugs mentioned above.

** Changed in: apparmor
   Status: Confirmed => Invalid

** Changed in: linux (Ubuntu)
   Status: Confirmed => Invalid

** Description changed:

+ NOTE: This bug will be fixed with an update to lxc. However, two
+ AppArmor bugs (bug #1401619 and bug #1401621) were identified as a
+ result of triaging this bug and they will both be fixed in upstream
+ AppArmor.
+ 
  When the file system is mounted as MS_SHARED by default (such as under
  systemd, or when the admin configures it so), things like schroot or LXC
  need to make their guest mounts private. This currently fails under
  utopic:
  
  $ sudo lxc-create -t busybox -n c1
  $ sudo mount --make-rshared /
  $ sudo strace -fvvs1024 -e mount  lxc-start -n c1
  [...]
  [pid 10749] mount(NULL, /, NULL, MS_SLAVE, NULL) = -1 EACCES (Permission 
denied)
  lxc-start: Permission denied - Failed to make / rslave
  
  dmesg says:
  audit: type=1400 audit(1406825005.687:551): apparmor=DENIED operation=mo
  unt info=failed flags match error=-13 profile=/usr/bin/lxc-start 
name=/ pid=8228 co
  mm=lxc-start flags=rw, slave
  
  (This happens for all mount points on your system, I'm just showing the
  first one)
  
  This will leave a couple of leaked mounts on your system. This is an
  useful rune to clean them up:
  
  $ for i in 1 2 3; do sudo umount `mount|grep lxc|awk '{print $3}'`; done
  
  (needs to be done several times; check with mount |grep lxc that it's
  clean)
  
  I tried to allow that by adding this to /etc/apparmor.d/abstractions/lxc
  /start-container:
  
    mount options=(rw, slave) - **,
  
  then reload the policy and rety with
  
  $ sudo stop lxc; sudo start lxc; sudo lxc-start -n c1
  
  (and again clean up the mounts with above rune)
  
  I tried some variations of this, like
  
    mount options in (rw, slave, rslave, shared, rshared) - **,
  
  but none of them worked. The only things that do work are one of
  
    mount,
    mount - **,
  
  but those are too lax to be an effective security restriction.
  
  WORKAROUND
  ==
  (Attention: insecure! Don't use for production machines)
  
  Add this to /etc/apparmor.d/abstractions/lxc/start-container:
  
-mount,
- 
+    mount,
  
  ProblemType: Bug
  DistroRelease: Ubuntu 14.10
  Package: linux-image-3.16.0-6-generic 3.16.0-6.11
  ProcVersionSignature: Ubuntu 3.16.0-6.11-generic 3.16.0-rc7
  Uname: Linux 3.16.0-6-generic x86_64
  ApportVersion: 2.14.5-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USERPID ACCESS COMMAND
   /dev/snd/controlC0:  martin 1665 F pulseaudio
  CurrentDesktop: Unity
  Date: Thu Jul 31 18:58:18 2014
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2014-02-27 (154 days ago)
  InstallationMedia: Ubuntu 14.04 LTS Trusty Tahr - Alpha amd64 (20140224)
  MachineType: LENOVO 2324CTO
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.16.0-6-generic.efi.signed 
root=UUID=a2b27321-0b55-44c9-af0d-6c939efa45ce ro quiet splash 
init=/lib/systemd/systemd crashkernel=384M-:128M vt.handoff=7
  RelatedPackageVersions:
   linux-restricted-modules-3.16.0-6-generic N/A
   linux-backports-modules-3.16.0-6-generic  N/A
   linux-firmware1.132
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 07/09/2013
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G2ET95WW (2.55 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2324CTO
  dmi.board.vendor: LENOVO
  dmi.board.version: 0B98401 Pro
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: 
dmi:bvnLENOVO:bvrG2ET95WW(2.55):bd07/09/2013:svnLENOVO:pn2324CTO:pvrThinkPadX230:rvnLENOVO:rn2324CTO:rvr0B98401Pro:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 2324CTO
  dmi.product.version: ThinkPad X230
  dmi.sys.vendor: LENOVO

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1350947

Title:
  apparmor: no working rule to allow making a mount private



[Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms

2014-05-15 Thread Tyler Hicks
Hi Serge - I'm still wanting a little more information. I tried to
reproduce the bug myself and can't hit the AppArmor denial. I assume
that it must be specific to Charles' local trusty/wordpress charm.

Charles and/or Curtis, can you explain what change occurred in juju-core
that has caused the need to mount rpc_pipefs filesystems inside the
container?

Serge, as far as allowing rpc_pipefs inside the container, I don't know
how safe that would be off the top of my head. I looked at the other
filesystems that are allowed by the container-base abstraction and was
surprised to see debugfs was allowed. I can't imagine that allowing
rpc_pipefs could be more dangerous than debugfs, but that also doesn't
mean that we should allow rpc_pipefs. I need to spend some time today
understanding more about rpc_pipefs.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1319525

Title:
  juju-local LXC containers hang due to AppArmor denial of rpc_pipefs
  mount with local charms



[Bug 1319525] Re: juju-local LXC containers hang due to App Armor Denial of rpc_fsbind request with local charms

2014-05-14 Thread Tyler Hicks
I've marked this bug as affecting lxc, since the fix/workaround that
Charles and I came up with involves modifying abstractions/lxc
/container-base.

** Changed in: lxc (Ubuntu)
   Importance: Undecided => Medium

** Changed in: lxc (Ubuntu)
   Status: New => Confirmed

** Changed in: lxc (Ubuntu)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1319525

Title:
  juju-local LXC containers hang due to AppArmor denial of rpc_pipefs
  mount with local charms



[Bug 1319525] Re: juju-local LXC containers hang due to App Armor Denial of rpc_fsbind request with local charms

2014-05-14 Thread Tyler Hicks
Would it be possible to attach your local wordpress charm?

** Also affects: lxc (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1319525

Title:
  juju-local LXC containers hang due to AppArmor denial of rpc_pipefs
  mount with local charms



[Bug 1319525] Re: juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount with local charms

2014-05-14 Thread Tyler Hicks
** Summary changed:

- juju-local LXC containers hang due to App Armor Denial of rpc_fsbind request 
with local charms
+ juju-local LXC containers hang due to AppArmor denial of rpc_pipefs mount 
with local charms

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1319525

Title:
  juju-local LXC containers hang due to AppArmor denial of rpc_pipefs
  mount with local charms



[Bug 1313282] Re: apparmor=DENIED for freshclam (CLAMAV)

2014-04-28 Thread Tyler Hicks
Here's a debdiff that updates the freshclam AppArmor profile to grant
both read and write permissions for the clamd socket file. Both
permissions are now required by AppArmor when applications connect() to
UNIX domain sockets.

** Patch added: clamav_0.98.1+dfsg-5ubuntu2.debdiff
   https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1313282/+attachment/4099894/+files/clamav_0.98.1%2Bdfsg-5ubuntu2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to clamav in Ubuntu.
https://bugs.launchpad.net/bugs/1313282

Title:
  apparmor=DENIED for freshclam (CLAMAV)

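The message above says AppArmor now needs both read and write permission on a socket path when an application connect()s to it. As an added example (not part of the original message or of the clamav packaging), this sketch parses AppArmor denial lines and derives the file rule a profile would need; the function names, the permission mapping table and all log lines except the first are assumptions made for the illustration.

```python
import re

# key=value pairs; values may be quoted (raw kernel log) or bare (as archived here).
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Audit-log mask letters mapped to profile permission letters.
# In the audit masks, c (create) and d (delete) are both covered by w in a rule.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "rwaklm"

# Line 1 is the denial from the bug description as it appears in this archive.
# Lines 2-4 are constructed for this example (quoted form, an ALLOWED event,
# and a second profile).
SAMPLE_LOG = """\
kernel: [ 113.304926] type=1400 audit(1398085083.946:37): apparmor=DENIED operation=connect profile=/usr/bin/freshclam name=/run/clamav/clamd.ctl pid=2372 comm=freshclam requested_mask=r denied_mask=r fsuid=110 ouid=110
kernel: [ 713.100000] type=1400 audit(1398085683.100:52): apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/clamav/clamd.ctl" pid=2490 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
kernel: [ 714.200000] type=1400 audit(1398085684.200:53): apparmor="ALLOWED" operation="open" profile="/usr/bin/freshclam" name="/etc/hosts" pid=2490 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
kernel: [ 715.300000] type=1400 audit(1398085685.300:54): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/share/samba/upcase.dat" pid=2601 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED event, else None."""
    fields = {}
    for key, quoted, bare in PAIR_RE.findall(line):
        fields[key] = bare or quoted
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def needed_perms(fields, granted=""):
    """Merge already-granted permissions with what the denial shows is missing."""
    perms = set(granted)
    for letter in fields.get("denied_mask", ""):
        if letter in MASK_TO_PERM:
            perms.add(MASK_TO_PERM[letter])
    # connect() on a path-based UNIX socket needs both r and w, so a profile
    # that only grants w (or only r) keeps producing denials.
    if fields.get("operation") == "connect":
        perms.update("rw")
    if "w" in perms:
        perms.discard("a")  # w already covers append; the two cannot be combined
    return "".join(p for p in PERM_ORDER if p in perms)


def suggest_rules(log_text, granted_by_profile=None):
    """Return sorted (profile, rule) pairs covering every denial in log_text.

    granted_by_profile maps (profile, path) to the permissions the profile
    already grants; the caller supplies it, this sketch does not read profiles.
    """
    granted_by_profile = granted_by_profile or {}
    needed = {}
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if not fields or "profile" not in fields or "name" not in fields:
            continue
        key = (fields["profile"], fields["name"])
        already = needed.get(key) or granted_by_profile.get(key, "")
        needed[key] = needed_perms(fields, already)
    return sorted((profile, f"{path} {perms},")
                  for (profile, path), perms in needed.items())


if __name__ == "__main__":
    current = {("/usr/bin/freshclam", "/run/clamav/clamd.ctl"): "w"}
    for profile, rule in suggest_rules(SAMPLE_LOG, current):
        print(f"{profile}:  {rule}")
```

The rules it prints are candidates for review, not changes to apply blindly: each one widens the profile, so confirm the access is expected before adding it.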


[Bug 1313282] Re: apparmor=DENIED for freshclam (CLAMAV)

2014-04-28 Thread Tyler Hicks
** Description changed:

- Not sure if this is a bug, or by design (but I would like some
- clarification)
+ [Description]
  
- I recently upgraded my Ubuntu server to 14.04 LTS and notice some error 
messages regarding Apparmor and Freshclam.
- So far I know I didn't had these error message with the previous version 
(13.10).
+ Freshclam is not able to notify clamd about new databases because AppArmor
+ prevents it from connecting to the clamd socket. Clamd will still detect the
+ database update and force reload, but freshclam should be able to notify 
clamd.
+ 
+ AppArmor fixed a bug (LP: #1208988) in its path-based UNIX domain socket
+ mediation in Saucy. AppArmor now requires both read and write permissions for
+ those socket paths but freshclam's profile only grants write permission.
+ 
+ I recently upgraded my Ubuntu server to 14.04 LTS and notice some error
+ messages regarding Apparmor and Freshclam. So far I know I didn't had these
+ error message with the previous version (13.10).
  
  Syslog reports:
  kernel: [ 113.304926] type=1400 audit(1398085083.946:37): apparmor=DENIED 
operation=connect profile=/usr/bin/freshclam name=/run/clamav/clamd.ctl 
pid=2372 comm=freshclam requested_mask=r denied_mask=r fsuid=110 ouid=110
  
  Freshclam log reports:
  WARNING: Clamd was NOT notified: Can't connect to clamd through 
/var/run/clamav/clamd.ctl
  
- Any reason why freshclam may not read the clamd.ctl?
- Of course clamd will detect database update and force reload.
- But should freshclam not be able to notify clamd?
+ [Test Case]
+ 
+ * Make sure that /etc/clamav/freshclam.conf contains this line:
+ 
+ NotifyClamd /etc/clamav/clamd.conf
+ 
+ * Manually remove the main database file
+ 
+ $ sudo rm /var/lib/clamav/main.cvd
+ 
+ * Run freshclam
+ 
+ $ sudo freshclam
+ 
+ * Verify the following:
+ 
+ 1) It was successful
+ 2) There were no warnings about clamd not being notified (see Description)
+ 3) There were no AppArmor denials in the system logs (See Description)
+ 
+ [Regression Potential]
+ 
+ There is essentially no regression potential since we're only loosening up the
+ freshclam AppArmor profile by adding read permission on the clamd socket.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to clamav in Ubuntu.
https://bugs.launchpad.net/bugs/1313282

Title:
  apparmor=DENIED for freshclam (CLAMAV)



[Bug 1313282] Re: apparmor=DENIED for freshclam (CLAMAV)

2014-04-28 Thread Tyler Hicks
** Description changed:

- [Description]
+ [Impact]
  
  Freshclam is not able to notify clamd about new databases because AppArmor
  prevents it from connecting to the clamd socket. Clamd will still detect the
  database update and force reload, but freshclam should be able to notify 
clamd.
  
  AppArmor fixed a bug (LP: #1208988) in its path-based UNIX domain socket
  mediation in Saucy. AppArmor now requires both read and write permissions for
  those socket paths but freshclam's profile only grants write permission.
  
  I recently upgraded my Ubuntu server to 14.04 LTS and notice some error
  messages regarding Apparmor and Freshclam. So far I know I didn't had these
  error message with the previous version (13.10).
  
  Syslog reports:
  kernel: [ 113.304926] type=1400 audit(1398085083.946:37): apparmor=DENIED 
operation=connect profile=/usr/bin/freshclam name=/run/clamav/clamd.ctl 
pid=2372 comm=freshclam requested_mask=r denied_mask=r fsuid=110 ouid=110
  
  Freshclam log reports:
  WARNING: Clamd was NOT notified: Can't connect to clamd through 
/var/run/clamav/clamd.ctl
  
  [Test Case]
  
  * Make sure that /etc/clamav/freshclam.conf contains this line:
  
- NotifyClamd /etc/clamav/clamd.conf
+ NotifyClamd /etc/clamav/clamd.conf
  
  * Manually remove the main database file
  
- $ sudo rm /var/lib/clamav/main.cvd
+ $ sudo rm /var/lib/clamav/main.cvd
  
  * Run freshclam
  
- $ sudo freshclam
+ $ sudo freshclam
  
  * Verify the following:
  
- 1) It was successful
- 2) There were no warnings about clamd not being notified (see Description)
- 3) There were no AppArmor denials in the system logs (See Description)
+ 1) It was successful and printed Clamd successfully notified about the
+update.
+ 2) There were no warnings about clamd not being notified (see Impact)
+ 3) There were no AppArmor denials in the system logs (see Impact)
  
  [Regression Potential]
  
  There is essentially no regression potential since we're only loosening up the
  freshclam AppArmor profile by adding read permission on the clamd socket.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to clamav in Ubuntu.
https://bugs.launchpad.net/bugs/1313282

Title:
  apparmor=DENIED for freshclam (CLAMAV)



[Bug 1135780] Re: ntp apparmor denied read of /usr/share/samba/upcase.dat

2014-04-03 Thread Tyler Hicks
Hello - I sat down to fix this bug in Trusty, but it is already fixed.
Here's my reasoning:

* Starting in Trusty, /usr/share/samba/{low,up}case.dat was moved to /usr/share/samba/codepages/{low,up}case.dat
* The ntpd profile has #include abstractions/nameservice
* The nameservice abstraction has #include abstractions/winbind
* Starting in Trusty, the winbind abstraction has /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,

The denials should no longer be happening in Trusty so I'm going to mark
this as Fix Released. Thanks for the bug report!

** Changed in: ntp (Ubuntu)
   Status: New => Fix Released

** Changed in: ntp (Ubuntu)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1135780

Title:
  ntp apparmor denied read of /usr/share/samba/upcase.dat



[Bug 1135780] Re: ntp apparmor denied read of /usr/share/samba/upcase.dat

2014-04-03 Thread Tyler Hicks
FWIW, the upstream apparmor commit that fixed this is r2382

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1135780

Title:
  ntp apparmor denied read of /usr/share/samba/upcase.dat



[Bug 1298611] Re: [FFe] apparmor signal and ptrace mediation

2014-04-03 Thread Tyler Hicks
Here's the lightdm debdiff to allow the guest session to start with
AppArmor signal and ptrace mediation. It is tested on Trusty amd64.

** Patch added: lightdm_1.9.14-0ubuntu2.debdiff
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611/+attachment/4064056/+files/lightdm_1.9.14-0ubuntu2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1298611

Title:
  [FFe] apparmor signal and ptrace mediation



[Bug 1298611] Re: [FFe] apparmor signal and ptrace mediation

2014-04-03 Thread Tyler Hicks
Here's an updated libvirt debdiff. I rebased Jamie's debdiff on top of
the libvirt that was uploaded to the archive yesterday.

** Patch added: libvirt_1.2.2-0ubuntu9.debdiff
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611/+attachment/4064063/+files/libvirt_1.2.2-0ubuntu9.debdiff

** Patch removed: libvirt_1.2.2-0ubuntu8.debdiff
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611/+attachment/4055646/+files/libvirt_1.2.2-0ubuntu8.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1298611

Title:
  [FFe] apparmor signal and ptrace mediation



[Bug 1298611] Re: [FFe] apparmor signal and ptrace mediation

2014-04-03 Thread Tyler Hicks
Here's the apparmor debdiff. The testing performed is described in the
bug description. Let me know if there are any questions.

** Patch added: apparmor_2.8.95~2430-0ubuntu4.debdiff
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611/+attachment/4064098/+files/apparmor_2.8.95%7E2430-0ubuntu4.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1298611

Title:
  [FFe] apparmor signal and ptrace mediation



[Bug 1296681] Re: failed to change apparmor profile to lxc-container-default

2014-04-02 Thread Tyler Hicks
*** This bug is a duplicate of bug 1296459 ***
https://bugs.launchpad.net/bugs/1296459

** This bug is no longer a duplicate of bug 1295774
   ERROR processing policydb rules for profile lxc-container-default, failed to load
** This bug has been marked a duplicate of bug 1296459
   Upgrade from 2.8.0-0ubuntu38 to 2.8.95~2430-0ubuntu2 breaks LXC containers

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1296681

Title:
  failed to change apparmor profile to lxc-container-default



[Bug 1294284] Re: LXC Ubuntu containers do not start in Ubuntu 14.04

2014-04-02 Thread Tyler Hicks
*** This bug is a duplicate of bug 1296459 ***
https://bugs.launchpad.net/bugs/1296459

I believe this issue was solved with apparmor 2.8.95~2430-0ubuntu3. It
contains a fix for a regression in how apparmor_parser generates
AppArmor policy containing mount rules.

I'm going to mark this bug as a duplicate of the bug I listed in the
AppArmor changelog. Please respond if upgrading to apparmor
2.8.95~2430-0ubuntu3 does not fix your issue.

** This bug has been marked a duplicate of bug 1296459
   Upgrade from 2.8.0-0ubuntu38 to 2.8.95~2430-0ubuntu2 breaks LXC containers

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1294284

Title:
  LXC Ubuntu containers do not start in Ubuntu 14.04



[Bug 1298611] Re: [FFe] apparmor signal and ptrace mediation

2014-04-02 Thread Tyler Hicks
I've added tasks for lightdm and lxc. The lightdm guest session
abstraction needs to be updated for signal and ptrace mediation and I'm
currently working on that. In previous IRC discussions, stgraber
mentioned that he had a handle on what was needed for the lxc policy so
I've assigned him but I can obviously help out as needed.

** Also affects: lightdm (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: lightdm (Ubuntu)
   Status: New => In Progress

** Changed in: lightdm (Ubuntu)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: lightdm (Ubuntu)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu)
   Status: Confirmed => In Progress

** Also affects: lxc (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: lxc (Ubuntu)
 Assignee: (unassigned) => Stéphane Graber (stgraber)

** Changed in: lxc (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/1298611

Title:
  [FFe] apparmor signal and ptrace mediation



[Bug 1236065] Re: Crypto support missing in Saucy

2013-10-07 Thread Tyler Hicks
** Bug watch added: Debian Bug tracker #696390
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696390

** Also affects: ntp (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696390
   Importance: Unknown
   Status: Unknown

** Changed in: ntp (Ubuntu)
   Status: In Progress => Confirmed

** Changed in: ntp (Ubuntu)
 Assignee: Tyler Hicks (tyhicks) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1236065

Title:
  Crypto support missing in Saucy



[Bug 1236065] [NEW] Crypto support missing in Saucy

2013-10-06 Thread Tyler Hicks
Public bug reported:

From the ntp_1:4.2.6.p5+dfsg-2ubuntu3 buildlog:

  checking for openssl library directory... /usr/lib/x86_64-linux-gnu
  checking for openssl include directory... no
  checking if we will use crypto... no

I noticed this after the QRT test test-ntp.py had some unexpected
failures due to ntp-keygen not working:

  # ntp-keygen -p test
  /usr/sbin/ntp-keygen: illegal option -- p
  ...

Looking through the source, the -p option is wrapped with #ifdef
OPENSSL. The same preprocessor conditional is used throughout the ntp
source to enable/disable crypto support.

Debian bug #696390 has the needed fix.

** Affects: ntp (Ubuntu)
 Importance: High
 Assignee: Tyler Hicks (tyhicks)
 Status: In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1236065

Title:
  Crypto support missing in Saucy



[Bug 1236065] Re: Crypto support missing in Saucy

2013-10-06 Thread Tyler Hicks
Here's the debdiff between what's currently in Saucy and the update I'm
proposing with the debdiff above. The merge from Debian testing only
pulls in the fix for this bug.

** Patch added: old-saucy-to-new.debdiff
   https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1236065/+attachment/3863145/+files/old-saucy-to-new.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1236065

Title:
  Crypto support missing in Saucy



[Bug 1236065] Re: Crypto support missing in Saucy

2013-10-06 Thread Tyler Hicks
Merge ntp 1:4.2.6.p5+dfsg-3 from Debian testing.

I've verified that QRT's test-ntp.py now passes. Here's the relevant
snippet from the build log:

  checking for openssl library directory... /usr/lib/x86_64-linux-gnu
  checking for openssl include directory... /usr/include
  checking if we will use crypto... yes
  checking if linking with -lcrypto alone works... yes

** Patch added: ntp_4.2.6.p5+dfsg-3ubuntu1.debdiff
   https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1236065/+attachment/3863144/+files/ntp_4.2.6.p5%2Bdfsg-3ubuntu1.debdiff

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1236065

Title:
  Crypto support missing in Saucy



[Bug 971314] Re: 1:4.2.6.p3+dfsg-1ubuntu3 on Precise generates a memory corruption

2013-01-30 Thread Tyler Hicks
*** This bug is a duplicate of bug 941968 ***
https://bugs.launchpad.net/bugs/941968

** This bug has been marked a duplicate of bug 941968
   lockfile-create hangs inside lxc containers (potential buffer overflow?)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/971314

Title:
  1:4.2.6.p3+dfsg-1ubuntu3 on Precise generates a memory corruption



[Bug 941968] Re: lockfile-create hangs inside lxc containers (potential buffer overflow?)

2013-01-08 Thread Tyler Hicks
The problem is with string handling in liblockfile's
lockfile_create_save_tmplock(). I'll start work on getting a debdiff
prepared.

** Also affects: liblockfile (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: liblockfile (Ubuntu)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: liblockfile (Ubuntu)
   Importance: Undecided => Medium

** Changed in: liblockfile (Ubuntu)
   Status: New => In Progress

** Changed in: lockfile-progs (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/941968

Title:
  lockfile-create hangs inside lxc containers (potential buffer
  overflow?)



[Bug 1039420] Re: NTP security vulnerability because not using authentication by default

2012-08-29 Thread Tyler Hicks
After reading the thread on ubuntu-hardened and doing some research of
my own, a lack of instructions does not seem to be the primary problem
here. It sounds like an external infrastructure problem since the public
NTP pool does not guarantee that their servers support NTP
authentication.

I'm marking this bug as confirmed with an importance of wishlist. If
anyone has suggestions on working around the lack of NTP authentication
support across the entire public NTP pool, please leave a comment.
Thanks!

** Changed in: ntp (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: ntp (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1039420

Title:
  NTP security vulnerability because not using authentication by default



[Bug 1034489] Re: open-vm-dkms 2011.07.19-450511-0ubuntu1: open-vm-tools kernel module failed to build

2012-08-10 Thread Tyler Hicks
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to open-vm-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1034489

Title:
  open-vm-dkms 2011.07.19-450511-0ubuntu1: open-vm-tools kernel module
  failed to build

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1034489/+subscriptions



[Bug 1029506] Re: package clamav-milter 0.97.3+dfsg-2.1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2012-07-27 Thread Tyler Hicks
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to clamav in Ubuntu.
https://bugs.launchpad.net/bugs/1029506

Title:
  package clamav-milter 0.97.3+dfsg-2.1ubuntu1 failed to
  install/upgrade: subprocess installed post-installation script
  returned error exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1029506/+subscriptions



[Bug 1026991] Re: package amavisd-new-postfix 1:2.6.5-0ubuntu3.1 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1

2012-07-27 Thread Tyler Hicks
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to amavisd-new in Ubuntu.
https://bugs.launchpad.net/bugs/1026991

Title:
  package amavisd-new-postfix 1:2.6.5-0ubuntu3.1 failed to
  install/upgrade: ErrorMessage: subprocess installed post-installation
  script returned error exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/amavisd-new/+bug/1026991/+subscriptions



[Bug 1026797] Re: Default /usr/share/doc serving should be removed (CVE-2012-0216)

2012-07-27 Thread Tyler Hicks
This CVE is being tracked in the Ubuntu CVE tracker:

http://people.ubuntu.com/~ubuntu-security/cve/CVE-2012-0216

** Changed in: apache2 (Ubuntu)
   Importance: Undecided => Low

** Changed in: apache2 (Ubuntu)
   Status: New => Triaged

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1026797

Title:
  Default /usr/share/doc serving should be removed (CVE-2012-0216)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1026797/+subscriptions



[Bug 1027061] Re: Postfix upgrade to 2.9.3-2~12.04.1 changes configuration files

2012-07-27 Thread Tyler Hicks
** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to postfix in Ubuntu.
https://bugs.launchpad.net/bugs/1027061

Title:
  Postfix upgrade to 2.9.3-2~12.04.1 changes configuration files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1027061/+subscriptions



[Bug 1027061] Re: Postfix upgrade to 2.9.3-2~12.04.1 changes configuration files

2012-07-27 Thread Tyler Hicks
Thanks for having a look, Scott. I'm unsubscribing ubuntu-security and
marking this as a regular, non-security bug.

** This bug is no longer flagged as a security vulnerability

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to puppet in Ubuntu.
https://bugs.launchpad.net/bugs/1027061

Title:
  Postfix upgrade to 2.9.3-2~12.04.1 changes configuration files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1027061/+subscriptions



[Bug 986485] Re: package samba 2:3.5.8~dfsg-1ubuntu2.4 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2012-04-29 Thread Tyler Hicks
** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/986485

Title:
  package samba 2:3.5.8~dfsg-1ubuntu2.4 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/986485/+subscriptions



[Bug 978458] Re: CVE-2012-1182: root credential remote code execution

2012-04-12 Thread Tyler Hicks
Here is my proposed debdiff for Precise. I'll need a sponsor for this to
make it into the release.

I've built a package locally with this debdiff. I sanity checked it
using the 'umt compare-log', 'umt compare-bin', and 'umt check' tools. I
tested it with the reproducers from ZDI, as well as test-samba.py in the
qa-regression-testing project. The reproducers were mitigated with the
update and test-samba.py passed successfully.

** Patch added: samba_3.6.3-2ubuntu2.debdiff
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/978458/+attachment/3054702/+files/samba_3.6.3-2ubuntu2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/978458

Title:
  CVE-2012-1182: root credential remote code execution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/978458/+subscriptions



[Bug 978458] Re: CVE-2012-1182: root credential remote code execution

2012-04-12 Thread Tyler Hicks
Thanks Jelmer! You've probably already noticed, but jdstrand has
sponsored it.

I was wondering if we could generate the PIDL generated code at build
time, but I decided against it for the sake of making cherry-picking from
upstream stable branches easy in the future. Upstream has rerun the PIDL
compiler and committed that as a change, so any new security backports
that they do will be based upon the regenerated code. It seems like it
would be in our best interest to follow what upstream did. Any thoughts?

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/978458

Title:
  CVE-2012-1182: root credential remote code execution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/978458/+subscriptions



[Bug 978458] Re: CVE-2012-1182: root credential remote code execution

2012-04-12 Thread Tyler Hicks
Ok, now I see that the 3.6 upstream branch places the samba3-idl target
underneath 'make all', so I assume that they are now relying on the code
generation to happen at build time. Can you confirm this, Jelmer?

If that's the case, then we probably do want to follow that convention
in our 3.6.x and later packages (currently only found in Precise). The
reason is that if we don't do it at build time, but upstream does, one
of their patches that we cherry-pick could theoretically need to be run
through PIDL to make proper changes. I _think_ that's the case, but I'm
still not quite knowledgeable on the PIDL compiler to know for sure.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/978458

Title:
  CVE-2012-1182: root credential remote code execution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/978458/+subscriptions



[Bug 978708] Re: [Precise] puppet is vulnerable to CVE-2012-1906 and CVE-2012-1986 through CVE-2012-1989

2012-04-11 Thread Tyler Hicks
The diff between the output of 'cd /usr/share/puppet-testsuite  rake
spec unit' run under puppet-2.7.11-1ubuntu1 and puppet-2.7.11-1ubuntu2
(which is simply the debdiff attached above applied).

Note that there are many false positives from failed Windows tests. I'm
not sure why these tests are being run, but it looks like
Puppet.features.microsoft_windows is not testing out to be false.

** Patch added: puppet-2.7.11-1ubuntu2_rake-spec-unit.diff
   
https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/978708/+attachment/3045160/+files/puppet-2.7.11-1ubuntu2_rake-spec-unit.diff

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to puppet in Ubuntu.
https://bugs.launchpad.net/bugs/978708

Title:
  [Precise] puppet is vulnerable to CVE-2012-1906 and CVE-2012-1986
  through CVE-2012-1989

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/978708/+subscriptions



[Bug 978458] Re: CVE-2012-1182: root credential remote code execution

2012-04-10 Thread Tyler Hicks
Thanks, Ryan! We are aware of the issue and we are currently working on
an update.

** Changed in: samba (Ubuntu)
   Status: New => Confirmed

** Changed in: samba (Ubuntu)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: samba (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/978458

Title:
  CVE-2012-1182: root credential remote code execution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/978458/+subscriptions



[Bug 969937] Re: package libmysqlclient16 5.1.61-0ubuntu0.10.04.1 failed to install/upgrade: trying to overwrite '/usr/lib/libmysqlclient.so.16.0.0', which is also in package mysql-cluster-client-5.1

2012-04-02 Thread Tyler Hicks
** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-dfsg-5.1 in Ubuntu.
https://bugs.launchpad.net/bugs/969937

Title:
  package libmysqlclient16 5.1.61-0ubuntu0.10.04.1 failed to
  install/upgrade: trying to overwrite
  '/usr/lib/libmysqlclient.so.16.0.0', which is also in package mysql-
  cluster-client-5.1 0:7.0.9-1ubuntu7

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-dfsg-5.1/+bug/969937/+subscriptions



[Bug 968411] Re: [Precise] nova is vulnerable to CVE-2012-1585

2012-03-29 Thread Tyler Hicks
Debdiff against 2012.1~rc1-0ubuntu2. Tested using the in-tree test suite.
The new tests, added by the patch in the debdiff, successfully pass.

** Patch added: nova_2012.1~rc1-0ubuntu3.debdiff
   
https://bugs.launchpad.net/ubuntu/+source/nova/+bug/968411/+attachment/2962061/+files/nova_2012.1%7Erc1-0ubuntu3.debdiff

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/968411

Title:
  [Precise] nova is vulnerable to CVE-2012-1585

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nova/+bug/968411/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 896723] Re: package samba 2:3.5.8~dfsg-1ubuntu2.3 failed to install/upgrade: ErrorMessage: package samba is not ready for configuration cannot configure (current status `half-installed')

2011-11-27 Thread Tyler Hicks
** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/896723

Title:
  package samba 2:3.5.8~dfsg-1ubuntu2.3 failed to install/upgrade:
  ErrorMessage: package samba is not ready for configuration  cannot
  configure (current status `half-installed')

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/896723/+subscriptions



[Bug 843701] Re: CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

2011-10-12 Thread Tyler Hicks
Thanks again for the tomcat5.5 Hardy branch, James! As you probably
noticed, I touched up the changelog a little bit to add in the upstream
author and a link to the upstream patch. Everything else looked great
and the updated package should now be available.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat6 in Ubuntu.
https://bugs.launchpad.net/bugs/843701

Title:
  CVE-2011-3190 Apache Tomcat Authentication bypass and information
  disclosure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat5.5/+bug/843701/+subscriptions



[Bug 843701] Re: CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

2011-10-11 Thread Tyler Hicks
** Changed in: tomcat5.5 (Ubuntu Hardy)
   Status: Confirmed => In Progress

** Changed in: tomcat5.5 (Ubuntu Hardy)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat6 in Ubuntu.
https://bugs.launchpad.net/bugs/843701

Title:
  CVE-2011-3190 Apache Tomcat Authentication bypass and information
  disclosure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat5.5/+bug/843701/+subscriptions



[Bug 843701] Re: CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure

2011-10-06 Thread Tyler Hicks
** Changed in: tomcat6 (Ubuntu Hardy)
   Status: In Progress => Invalid

** Changed in: tomcat6 (Ubuntu Lucid)
   Status: In Progress => Fix Committed

** Changed in: tomcat6 (Ubuntu Maverick)
   Status: In Progress => Fix Committed

** Changed in: tomcat6 (Ubuntu Natty)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat6 in Ubuntu.
https://bugs.launchpad.net/bugs/843701

Title:
  CVE-2011-3190 Apache Tomcat Authentication bypass and information
  disclosure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat5.5/+bug/843701/+subscriptions
