[Freeipa] [Bug 2055830] Re: please remove dogtag-pki from noble

2024-03-28 Thread Steve Langasek
Removing packages from noble:
dogtag-pki 11.2.1-2 in noble
dogtag-pki 11.2.1-2 in noble amd64
dogtag-pki 11.2.1-2 in noble arm64
dogtag-pki 11.2.1-2 in noble armhf
dogtag-pki 11.2.1-2 in noble i386
dogtag-pki 11.2.1-2 in noble ppc64el
dogtag-pki 11.2.1-2 in noble riscv64
dogtag-pki 11.2.1-2 in noble s390x
dogtag-pki-console-theme 11.2.1-2 in noble amd64
dogtag-pki-console-theme 11.2.1-2 in noble arm64
dogtag-pki-console-theme 11.2.1-2 in noble armhf
dogtag-pki-console-theme 11.2.1-2 in noble i386
dogtag-pki-console-theme 11.2.1-2 in noble ppc64el
dogtag-pki-console-theme 11.2.1-2 in noble riscv64
dogtag-pki-console-theme 11.2.1-2 in noble s390x
dogtag-pki-server-theme 11.2.1-2 in noble amd64
dogtag-pki-server-theme 11.2.1-2 in noble arm64
dogtag-pki-server-theme 11.2.1-2 in noble armhf
dogtag-pki-server-theme 11.2.1-2 in noble i386
dogtag-pki-server-theme 11.2.1-2 in noble ppc64el
dogtag-pki-server-theme 11.2.1-2 in noble riscv64
dogtag-pki-server-theme 11.2.1-2 in noble s390x
pki-base 11.2.1-2 in noble amd64
pki-base 11.2.1-2 in noble arm64
pki-base 11.2.1-2 in noble armhf
pki-base 11.2.1-2 in noble i386
pki-base 11.2.1-2 in noble ppc64el
pki-base 11.2.1-2 in noble riscv64
pki-base 11.2.1-2 in noble s390x
pki-base-java 11.2.1-2 in noble amd64
pki-base-java 11.2.1-2 in noble arm64
pki-base-java 11.2.1-2 in noble armhf
pki-base-java 11.2.1-2 in noble i386
pki-base-java 11.2.1-2 in noble ppc64el
pki-base-java 11.2.1-2 in noble riscv64
pki-base-java 11.2.1-2 in noble s390x
pki-ca 11.2.1-2 in noble amd64
pki-ca 11.2.1-2 in noble arm64
pki-ca 11.2.1-2 in noble armhf
pki-ca 11.2.1-2 in noble i386
pki-ca 11.2.1-2 in noble ppc64el
pki-ca 11.2.1-2 in noble riscv64
pki-ca 11.2.1-2 in noble s390x
pki-console 11.2.1-2 in noble amd64
pki-console 11.2.1-2 in noble arm64
pki-console 11.2.1-2 in noble armhf
pki-console 11.2.1-2 in noble i386
pki-console 11.2.1-2 in noble ppc64el
pki-console 11.2.1-2 in noble riscv64
pki-console 11.2.1-2 in noble s390x
pki-javadoc 11.2.1-2 in noble amd64
pki-javadoc 11.2.1-2 in noble arm64
pki-javadoc 11.2.1-2 in noble armhf
pki-javadoc 11.2.1-2 in noble i386
pki-javadoc 11.2.1-2 in noble ppc64el
pki-javadoc 11.2.1-2 in noble riscv64
pki-javadoc 11.2.1-2 in noble s390x
pki-kra 11.2.1-2 in noble amd64
pki-kra 11.2.1-2 in noble arm64
pki-kra 11.2.1-2 in noble armhf
pki-kra 11.2.1-2 in noble i386
pki-kra 11.2.1-2 in noble ppc64el
pki-kra 11.2.1-2 in noble riscv64
pki-kra 11.2.1-2 in noble s390x
pki-ocsp 11.2.1-2 in noble amd64
pki-ocsp 11.2.1-2 in noble arm64
pki-ocsp 11.2.1-2 in noble armhf
pki-ocsp 11.2.1-2 in noble i386
pki-ocsp 11.2.1-2 in noble ppc64el
pki-ocsp 11.2.1-2 in noble riscv64
pki-ocsp 11.2.1-2 in noble s390x
pki-server 11.2.1-2 in noble amd64
pki-server 11.2.1-2 in noble arm64
pki-server 11.2.1-2 in noble armhf
pki-server 11.2.1-2 in noble ppc64el
pki-server 11.2.1-2 in noble riscv64
pki-server 11.2.1-2 in noble s390x
pki-tks 11.2.1-2 in noble amd64
pki-tks 11.2.1-2 in noble arm64
pki-tks 11.2.1-2 in noble armhf
pki-tks 11.2.1-2 in noble i386
pki-tks 11.2.1-2 in noble ppc64el
pki-tks 11.2.1-2 in noble riscv64
pki-tks 11.2.1-2 in noble s390x
pki-tools 11.2.1-2 in noble amd64
pki-tools 11.2.1-2 in noble arm64
pki-tools 11.2.1-2 in noble armhf
pki-tools 11.2.1-2 in noble ppc64el
pki-tools 11.2.1-2 in noble riscv64
pki-tools 11.2.1-2 in noble s390x
pki-tps 11.2.1-2 in noble amd64
pki-tps 11.2.1-2 in noble arm64
pki-tps 11.2.1-2 in noble armhf
pki-tps 11.2.1-2 in noble i386
pki-tps 11.2.1-2 in 

[Freeipa] [Bug 2028413] Please test proposed package

2023-09-30 Thread Steve Langasek
Hello Bryce, or anyone else affected,

Accepted bind-dyndb-ldap into jammy-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/bind-dyndb-ldap/11.9-5ubuntu0.22.04.4
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-jammy. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  Fix Committed
Status in bind9 source package in Jammy:
  Fix Committed
Status in bind-dyndb-ldap source package in Lunar:
  Fix Committed
Status in bind9 source package in Lunar:
  Fix Committed

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

   * lunar (23.04): bind9 9.18.18
   * jammy (22.04): bind9 9.18.18
   * focal (20.04): bind9 9.16.43

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  9.18.13-9.18.18 for lunar and jammy:

  Updates:

  Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
  Mark dialup and heartbeat-interval options as deprecated.
  Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
  Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
  Mark TKEY mode 2 as deprecated.
  Mark delegation-only and root-delegation-only as deprecated.
  Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.

  Bug Fixes:

  Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
  Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
  Fix the ability to read HMAC-MD5 key files (LP: #2015176).
  Fix stability issues with the catalog zone implementation.
  Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
  Do not return delegation from cache after stale-answer-client-timeout.
  Fix failure to auto-tune clients-per-query limit in some situations.
  Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
  Bring rndc read timeout back to 60 seconds from 30.
  Treat libuv returning ISC_R_INVALIDPROTO as a network error.
  Clean up empty-non-terminal NSEC3 records.
  Fix log file rotation cleanup for absolute file path destinations.
  Fix various catalog zone processing crashes.
  Fix transfer hang when downloading large zones over TLS.
  Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
  Delay DNSSEC key queries until all zones have finished loading.

  CVE Fixes - already available as patches:

  CVE-2023-2828
  CVE-2023-2911

  For full release notes, see:
  https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18

  While there are behavioral changes in this release, I was unable to
  find any backwards-incompatible changes. Some features were marked as
  deprecated, but are still usable as they were before. Other changes
  are related to performance and timeout management, neither of which
  should change how bind9 works, but are worth keeping an eye on in case
  any regressions arise.

  [Test Plan]

  DEP-8 test results:

  simpletest PASS
  validation FLAKY non-zero exit status 1
  zonetest PASS
  dyndb-ldap PASS

[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar

2023-09-30 Thread Steve Langasek
Hello Bryce, or anyone else affected,

Accepted bind-dyndb-ldap into lunar-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/bind-dyndb-ldap/11.10-4ubuntu0.3
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-lunar to verification-done-lunar. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-lunar. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: bind-dyndb-ldap (Ubuntu Lunar)
   Status: In Progress => Fix Committed

** Changed in: bind-dyndb-ldap (Ubuntu Jammy)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  Fix Committed
Status in bind9 source package in Jammy:
  Fix Committed
Status in bind-dyndb-ldap source package in Lunar:
  Fix Committed
Status in bind9 source package in Lunar:
  Fix Committed


[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar

2023-09-29 Thread Steve Langasek
Hello Bryce, or anyone else affected,

Accepted bind9 into jammy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/bind9/1:9.18.18-0ubuntu0.22.04.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-jammy. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: bind9 (Ubuntu Jammy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-jammy

** Changed in: bind9 (Ubuntu Lunar)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-lunar

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  Fix Committed
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind9 source package in Lunar:
  Fix Committed


[Freeipa] [Bug 2032650] Please test proposed package

2023-09-29 Thread Steve Langasek
Hello Andreas, or anyone else affected,

Accepted bind9 into lunar-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/bind9/1:9.18.18-0ubuntu0.23.04.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-lunar to verification-done-lunar. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-lunar. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Committed
Status in bind-dyndb-ldap source package in Lunar:
  Fix Committed
Status in bind9 source package in Lunar:
  Fix Committed
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  [ Impact ]

  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.

  [ Test Plan ]

  For both packages, the test plan consists in having the new dyndb-ldap
  DEP8 test run and succeed.

  [ Where problems could occur ]

  With this new DEP8 change, a bind9 update can be blocked by a
  bind-dyndb-ldap failure to build or run with it.

  While this is exactly the intent (not leave a broken bind-dyndb-ldap
  package in the release), there is a history indicating that
  bind-dyndb-ldap can be late in catching up to bind9 changes. We may
  reach a situation where an important bind9 security update, for
  example, will be blocked by a failing dyndb-ldap test, and it may be
  difficult to fix bind-dyndb-ldap in time, especially if the security
  update is under embargo and the bind-dyndb-ldap developers do not yet
  have details of the changes.

  [ Other Info ]

  The same test is to be applied to the bind9 package, and is already in
  mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is
  to upload it to proposed and block it there, but AFTER bind-dyndb-ldap
  has been released.

  The tight coupling between bind9 and bind-dyndb-ldap is problematic
  (see [1], [2] and [3]). The moment a new bind9 hits proposed with this
  test, it will fail until a new bind-dyndb-ldap is rebuilt with that
  proposed version.

  One option would perhaps be to accept a one-time DEP8-only change for
  bind9, so that we can upload both packages together, instead of
  leaving this in proposed with a blocking tag, to be picked up by the
  next bind9 "real" update?

  
  1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014503
  2. https://pagure.io/bind-dyndb-ldap/issue/225
  3. https://salsa.debian.org/dns-team/bind9/-/merge_requests/21

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650/+subscriptions


___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 2028413] Please test proposed package

2023-09-29 Thread Steve Langasek
Hello Bryce, or anyone else affected,

Accepted bind9 into lunar-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/bind9/1:9.18.18-0ubuntu0.23.04.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-lunar to verification-done-lunar. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-lunar. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  Fix Committed
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind9 source package in Lunar:
  Fix Committed


[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration

2023-09-29 Thread Steve Langasek
Hello Andreas, or anyone else affected,

Accepted bind9 into jammy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/bind9/1:9.18.18-0ubuntu0.22.04.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-jammy. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: bind9 (Ubuntu Jammy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-jammy

** Changed in: bind9 (Ubuntu Lunar)
   Status: In Progress => Fix Committed

** Tags removed: verification-done-lunar
** Tags added: verification-needed-lunar

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Committed
Status in bind-dyndb-ldap source package in Lunar:
  Fix Committed
Status in bind9 source package in Lunar:
  Fix Committed
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released



[Freeipa] [Bug 1987276] Re: certmonger - libcrypto issues with openssl3

2023-04-14 Thread Steve Langasek
Hello Diego, or anyone else affected,

Accepted certmonger into jammy-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/certmonger/0.79.14+git20211010-2ubuntu1.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-jammy. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: certmonger (Ubuntu Jammy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-jammy

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to certmonger in Ubuntu.
https://bugs.launchpad.net/bugs/1987276

Title:
  certmonger - libcrypto issues with openssl3

Status in certmonger package in Ubuntu:
  Fix Released
Status in certmonger source package in Jammy:
  Fix Committed

Bug description:
  [Impact]

  Requesting SCEP certificates crashes certmonger when it's built with
  OpenSSL 3, and it needs a patch backported to fix this.

  [Test case]

  Check that the SCEP requests succeed without the daemon crashing.

  
  [Where things could go wrong]

  This patch has been upstream for several months now, and this part of
  certmonger hasn't seen any additional commits since, so it's safe to
  say that adding this shouldn't regress things.

  
  --

  I just want to let you know that this bug is still present from 22.04
  onwards (anything that uses libssl3 as default) - bug is being tracked
  in https://pagure.io/certmonger/issue/244 - I already tested the patch
  provided and it works, but I would love to see an updated package on
  the official repository.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/1987276/+subscriptions




[Freeipa] [Bug 2003586] Re: MRE Updates 9.18.12 / 9.16.36

2023-03-17 Thread Steve Langasek
Hello Lena, or anyone else affected,

Accepted bind9 into jammy-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/bind9/1:9.18.12-0ubuntu0.22.04.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-jammy to verification-done-jammy. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-jammy. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: bind9 (Ubuntu Jammy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-jammy

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2003586

Title:
  MRE Updates 9.18.12 / 9.16.36

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  New
Status in bind9 source package in Focal:
  New
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  Fix Committed
Status in bind-dyndb-ldap source package in Kinetic:
  In Progress
Status in bind9 source package in Kinetic:
  Fix Committed

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * Kinetic (22.10): bind9 9.18.12
  * Jammy (22.04): bind9 9.18.12
  * Focal (20.04): bind9 9.16.36

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  For bind9 9.18.2-9.18.12, major changes include:

  CVE fixes (These already existed as patches but are now included as part of upstream):
  CVE-2022-1183
  CVE-2022-2795
  CVE-2022-2881
  CVE-2022-2906
  CVE-2022-3080
  CVE-2022-38178
  CVE-2022-3094
  CVE-2022-3736
  CVE-2022-3924

  Features:
  update-quota option
  named -V shows supported cryptographic algorithms
  Additional info given for recursion not available and query (cache) '...' denied outputs

  Jammy only (Kinetic already has these):
  Catalog Zones schema version 2 support in named
  DNS error support Stale Answer and Stale NXDOMAIN Answer
  remote TLS certificate verification support
  reusereport option

  Bug Fixes:
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3178
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3636
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3772
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3752
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3678
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3637
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3739
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3743
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3725
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3693
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3683
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3727
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3638
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3183
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3721
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3707
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3591
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3598
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3247
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2895
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3584
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3627
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3563
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3603
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3542
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3557
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2982
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3439
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3438
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2918
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3462
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3400
  

[Freeipa] [Bug 2003586] Re: MRE Updates 9.18.12 / 9.16.36

2023-03-17 Thread Steve Langasek
Hello Lena, or anyone else affected,

Accepted bind9 into kinetic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/bind9/1:9.18.12-0ubuntu0.22.10.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-kinetic to verification-done-kinetic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-kinetic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: bind9 (Ubuntu Kinetic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-kinetic

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2003586

Title:
  MRE Updates 9.18.12 / 9.16.36

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  New
Status in bind9 source package in Focal:
  New
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  In Progress
Status in bind-dyndb-ldap source package in Kinetic:
  In Progress
Status in bind9 source package in Kinetic:
  Fix Committed

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * Kinetic (22.10): bind9 9.18.12
  * Jammy (22.04): bind9 9.18.12
  * Focal (20.04): bind9 9.16.36

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  For bind9 9.18.2-9.18.12, major changes include:

  CVE fixes (These already existed as patches but are now included as part of upstream):
  CVE-2022-1183
  CVE-2022-2795
  CVE-2022-2881
  CVE-2022-2906
  CVE-2022-3080
  CVE-2022-38178
  CVE-2022-3094
  CVE-2022-3736
  CVE-2022-3924

  Features:
  update-quota option
  named -V shows supported cryptographic algorithms
  Additional info given for recursion not available and query (cache) '...' denied outputs

  Jammy only (Kinetic already has these):
  Catalog Zones schema version 2 support in named
  DNS error support Stale Answer and Stale NXDOMAIN Answer
  remote TLS certificate verification support
  reusereport option

  Bug Fixes:
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3178
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3636
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3772
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3752
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3678
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3637
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3739
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3743
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3725
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3693
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3683
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3727
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3638
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3183
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3721
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3707
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3591
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3598
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3247
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2895
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3584
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3627
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3563
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3603
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3542
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3557
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2982
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3439
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3438
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2918
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3462
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3400
  

[Freeipa] [Bug 2003586] Re: MRE Updates 9.18.12 / 9.16.36

2023-03-17 Thread Steve Langasek
** Description changed:

  This bug tracks an update for the bind9 package, moving to versions:
  
  * Kinetic (22.10): bind9 9.18.12
  * Jammy (22.04): bind9 9.18.12
  * Focal (20.04): bind9 9.16.36
  
  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.
  
  [Upstream changes]
  
  For bind9 9.18.2-9.18.12, major changes include:
  
  CVE fixes (These already existed as patches but are now included as part of 
upstream):
  CVE-2022-1183
  CVE-2022-2795
  CVE-2022-2881
  CVE-2022-2906
  CVE-2022-3080
  CVE-2022-38178
  CVE-2022-3094
  CVE-2022-3736
  CVE-2022-3924
  
  Features:
  update-quota option
  named -V shows supported cryptographic algorithms
  Additional info given for recursion not available and query (cache) '...' 
denied outputs
  
  Jammy only (Kinetic already has these):
  Catalog Zones schema version 2 support in named
  DNS error support Stale Answer and Stale NXDOMAIN Answer
  remote TLS certificate verification support
  reusereport option
  
  Bug Fixes:
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3178
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3636
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3772
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3752
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3678
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3637
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3739
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3743
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3725
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3693
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3683
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3727
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3638
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3183
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3721
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3707
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3591
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3598
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3247
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2895
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3584
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3627
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3563
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3603
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3542
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3557
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2982
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3439
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3438
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2918
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3462
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3400
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3402
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3152
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3415
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2506
  Jammy only:
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3327
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3380
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3302
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2931
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3242
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3020
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3128
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3145
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3184
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3205
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3244
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3248
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3142
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3200
  
  This will also fix bugs LP: #1258003, LP: #1970252, and LP: #2006972
  
  Full release notes for versions 9.18.2-9.18.12:
  https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-
  bind-9-18-12
  
  [Test Plan]
  
  DEP-8 Tests:
  
  simpletest - Confirms bind9 daemon starts successfully and dig can find
  127.0.0.1 through the default setup of bind9
  
  zonetest - Added in this update, currently in lunar. Confirms the
  functionality of named and bind9 by creating a local DNS zone and
  domain, and having dig look it up
  
  validation - This test is provided by Debian and consistently fails both
  before and after the update due to several issues. It is marked as
  flaky, and does not block autopkgtest passing overall
  
  Bug fix tests:
  
- Test for LP: #1258003 fix:
- # lxc launch images:ubuntu/{kinetic, jammy} test-bind9
- # lxc exec test-bind9
- # apt update && apt dist-upgrade -y
- # apt install dnsutils -y
- # dig google.com +nssearch +tcp
- - Before the update this leads to a crash ending 

[Freeipa] [Bug 1104954] Re: CVE-2012-5484: ipa-client security vulnerability

2021-10-13 Thread Steve Langasek
The Precise Pangolin has reached end of life, so this bug will not be
fixed for that release.

** Changed in: freeipa (Ubuntu Precise)
   Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1104954

Title:
  CVE-2012-5484: ipa-client security vulnerability

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Precise:
  Won't Fix

Bug description:
  Needs to be fixed in Ubuntu.

  Sadly CVE Identifier is still not public.

  Anyways, fixes are already public:

  See RHEL Announcement.

  Security Advisory - RHSA-2013:0189-1
  --
  Summary:
  Important: ipa-client security update

  An updated ipa-client package that fixes one security issue is now
  available for Red Hat Enterprise Linux 5.

  The Red Hat Security Response Team has rated this update as having
  important security impact. A Common Vulnerability Scoring System
  (CVSS) base score, which gives a detailed severity rating, is
  available from the CVE link in the References section.

  
  Description:
  Red Hat Identity Management is a centralized authentication, identity
  management and authorization solution for both traditional and
  cloud-based enterprise environments.

  A weakness was found in the way IPA clients communicated with IPA
  servers when initially attempting to join IPA domains. As there was no
  secure way to provide the IPA server's Certificate Authority (CA)
  certificate to the client during a join, the IPA client enrollment
  process was susceptible to man-in-the-middle attacks. This flaw could
  allow an attacker to obtain access to the IPA server using the
  credentials provided by an IPA client, including administrative access
  to the entire domain if the join was performed using an
  administrator's credentials. (CVE-2012-5484)

  Note: This weakness was only exposed during the initial client join to
  the realm, because the IPA client did not yet have the CA certificate
  of the server. Once an IPA client has joined the realm and has
  obtained the CA certificate of the IPA server, all further
  communication is secure. If a client were using the OTP (one-time
  password) method to join to the realm, an attacker could only obtain
  unprivileged access to the server (enough to only join the realm).

  Red Hat would like to thank Petr Menšík for reporting this issue.

  When a fix for this flaw has been applied to the client but not yet
  the server, ipa-client-install, in unattended mode, will fail if you
  do not have the correct CA certificate locally, noting that you must
  use the "--force" option to insecurely obtain the certificate. In
  interactive mode, the certificate will try to be obtained securely
  from LDAP. If this fails, you will be prompted to insecurely download
  the certificate via HTTP. In the same situation when using OTP, LDAP
  will not be queried and you will be prompted to insecurely download
  the certificate via HTTP.

  Users of ipa-client are advised to upgrade to this updated package,
  which corrects this issue.

  
  References:
  https://access.redhat.com/security/updates/classification/#important

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1104954/+subscriptions




[Freeipa] [Bug 1858967] Re: RM: dogtag-pki RC buggy, not in testing or stable

2020-01-08 Thread Steve Langasek
Removing packages from focal:
dogtag-pki 10.7.3-4 in focal
dogtag-pki 10.7.3-4 in focal amd64
dogtag-pki 10.7.3-4 in focal arm64
dogtag-pki 10.7.3-4 in focal armhf
dogtag-pki 10.7.3-4 in focal i386
dogtag-pki 10.7.3-4 in focal ppc64el
dogtag-pki 10.7.3-4 in focal s390x
dogtag-pki-console-theme 10.7.3-4 in focal amd64
dogtag-pki-console-theme 10.7.3-4 in focal arm64
dogtag-pki-console-theme 10.7.3-4 in focal armhf
dogtag-pki-console-theme 10.7.3-4 in focal i386
dogtag-pki-console-theme 10.7.3-4 in focal ppc64el
dogtag-pki-console-theme 10.7.3-4 in focal s390x
dogtag-pki-server-theme 10.7.3-4 in focal amd64
dogtag-pki-server-theme 10.7.3-4 in focal arm64
dogtag-pki-server-theme 10.7.3-4 in focal armhf
dogtag-pki-server-theme 10.7.3-4 in focal i386
dogtag-pki-server-theme 10.7.3-4 in focal ppc64el
dogtag-pki-server-theme 10.7.3-4 in focal s390x
libsymkey-java 10.7.3-4 in focal amd64
libsymkey-java 10.7.3-4 in focal arm64
libsymkey-java 10.7.3-4 in focal armhf
libsymkey-java 10.7.3-4 in focal i386
libsymkey-java 10.7.3-4 in focal ppc64el
libsymkey-java 10.7.3-4 in focal s390x
libsymkey-jni 10.7.3-4 in focal amd64
libsymkey-jni 10.7.3-4 in focal arm64
libsymkey-jni 10.7.3-4 in focal armhf
libsymkey-jni 10.7.3-4 in focal ppc64el
libsymkey-jni 10.7.3-4 in focal s390x
pki-base 10.7.3-4 in focal amd64
pki-base 10.7.3-4 in focal arm64
pki-base 10.7.3-4 in focal armhf
pki-base 10.7.3-4 in focal i386
pki-base 10.7.3-4 in focal ppc64el
pki-base 10.7.3-4 in focal s390x
pki-base-java 10.7.3-4 in focal amd64
pki-base-java 10.7.3-4 in focal arm64
pki-base-java 10.7.3-4 in focal armhf
pki-base-java 10.7.3-4 in focal i386
pki-base-java 10.7.3-4 in focal ppc64el
pki-base-java 10.7.3-4 in focal s390x
pki-ca 10.7.3-4 in focal amd64
pki-ca 10.7.3-4 in focal arm64
pki-ca 10.7.3-4 in focal armhf
pki-ca 10.7.3-4 in focal i386
pki-ca 10.7.3-4 in focal ppc64el
pki-ca 10.7.3-4 in focal s390x
pki-console 10.7.3-4 in focal amd64
pki-console 10.7.3-4 in focal arm64
pki-console 10.7.3-4 in focal armhf
pki-console 10.7.3-4 in focal i386
pki-console 10.7.3-4 in focal ppc64el
pki-console 10.7.3-4 in focal s390x
pki-javadoc 10.7.3-4 in focal amd64
pki-javadoc 10.7.3-4 in focal arm64
pki-javadoc 10.7.3-4 in focal armhf
pki-javadoc 10.7.3-4 in focal i386
pki-javadoc 10.7.3-4 in focal ppc64el
pki-javadoc 10.7.3-4 in focal s390x
pki-kra 10.7.3-4 in focal amd64
pki-kra 10.7.3-4 in focal arm64
pki-kra 10.7.3-4 in focal armhf
pki-kra 10.7.3-4 in focal i386
pki-kra 10.7.3-4 in focal ppc64el
pki-kra 10.7.3-4 in focal s390x
pki-ocsp 10.7.3-4 in focal amd64
pki-ocsp 10.7.3-4 in focal arm64
pki-ocsp 10.7.3-4 in focal armhf
pki-ocsp 10.7.3-4 in focal i386
pki-ocsp 10.7.3-4 in focal ppc64el
pki-ocsp 10.7.3-4 in focal s390x
pki-server 10.7.3-4 in focal amd64
pki-server 10.7.3-4 in focal arm64
pki-server 10.7.3-4 in focal armhf
pki-server 10.7.3-4 in focal ppc64el
pki-server 10.7.3-4 in focal s390x
pki-tks 10.7.3-4 in focal amd64
pki-tks 10.7.3-4 in focal arm64
pki-tks 10.7.3-4 in focal armhf
pki-tks 10.7.3-4 in focal i386
pki-tks 10.7.3-4 in focal ppc64el
pki-tks 10.7.3-4 in focal s390x
pki-tools 10.7.3-4 in focal amd64
pki-tools 10.7.3-4 in focal arm64
pki-tools 10.7.3-4 in focal armhf
pki-tools 10.7.3-4 in focal ppc64el
pki-tools 10.7.3-4 in focal s390x
pki-tps 10.7.3-4 in focal amd64
pki-tps 10.7.3-4 in focal arm64
pki-tps 10.7.3-4 in focal armhf
pki-tps 10.7.3-4 in focal i386
pki-tps 10.7.3-4 in focal ppc64el
pki-tps 10.7.3-4 in focal s390x
pki-tps-client 10.7.3-4 in 

[Freeipa] [Bug 1858967] Re: RM: dogtag-pki RC buggy, not in testing or stable

2020-01-08 Thread Steve Langasek
Removing packages from focal:
freeipa 4.8.3-1 in focal
freeipa-admintools 4.8.3-1 in focal amd64
freeipa-admintools 4.8.3-1 in focal arm64
freeipa-admintools 4.8.3-1 in focal armhf
freeipa-admintools 4.8.3-1 in focal ppc64el
freeipa-admintools 4.8.3-1 in focal s390x
freeipa-client 4.8.3-1 in focal amd64
freeipa-client 4.8.3-1 in focal arm64
freeipa-client 4.8.3-1 in focal armhf
freeipa-client 4.8.3-1 in focal ppc64el
freeipa-client 4.8.3-1 in focal s390x
freeipa-client-samba 4.8.3-1 in focal amd64
freeipa-client-samba 4.8.3-1 in focal arm64
freeipa-client-samba 4.8.3-1 in focal armhf
freeipa-client-samba 4.8.3-1 in focal ppc64el
freeipa-client-samba 4.8.3-1 in focal s390x
freeipa-common 4.8.3-1 in focal amd64
freeipa-common 4.8.3-1 in focal arm64
freeipa-common 4.8.3-1 in focal armhf
freeipa-common 4.8.3-1 in focal i386
freeipa-common 4.8.3-1 in focal ppc64el
freeipa-common 4.8.3-1 in focal s390x
freeipa-server 4.8.3-1 in focal amd64
freeipa-server 4.8.3-1 in focal arm64
freeipa-server 4.8.3-1 in focal armhf
freeipa-server 4.8.3-1 in focal ppc64el
freeipa-server 4.8.3-1 in focal s390x
freeipa-server-dns 4.8.3-1 in focal amd64
freeipa-server-dns 4.8.3-1 in focal arm64
freeipa-server-dns 4.8.3-1 in focal armhf
freeipa-server-dns 4.8.3-1 in focal i386
freeipa-server-dns 4.8.3-1 in focal ppc64el
freeipa-server-dns 4.8.3-1 in focal s390x
freeipa-server-trust-ad 4.8.3-1 in focal amd64
freeipa-server-trust-ad 4.8.3-1 in focal arm64
freeipa-server-trust-ad 4.8.3-1 in focal armhf
freeipa-server-trust-ad 4.8.3-1 in focal ppc64el
freeipa-server-trust-ad 4.8.3-1 in focal s390x
freeipa-tests 4.8.3-1 in focal amd64
freeipa-tests 4.8.3-1 in focal arm64
freeipa-tests 4.8.3-1 in focal armhf
freeipa-tests 4.8.3-1 in focal i386
freeipa-tests 4.8.3-1 in focal ppc64el
freeipa-tests 4.8.3-1 in focal s390x
python3-ipaclient 4.8.3-1 in focal amd64
python3-ipaclient 4.8.3-1 in focal arm64
python3-ipaclient 4.8.3-1 in focal armhf
python3-ipaclient 4.8.3-1 in focal i386
python3-ipaclient 4.8.3-1 in focal ppc64el
python3-ipaclient 4.8.3-1 in focal s390x
python3-ipalib 4.8.3-1 in focal amd64
python3-ipalib 4.8.3-1 in focal arm64
python3-ipalib 4.8.3-1 in focal armhf
python3-ipalib 4.8.3-1 in focal i386
python3-ipalib 4.8.3-1 in focal ppc64el
python3-ipalib 4.8.3-1 in focal s390x
python3-ipaserver 4.8.3-1 in focal amd64
python3-ipaserver 4.8.3-1 in focal arm64
python3-ipaserver 4.8.3-1 in focal armhf
python3-ipaserver 4.8.3-1 in focal i386
python3-ipaserver 4.8.3-1 in focal ppc64el
python3-ipaserver 4.8.3-1 in focal s390x
python3-ipatests 4.8.3-1 in focal amd64
python3-ipatests 4.8.3-1 in focal arm64
python3-ipatests 4.8.3-1 in focal armhf
python3-ipatests 4.8.3-1 in focal i386
python3-ipatests 4.8.3-1 in focal ppc64el
python3-ipatests 4.8.3-1 in focal s390x
Comment: removed from testing (Debian bugs #920725, #921926), depends on broken dogtag-pki
1 package successfully removed.


** Changed in: freeipa (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1858967

Title:
  RM: dogtag-pki RC buggy, not in testing or stable

Status in dogtag-pki package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  RM: RC buggy, not in testing or stable

  pki-base: Does not work with Java 11
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921926
  Does not support TLS 1.3/Java 11
  https://pagure.io/dogtagpki/issue/3088

  pki-base-java: Depends on openjdk-8-jre-headless which will not be in buster
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920725

  pki-server: Dogtag stopped starting after libnss3 upgrade to 2:3.35-2
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920725

  Please remove dogtag-pki and its only reverse-depends freeipa

  nss now uses tls v1.2 min, and v1.3 max, 

[Freeipa] [Bug 1764744] Re: Support of freeipa-server for s390x

2018-04-17 Thread Steve Langasek
** Changed in: freeipa (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1764744

Title:
  Support of freeipa-server for s390x

Status in Ubuntu on IBM z Systems:
  Triaged
Status in freeipa package in Ubuntu:
  Incomplete

Bug description:
  freeipa fails to configure on s390x. (Configuration being handled by
  the freeipa-server-install script) This script has two failure
  points. The first is below:

  https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1600634
  describes a known bug but it was only resolved for x86_64.

  In the failing scenario the install log will have entries like the
  following:

  2018-04-10T18:53:01Z DEBUG nsslapd-pluginenabled:
  2018-04-10T18:53:01Z DEBUG  on
  2018-04-10T18:53:01Z DEBUG nsslapd-pluginpath:
  2018-04-10T18:53:01Z DEBUG  /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so
  2018-04-10T18:53:01Z DEBUG nsslapd-pluginversion:
  2018-04-10T18:53:01Z DEBUG  0.8

  
  Obviously on s390x
  /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so will
  never be found.

  Now if I create a symbolic link with the above name that is linked to
  the same location but with s390x where x86_64 is located, the install
  will proceed past this failing location.

  The second failure point in the freeipa-server-install script is near
  the end, after the script has completed the freeipa-server-install and
  where it attempts to install the freeipa-client.  The client install
  appears to fail because of a problem with certificates related to the
  server install.

  2018-04-17T12:14:59Z ERROR Cannot connect to the server due to generic
  error: Insufficient access: SASL(-4): no mechanism available: No
  worthy mechs found (Unknown authentication method)

  The above appears to be related to an issue with the key database

  # certutil -L
  certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

  # ipa cert-show 1
  ipa: ERROR: cannot connect to 'https://fipas1.pdl.pok.ibm.com/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

  # ipa user-add 
  First name: Richard 
  >>> First name: Leading and trailing spaces are not allowed
  First name: Richard
  Last name: Young
  User login [ryoung]: ryoung1
  ipa: ERROR: cannot connect to 'https://fipas1.pdl.pok.ibm.com/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1764744/+subscriptions

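A check for the first failure point described in the bug report above, as an added example that is not part of the original report or of FreeIPA: it scans install-log text in the quoted format for `nsslapd-pluginpath` values that sit under another architecture's multiarch directory. The function names, the constructed sample log (with one value wrapped onto its own line, as mail line-wrapping can produce) and the `s390x-linux-gnu` host triplet are assumptions.

```python
import re

# Constructed sample in the format of the install log quoted in the report.
SAMPLE_LOG = "\n".join([
    "2018-04-10T18:53:01Z DEBUG nsslapd-pluginenabled:",
    "2018-04-10T18:53:01Z DEBUG  on",
    "2018-04-10T18:53:01Z DEBUG nsslapd-pluginpath:",
    "2018-04-10T18:53:01Z DEBUG  ",
    "/usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so",
    "2018-04-10T18:53:01Z DEBUG nsslapd-pluginversion:",
    "2018-04-10T18:53:01Z DEBUG  0.8",
])

# One log entry: ISO timestamp, level, then the message text.
ENTRY = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ [A-Z]+ ?(.*)$")
# Debian/Ubuntu multiarch library directory, e.g. /usr/lib/x86_64-linux-gnu/
TRIPLET = re.compile(r"^/usr/lib/([^/]+-linux-gnu[^/]*)/")


def plugin_paths(log_text):
    """Yield each nsslapd-pluginpath value, rejoining wrapped lines."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(m.group(1).strip())
        elif entries and line.strip():
            # No timestamp: continuation of the previous entry.
            entries[-1] += line.strip()
    # The attribute name is logged first, its value in the next entry.
    for name, value in zip(entries, entries[1:]):
        if name == "nsslapd-pluginpath:":
            yield value


def foreign_arch_paths(log_text, host_triplet):
    """Return (logged_path, path_for_host) pairs for plugin paths that
    live under a multiarch directory other than the host's."""
    findings = []
    for path in plugin_paths(log_text):
        m = TRIPLET.match(path)
        if m and m.group(1) != host_triplet:
            fixed = path.replace(m.group(1), host_triplet, 1)
            findings.append((path, fixed))
    return findings


if __name__ == "__main__":
    # Assumed host triplet for s390x; pass the real one for other hosts.
    for logged, expected in foreign_arch_paths(SAMPLE_LOG, "s390x-linux-gnu"):
        print(f"foreign plugin path: {logged}\n  host equivalent: {expected}")
```
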


[Freeipa] [Bug 1716842] Re: dogtag-pki needs porting work for tomcat8

2017-09-19 Thread Steve Langasek
I don't understand what this bug is about and how you have determined
that porting work is required.  dogtag-pki build-depends on
libtomcat8-java, and has built successfully.  There appears to be an
autopkgtest problem on armhf, but that is not the issue you reported
here.

** Changed in: dogtag-pki (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1716842

Title:
  dogtag-pki needs porting work for tomcat8

Status in dogtag-pki package in Ubuntu:
  Incomplete
Status in freeipa package in Ubuntu:
  New
Status in dogtag-pki package in Debian:
  New

Bug description:
  dogtag-pki needs porting work for tomcat8, demoting to proposed for
  now, plus the freeipa dependency.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1716842/+subscriptions
