On Thu, 2020-03-19 at 09:44 +, Olivier Tilloy wrote:
> It looks like symlinking firefox and thunderbird's own copies of
> libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to
> fix this bug, as far as Mozilla's products are concerned.
>
> Before I proceed to doing this, I'd w
Now https://gitlab.gnome.org/GNOME/gnome-shell/issues/2105
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1609700
Title:
username is not saved in openconnect conne
That build seems not to fix it. I tried to build locally to bisect, but
can't seem to get the local build to work at all. May have to leave this
to the NM maintainers.
--
Please test the Fedora 30 build with that commit reverted, at
https://koji.fedoraproject.org/koji/taskinfo?taskID=36857342
--
I wonder if this regression is caused by
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=009f7560867e939
?
--
According to https://bugs.launchpad.net/bugs/1609700 this bug has
reoccurred in f30.
--
https://bugs.launchpad.net/bugs/1609700
Title:
username is not
*** Bug 1705711 has been marked as a duplicate of this bug. ***
--
https://bugs.launchpad.net/bugs/1609700
Title:
username is not saved in openconnect
** Package changed: network-manager-openconnect (Ubuntu) => gnome-shell
(Ubuntu)
--
https://bugs.launchpad.net/bugs/1838838
Title:
username is not save
I moved it to NetworkManager because that's where the regression is.
There's not a lot we can do about it in NetworkManager-openconnect.
--
** Package changed: network-manager-openconnect (Ubuntu) => network-manager (Ubuntu)
--
https://bugs.launchpad.net/bugs/1838838
Title:
username is not
@kvasko yes, it works here. Are you sure that's the version of
libnssckbi.so that is being used? There are lots; I've replaced them
all...
--
I have worked out the problem with the new NetworkManager which required
me to set ipv4.dns-priority=-1 (which, in turn, messes things up for
those with fresh installs that don't get the new NetworkManager).
The new NM sets ipv4.dns-search=~. automatically for full-tunnel VPNs
but it doesn't also
Any word on when this CVE will be fixed?
In the meantime I have put the 1.10.14-0ubuntu2 package into an apt
repository at http://david.woodhou.se/cve-2018-1000135/ for users who
need it. I couldn't work out how to copy it into a PPA without
rebuilding it.
In the short term can someone please at
> That's weird, do you understand why? The update was deleted so you should be
> back to initial
> situation, we had no change to the previous package build
Other package changes? Certainly systemd-resolver although we don't use
that (because of a previous VPN DNS leak problem) we use dnsmasq.
Do we have any idea when this will be fixed? Most of my users used to
get away with the DNS leakage and it was "only" a security problem but
stuff actually worked. Then the NM and other updates were shipped, we
set ipv4.dns-priority=-1 and ipv4.dns-search=~. and it all worked fine.
Then the NM upda
@ddstreet We don't use systemd-resolver here. It's fairly trivial to set
up a VPN service; the openconnect 'make check' uses ocserv
automatically, for example. You shouldn't have difficulty reproducing
this locally.
--
And (in case any of my colleagues are paying attention and inclined to
do it before the next time I get to spend any real time in front of a
computer, next week), without the dns-priority and dns-search settings
that made it work again after the recent NM update.
--
Till, you want that for the case where dnsmasq is being used and is
misbehaving?
--
https://bugs.launchpad.net/bugs/1754671
Title:
Full-tunnel VPN DNS leakage
On the 1.10.14 regression simply making those dns-priority/dns-search
settings the *default* behaviour for a full-tunnel VPN would
appear to be the correct thing to do (i.e. use the DNS of a full-tunnel
VPN for *all* lookups), and I think it should resolve the problems
people were seeing.
--
On the switch to using dnsmasq: that decision predates my tenure so I
have limited visibility. I can try to get our IT team to expend effort
in moving to systemd-resolved and see what breaks. It may even be
completely unnecessary in xenial, and is merely inherited to make our
bionic setups less dif
Dammit, "completely unnecessary in bionic but inherited from xenial"...
--
https://bugs.launchpad.net/bugs/1754671
Title:
Full-tunnel VPN DNS leakage regressio
This is Bionic.
After last week's update to 1.10.14-0ubuntu2 all my VPN users (who are
using dnsmasq) reported that DNS stopped working for them while they
were on the VPN. Some internal names were looked up correctly, others
weren't.
I resolved it for them as follows:
$ sudo nmcli con modify
We aren't using systemd-resolver for various historical reasons; we are
using dnsmasq which should be expected to work. It isn't, but we have
manually added the dns-priority=-1;dns-search=~. settings which make it
work, as an emergency deployment when the latest NM update broke things
for everyone.
These systems are using dnsmasq not systemd-resolver. This was done for
historical reasons; I'm not sure of the specific bug which caused that
choice.
--
I am receiving reports that it isn't fixed in 18.04 either. Users are
still seeing DNS lookups on the local network, until they manually edit
the VPN config to include:
[ipv4]
dns-priority=-1
dns-search=~.;
I thought that wasn't going to be necessary?
--
@seb128 please see "In 16.04 the NetworkManager package used to carry
this patch..." in the bug description above.
--
Is there a 16.04 package? This was a regression there caused by an
earlier update.
I have users reporting the same bizarre behaviour I wasn't able to
clearly describe before — essentially, DNS being sent out seemingly
random interfaces (sometimes VPN, sometimes local). My advice to just
install th
Not sure what happened there. It was looking up *some* names in the
$COMPANY.com domain on the VPN, but others not, consistently. I couldn't
see a pattern.
I have manually set ipv4.dns-search="~." and ipv4.dns-priority=-1 and
now it does seem to be behaving. However, this shouldn't be necessary.
T
Hm, that didn't last long. Now it isn't looking up *anything* in the VPN
domains. It's all going to the local VPN server. I don't know what
changed.
--
network-manager-1.10.14-0ubuntu1 does seem to fix the DNS problem here;
thanks.
--
https://bugs.launchpad.net/bugs/1754671
Title:
Full-tunnel VPN DNS l
Any progress on fixing this?
--
https://bugs.launchpad.net/bugs/1647285
Title:
SSL trust not system-wide
Status in ca-certificates package in Ubuntu:
Confir
This is CVE-2018-1000135. For some reason the 'Link to CVE' option above
doesn't seem to work.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000135
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000135
--
*** This bug is a security vulnerability ***
Public security bug reported:
In 16.04 the NetworkManager package used to carry this patch:
http://bazaar.launchpad.net/~network-manager/network-manager/ubuntu/view/head:/debian/patches/Filter-DNS-servers-to-add-to-dnsmasq-based-on-availa.patch
It fix
I don't think this should be considered a 'feature request'. If you have
a full-tunnel VPN, your employer will *expect* all your network traffic
to go via the VPN as if you were dialled directly into the corporate
network. Allowing some of the DNS traffic to "escape" to be seen by
potentially malic
cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180
https://lists.freedesktop.org/archives/p11-glue/2013-June/000331.html
** Bug watch added: Debian Bug tracker #741005
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005
**
This appears to still be broken in 16.04.
--
https://bugs.launchpad.net/bugs/420411
Title:
vpn connection handshake times out too soon
Status in netwo
I believe NSS wants these patches backported from 3.30:
https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
Firefox has its own copy of NSS which I think as of Firefox 54 should be fine.
Thunderbird also needs fixing, I think.
** Bug watch added: Mozilla Bugzilla #1334976
https://bugzilla.moz
I believe we need to update p11-kit to v0.23.4 to make the key pinning
work correctly in the recommended configuration, by adding the
CKA_NSS_MOZILLA_CA_POLICY attribute.
https://bugs.freedesktop.org/show_bug.cgi?id=99453
https://bugzilla.mozilla.org/show_bug.cgi?id=1324096
** Bug watch added: fr
This of course means that even if I wanted to work around bug 1647285
(where apps using NSS don't honour the system SSL trust settings) by
manually adding the company certs to /etc/pki/nssdb, applications can't
even use *that*...
--
Public bug reported:
Ubuntu 16.04 appears to ship with libnsssysinit.so configured in
/etc/pki/nssdb as it should be, but the library isn't *present*. So when
applications such as Evolution attempt to open it, they fail:
(evolution:20974): camel-WARNING **: Failed to initialize NSS SQL
database i
Reproducer
See dwmw2's (reporter of the bug) comment #3 :
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1648901/comments/3
[Regression Potential]
* none expected Y and Z release already has the krb5 upstream patch.
* Debian has the patch as well.
[Other Info]
* Upstrea
On 16.04. Apologies, I looked but couldn't see where Launchpad expects
me to enter that information.
--
https://bugs.launchpad.net/bugs/1648901
Title:
SPNEGO cras
Sure, I can attempt to test. It needs Kerberos to fail, while another
mechanism is possible. So fix up the packaging errors noted in bug
1648898 so that GSS-NTLMSSP is actually registered properly, then just
KRB5CCNAME=/dev/null google-chrome $SOME_URL_WHICH_USES_NEGOTIATE_AUTH
--
This is actually a NetworkManager bug. As noted in bug 1648905 it's
fixed upstream by
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=nm-1-2&id=bb45adeda0bf427ada23b09daf970b0757e82d60
** Also affects: network-manager (Ubuntu)
Importance: Undecided
Status: New
** Bu
*** This bug is a duplicate of bug 1609700 ***
https://bugs.launchpad.net/bugs/1609700
Actually, this is probably a duplicate of bug 1609700
** This bug has been marked a duplicate of bug 1609700
username is not saved in openconnect connection dialog
--
When do we get a fix for 16.04?
--
https://bugs.launchpad.net/bugs/1648905
Title:
VPN username and settings not saved
Status in network-manager packag
The Mozilla bugs you link are a bit of a red herring. They refer to an
abortive attempt by Mozilla/NSS to have a 'shared system database' in
sql:/etc/pki/nssdb. The idea is that applications specify that as their
NSS database and although it's obviously read-only, it automatically
adds the user's d
Public bug reported:
The OpenConnect VPN auth-dialog doesn't remember usernames and other
settings.
See discussion (and fix) in
https://bugzilla.redhat.com/show_bug.cgi?id=1332491
** Affects: network-manager (Ubuntu)
Importance: Undecided
Status: New
--
Public bug reported:
Chrome (and other things) crash when Kerberos fails to authenticate:
https://bugs.chromium.org/p/chromium/issues/detail?id=554905
This was fixed in MIT krb5 in January:
https://github.com/krb5/krb5/pull/385
Thread 22 "Chrome_IOThread" received signal SIGSEGV, Segmentation fa
https://bugzilla.gnome.org/show_bug.cgi?id=723084
** Bug watch added: GNOME Bug Tracker #723084
https://bugzilla.gnome.org/show_bug.cgi?id=723084
--
Public bug reported:
When opencryptoki is installed, it creates a symlink from /etc/pkcs11 to
/var/lib/opencryptoki, which is readable only by root.
This means that anything using p11-kit to find the PKCS#11 modules which
are configured to be available in the system (which is basically any
well-b
It does seem that p11-kit-trust.so is working correctly. If I just make
a symlink from libnssckbi.so to it, corporate trust installed by
update-ca-certificates *does* work in Firefox.
--
Public bug reported:
When I install a corporate CA trust root with update-ca-certificates, it
doesn't seem to work everywhere. Various things like Firefox, Evolution,
Chrome, etc. all fail to trust the newly-installed trusted CA.
This ought to work, and does on other distributions. In p11-kit the
Is there an upstream bug/RFE filed for this?
--
https://bugs.launchpad.net/bugs/893024
Title:
Support 802.1x auth requirement detection and fallback
S