[Touch-packages] [Bug 2077576] Re: SSH client doesn't handle properly non-ASCII chars
This change makes me uneasy: - I see no terminal-aware filtering applied in the notify_start() -> xvasprintf() -> writemsg() -> write() path. The remote server may not be entirely untrusted but it's also not exactly trusted, either, especially on the first use. There's a long and glorious history of surprising outcomes due to terminal escape sequences https://www.cyberark.com/resources/threat-research-blog/dont-trust-this- title-abusing-terminal-emulators-with-ansi-escape-characters - I'm not sure it's even necessary: my phone was easily able to read pure-ascii QR codes as easily as the (admittedly much better looking) utf-8 based codes. Try a few: sudo apt install qrencode u=`cat /proc/sys/kernel/random/uuid` ; for t in ANSI ANSI256 ASCII ASCIIi UTF8 ANSIUTF8 ; do qrencode -t $t $u ; done ; echo $u ; unset u Are ascii-encoded qr codes known to be insufficient? - As for the actual code changes, they seemed fairly straightforward, and I found no issues. I'm very wary about undoing a safety mechanism from the past, put in place by people who thought about this significantly more than I have. - Upstream might have been engaging for a while but now appears entirely silent. This reminds me too much of dpkg+zstd, where a similar train of engagement lead to Ubuntu forking the dpkg ecosystem and carrying a patch without a clear way to reunify the ecosystem. Will we do the same to OpenSSH? (We might have already passed this point if we chose to ship this in Noble rather than wait for Oracular to test this out.) Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. 
https://bugs.launchpad.net/bugs/2077576 Title: SSH client doesn't handle properly non-ASCII chars Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Focal: Incomplete Status in openssh source package in Jammy: Incomplete Status in openssh source package in Noble: Fix Released Bug description: [ Impact ] Non-ascii visible chars (including back-slashes, new lines and so) are not properly rendered by clients, showing their octal visualization. Such as: Hello SSHD \\ We love \360\237\215\225! Instead of: Hello SSHD \ We love 🍕! This is particularly an issue when a server has configured keyboard interactive authentication and a PAM module wants to show non-ASCII characters such as a QR code for web authentication: When using an ubuntu server running authd for web authentication we may end up having the login qrcode rendered such as \210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210\342\226\210 https://ubuntu.com 1337 Which is clearly unreadable. [ Test case ] ## Server preparation Enable PAM and keyboard interactive authentication in a ssh server: Add a configuration file such as: /etc/ssh/sshd_config.d/test-ssh-pam.conf Containing: UsePAM yes KbdInteractiveAuthentication yes # This was working already; here to check potential regressions ForceCommand bash -c "echo Hello from SSHD \ We also love 🍕!; $SHELL" It's also suggested to check for regressions using a `Banner` option in sshd, pointing to a file with utf-8 contents. Restart the server: sudo systemctl restart ssh.service Edit the sshd PAM configuration file, adding as first line: authrequisite pam_echo.so Hello SSHD \ We love 🍕! 
Can be done with the command: sudo sed '1 iauthrequisite pam_echo.so Hello SSHD! \\ We love 🍕!' \ -i /etc/pam.d/sshd ## Client test In the same host: ssh -o PubkeyAuthentication=no \ -o PasswordAuthentication=no \ -o PreferredAuthentications=keyboard-interactive \ $USER@localhost The client should show: Hello SSHD \ We love 🍕! ($USER@localhost) Password: ... Hello from SSHD \ We also love 🍕! Retry the same with another host and without keyboard authentication enabled in the server side. To verify the fix in more complex scenario it's possible to follow the instructions of configuring authd: - https://github.com/ubuntu/authd/wiki/05--How%E2%80%90to-log-in-over-SSH Once authd is configured, the user should be able to scan a QrCode from a ssh session. ## Cleanup Revert the changes done in the cleanup phase, after test is done sudo sed '/pam_echo\.so/d' -i /etc/pam.d/sshd sudo rm /etc/ssh/sshd_config.d/test-ssh-pam.conf [ Regression potential ] SSH info messages are not shown by the client. Even though those aren't covered by this change, it's important to check for regressions in an
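
The reply above asks for terminal-aware filtering of server-supplied text before it reaches write(). The following is an added example, not code from OpenSSH or from the patch under discussion, of one such filter in C: it passes well-formed UTF-8 through unchanged and renders control characters (including ESC and the C1 range) and malformed bytes in the same \ooo octal form shown in the bug description. The function names, and the policy of allowing only newline and tab among the control characters, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Decode one UTF-8 sequence from s (n bytes available). Returns the sequence
 * length (1-4) and stores the code point in *cp, or returns 0 if the bytes
 * are malformed: truncated, overlong, a surrogate, or above U+10FFFF.
 */
static size_t utf8_decode(const unsigned char *s, size_t n, unsigned long *cp)
{
    unsigned long c, min;
    size_t len, i;

    if (n == 0)
        return 0;
    if (s[0] < 0x80) {
        *cp = s[0];
        return 1;
    }
    if ((s[0] & 0xE0) == 0xC0) { len = 2; c = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; c = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; c = s[0] & 0x07; min = 0x10000; }
    else
        return 0;               /* stray continuation byte or invalid lead */
    if (n < len)
        return 0;
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min || c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
        return 0;
    *cp = c;
    return len;
}

/* Policy (an assumption of this example): newline and tab are the only
 * control characters a remote message may send to the terminal. */
static int cp_is_safe(unsigned long cp)
{
    if (cp == '\n' || cp == '\t')
        return 1;
    if (cp < 0x20 || cp == 0x7F)        /* C0 controls, including ESC; DEL */
        return 0;
    if (cp >= 0x80 && cp <= 0x9F)       /* C1 controls, including CSI U+009B */
        return 0;
    return 1;
}

/*
 * Copy in[0..inlen) to out, keeping safe UTF-8 and replacing every other
 * byte with a four-character \ooo octal escape. Returns the number of bytes
 * written (excluding the NUL), or (size_t)-1 if out is too small.
 */
size_t sanitize_for_terminal(const char *in, size_t inlen,
                             char *out, size_t outsz)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t i = 0, o = 0;

    while (i < inlen) {
        unsigned long cp;
        size_t len = utf8_decode(s + i, inlen - i, &cp);

        if (len > 0 && cp_is_safe(cp)) {
            if (o + len >= outsz)       /* need len bytes plus the NUL */
                return (size_t)-1;
            memcpy(out + o, s + i, len);
            o += len;
            i += len;
        } else {
            if (o + 4 >= outsz)         /* need 4 bytes plus the NUL */
                return (size_t)-1;
            snprintf(out + o, 5, "\\%03o", (unsigned int)s[i]);
            o += 4;
            i += 1;                     /* escape one byte, then resync */
        }
    }
    if (o >= outsz)
        return (size_t)-1;
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: a title-setting escape sequence followed by
     * the UTF-8 text from the bug's test case. */
    const char msg[] = "\x1b]0;title\x07Hello SSHD \\ We love \xF0\x9F\x8D\x95!\n";
    char out[128];

    if (sanitize_for_terminal(msg, sizeof(msg) - 1, out, sizeof(out)) == (size_t)-1)
        return 1;
    fputs(out, stdout);
    return 0;
}
```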
[Touch-packages] [Bug 2062667] Re: Fails on (and should be removed from) raspi desktop
I'm having trouble seeing what the consequences are:

> the result is a permanently failed service

vs

> this is was a major annoyance on my m2 air after upgrading to noble

Was it more than a red line in systemctl status output? Does it have annoying logging behaviour or break some other service if it isn't running?

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/2062667

Title:
  Fails on (and should be removed from) raspi desktop

Status in protection-domain-mapper package in Ubuntu:
  Confirmed
Status in qrtr package in Ubuntu:
  Confirmed
Status in ubuntu-meta package in Ubuntu:
  Confirmed

Bug description:
  The protection-domain-mapper package (and qrtr-tools) are both installed by default on the Ubuntu Desktop for Raspberry Pi images, thanks to their inclusion in the desktop-minimal seed for arm64. However, there's no hardware that they target on these platforms, and the result is a permanently failed service (pd-mapper.service).

  It appears these were added to support the X13s laptop [1]. I've attempted to work around the issue by excluding these packages in the desktop-raspi seed (experimentally in my no-pd-mapper branch [2]) but this does not work (the packages still appear in the built images).

  Ideally, these packages should be moved into a hardware-specific seed for the X13s (and/or whatever other laptops need these things). Alternatively, at a bare minimum, the package should have some conditional that causes the service not to attempt to start when it's not on Qualcomm hardware.

  [1]: https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/ubuntu/commit/desktop-minimal?id=afe820cd49514896e96d02303298ed873d8d7f8a
  [2]: https://git.launchpad.net/~waveform/ubuntu-seeds/+git/ubuntu/commit/?id=875bddac19675f7e971f56d9c5d39a9912dc6e38

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/protection-domain-mapper/+bug/2062667/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2056627] Re: PHPStorm crashes when opening a project
The unfortunate thing with AppImage is that there's no easy default path that can be confined as can be done for other systems. So you'll need to construct an AppArmor profile for your applications following the instructions at
https://discourse.ubuntu.com/t/noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056627

Title:
  PHPStorm crashes when opening a project

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Filing mostly in case anyone else hits this and is looking for workarounds:

  Since the Update to 24.04 PHPStorm crashes on open for me. I think when it tries to preview a markdown file, like a README.md which is shown when opening a project.

  ```
  [0309/094602.913394:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/user/bin/phpstorm/jbr/lib/chrome-sandbox is owned by root and has mode 4755.
  ```

  Workaround 1 (won't persist reboots, needs root):

      sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
      sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

  Workaround 2 (persists and doesn't need root):
  thanks to https://youtrack.jetbrains.com/issue/IDEA-313202/IDE-crashes-due-to-chrome-sandbox-is-owned-by-root-and-has-mode-error-when-IDE-is-launching-the-JCEF-in-a-sandbox#focus=Comments-27-7059083.0-0

  * Run `/bin/phpstorm.sh dontReopenProjects` (to avoid it crashing on start)
  * ctrl+shift+a
  * type "Registry..." and select it
  * disable the "ide.browser.jcef.sandbox.enable" option
  * Restart phpstorm
[Touch-packages] [Bug 2063536] Re: flickering screen
** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2063536

Title:
  flickering screen

Status in xorg package in Ubuntu:
  New

Bug description:
  automatically refresh and hang
[Touch-packages] [Bug 2063884] [NEW] ubuntu-bug can't report bugs in Ubuntu Pro packages
Public bug reported:

Hello, ubuntu-bug can't report bugs in packages provided by Ubuntu Pro.

For example, I have lynx installed, which has an update issued through esm-apps:

    $ dpkg -l lynx | grep ^ii
    ii lynx 2.9.0dev.5-1ubuntu0.1~esm1 amd64 classic non-graphical (text-mode) web browser
    $ ubuntu-bug lynx

    *** Collecting problem information

    The collected information can be sent to the developers to improve the
    application. This might take a few minutes.
    .

    *** Problem in lynx

    The problem cannot be reported:

    This is not an official Ubuntu package. Please remove any third party package and try again.

    Press any key to continue... ^?
    No pending crash reports. Try --help for more information.

** Affects: apport (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/2063884

Title:
  ubuntu-bug can't report bugs in Ubuntu Pro packages

Status in apport package in Ubuntu:
  New
[Touch-packages] [Bug 2063271] Re: Illegal opcode in libssl
** Package changed: openssh (Ubuntu) => openssl (Ubuntu)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2063271

Title:
  Illegal opcode in libssl

Status in openssl package in Ubuntu:
  New

Bug description:
  Many programs using openssl now fail, typically with messages such as

      Illegal instruction (core dumped)

  This seems to be a serious error, since it affects, for example, update-manager. Since this makes it harder to get security updates, I would also consider it a security vulnerability.

  The issue seems to be that openssl seems to be an attempt to use an illegal opcode. A few sample entries in /var/log/syslog are:

      Apr 21 19:16:39 einstein kernel: [495465.431588] traps: update-manager[396881] trap invalid opcode ip:740964b8ac6b sp:7409552125b0 error:0 in libssl.so.3[740964b7a000+5b000]
      Apr 21 19:16:55 einstein kernel: [495482.104658] traps: python3[396949] trap invalid opcode ip:73607be8ac6b sp:736074d8d5b0 error:0 in libssl.so.3[73607be7a000+5b000]
      Apr 21 19:40:05 einstein kernel: [496871.653271] traps: chrome-gnome-sh[397293] trap invalid opcode ip:79432ffa7c6b sp:7ffd6bc03e70 error:0 in libssl.so.3[79432ff97000+5b000]
      Apr 22 16:23:08 einstein kernel: [501744.765118] traps: check-new-relea[400397] trap invalid opcode ip:797c7cc8ac6b sp:797c6cace5b0 error:0 in libssl.so.3[797c7cc7a000+5b000]
      Apr 23 15:08:03 einstein kernel: [518701.050526] traps: wget[443588] trap invalid opcode ip:73a8b2eb4c6b sp:7ffc04918740 error:0 in libssl.so.3[73a8b2ea4000+5b000]
      Apr 23 15:12:55 einstein kernel: [518992.493020] traps: curl[443851] trap invalid opcode ip:7e4e3951dc6b sp:7ffc804d2ed0 error:0 in libssl.so.3[7e4e3950d000+5b000]
      Apr 23 15:13:32 einstein kernel: [519029.181422] traps: apport-gtk[04] trap invalid opcode ip:7039180f5c6b sp:703902bfaad0 error:0 in libssl.so.3[7039180e5000+5b000]

  This bug report itself had to be submitted manually since ubuntu-bug now itself fails.

  lsb_release -rd reports:

      Description:Ubuntu 22.04.4 LTS
      Release:22.04

  apt-cache policy openssl reports:

      openssl:
        Installed: 3.0.2-0ubuntu1.15
        Candidate: 3.0.2-0ubuntu1.15
        Version table:
       *** 3.0.2-0ubuntu1.15 500
              500 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
              500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
              100 /var/lib/dpkg/status
           3.0.2-0ubuntu1 500
              500 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  /proc/version for my computer gives

      Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2

  /proc/cpuinfo for my computer starts

      processor : 0
      vendor_id : GenuineIntel
      cpu family: 6
      model : 78
      model name: Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
      stepping : 3
      microcode : 0xf0
      cpu MHz : 500.018
      cache size: 4096 KB
      physical id : 0
      siblings : 4
      core id : 0
      cpu cores : 2
      apicid: 0
      initial apicid: 0
      fpu : yes
      fpu_exception : yes
      cpuid level : 22
      wp: yes
      flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities
      bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds mmio_stale_data retbleed gds
      bogomips : 5199.98
      clflush size : 64
      cache_alignment : 64
      address sizes : 39 bits physical, 48 bits virtual
      power management:
      ...
[Touch-packages] [Bug 2061869] Re: Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3
*** This bug is a duplicate of bug 2061851 ***
    https://bugs.launchpad.net/bugs/2061851

** This bug has been marked a duplicate of bug 2061851
   linux-gcp 6.8.0-1005.5 (+ others) Noble kernel regression with new apparmor profiles/features

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2061869

Title:
  Snaps unable to connect to network under linux-lowlatency 6.8.0-25.25.3

Status in apparmor package in Ubuntu:
  Confirmed
Status in linux-lowlatency package in Ubuntu:
  Confirmed

Bug description:
  After upgrading to linux-lowlatency 6.8.0-25, suddenly snaps can no longer connect to network. I tried downgrading snapd from edge, still no connectivity. Only solution was to downgrade back to 6.8.0-7.

  I'll also add apparmor in case this is an apparmor issue as well.

  Marking as "critical" priority as this affects all installs of Ubuntu Studio and affects Firefox and Thunderbird.
[Touch-packages] [Bug 2058690] Re: aa-easyprof: allow mmap and link from easyprof generated profiles
The 'm' permission shouldn't be a default; restricting what the CPU will execute is a very useful security mitigation.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2058690

Title:
  aa-easyprof: allow mmap and link from easyprof generated profiles

Status in apparmor package in Ubuntu:
  New

Bug description:
  Currently, an easyprof-generated profile will list the reads with `rk` and the writes as `rwk`. With recent Qt, this breaks because newer Qt versions use hard-linking of temporary files to perform atomic writes. Also, `rk` doesn't allow mmap()'ing shared library for execution.

  We at UBports are carrying a patch in Ubuntu Touch which changes the read rules to `mrk` and write rules to `mrwkl`, and are upstreaming this patch at [1]. When the MR is merged, I would like this patch to be included in Ubuntu 24.04, so that Ubuntu Touch doesn't have to package AppArmor separately from Ubuntu. If we agree that we want this patch, I can provide an MR on Salsa.

  [1] https://gitlab.com/apparmor/apparmor/-/merge_requests/1189
[Touch-packages] [Bug 2057943] Re: Can't disable or modify snap package apparmor rules
I'm adding the snapd package as it feels plausible that snapd could make this task easier, too.

** Also affects: snapd (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2057943

Title:
  Can't disable or modify snap package apparmor rules

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New

Bug description:
  On Ubuntu 20.04 (and probably 22.04 and greater), it is impossible to disable snap chromium apparmor rules:

      root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure
      Can't find chromium.hook.configure in the system path list. If the name of the application is correct, please run 'which snap.chromium.hook.configure' as a user with correct PATH environment set up in order to find the fully-qualified path and use the full path as parameter.
      root@{HOSTNAME}:~# aa-complain snap.chromium.chromedriver -d /var/lib/snapd/apparmor/profiles
      ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found
      root@{HOSTNAME}:~# aa-complain snap.chromium.chromium -d /var/lib/snapd/apparmor/profiles
      ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found
      root@{HOSTNAME}:~# aa-complain snap.chromium.hook.configure -d /var/lib/snapd/apparmor/profiles
      ERROR: Include file /var/lib/snapd/apparmor/profiles/tunables/global not found

  It seems like no one has an answer on how these overly restricted rules can be disabled:

  https://askubuntu.com/questions/1267980/how-to-disable-apparmor-for-chromium-snap-ubuntu-20-04
  https://ubuntuforums.org/showthread.php?t=2410550
  https://ubuntuforums.org/showthread.php?t=2449022
  https://answers.launchpad.net/ubuntu/+source/apparmor/+question/701036

  So I just got rid of apparmor which doesn't seem like the solution I was after, but it works great now:

      sudo systemctl stop apparmor
      sudo systemctl disable apparmor

  Please give us a way to modify (and keep the rules permanently modified even after snap updates) snap apparmor rules. Thank you!
[Touch-packages] [Bug 2059367] Re: SSH-RSA not supported for Self-SSH in Ubuntu 22.04 FIPS
Hello Arunaav, I'm curious if you could double-check the testing environment to make sure the user accounts are as you expected?

    chmod 0600 /home/core/.ssh/authorized_keys
    ssh -i .ssh/id_rsa onprem_shell@10.14.169.25
    ssh -v user@10.14.169.25
    debug1: identity file /root/.ssh/id_rsa type -1

There's usernames 'core', 'onprem_shell', 'user', and 'root' in play here, and I think it'd be extraordinarily easy to perhaps use sudo or another privilege changing tool in such a way that it is using the wrong private key or the wrong authorized_keys file, etc.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2059367

Title:
  SSH-RSA not supported for Self-SSH in Ubuntu 22.04 FIPS

Status in openssh package in Ubuntu:
  New

Bug description:
  On a FIPS Enabled Ubuntu 22.04 kernel, we are seeing an issue with self-ssh.

  We created a key with the following steps:

      touch /home/core/.ssh/known_hosts
      ssh-keygen -q -t rsa -f /home/core/.ssh/id_rsa -N '' > /dev/null
      cp /home/core/.ssh/id_rsa.pub /home/core/.ssh/authorized_keys
      chmod 0600 /home/core/.ssh/id_rsa
      chmod 0600 /home/core/.ssh/authorized_keys

  When we try to do a self ssh with the key, the following happens:

      ssh -i .ssh/id_rsa onprem_shell@10.14.169.25
      Connection closed by 10.14.169.25 port 22

  FIPS status:

      cat /proc/sys/crypto/fips_enabled
      1

  PFB, the ssh dump:

      ssh -v user@10.14.169.25
      OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1, OpenSSL 3.0.2 15 Mar 2022
      debug1: Reading configuration data /etc/ssh/ssh_config
      debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
      debug1: /etc/ssh/ssh_config line 21: Applying options for *
      debug1: FIPS mode initialized
      debug1: Connecting to 10.14.169.25 [10.14.169.25] port 22.
      debug1: Connection established.
      debug1: identity file /root/.ssh/id_rsa type -1
      debug1: identity file /root/.ssh/id_rsa-cert type -1
      debug1: identity file /root/.ssh/id_ecdsa type -1
      debug1: identity file /root/.ssh/id_ecdsa-cert type -1
      debug1: identity file /root/.ssh/id_ecdsa_sk type -1
      debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
      debug1: identity file /root/.ssh/id_ed25519 type -1
      debug1: identity file /root/.ssh/id_ed25519-cert type -1
      debug1: identity file /root/.ssh/id_ed25519_sk type -1
      debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
      debug1: identity file /root/.ssh/id_xmss type -1
      debug1: identity file /root/.ssh/id_xmss-cert type -1
      debug1: identity file /root/.ssh/id_dsa type -1
      debug1: identity file /root/.ssh/id_dsa-cert type -1
      debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1
      debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1
      debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.6+Fips1 pat OpenSSH* compat 0x0400
      debug1: Authenticating to 10.14.169.25:22 as 'user'
      debug1: SSH2_MSG_KEXINIT sent
      debug1: SSH2_MSG_KEXINIT received
      debug1: kex: algorithm: ecdh-sha2-nistp256
      debug1: kex: host key algorithm: ssh-rsa
      debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none
      debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none
      debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
      Connection closed by 10.14.169.25 port 22

      hostname -i
      10.14.169.25

  Please note that SSH onto other hosts (both FIPS and non-FIPS) works.

  The only workaround that we have found has been removing the ssh-rsa entry from “HostKeyAlgorithms” in “etc/ssh/sshd_config” and restarting the SSH service.

  This issue has neither been encountered in the Ubuntu 18.04 FIPS nor Ubuntu 20.04 FIPS.
[Touch-packages] [Bug 2055521] Re: Xorg freeze
Hello, thanks for the bug report. I suggest taking your dmesg output (from CurrentDmesg.txt) to the virtualbox developers, it looks very unhappy.

Thanks

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2055521

Title:
  Xorg freeze

Status in xorg package in Ubuntu:
  New

Bug description:
  System is freeze after opening browsers
[Touch-packages] [Bug 2055226] Re: mount option `users` blocks ntfs to mount
Hello, thanks for the report; note that the fstab(5) and mount(8) man pages both say "user", singular, not "users", plural. That's probably why your mount command didn't work when run as a user.

I don't know about the gio or udisksctl tool errors, I'm unfamiliar with their operation. Maybe they were also looking for "user"?

Thanks

** Information type changed from Private Security to Public

** Changed in: util-linux (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2055226

Title:
  mount option `users` blocks ntfs to mount

Status in util-linux package in Ubuntu:
  Incomplete

Bug description:
  /etc/fstab:
  # /media/Sicherung was on /dev/sda7 during installation
  UUID=2510AA16624BB80C /media/Sicherung ntfs defaults,users,noauto,windows_names,hide_dot_files 0 0

  $ gio mount -d /dev/sda7
  gio: /dev/sda7: Error mounting system-managed device /dev/sda7: Unknown error when mounting /media/Sicherung

  $ udisksctl mount -b /dev/sda7
  Error mounting /dev/sda7: GDBus.Error:org.freedesktop.UDisks2.Error.Failed: Error mounting system-managed device /dev/sda7: Unknown error when mounting /media/Sicherung

  $ journalctl -b 0 -u udisks2.service
  Feb 27 23:48:51 T500 udisksd[10478]: Error opening read-only '/dev/sda7': Keine Berechtigung
  Feb 27 23:48:51 T500 udisksd[10478]: Failed to mount '/dev/sda7': Keine Berechtigung
  Feb 27 23:48:51 T500 udisksd[10478]: Please check '/dev/sda7' and the ntfs-3g binary permissions,
  Feb 27 23:48:51 T500 udisksd[10478]: and the mounting user ID. More explanation is provided at
  Feb 27 23:48:51 T500 udisksd[10478]: https://github.com/tuxera/ntfs-3g/wiki/NTFS-3G-FAQ

  This worked fine until Ubuntu 20.04, but since 22.04 I have these errors.

  Additionally, mount option `users` does not do what it should do:

  $ LC_ALL=C mount /media/Sicherung
  Error opening read-only '/dev/sda7': Permission denied
  Failed to mount '/dev/sda7': Permission denied
  Please check '/dev/sda7' and the ntfs-3g binary permissions,
  and the mounting user ID. More explanation is provided at
  https://github.com/tuxera/ntfs-3g/wiki/NTFS-3G-FAQ

  When removing `users` from /etc/fstab, it works fine:

  $ gio mount -d /dev/sda7
  $ LC_ALL=C journalctl -b 0 -u udisks2.service
  Feb 28 00:05:31 T500 ntfs-3g[10977]: Version 2021.8.22 integrated FUSE 28
  Feb 28 00:05:31 T500 ntfs-3g[10977]: Mounted /dev/sda7 (Read-Write, label "Sicherung", NTFS 3.1)
  Feb 28 00:05:31 T500 ntfs-3g[10977]: Cmdline options: rw,windows_names,hide_dot_files
  Feb 28 00:05:31 T500 ntfs-3g[10977]: Mount options: allow_other,nonempty,relatime,rw,fsname=/dev/sda7,blkdev,blksize=4096
  Feb 28 00:05:31 T500 ntfs-3g[10977]: Ownership and permissions disabled, configuration type 7
  Feb 28 00:05:31 T500 udisksd[583]: Mounted /dev/sda7 (system) at /media/Sicherung on behalf of uid 1000

  So it seems that option `users` virtually effectuates the opposite of what it is supposed to do.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2055226/+subscriptions
[Touch-packages] [Bug 2055135] Re: [CREF-XX, Conexant SN6140, Black Headphone Out, Left] No sound at all
I suggest talking with the virtualbox devs:

  [4.040754] UBSAN: array-index-out-of-bounds in /tmp/vbox.0/common/log/log.c:1791:41

It may or may not be related to your audio issues, but it can't be good.

Thanks

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to alsa-driver in Ubuntu.
https://bugs.launchpad.net/bugs/2055135

Title:
  [CREF-XX, Conexant SN6140, Black Headphone Out, Left] No sound at all

Status in alsa-driver package in Ubuntu:
  New

Bug description:
  ubuntu-bug -s audio

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/2055135/+subscriptions
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Scarlett, Simon and I had discussed preparing a small program that could prepare a wrapper profile: given a path to an appimage, it could emit a small profile to /etc/apparmor.d/ for the file, with the right attachment path and then load the profile.

As I understand our new strategy, it would probably also have to include whatever capabilities that appimage uses as part of setting up the new namespaces -- ideally, it'd be the same capabilities from appimage to appimage.

If there's some reasonable restraints on appimages, like using XDG_SOMETHING for user data storage, that might be nice, too. But that's harder to do.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in akregator package in Ubuntu: Fix Released
Status in angelfish package in Ubuntu: In Progress
Status in apparmor package in Ubuntu: Confirmed
Status in bubblewrap package in Ubuntu: Confirmed
Status in cantor package in Ubuntu: Fix Released
Status in devhelp package in Ubuntu: Confirmed
Status in digikam package in Ubuntu: Fix Released
Status in epiphany-browser package in Ubuntu: Confirmed
Status in evolution package in Ubuntu: Confirmed
Status in falkon package in Ubuntu: Fix Released
Status in freecad package in Ubuntu: Confirmed
Status in ghostwriter package in Ubuntu: Fix Released
Status in gnome-packagekit package in Ubuntu: Confirmed
Status in goldendict-webengine package in Ubuntu: Confirmed
Status in kalgebra package in Ubuntu: Fix Released
Status in kchmviewer package in Ubuntu: Confirmed
Status in kdeplasma-addons package in Ubuntu: Confirmed
Status in kgeotag package in Ubuntu: In Progress
Status in kiwix package in Ubuntu: Confirmed
Status in kmail package in Ubuntu: Fix Released
Status in konqueror package in Ubuntu: Fix Released
Status in kontact package in Ubuntu: Fix Released
Status in marble package in Ubuntu: Fix Released
Status in notepadqq package in Ubuntu: Confirmed
Status in opam package in Ubuntu: Confirmed
Status in pageedit package in Ubuntu: Confirmed
Status in plasma-desktop package in Ubuntu: Confirmed
Status in plasma-welcome package in Ubuntu: In Progress
Status in privacybrowser package in Ubuntu: Confirmed
Status in qmapshack package in Ubuntu: Confirmed
Status in qutebrowser package in Ubuntu: Confirmed
Status in rssguard package in Ubuntu: Confirmed
Status in steam package in Ubuntu: Confirmed
Status in supercollider package in Ubuntu: Confirmed
Status in tellico package in Ubuntu: Fix Released

Bug description:
  Hi, I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/akregator/+bug/2046844/+subscriptions
[Touch-packages] [Bug 2049402] Re: sshd doesn't properly disable KbdInteractiveAuthentication
** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2049402

Title:
  sshd doesn't properly disable KbdInteractiveAuthentication

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  On 22.04 in

  OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022

  setting

  KbdInteractiveAuthentication=no

  in sshd_config does not disable keyboard-interactive authentication.

  After updating (and restarting the sshd service) `sshd -T` still reports `kbdinteractiveauthentication yes`

  attempts to connect to sshd also allow keyboard-interactive authentication.

  Possibly related to https://bugs.archlinux.org/task/71941

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2049402/+subscriptions
[Touch-packages] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages
As far as I know, no one has made an effort to try to improve the situation lately. There's some discussion at https://lists.ubuntu.com/archives/apparmor/2024-February/013091.html that may be enlightening, if not encouraging.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1117804

Title:
  ausearch doesn't show AppArmor denial messages

Status in AppArmor:
  Confirmed
Status in audit package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Incomplete

Bug description:
  The following command should display all AVC denials:

  ausearch -m avc

  However, it doesn't work with AppArmor denials. Here's a quick test case to generate a denial, search for it with ausearch, and see that no messages are displayed:

  $ aa-exec -p /usr/sbin/tcpdump cat /proc/self/attr/current
  cat: /proc/self/attr/current: Permission denied
  $ sudo ausearch -m avc -c cat

  ausearch claims that there are no matches, but there's a matching audit message if you look in audit.log:

  type=AVC msg=audit(1360193426.539:64): apparmor="DENIED" operation="open" parent=8253 profile="/usr/sbin/tcpdump" name="/proc/8485/attr/current" pid=8485 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1117804/+subscriptions
[Touch-packages] [Bug 2046633] Re: Don't include 'nmcli -f all con' output in bug report (for privacy)
** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/2046633

Title:
  Don't include 'nmcli -f all con' output in bug report (for privacy)

Status in network-manager package in Ubuntu:
  New

Bug description:
  The apport bug reporting hooks for this package (/usr/share/apport/package/hooks/source_network-manager{,-applet}.py) include the output of `nmcli -f all con`. This lists all wifi SSIDs that the user has ever connected to, and the date of last connection. I think this is a privacy problem, as it tends to reveal the user's recent whereabouts, and it's posted publicly on launchpad. (Imagine for instance an entry for "LoveMotelGuestWifi" at a time when the user had said they were at the office...)

  It is disclosed to the user before the report is sent, but only if they think to expand that item in the "Send / Don't send" dialog (which is not descriptively labeled), and there is no way to opt out of it. You can delete it manually from launchpad afterward, which is what I am going to do with this bug report, but I doubt most people would know to do that.

  This info should probably not be included at all, or if it is, it should be sanitized. Also, it might be a good idea to purge launchpad of all such files.

  (Marking this as "security" in case you consider this kind of a privacy leak to be something the security team should handle. If not, feel free to demote it to an ordinary bug.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2046633/+subscriptions
[Touch-packages] [Bug 2046526] Re: pam_access Configuration Treats TTY Names as Hostnames
I wondered if it would look up LOCAL too but figured the reference in the manual to pam_get_item(3) meant that it would special case this one without any lookups. I should have looked at the source instead.

I like your idea of using two different files for local vs networked services. (Though that doesn't exactly help with su or sudo, since they can be used by both.) It's not ideal but it's straightforward.

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2046526

Title:
  pam_access Configuration Treats TTY Names as Hostnames

Status in pam package in Ubuntu:
  New

Bug description:
  Comments in PAM service files at /etc/pam.d/* suggest a line to uncomment to configure complicated authorization rules using pam_access (which in turn is configured by /etc/security/access.conf):

  /etc/pam.d/sshd:
  # Uncomment and edit /etc/security/access.conf if you need to set complex
  # access limits that are hard to express in sshd_config.
  # account required pam_access.so

  /etc/pam.d/login:
  # Uncomment and edit /etc/security/access.conf if you need to
  # set access limits.
  # (Replaces /etc/login.access file)
  # account required pam_access.so

  Comments in /etc/security/access.conf indicate the origin in this file can be a TTY or domain name:

  # The third field should be a list of one or more tty names (for
  # non-networked logins), host names, domain names (begin with "."),

  I wanted to configure a user on my server, 'localadmin', who can only log in on the console and not via any network service and tried to achieve this using pam_access as follows:

  I uncommented the default ‘account required pam_access.so’ lines in /etc/pam.d/sshd and /etc/pam.d/login.

  I add the following in /etc/security/access.conf intending to allow user 'localadmin' to only log in on the console:

  +:localadmin:tty1
  -:localadmin:ALL

  This seems to work. Login via SSH fails and succeeds on the console, as expected. However, /var/log/auth.log suspiciously indicates it is treating tty1 as a hostname during the failed SSH attempt:

  Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): cannot resolve hostname "tty1"
  Dec 15 01:28:12 server sshd[5868]: pam_access(sshd:account): access denied for user `localadmin' from `10.0.0.101'

  It is confirmed to be doing DNS lookups for 'tty1' in the search domain during the login attempt:

  admin@server:~$ resolvectl status eth0
  ...
  DNS Servers: 10.0.0.2
  DNS Domain: example.com

  admin@server:~$ sudo tcpdump -i eth0 -n port 53
  01:28:12.100348 IP 10.0.0.42.44968 > 10.0.0.2.53: 21558+ [1au] A? tty1.example.com. (45)
  01:28:12.100666 IP 10.0.0.42.44669 > 10.0.0.2.53: 40453+ [1au] ? tty1.example.com. (45)
  01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44968: 21558 NXDomain* 0/1/1 (95)
  01:28:12.103027 IP 10.0.0.2.53 > 10.0.0.42.44669: 40453 NXDomain* 0/1/1 (95)

  I configured my DNS service to resolve hostname 'tty1' to the IP address the SSH connection originates from:

  admin@server:~$ dig +short tty1.example.com
  10.0.0.101

  SSH access is then unexpectedly allowed:

  user@clienthost:~$ ip -4 a show dev eth0
  inet 10.0.0.101/24 ...
  user@clienthost:~$ ssh localadmin@10.0.0.42
  localadmin@10.0.0.42's password:
  localadmin@server:~$

  I think the local origins should be completely separated from network origins in /etc/security/access.conf somehow (maybe with separate access.conf files used for local and network PAM services).

  Other requested bug report info:

  root@server:~# lsb_release -rd
  Description:    Ubuntu 22.04.3 LTS
  Release:        22.04

  root@server:~# apt-cache policy pam
  N: Unable to locate package pam
  root@server:~# apt-cache policy libpam-modules
  libpam-modules:
    Installed: 1.4.0-11ubuntu2.3
    Candidate: 1.4.0-11ubuntu2.3
    Version table:
   *** 1.4.0-11ubuntu2.3 500
          500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1.4.0-11ubuntu2 500
          500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2046526/+subscriptions
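An audit for the failure mode reported above, as an added example that is not part of the bug report or of pam_access: it scans access.conf-style rules and counts terminal-style origin tokens in allow rules, the kind of token the report shows being resolved as a hostname during a network login. The function names, the token patterns (tty*, pts/*, console) and the sample rules are assumptions constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for strtok_r */
#endif
#include <stdio.h>
#include <string.h>

/* Constructed sample in access.conf syntax (permission:users:origins). */
static const char SAMPLE_ACCESS_CONF[] =
    "# constructed sample, not taken from a real system\n"
    "+:localadmin:tty1\n"
    "-:localadmin:ALL\n"
    "+:backup:10.0.0.0/24 tty2 pts/0\n"
    "-:ALL EXCEPT root:tty1\n";

/* Assumption: these patterns cover the terminal names an admin would write. */
static int looks_like_tty(const char *tok)
{
    return strncmp(tok, "tty", 3) == 0 ||
           strncmp(tok, "pts/", 4) == 0 ||
           strcmp(tok, "console") == 0;
}

/*
 * Count terminal-style origins in '+' rules. Only allow rules are counted:
 * they are the ones that grant access if the token is matched as a hostname.
 * Returns the number of flagged tokens; prints one line each when verbose.
 */
static int audit_access_conf(const char *text, int verbose)
{
    int flagged = 0, lineno = 0;
    const char *p = text;

    while (*p != '\0') {
        char line[512];
        size_t len = strcspn(p, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        char *perm, *users, *origins, *tok, *save;

        memcpy(line, p, n);
        line[n] = '\0';
        p += len;
        if (*p == '\n')
            p++;
        lineno++;

        perm = line + strspn(line, " \t");
        if (*perm == '#' || *perm == '\0')
            continue;                 /* comment or blank line */
        users = strchr(perm, ':');
        if (users == NULL)
            continue;                 /* not a three-field rule */
        *users++ = '\0';
        origins = strchr(users, ':'); /* the rest of the line is the origin list */
        if (origins == NULL)
            continue;
        *origins++ = '\0';
        if (perm[0] != '+')
            continue;

        for (tok = strtok_r(origins, ", \t", &save); tok != NULL;
             tok = strtok_r(NULL, ", \t", &save)) {
            if (!looks_like_tty(tok))
                continue;
            flagged++;
            if (verbose)
                printf("line %d: allow rule for '%s' uses origin '%s', "
                       "which a networked service may look up in DNS\n",
                       lineno, users, tok);
        }
    }
    return flagged;
}

int main(void)
{
    int n = audit_access_conf(SAMPLE_ACCESS_CONF, 1);

    printf("%d terminal-style origin(s) in allow rules\n", n);
    return n > 0;
}
```
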
[Touch-packages] [Bug 2046367] Re: AlphaSSL SHA256 G4 Intermediate Certificate missing
Hey Andrey, thanks; I think they've almost got it right -- the Qualys TLS compliance tool says the chain is in the wrong order so it might not work everywhere, but certainly it'll work better than just Ubuntu adding one intermediate:

https://www.ssllabs.com/ssltest/analyze.html?d=smsc.kz

Thanks

** Changed in: ca-certificates (Ubuntu)
       Status: Incomplete => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/2046367

Title:
  AlphaSSL SHA256 G4 Intermediate Certificate missing

Status in ca-certificates package in Ubuntu:
  Won't Fix

Bug description:
  Please add AlphaSSL SHA256 G4 Intermediate Certificate into ca-certificates.

  https://support.globalsign.com/ca-certificates/intermediate-certificates/alphassl-intermediate-certificates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/2046367/+subscriptions
[Touch-packages] [Bug 2046367] Re: AlphaSSL SHA256 G4 Intermediate Certificate missing
Normally, intermediate certificates are supposed to be included by the leaf certificate owners in their chain of certificates to their roots. It is unusual for intermediate certificates to be included in the CA bundle.

GlobalSign has instructions for many applications on their website:
https://support.globalsign.com/ssl/ssl-certificates-installation

I suspect whatever problem you're trying to solve would be better solved by a site administrator rather than us.

What problem are you trying to solve? Why is including intermediate certificates in our CA bundle the right answer for solving the problem?

Thanks

** Changed in: ca-certificates (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/2046367

Title:
  AlphaSSL SHA256 G4 Intermediate Certificate missing

Status in ca-certificates package in Ubuntu:
  Incomplete

Bug description:
  Please add AlphaSSL SHA256 G4 Intermediate Certificate into ca-certificates.

  https://support.globalsign.com/ca-certificates/intermediate-certificates/alphassl-intermediate-certificates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/2046367/+subscriptions
[Touch-packages] [Bug 2045250] Re: pam_lastlog doesn't handle localtime_r related errors properly
I'm uncomfortable with the idea of printing nothing when the routines fail.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2045250

Title:
  pam_lastlog doesn't handle localtime_r related errors properly

Status in Ubuntu on IBM z Systems:
  New
Status in pam package in Ubuntu:
  New
Status in pam package in Fedora:
  Fix Released

Bug description:
  The pam version(s) in Debian (checked buster) and Ubuntu (checked focal to noble) are affected by https://bugzilla.redhat.com/show_bug.cgi?id=2012871

  Customers report a command going through PAM crashing for a given user. A potential follow on issue can be that no ssh remote connections to an affected server are possible anymore, esp. painful with headless systems (was reported on a different distro).

  This is caused by an issue in modules/pam_lastlog/pam_lastlog.c: with tm = localtime_r(...) that can be NULL and needs to be handled.

  There are two such cases in modules/pam_lastlog/pam_lastlog.c (here noble):

  314- ll_time = last_login.ll_time;
  315: if ((tm = localtime_r (&ll_time, &tm_buf)) != NULL) {
  316- strftime (the_time, sizeof (the_time),
  317- /* TRANSLATORS: "strftime options for date of last login" */
  --
  574-
  575- lf_time = utuser.ut_tv.tv_sec;
  576: tm = localtime_r (&lf_time, &tm_buf);
  577- strftime (the_time, sizeof (the_time),
  578- /* TRANSLATORS: "strftime options for date of last login" */

  Case 1 (line 315) is properly handled, but not case 2 (line 576).

  The second case got fixed by:
  https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c

  This fix should be included in Ubuntu (and Debian).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2045250/+subscriptions
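The NULL check the report asks for at line 576, as an added example that is neither the upstream commit nor code from pam_lastlog.c: a formatter that tests the localtime_r() result before calling strftime() and falls back to a placeholder string. The helper names, the format string, the placeholder text and the out-of-range sample value (which assumes a 64-bit time_t) are assumptions chosen for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for localtime_r */
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define UNKNOWN_TIME "(time unavailable)"   /* hypothetical placeholder text */

/*
 * Format a login timestamp into out.
 * Returns 1 if the time was formatted, 0 if the placeholder was written
 * because the value could not be converted, -1 on an unusable buffer.
 */
static int format_login_time(time_t when, char *out, size_t outlen)
{
    struct tm tm_buf;
    struct tm *tm;

    if (out == NULL || outlen < sizeof(UNKNOWN_TIME))
        return -1;

    /* localtime_r() returns NULL when the year does not fit in struct tm,
     * which is what a corrupt or hostile record can trigger. Passing that
     * NULL on to strftime() is the crash described in the report. */
    tm = localtime_r(&when, &tm_buf);
    if (tm == NULL ||
        strftime(out, outlen, "%a %b %e %H:%M:%S %Z %Y", tm) == 0) {
        snprintf(out, outlen, "%s", UNKNOWN_TIME);
        return 0;
    }
    return 1;
}

/* Constructed stand-in for a damaged record: with a 64-bit time_t this
 * value lies far beyond any year that struct tm can hold. */
static time_t unrepresentable_time(void)
{
    return (time_t)INT64_MAX;
}

int main(void)
{
    char the_time[64];
    int rc;

    rc = format_login_time((time_t)0, the_time, sizeof(the_time));
    printf("valid record   -> rc=%d, \"%s\"\n", rc, the_time);

    rc = format_login_time(unrepresentable_time(), the_time, sizeof(the_time));
    printf("damaged record -> rc=%d, \"%s\"\n", rc, the_time);

    return strcmp(the_time, UNKNOWN_TIME) != 0;
}
```
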
[Touch-packages] [Bug 2045855] Re: package bluez 5.64-0ubuntu1.1 failed to install/upgrade: end of file on stdin at conffile prompt
There's over 2k instances of errors like this in the terminal log:

  dpkg: 경고: files list file for package 'libctf0:amd64' missing; assuming package has no files currently installed

This is not a happy installation. I recommend a fresh install when convenient.

As for the prompt, the history log suggests this was run during an unattended updates run. That'll be invisible to the user. (And, also, I think it's supposed to skip packages that change configuration files, but with a few thousand errors for missing file lists, we shouldn't be surprised that it doesn't work correctly.)

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/2045855

Title:
  package bluez 5.64-0ubuntu1.1 failed to install/upgrade: end of file on stdin at conffile prompt

Status in bluez package in Ubuntu:
  Incomplete

Bug description:
  I did not recognize the error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/2045855/+subscriptions
[Touch-packages] [Bug 2045668] Re: Please merge dbus 1.14.10-3 (main) from Debian unstable
usr-is-merged should probably be in main, it serves as an indicator that the system is already using the usrmerge layout.

From: https://lists.debian.org/debian-ctte/2022/07/msg00019.html

  The usrmerge package has been updated to pick up a few fixes from Ubuntu, and most importantly to provide a new lightweight metapackage, usr-is-merged, that can only be installed on merged-usr systems, to provide a way for installers to avoid the additional dependencies of usrmerge when they set up the filesystem correctly by themselves (eg: debootstrap), and for users who already completed the transition. It also gained a flag file that stops the package from updating the system, clearly marked as making the system unsupported.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/2045668

Title:
  Please merge dbus 1.14.10-3 (main) from Debian unstable

Status in dbus package in Ubuntu:
  In Progress

Bug description:
  1.14.10-3
  Published in sid-release on 2023-10-30

  dbus (1.14.10-3) unstable; urgency=medium

    * d/control: dbus Depends on usr-is-merged (>= 38~).
      Non-merged /usr has been unsupported since Debian 12, as per Technical Committee resolutions #978636 and #994388 (please see the Debian 12 release notes for details).
      The version of usr-is-merged shipped in Debian 12 had an undocumented opt-out mechanism intended for use on buildds and QA systems targeting Debian 12 (piuparts, reproducible-builds, autopkgtest and similar), to ensure that the upgrade path from Debian 11 to 12 will continue to work and continue to undergo automated tests. That opt-out is no longer applicable or available in trixie/sid, and was removed in usrmerge version 38.
      Since version 1.14.10-2, dbus ships its systemd units in /usr/lib/systemd/system, as part of the distro-wide transition away from making use of "aliased" paths. This is entirely valid on merged-/usr systems, but will no longer work in the unsupported filesystem layout with non-merged /usr, because for historical reasons, current versions of systemd on non-merged-/usr systems will only read units from /lib/systemd/system.
      In the case of dbus, the symptom when this assumption is broken is particularly bad (various key system services will not start, with long delays during boot, login and shutdown), so let's hold back this upgrade on unsupported non-merged-/usr systems until they have completed the switch to merged-/usr and can install usr-is-merged (>= 38~). (Closes: #1054650)

   -- Simon McVittie Mon, 30 Oct 2023 11:51:35 +

  1.14.10-2
  Superseded in sid-release on 2023-10-30

  dbus (1.14.10-2) unstable; urgency=low

    * Backport packaging changes from experimental:
      - Install systemd system units into /usr/lib/systemd/system.
        This was allowed by TC resolution #1053901.
        The shared library is still in /lib, for now.
        Build-depend on debhelper 13.11.6~ to ensure that the units are still picked up by dh_installsystemd.
      - Build-depend on pkgconf rather than pkg-config
      - dbus-x11: Don't copy XDG_SEAT_PATH, XDG_SESSION_PATH to activation environment.
        These variables are specific to a single login session.
    * d/copyright: Drop unused entry for pkg.m4.
      This is no longer included in the upstream source release since 1.14.6.
    * d/dbus-tests.lintian-overrides: Drop unused overrides.
      Lintian no longer flags our RUNPATH as problematic.

   -- Simon McVittie Wed, 25 Oct 2023 15:56:36 +0100

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/2045668/+subscriptions
[Touch-packages] [Bug 2039541] Re: groupmems prompts for password when run as sudo/root
Nice find. My guess is that the Debian maintainer forgot to include the pam.d configuration file supplied by upstream when this new tool was included:

- https://github.com/shadow-maint/shadow/blob/master/etc/pam.d/groupmems
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663117

We could decide either to:

- support the tool properly and include the pam.d file
- drop the tool entirely because we've made it this far without anyone noticing, and we made it several decades before someone wrote the tool in the first place
- ignore it entirely because it doesn't seem to be hurting anything as it is

Properly including the tool might bring with it any security problems that it might have. Leaving it alone probably doesn't bring security problems.

In any event we should also file a bug with Debian so they can make a decision, too.

Thanks

** Bug watch added: Debian Bug tracker #663117
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663117

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/2039541

Title:
  groupmems prompts for password when run as sudo/root

Status in shadow package in Ubuntu:
  New

Bug description:
  When trying to clear users from a group using the groupmems command, the user is always prompted for the root's password, even when running as root or via sudo:

  (as root)
  # addgroup testgroup
  # groupmems -g testgroup -p
  Password:

  (via sudo)
  # sudo addgroup testgroup
  # sudo groupmems -g testgroup -p
  Password:

  I'm not sure if this is desired behavior, but I would expect this command to work without the root password.

[Touch-packages] [Bug 2039294] Re: apparmor docker
Are you perhaps mixing Docker packages from one source with Docker AppArmor profiles from another source?

AppArmor policy around signals is a bit more involved than around files:

- The sending process must have permission to send the signal to the recipient
- The receiving process must have permission to receive the signal from the sender

Make sure both your docker-default profile and your /usr/sbin/runc profile have the necessary permissions.

Thanks

** Changed in: apparmor (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2039294

Title:
  apparmor docker

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 23.10
  Release:        23.10
  Codename:       mantic

  Docker version 24.0.5, build 24.0.5-0ubuntu1

  Graceful shutdown doesn't work anymore due to SIGTERM and SIGKILL (maybe all signals?) doesn't reach the target process. Works when apparmor is uninstalled.

  [17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
  [17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"

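The two-sided signal check described in the reply above, as an added example that is not part of the original thread or of AppArmor itself: it parses the denials quoted in the bug description and derives the signal rule each profile needs, the refused one and its counterpart on the peer. The function names are hypothetical; the rule text follows the apparmor.d(5) signal-rule syntax, and the counterpart rule is something to verify in the peer profile, not proof that it is missing.

```python
import re

# Constructed input: the two kernel audit lines quoted in the bug description above.
SAMPLE_LOG = """\
[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
"""

# key=value or key="quoted value" pairs as the kernel audit subsystem prints them.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_OPPOSITE = {"send": "receive", "receive": "send"}


def parse_signal_denial(line):
    """Return the audit fields of an AppArmor signal denial, or None for any other line."""
    fields = {key: quoted or bare for key, quoted, bare in _KV.findall(line)}
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "signal":
        return None
    required = ("profile", "peer", "denied_mask", "signal")
    return fields if all(name in fields for name in required) else None


def required_rules(log_text):
    """Map each profile name to the signal rules it needs, as (rule, origin) pairs.

    origin is "denied" for the permission the log shows being refused and
    "counterpart" for the matching permission the other profile must also hold.
    """
    grouped = {}  # (profile, access, peer, origin) -> set of signal names
    for line in log_text.splitlines():
        denial = parse_signal_denial(line)
        if denial is None:
            continue
        for access in re.split(r"[,\s]+", denial["denied_mask"]):
            if access not in _OPPOSITE:
                continue
            key = (denial["profile"], access, denial["peer"], "denied")
            grouped.setdefault(key, set()).add(denial["signal"])
            # An unconfined peer has no profile to edit, so it gets no counterpart rule.
            if denial["peer"] != "unconfined":
                key = (denial["peer"], _OPPOSITE[access], denial["profile"], "counterpart")
                grouped.setdefault(key, set()).add(denial["signal"])

    rules = {}
    for (profile, access, peer, origin), signals in sorted(grouped.items()):
        rule = "signal (%s) set=(%s) peer=%s," % (access, ", ".join(sorted(signals)), peer)
        rules.setdefault(profile, []).append((rule, origin))
    return rules


if __name__ == "__main__":
    # Review each rule before adding it to a profile; narrow the peer and the
    # signal set to what the workload really needs.
    for profile, entries in required_rules(SAMPLE_LOG).items():
        print("profile %s:" % profile)
        for rule, origin in entries:
            print("  %-60s # %s" % (rule, origin))
```
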
[Touch-packages] [Bug 2035644] Re: apt status not updated ubuntu 20 LTS
** Package changed: isc-dhcp (Ubuntu) => apt (Ubuntu)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2035644

Title:
  apt status not updated ubuntu 20 LTS

Status in apt package in Ubuntu:
  New

Bug description:
  Hi,

  is this a cache bug? The packages are installed, but "apt list --upgradable" says no, they are not installed.

  root@minion:~# apt list --upgradable
  Listing... Done
  uls-client/luxux-standard-ubuntu20-x-amd64-dp-tserver 3.15-7ubuntu20 amd64 [upgradable from: 3.15-7ubuntu20]
  venv-salt-minion/ubuntu20-x-amd64-res-suma-dp-tserver 3006.0-2.35.1 amd64 [upgradable from: 3006.0-2.35.1]
  root@minion:~# apt install uls-client
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following packages were automatically installed and are no longer required:
    linux-headers-5.4.0-153 linux-headers-5.4.0-153-generic linux-image-5.4.0-153-generic linux-modules-5.4.0-153-generic linux-modules-extra-5.4.0-153-generic
  Use 'apt autoremove' to remove them.
  Recommended packages:
    libncursesw5
  The following packages will be upgraded:
    uls-client
  1 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
  Need to get 0 B/194 kB of archives.
  After this operation, 0 B of additional disk space will be used.
  (Reading database ... 177475 files and directories currently installed.)
  Preparing to unpack .../uls-client_3.15-7ubuntu20_amd64.deb ...
  redirecting to systemd
  Unpacking uls-client (3.15-7ubuntu20) over (3.15-7ubuntu20) ...
  Setting up uls-client (3.15-7ubuntu20) ...
  Processing triggers for man-db (2.9.1-1) ...
  Processing triggers for systemd (245.4-4ubuntu3.22) ...
  root@minion:~# apt list --upgradable
  Listing... Done
  uls-client/luxux-standard-ubuntu20-x-amd64-dp-tserver 3.15-7ubuntu20 amd64 [upgradable from: 3.15-7ubuntu20]
  venv-salt-minion/ubuntu20-x-amd64-res-suma-dp-tserver 3006.0-2.35.1 amd64 [upgradable from: 3006.0-2.35.1]
  root@minion:~# apt update
  Hit:12 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-dp-tserver/ Release
  Hit:13 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-dp-tserver/ Release
  Hit:14 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-res-suma-dp-tserver/ Release
  Hit:15 https://SuMa:443/rhn/manager/download luxux-puppet-ubuntu20-x-amd64-dp-tserver/ Release
  Hit:16 https://SuMa:443/rhn/manager/download tvm-standard-ubuntu20-x-amd64-dp-tserver/ Release
  Hit:17 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-updates-dp-tserver/ Release
  Hit:18 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-security-dp-tserver/ Release
  Hit:19 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-universe-dp-tserver/ Release
  Hit:20 https://SuMa:443/rhn/manager/download luxux-standard-ubuntu20-x-amd64-dp-tserver/ Release
  Hit:21 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-updates-universe-dp-tserver/ Release
  Hit:22 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-main-security-universe-dp-tserver/ Release
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  2 packages can be upgraded. Run 'apt list --upgradable' to see them.
  root@minion:~# apt list --upgradable
  Listing... Done
  uls-client/luxux-standard-ubuntu20-x-amd64-dp-tserver 3.15-7ubuntu20 amd64 [upgradable from: 3.15-7ubuntu20]
  venv-salt-minion/ubuntu20-x-amd64-res-suma-dp-tserver 3006.0-2.35.1 amd64 [upgradable from: 3006.0-2.35.1]
  root@minion:~# apt upgrade
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Calculating upgrade... Done
  The following packages were automatically installed and are no longer required:
    linux-headers-5.4.0-153 linux-headers-5.4.0-153-generic linux-image-5.4.0-153-generic linux-modules-5.4.0-153-generic linux-modules-extra-5.4.0-153-generic
  Use 'apt autoremove' to remove them.
  The following packages will be upgraded:
    uls-client venv-salt-minion
  2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
  Need to get 22.7 MB/22.9 MB of archives.
  After this operation, 0 B of additional disk space will be used.
  Do you want to continue? [Y/n] Y
  Get:1 https://SuMa:443/rhn/manager/download ubuntu20-x-amd64-res-suma-dp-tserver/ venv-salt-minion 3006.0-2.35.1 [22.7 MB]
  Fetched 22.7 MB in 0s (76.8 MB/s)
  (Reading database ... 177475 files and directories currently installed.)
  Preparing to unpack .../uls-client_3.15-7ubuntu20_amd64.deb ...
  redirecting to systemd
  Unpacking uls-client (3.15-7ubuntu20) over (3.15-7ubuntu20) ...
  Preparing to unpack .../venv-salt-minion_3006.0-2.35.1_amd64.deb ...
  Unpacking venv-salt-minion (3006.0-2.35.1) over (3006.0-2.35.1) ...
  Setting up venv-salt-minion (3006.0-2.35.1) ...
  Setting up uls-client (3.15-7ubuntu20) ...
  Proc

[Touch-packages] [Bug 1965439] Re: [SRU] kdesu fails to authenticate with sudo from Jammy
BlackMage, the publishing history page suggests the fix was published a year earlier:
https://launchpad.net/ubuntu/+source/kdesu/5.92.0-0ubuntu1.1

What is the output of:

  apt policy libkf5su-data
  namei -l /etc/sudoers.d/kdesu-sudoers

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1965439

Title:
  [SRU] kdesu fails to authenticate with sudo from Jammy

Status in kdesu package in Ubuntu:
  Fix Released
Status in kubuntu-settings package in Ubuntu:
  Fix Released
Status in sudo package in Ubuntu:
  Won't Fix
Status in ubuntustudio-default-settings package in Ubuntu:
  Fix Released
Status in kdesu source package in Jammy:
  Fix Released
Status in kubuntu-settings source package in Jammy:
  In Progress
Status in sudo source package in Jammy:
  Won't Fix
Status in ubuntustudio-default-settings source package in Jammy:
  Fix Released
Status in kdesu source package in Kinetic:
  Fix Released
Status in kubuntu-settings source package in Kinetic:
  Fix Released
Status in sudo source package in Kinetic:
  Won't Fix
Status in ubuntustudio-default-settings source package in Kinetic:
  Fix Released
Status in kdesu package in Debian:
  Fix Released

Bug description:
  kdesu fails to authenticate with sudo from Jammy.

  See upstream bug:

  KDE bug: https://bugs.kde.org/show_bug.cgi?id=452532

  Examples: Launch Kubuntu driver manager from system setting, launching ksystemlog from the main menu, or trying to run krusader root mode option via its 'Tools > Start Krusader Root Mode' menu entry. Assuming that the current user is a member of the sudo group.

  On entering the correct password authentication is refused, stating that possibly an incorrect password has been entered.

  It appears that kdesu fails to cope with the sudo config change in this commit:

  https://salsa.debian.org/sudo-team/sudo/-/commit/59db341d46aa4c26b54c1270e69f2562e7f3d751

  kdesu was fixed in Debian with:

  https://tracker.debian.org/news/1330116/accepted-kdesu-5940-2-source-into-unstable/

  and fixed in kinetic with:

  https://launchpad.net/ubuntu/+source/kdesu/5.94.0-0ubuntu2

  The issue can be worked around by adding /etc/sudoers.d/kdesu-sudoers with the contents

  Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty

  [Impact]

   * Users are unable to authenticate to and launch applications via kdesu.
   * This should be backported to restore functionality that users expect.

  [Test Plan]

   * Launch Kubuntu driver manager from system setting, launching ksystemlog from the main menu, or trying to run krusader root mode option via its 'Tools > Start Krusader Root Mode' menu entry. Assuming that the current user is a member of the sudo group.
   * Confirm that the application authenticate and launch as successfully as in previous releases.

  [Where problems could occur]

   * While this update only returns sudo to its default behaviour (used in previous releases and virtually all other distributions) for kdesu, care should be taken to test some other applications that seek root permissions to confirm that no unexpected consequences occur.

Re: [Touch-packages] [Bug 1971650] Re: wrong check for "server" in libssl3.postinst
On Tue, Aug 29, 2023 at 03:06:58PM -, Adrien Nader wrote:
> Shall we assume on both desktops and servers that an openssl update
> always requires a reboot? At least until we do anything related to
> needrestart.

Our needrestart work is already live, those big obnoxious modal dialogs are something I don't quickly forget. :)

I think we can delete all the maintainer-script upgrade notices from jammy onwards, and I wouldn't cry to see it go from earlier releases, either.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1971650

Title:
  wrong check for "server" in libssl3.postinst

Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  A security update has just been applied to my system for openssl, and the 'reboot required' message just popped on my desktop. I looked to see why this was, and found the following code in the libssl3 postinst:

      # Here we issue the reboot notification for upgrades and
      # security updates. We do want services to be restarted when we
      # update for a security issue, but planned by the sysadmin, not
      # automatically.

      # Only issue the reboot notification for servers; we proxy this by
      # testing that the X server is not running (LP: #244250)
      if ! pidof /usr/lib/xorg/Xorg > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then
          /usr/share/update-notifier/notify-reboot-required
      fi

  Now, AFAIK this is the only package that interfaces with notify-reboot-required but omits the notification on desktops, so that seems to be an inconsistent policy; but even if we thought that was the correct policy to apply, the above check for a desktop is not because it doesn't match in the case the user is running Xwayland, which most users not using the nvidia driver will be doing now by default.

  Also, this is now inside a block that checks for the presence of needrestart, which is part of the server seed; so in effect this notification now *never* fires on servers, it *only* fires on desktops.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: openssl 3.0.2-0ubuntu1.1
  ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
  Uname: Linux 5.15.0-27-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu82
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Thu May 5 05:39:06 2022
  InstallationDate: Installed on 2019-12-23 (863 days ago)
  InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: openssl
  UpgradeStatus: Upgraded to jammy on 2022-04-15 (19 days ago)

[Touch-packages] [Bug 2028774] Re: ssh fails to load opensc-pkcs11.so
Can you run fatrace or opensnoop-bpfcc to discover what exact paths are being probed?

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2028774

Title:
  ssh fails to load opensc-pkcs11.so

Status in openssh package in Ubuntu:
  New

Bug description:
  I have

  PKCS11Provider opensc-pkcs11.so

  in my ~/.ssh/config

  After the last update of openssh-client I now get:

  $ strace -o slogin.log slogin host
  lib_contains_symbol: open opensc-pkcs11.so: No such file or directory
  provider opensc-pkcs11.so is not a PKCS11 library
  (uwe@host) Password for uwe@host:

  $ grep -i pkcs11 slogin.log
  read(3, "PKCS11Provider opensc-pkcs11.so\n"..., 4096) = 1603
  openat(AT_FDCWD, "opensc-pkcs11.so", O_RDONLY) = -1 ENOENT (No such file or directory)
  write(2, "provider opensc-pkcs11.so is not"..., 51) = 51

  $ dpkg-query --listfiles opensc-pkcs11 | grep opensc-pkcs11.so
  /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
  /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
  /usr/lib/x86_64-linux-gnu/pkcs11/onepin-opensc-pkcs11.so
  /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: openssh-client 1:8.9p1-3ubuntu0.3
  ProcVersionSignature: Ubuntu 5.19.0-50.50-generic 5.19.17
  Uname: Linux 5.19.0-50-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Jul 26 15:46:30 2023
  InstallationDate: Installed on 2022-08-25 (334 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
  RelatedPackageVersions:
   ssh-askpass       1:1.2.4.1-13
   libpam-ssh        N/A
   keychain          N/A
   ssh-askpass-gnome N/A
  SSHClientVersion: OpenSSH_8.9p1 Ubuntu-3ubuntu0.3, OpenSSL 3.0.2 15 Mar 2022
  SourcePackage: openssh
  UpgradeStatus: No upgrade log present (probably fresh install)

[Touch-packages] [Bug 1966203] Re: Syslog shows "systemd-udevd[2837]: nvme0n1: Process ... failed with exit code 1." in Ubuntu 22.04
(why is this file installed in desktop systems anyway?)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1966203

Title:
  Syslog shows "systemd-udevd[2837]: nvme0n1: Process ... failed with exit code 1." in Ubuntu 22.04

Status in snapd:
  Confirmed
Status in systemd package in Ubuntu:
  Invalid

Bug description:
  Configuration:
  OS:jammy-live-server20220320-amd64.iso
  CPU:AMD EPYC 7702 64-Core Processor
  UEFI Version:D8E119A
  BMC Version:D8BT19I
  SSD:Intel 1.60TB NVMe SSD
  Boot mode:legacy

  Reproduce Steps:
  1.Boot into BIOS and set boot mode to legacy
  2.install ubuntu 22.04 on NVMe SSD
  3.Check syslog log

  Current behaviors:
  syslog shows systemd-udevd errors in Ubuntu 22.04

  Feb 9 10:16:19 len systemd-udevd[2837]: nvme0n1: Process '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/nvme0n1' failed with exit code 1.
  Feb 9 10:16:19 len systemd-udevd[2877]: nvme0n1p3: Process '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/nvme0n1p3' failed with exit code 1.
  Feb 9 10:16:19 len systemd-udevd[2876]: nvme0n1p2: Process '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/nvme0n1p2' failed with exit code 1.
  Feb 9 10:16:19 len systemd-udevd[2837]: nvme0n1p1: Process '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/nvme0n1p1' failed with exit code 1.
  Feb 9 10:16:19 len systemd-udevd[2828]: sr0: Process '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/sr0' failed with exit code 1.
  Feb 9 10:16:19 len systemd-udevd[2850]: dm-0: Process '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/dm-0' failed with exit code 1.

[Touch-packages] [Bug 1966203] Re: Syslog shows "systemd-udevd[2837]: nvme0n1: Process ... failed with exit code 1." in Ubuntu 22.04
I have to imagine mardy isn't going to bother investigating further, so let's unsubscribe him. I'm hoping that will be enough for the snap team to see this bug again.

Thanks

** Changed in: snapd
     Assignee: Alberto Mardegan (mardy) => (unassigned)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1966203

Title:
  Syslog shows "systemd-udevd[2837]: nvme0n1: Process ... failed with exit code 1." in Ubuntu 22.04

Status in snapd:
  Confirmed
Status in systemd package in Ubuntu:
  Invalid

[Touch-packages] [Bug 2027797] Re: systemd-resolved DNSSEC implementation does not protect against cache poisoning
Thanks for the report; it's my understanding that "real" DNSSEC deployments at sites that care will do all the DNSSEC enforcement with a local recursor because the application APIs are immature / underspecified / etc. Such centralization also makes it far easier for the DNS operations team to work around misconfigured DNSSEC systems in the wild by setting Negative Trust Anchors on portions of the DNS tree (as described at https://doc.powerdns.com/recursor/dnssec.html#negative-trust-anchors ) when necessary.

Thanks

** Changed in: systemd (Ubuntu)
       Status: New => Confirmed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2027797

Title:
  systemd-resolved DNSSEC implementation does not protect against cache poisoning

Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  Steps required are at upstream issue https://github.com/systemd/systemd/issues/25676

  Unfortunately it has been reported publicly for 3 years in https://github.com/systemd/systemd/issues/15158, so no embargo makes sense

[Touch-packages] [Bug 2024540] Re: Vulnerability Can Gain Access even with Time OTP Enabled
What exactly is suspicious about remmina using shared memory?

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2024540

Title:
  Vulnerability Can Gain Access even with Time OTP Enabled

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  Hi,

  We have noticed that when allowing firewall rule to open SSH port 22 of my computer, somebody in the local network gets access to the system, to prevent it we had added two factor authentication by adding Time based OTP using google authenticator and root login is disabled in configuration, our network have windows systems which are compromised they are infecting this system and installing XOR DDOS Malware in my system, the rkhunter log shows variation in lot of system binary files, The XOR DDOS is overwriting lot of files before installing itself in the system, i think there is some critical bug in ssh system, we thought they are bruteforcing ssh password, but even after putting time based two factor authentication they are able to infiltrate the system and gain access. The ubuntu we are using is 22.04 LTS Jammy. Our systems are constantly attacked by XOR DDOS Rootkit. We had even rate limited the ssh even then they gets access added OTP verification also. we think there is some severe security issue with ssh.

  More Details About XOR DDOS Here
  https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/

  Also there is no option to attach multiple files here.

[Touch-packages] [Bug 2019970] Re: OpenSSL 3.0.2 crash in Ubuntu 22.04.2 LTS
That's awesome! I figure post-quantum cryptography will feel like something for years in the future until the week when we all realize we should have moved years earlier. Capture-and-store has to be going on right now, on the assumptions that someone will bring a reliable quantum machine to market.

Thanks for working on it :)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2019970

Title:
  OpenSSL 3.0.2 crash in Ubuntu 22.04.2 LTS

Status in openssl package in Ubuntu:
  Incomplete

Bug description:
  Full bug report at https://github.com/openssl/openssl/issues/20981

  No upstream impact: OpenSSL 3.0.9-dev does not contain the problem any more.

[Touch-packages] [Bug 2023342] Re: apparmor needs read access to no-stub-resolv.conf
Hi Chris, thanks for the report. In this case, reporting to Debian probably wouldn't help much, they're less active than they used to be.

If you're motivated and interested enough, a merge request on https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/nameservice would be fantastic. It'd probably speed the process along nicely.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2023342

Title:
  apparmor needs read access to no-stub-resolv.conf

Status in apparmor package in Ubuntu:
  New

Bug description:
  Description: Ubuntu 22.04.2 LTS
  Release: 22.04

  apt-cache policy apparmor
  apparmor:
    Installed: 3.0.4-2ubuntu2.2
    Candidate: 3.0.4-2ubuntu2.2

  apparmor 3.0.4-2ubuntu2.2 amd64

  Due to issues with systemd-resolved failing to resolve hosts after a random amount of time, I have /etc/resolv.conf -> ../run/NetworkManager/no-stub-resolv.conf

  Unfortunately, /etc/apparmor.d/abstractions/nameservice does not allow read access to the above path, so armored daemons like chrony fail to resolve hostnames when used in their configuration files:

  type=AVC msg=audit(1685023761.372:15182): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/run/NetworkManager/no-stub-resolv.conf" pid=191892 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=118 ouid=0^]FSUID="_chrony" OUID="root"

  A generalized (non-chrony specific) workaround is:

  mkdir /etc/apparmor.d/abstractions/nameservice.d
  echo @{run}/NetworkManager/no-stub-resolv.conf r, > /etc/apparmor.d/abstractions/nameservice.d/no-stub
  systemctl reload apparmor.service

  It seems to be an omission to not have '@{run}/NetworkManager/no-stub-resolv.conf r,' in the default abstractions/nameservice file.

  Thanks for your consideration!

[Touch-packages] [Bug 2019970] Re: OpenSSL 3.0.2 crash in Ubuntu 22.04.2 LTS
It's less about bug completeness and more about the risks of breaking users. The general rule for the whole distribution is backporting specific fixes for specific bugs; however, there's a handful of packages where that's not feasible, desired, etc.

Firefox and Chromium are the most obvious cases of wanting the same, recent, version, on all supported releases. The upstream developers for these projects have way more resources and way more comprehensive test suites than we could ever hope to achieve ourselves, and they've got loads of experience making frequent releases.

MySQL, MariaDB, PostgreSQL are common for "the most recent version of the release that was used at the time of release" (or something like that; it's an ugly mouthful). Moving from MySQL 5.5 to 8 would be a huge jump, but 5.5.32 to 5.5.36 to 5.5.40 etc shouldn't be a big deal. (Alas, it is. LP:2019203.) These are also far more complex than we can realistically engineer ourselves.

We've done full-version jumps with Samba before; some of their security fixes involve hundreds of patches with huge refactoring. There's no good choices with Samba. The risks of backporting are huge, the opportunity costs are even larger, and if we backport that much, we'll wind up with software that nobody is familiar with. So, we will sometimes ship entirely new versions, and just deal with all the fallout from regressions.

OpenSSL is a challenging case. It'd be ideal to run the same version as upstream, so when there's issues, there's a much larger community working on them. Perhaps the OpenSSL upstream developers have an extensive enough test suite today to reduce the risks of using entirely new versions. I know that historically we've found some issues with security patches via our testing that the OpenSSL upstream testing missed. I also know that our testing is focused on what ships in our distribution, it doesn't test the wide world of proprietary software or not-yet-packaged software, so we know we have blind spots.

If we explore shipping upstream OpenSSL packages, I'd really like to see it trialed in our 'interim' releases: eg, ship an OpenSSL update halfway through the support cycle for 23.04, 23.10, 24.10, 25.04, 25.10, and if those all go well, consider it for 26.04 and future releases. There's way fewer users of our interim releases (which is both a benefit and a curse, here) and the consequences of a problem are thus constrained.

Users expect (if not appreciate) breaking changes at release points. They don't expect (and detest) such changes in LTS releases. Given the foundational importance of OpenSSL, I think it makes sense to go very slowly in testing such a hypothetical change.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2019970

Title:
  OpenSSL 3.0.2 crash in Ubuntu 22.04.2 LTS

Status in openssl package in Ubuntu:
  Incomplete

[Touch-packages] [Bug 2019970] Re: OpenSSL 3.0.2 crash in Ubuntu 22.04.2 LTS
Michael, Ubuntu backports specific fixes as they are identified; you can check the status of our OpenSSL packages on our website:

All OpenSSL issues:
https://ubuntu.com/security/cves?q=&package=openssl&priority=&version=&status=

OpenSSL issues, restricted to just Jammy:
https://ubuntu.com/security/cves?q=&package=openssl&priority=&version=jammy&status=

OpenSSL issues without a release, restricted to just Jammy:
https://ubuntu.com/security/cves?q=&package=openssl&priority=&version=jammy&status=needed
https://ubuntu.com/security/cves?q=&package=openssl&priority=&version=jammy&status=deferred
https://ubuntu.com/security/cves?q=&package=openssl&priority=&version=jammy&status=ignored
https://ubuntu.com/security/cves?q=&package=openssl&priority=&version=jammy&status=needs-triage

(Yeah, it's unfortunate that currently takes multiple pages to view. Hopefully this will be addressed soon.)

Thanks
[Touch-packages] [Bug 2023741] Re: package apparmor 3.0.4-2ubuntu2.2 failed to install/upgrade: installed apparmor package post-installation script subprocess was killed by signal (Broken pipe)
Hello Stephan, it looks a bit like you had an external hard drive disconnect or suffer low power immediately before these error messages. My guess is that making sure all the cables are plugged in tightly, rebooting, and then:

  sudo apt update
  sudo apt install -f

will get you back up and running without trouble. If there's more errors here, let us know.

Thanks

** Changed in: apparmor (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2023741

Title:
  package apparmor 3.0.4-2ubuntu2.2 failed to install/upgrade: installed apparmor package post-installation script subprocess was killed by signal (Broken pipe)

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  I'm just following instructions for reporting, Not a guru, just a copy and paste end user who HATES microsoft. Freshly installed Ubuntu on laptop HP250G6 Had windows 10 home on laptop, suspect all the windows updates caused PC to be so slow, much better now of course. After installing had to enable visualization technology (VMX) and Software guard extensions (SGX) in bios for pc to boot up.

  ProblemType: Package
  DistroRelease: Ubuntu 22.04
  Package: apparmor 3.0.4-2ubuntu2.2
  ProcVersionSignature: Ubuntu 5.19.0-43.44~22.04.1-generic 5.19.17
  Uname: Linux 5.19.0-43-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: pass
  Date: Tue Jun 13 19:17:47 2023
  DuplicateSignature:
   package:apparmor:3.0.4-2ubuntu2.2
   Setting up apparmor (3.0.4-2ubuntu2.2) ...
   dpkg: error processing package apparmor (--configure):
    installed apparmor package post-installation script subprocess was killed by signal (Broken pipe)
  ErrorMessage: installed apparmor package post-installation script subprocess was killed by signal (Broken pipe)
  InstallationDate: Installed on 2023-06-13 (0 days ago)
  InstallationMedia: Ubuntu 22.04.2 LTS "Jammy Jellyfish" - Release amd64 (20230223)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.19.0-43-generic root=UUID=1a48d7a5-5953-4fd2-9ea9-7eea65640625 ro quiet splash vt.handoff=7
  Python3Details: /usr/bin/python3.10, Python 3.10.6, python3-minimal, 3.10.6-1~22.04
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.21.1ubuntu2.2
   apt  2.4.9
  SourcePackage: apparmor
  Title: package apparmor 3.0.4-2ubuntu2.2 failed to install/upgrade: installed apparmor package post-installation script subprocess was killed by signal (Broken pipe)
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2023741/+subscriptions
[Touch-packages] [Bug 2008846] Re: package libssl3:amd64 3.0.2-0ubuntu1.8 failed to install/upgrade: installed libssl3:amd64 package post-installation script subprocess returned error exit status 1
Of your suggestions, I like #1 the most; a reboot is usually a good idea *anyway*, since there's always kernel updates to install, but I'd hold off rebooting until you get the machine back into a happy state. Try:

  sudo kill 1224036
  sudo apt install -f

You might also need:

  sudo dpkg --configure -a

Then:

  sudo apt update && sudo apt upgrade

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2008846

Title:
  package libssl3:amd64 3.0.2-0ubuntu1.8 failed to install/upgrade: installed libssl3:amd64 package post-installation script subprocess returned error exit status 1

Status in needrestart package in Ubuntu:
  New
Status in openssl package in Ubuntu:
  Incomplete

Bug description:
  encounter error when attempting to do sudo update, upgrade, and full-upgrade

  ProblemType: Package
  DistroRelease: Ubuntu 22.04
  Package: libssl3:amd64 3.0.2-0ubuntu1.8
  ProcVersionSignature: Ubuntu 5.15.0-58.64-generic 5.15.74
  Uname: Linux 5.15.0-58-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.11-0ubuntu82.3
  Architecture: amd64
  CasperMD5CheckResult: pass
  Date: Wed Mar 1 10:28:26 2023
  ErrorMessage: installed libssl3:amd64 package post-installation script subprocess returned error exit status 1
  InstallationDate: Installed on 2022-10-01 (150 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
  Python3Details: /usr/bin/python3.10, Python 3.10.6, python3-minimal, 3.10.6-1~22.04
  PythonDetails: N/A
  RebootRequiredPkgs: Error: path contained symlinks.
  RelatedPackageVersions:
   dpkg 1.21.1ubuntu2.1
   apt  2.4.8
  SourcePackage: openssl
  Title: package libssl3:amd64 3.0.2-0ubuntu1.8 failed to install/upgrade: installed libssl3:amd64 package post-installation script subprocess returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/needrestart/+bug/2008846/+subscriptions
[Touch-packages] [Bug 2008846] Re: package libssl3:amd64 3.0.2-0ubuntu1.8 failed to install/upgrade: installed libssl3:amd64 package post-installation script subprocess returned error exit status 1
Thanks Adrien, that feels less worrying than I initially thought. Yesterday I missed an unattended-upgrades that's been running since March. Oof.

I honestly don't know what to suggest to Derek; killing those processes feels like a good idea, since there's no terminal available to interact with debconf, and sooner or later the consequences of that are going to have to be faced.

It's probably enough to kill it, and then do:

  sudo apt install -f
  sudo apt update && sudo apt upgrade

by hand afterwards, that'd probably get to a happy place. But I'm not confident.

I like the idea of removing / pruning / moving the openssl maintainer scripts; a lot of it feels like it was made for a previous world. And it's certainly fragile, I see enough of these bug reports, too.

Thanks
[Touch-packages] [Bug 2021484] Re: Editing a VPN ask to introduce credentials but if you cancel can be accessed anyway
** Changed in: ubuntu-settings (Ubuntu)
       Status: Incomplete => New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-settings in Ubuntu.
https://bugs.launchpad.net/bugs/2021484

Title:
  Editing a VPN ask to introduce credentials but if you cancel can be accessed anyway

Status in ubuntu-settings package in Ubuntu:
  New

Bug description:
  I'm logged as a normal user without admin privileges. When I try to edit a VPN I'm asked to introduce the credentials of the admin, nevertheless if I click cancel I can still access to the VPN configuration.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: ubuntu-settings 20.04.6
  ProcVersionSignature: Ubuntu 5.15.0-72.79~20.04.1-generic 5.15.98
  Uname: Linux 5.15.0-72-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.26
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: ubuntu:GNOME
  Date: Mon May 29 11:16:38 2023
  InstallationDate: Installed on 2022-05-04 (389 days ago)
  InstallationMedia: Ubuntu 20.04.3 LTS "Focal Fossa" - Release amd64 (20210819)
  PackageArchitecture: all
  SourcePackage: ubuntu-settings
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-settings/+bug/2021484/+subscriptions
[Touch-packages] [Bug 2021484] Re: Editing a VPN ask to introduce credentials but if you cancel can be accessed anyway
Hello Cristobal, can you make changes from that interface? Or is it read-only?

Thanks

** Information type changed from Private Security to Public Security

** Changed in: ubuntu-settings (Ubuntu)
       Status: New => Incomplete
[Touch-packages] [Bug 2008846] Re: package libssl3:amd64 3.0.2-0ubuntu1.8 failed to install/upgrade: installed libssl3:amd64 package post-installation script subprocess returned error exit status 1
Am I reading the ps faux output from comment #5 correctly, that needrestart is responsible for starting a dpkg process that starts a debconf frontend, but there's no terminal available to this process?

Why is needrestart doing operations that would need a debconf frontend? Should it be doing them, or is it a surprise? Should it be setting the frontend non-interactive environment variable? Or should it stop doing the dpkg operations?

Or, did I misread the thing?

Thanks

** Also affects: needrestart (Ubuntu)
   Importance: Undecided
       Status: New
[Touch-packages] [Bug 2020838] Re: [regression][jammy] augenrules Error sending add rule data request (No such file or directory)
Awesome find!

Probably for many users, that's a perfectly fine change, I suspect that auditing home directories isn't going to be a top priority for many people.

However, the sheer confusion of this issue is troubling: going from these error messages to "I have to remove a systemd configuration directive" is a big leap. At least now there's a bug report on the internet with both the error message and the solution, so the next person will have an easier time of it, but it probably will still only come after frustration.

But I'm leery of removing hardening options.

Opinions from the wider world?

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/2020838

Title:
  [regression][jammy] augenrules Error sending add rule data request (No such file or directory)

Status in audit package in Ubuntu:
  New

Bug description:
  The rule '-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged' can not be loaded during system boot up.

  # lsb_release -rc
  Release: 22.04
  Codename: jammy

  # dpkg -l|grep audit
  ii auditd 1:3.0.7-1build1 amd64 User space tools for security auditing
  ii libaudit-common 1:3.0.7-1build1 all Dynamic library for security auditing - common files
  ii libaudit1:amd64 1:3.0.7-1build1 amd64 Dynamic library for security auditing
  ii libauparse0:amd64 1:3.0.7-1build1 amd64 Dynamic library for parsing security auditing

  # cat /etc/audit/rules.d/audit.rules|grep -v ^#|grep -v ^$
  -D
  -a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
  -b 8192
  --backlog_wait_time 6
  -f 1

  # ls -l /home/ubuntu/test.sh
  -rwxr-xr-x 1 root ubuntu 19 May 25 14:19 /home/ubuntu/test.sh

  # cat /home/ubuntu/test.sh
  #!/bin/bash
  echo 1

  # >/etc/audit/audit.rules

  reboot the system, no rule can be loaded

  # auditctl -l
  No rules

  syslog:
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: Error sending add rule data request (No such file or directory)
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: There was an error in line 5 of /etc/audit/audit.rules
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: No rules
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: enabled 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: failure 1
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: pid 476
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: rate_limit 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_limit 8192
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: lost 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog 0
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time 15000
  May 26 02:17:36 juju-d929ae-con28-1 augenrules[507]: backlog_wait_time_actual 0

  # cat /etc/audit/audit.rules
  ## This file is automatically generated from /etc/audit/rules.d
  -D
  -b 8192
  -f 1
  -a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
  --backlog_wait_time 6

  But I can manually load the rule file. Seems this issue only happens during system boot up.

  # auditctl -R /etc/audit/audit.rules
  No rules
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 4
  backlog_wait_time 15000
  backlog_wait_time_actual 0
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 4
  backlog_wait_time 15000
  backlog_wait_time_actual 0
  enabled 1
  failure 1
  pid 476
  rate_limit 0
  backlog_limit 8192
  lost 0
  backlog 14
  backlog_wait_time 6
  backlog_wait_time_actual 0

  # auditctl -l
  -a always,exit -S all -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
  -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts

  If I move the file /home/ubuntu/test.sh to
[Touch-packages] [Bug 2020840] Re: package linux-image-5.15.0-72-generic 5.15.0-72.79 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
Hello, it looks like your /boot filesystem is probably full. Recovering from this isn't great fun. There's some advice on https://askubuntu.com/q/89710/33812 that might be helpful.

  Processing triggers for linux-image-5.15.0-72-generic (5.15.0-72.79) ...
  /etc/kernel/postinst.d/initramfs-tools:
  update-initramfs: Generating /boot/initrd.img-5.15.0-72-generic
  zstd: error 25 : Write error : No space left on device (cannot write compressed block)

Thanks

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2020840

Title:
  package linux-image-5.15.0-72-generic 5.15.0-72.79 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1

Status in initramfs-tools package in Ubuntu:
  New

Bug description:
  error update

  ProblemType: Package
  DistroRelease: Ubuntu 22.04
  Package: linux-image-5.15.0-72-generic 5.15.0-72.79
  ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
  Uname: Linux 5.15.0-27-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
  CRDA: N/A
  CasperMD5CheckResult: unknown
  Date: Fri May 26 00:30:10 2023
  ErrorMessage: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
  IwConfig:
   lo no wireless extensions.
   eth0 no wireless extensions.
  Lspci:
  Lspci-vt: -[:00]-
  Lsusb: Error: command ['lsusb'] failed with exit code 1:
  Lsusb-t:
  Lsusb-v: Error: command ['lsusb', '-v'] failed with exit code 1:
  MachineType: Microsoft Corporation Virtual Machine
  ProcFB: 0 hyperv_drmdrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.15.0-27-generic root=LABEL=desktop-rootfs ro quiet splash vt.handoff=7
  PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
  Python3Details: /usr/bin/python3.10, Python 3.10.6, python3-minimal, 3.10.6-1~22.04
  PythonDetails: N/A
  RebootRequiredPkgs: Error: path contained symlinks.
  RelatedPackageVersions: grub-pc 2.06-2ubuntu7.1
  RfKill:
  SourcePackage: initramfs-tools
  Title: package linux-image-5.15.0-72-generic 5.15.0-72.79 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 04/06/2022
  dmi.bios.release: 4.1
  dmi.bios.vendor: Microsoft Corporation
  dmi.bios.version: Hyper-V UEFI Release v4.1
  dmi.board.asset.tag: None
  dmi.board.name: Virtual Machine
  dmi.board.vendor: Microsoft Corporation
  dmi.board.version: Hyper-V UEFI Release v4.1
  dmi.chassis.asset.tag: 4521-1608-3807-0735-4847-9464-59
  dmi.chassis.type: 3
  dmi.chassis.vendor: Microsoft Corporation
  dmi.chassis.version: Hyper-V UEFI Release v4.1
  dmi.modalias: dmi:bvnMicrosoftCorporation:bvrHyper-VUEFIReleasev4.1:bd04/06/2022:br4.1:svnMicrosoftCorporation:pnVirtualMachine:pvrHyper-VUEFIReleasev4.1:rvnMicrosoftCorporation:rnVirtualMachine:rvrHyper-VUEFIReleasev4.1:cvnMicrosoftCorporation:ct3:cvrHyper-VUEFIReleasev4.1:skuNone:
  dmi.product.family: Virtual Machine
  dmi.product.name: Virtual Machine
  dmi.product.sku: None
  dmi.product.version: Hyper-V UEFI Release v4.1
  dmi.sys.vendor: Microsoft Corporation

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/2020840/+subscriptions
[Touch-packages] [Bug 2020838] Re: [regression][jammy] augenrules Error sending add rule data request (No such file or directory)
Hello, my guess is /home or /home/ubuntu may not exist when the audit rules are loaded. The file and directory watches work by setting up inotify watches on the underlying objects, and if the file or directory doesn't exist, there's nothing to watch. So, it errors.

You can add -i to the configuration file to have it continue onwards despite the error:

  -i     When given by itself, ignore errors when reading rules from a file. This causes auditctl to always return a success exit code. If passed as an argument to -s then it gives an interpretation of the numbers to human readable words if possible.

I'm not sure what to suggest for actually working around the problem, though. Reloading the rules some point after booting, once all the filesystems are mounted, would make sense, but I'm not sure how to ask systemd to do that.

Thanks
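The failure described in this message (a rule whose `path=` target does not exist at the moment the rules are loaded) can be checked for before loading. The following is an added example, not part of the original message or of the audit package: a POSIX shell pre-flight check that lists every rule in a rules file whose `-w`, `-F path=` or `-F dir=` target is missing. The function name, the optional root-prefix argument and the sample rules file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the audit package): list audit rules whose
# file or directory target does not exist under a given root prefix.
#
# usage: missing_watch_targets RULES_FILE [ROOT_PREFIX]
# Prints "line N: PATH does not exist" per missing target; returns 1 if any.
missing_watch_targets() {
    rules_file=$1
    prefix=${2-}          # hypothetical: lets the check run against a staged tree
    lineno=0
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f            # no globbing while the rule is split into words
        set -- $line
        set +f
        if [ $# -eq 0 ]; then continue; fi
        case $1 in '#'*) continue ;; esac
        while [ $# -gt 0 ]; do
            target=
            case $1 in
                -w) target=${2-} ;;
                -F) case ${2-} in
                        path=*) target=${2#path=} ;;
                        dir=*)  target=${2#dir=} ;;
                    esac ;;
            esac
            if [ -n "$target" ] && [ ! -e "$prefix$target" ]; then
                printf 'line %d: %s does not exist\n' "$lineno" "$target"
                missing=1
            fi
            shift
        done
    done < "$rules_file"
    return "$missing"
}

demo() {
    tmp=$(mktemp -d)      # constructed stand-in for / early in boot
    mkdir -p "$tmp/etc/audit"
    # Constructed sample, modelled on the generated file quoted in the bug report.
    cat > "$tmp/etc/audit/audit.rules" <<'EOF'
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-a always,exit -F path=/home/ubuntu/test.sh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
EOF
    echo "before /home is available:"
    missing_watch_targets "$tmp/etc/audit/audit.rules" "$tmp" ||
        echo "-> these rules cannot be loaded yet"
    mkdir -p "$tmp/home/ubuntu"
    : > "$tmp/home/ubuntu/test.sh"
    echo "after /home is available:"
    missing_watch_targets "$tmp/etc/audit/audit.rules" "$tmp" &&
        echo "-> all targets present"
    rm -rf "$tmp"
}
demo
```

With the sample file the first pass reports line 5, the same line number the syslog excerpt in the bug description complains about.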
[Touch-packages] [Bug 2019496] Re: Security implications of SUDO_ASKPASS
Hello Heinrich, I suspect once you can set aliases in shells used by people with sudo privileges, the game is already over regardless of environment variables used.

Is there something I'm missing where setting aliases in someone else's shell is fine except for this variable?

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/2019496

Title:
  Security implications of SUDO_ASKPASS

Status in sudo package in Ubuntu:
  New

Bug description:
  All that is needed to subvert sudo is adding this line to ~/.bashrc

  alias sudo="SUDO_ASKPASS=/home/$USER/.config/git/doevil sudo -A"

  and a program that reads the password from the command line and makes use of it.

  Ignoring the SUDO_ASKPASS environment variable would be an option to stop this.

  Best regards

  Heinrich

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2019496/+subscriptions
[Touch-packages] [Bug 1457020] Re: x86_64-specific crash with one-word modulus
Let's set this to WONTFIX then; this isn't exactly a promise we won't get to it, but ideally any 14.04 LTS users affected by this would re-open or file a support request etc.

** Changed in: openssl (Ubuntu)
       Status: New => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1457020

Title:
  x86_64-specific crash with one-word modulus

Status in openssl package in Ubuntu:
  Won't Fix

Bug description:
  Hello,

  I'm trying to build nodejs 0.10.38 on Precise using the shared openssl but the tests fail[0]. An upstream patch[1] exists to fix this issue. Is it possible to provide it to precise?

  Regards.

  [0] https://github.com/joyent/node/issues/8050
  [1] https://github.com/openssl/openssl/commit/eca441b2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1457020/+subscriptions
[Touch-packages] [Bug 2019496] Re: Security implications of SUDO_ASKPASS
** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/2019496

Title: Security implications of SUDO_ASKPASS

Status in sudo package in Ubuntu: New
[Touch-packages] [Bug 2019940] Re: Directly manipulating NetworkManager keyfiles
jammy, lunar, and mantic:

    for distro in jammy lunar mantic ; do
      for component in main universe multiverse restricted ; do
        for-archive /srv/mirror/ubuntu/dists/$distro/$component/source/Sources.gz /srv/mirror/ubuntu/ ~/bin/for-archive-tools/unpack-search '/system-connections'
      done
    done | tee ~/system-connections-$(date +%d-%H:%M:%S)

** Attachment added: "system-connections-17-10:41:24"
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2019940/+attachment/5673652/+files/system-connections-17-10%3A41%3A24

https://bugs.launchpad.net/bugs/2019940

Title: Directly manipulating NetworkManager keyfiles

Status in augeas package in Ubuntu: New
Status in calamares package in Ubuntu: New
Status in cloud-init package in Ubuntu: New
Status in cruft-ng package in Ubuntu: New
Status in dracut package in Ubuntu: New
Status in forensic-artifacts package in Ubuntu: New
Status in guestfs-tools package in Ubuntu: New
Status in guix package in Ubuntu: New
Status in ltsp package in Ubuntu: Invalid
Status in netcfg package in Ubuntu: Won't Fix
Status in netplan.io package in Ubuntu: Won't Fix
Status in network-manager package in Ubuntu: New
Status in refpolicy package in Ubuntu: New
Status in sosreport package in Ubuntu: New
Status in uhd package in Ubuntu: New
Status in vagrant package in Ubuntu: New

Bug description:
The affected packages can manipulate NetworkManager keyfiles directly on disk, which might not be appropriate anymore on Ubuntu, since the Netplan integration was enabled in NetworkManager (starting with Mantic), migrating any keyfile configuration from /etc/NetworkManager/system-connections/*[.nmconnection] to /etc/netplan/90-NM-*.yaml

See Netplan's documentation for how connections are handled: https://netplan.readthedocs.io/en/latest/netplan-everywhere/

PS: Packages were queried using: https://codesearch.debian.net/search?q=%2Fsystem-connections&literal=1&perpkg=1
[Touch-packages] [Bug 1066101] Re: netbase 5.0ubuntu1 fails to cleanly upgrade, asks about conffiles
Note to future-sarnold: Remove 'devscripts' from ~/.mk-sbuild.rc

Install devscripts into the -source schroot by hand later.

https://bugs.launchpad.net/bugs/1066101

Title: netbase 5.0ubuntu1 fails to cleanly upgrade, asks about conffiles

Status in netbase package in Ubuntu: Triaged
Status in netbase source package in Quantal: Won't Fix

Bug description:
Setting up netbase (5.0ubuntu1) ...

Configuration file `/etc/protocols'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
 ==> Using current old file as you requested.

Configuration file `/etc/services'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
 ==> Using current old file as you requested.

In the sbuild chroot. I am not touching those files, so they should auto-upgrade in a sane way.
[Touch-packages] [Bug 2017594] Re: package leaves non-updated copy of /usr/sbin/apparmor_parser after update to apparmor-2.13.3-7ubuntu5.2. Orphaned older executable breaks docker
Your dpkg -S hits an ancient issue https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=134758

You're also exactly right about status quo being an unhappy place. Debian is currently trying to figure out a solution: https://lists.debian.org/debian-devel/2023/04/msg8.html -- it's been in progress for years and probably will remain in progress for years.

I don't think the right answer is for individual packages to make changes -- Simon has enumerated some risks at: https://lists.debian.org/debian-devel/2023/04/msg00090.html

I don't know what the right answer is for your computer -- nor how you've even gotten into the situation you're in. I believe just blindly installing the usrmerge package to forcibly move all your executables and build symlinks would probably crash if you've got duplicate executables in both places.

My first thought to finding more collisions...

    cd /bin ; echo * | tr ' ' '\n' > /tmp/bin
    cd /usr/bin ; echo * | tr ' ' '\n' > /tmp/usrbin
    comm -12 /tmp/bin /tmp/usrbin
    cd /sbin ; echo * | tr ' ' '\n' > /tmp/sbin
    cd /usr/sbin ; echo * | tr ' ' '\n' > /tmp/usrsbin
    comm -12 /tmp/sbin /tmp/usrsbin

** Bug watch added: Debian Bug tracker #134758
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=134758

https://bugs.launchpad.net/bugs/2017594

Title: package leaves non-updated copy of /usr/sbin/apparmor_parser after update to apparmor-2.13.3-7ubuntu5.2. Orphaned older executable breaks docker

Status in apparmor package in Ubuntu: Confirmed

Bug description:
There appear to be two copies of apparmor_parser installed by previous versions of the apparmor package, in /sbin and /usr/sbin. When updating the apparmor package to apparmor-2.13.3-7ubuntu5.2, only the /sbin/apparmor_parser executable is updated and the /usr/sbin copy is left unchanged.

Being earlier in the path, /usr/sbin/apparmor_parser is used by Docker when trying to register the docker-default apparmor profile for containers. The orphaned older executable reports a warning about a new parameter in the parser configuration file in the same package, and that warning breaks the version check that docker runs against that executable on the first line of output. Trying to parse the warning while looking for the version number results in the error:

    docker: Error response from daemon: AppArmor enabled on system but the docker-default profile could not be loaded: strconv.Atoi: parsing "file": invalid syntax.

As a workaround, we've been replacing the old version in /usr/sbin with a symlink to the file in /sbin, but the package should be corrected to do appropriate behaviour (either delete the unnecessary(?) copy in /usr/sbin or replace it with a symlink)
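A stricter variant of the collision search in the reply above, as an added example that is not part of the thread: it reports only names that exist in both directories as two distinct files (a symlink or hard link to the other copy is skipped, as is a merged-/usr layout) and says whether the contents differ, which is the stale-copy case from the bug description. The function names and the demo tree are constructed for the example, and the `-ef` test is assumed to be available, as it is in bash and dash.

```shell
#!/bin/sh
# Added example, not from the bug thread.

# collisions DIR_A DIR_B: for every name that exists in both directories as
# two distinct files, print "name<TAB>identical" or "name<TAB>differs".
collisions() {
    a=$1
    b=$2
    # Merged /usr: DIR_A is a symlink to DIR_B, so every name is one file.
    [ "$a" -ef "$b" ] && return 0
    for p in "$a"/* "$a"/.[!.]*; do
        [ -e "$p" ] || continue          # unmatched glob or dangling symlink
        [ -d "$p" ] && continue          # only compare non-directories
        q=$b/${p##*/}
        [ -e "$q" ] || continue          # name exists on one side only
        [ "$p" -ef "$q" ] && continue    # same inode: symlink or hard link
        if cmp -s "$p" "$q"; then state=identical; else state=differs; fi
        printf '%s\t%s\n' "${p##*/}" "$state"
    done
}

# make_demo_tree DIR: constructed layout with one stale duplicate, one
# identical duplicate, one symlinked name and one merged-/usr pair.
make_demo_tree() {
    mkdir -p "$1/sbin" "$1/usr/sbin" "$1/merged/usr/bin"
    echo 'parser 2.13.3-7ubuntu5.2' > "$1/sbin/apparmor_parser"
    echo 'parser 2.13.3-7ubuntu5' > "$1/usr/sbin/apparmor_parser"   # stale copy
    echo 'same bytes' > "$1/sbin/ldconfig"
    cp "$1/sbin/ldconfig" "$1/usr/sbin/ldconfig"                    # separate, identical
    echo 'ip' > "$1/sbin/ip"
    ln -s ../../sbin/ip "$1/usr/sbin/ip"                            # one file, two names
    echo 'only here' > "$1/usr/sbin/only_in_usr"
    echo 'ls' > "$1/merged/usr/bin/ls"
    ln -s usr/bin "$1/merged/bin"                                   # merged layout
}

# Demo on the constructed tree; on a real system compare /bin with /usr/bin
# and /sbin with /usr/sbin.
demo=$(mktemp -d)
make_demo_tree "$demo"
collisions "$demo/sbin" "$demo/usr/sbin"
collisions "$demo/merged/bin" "$demo/merged/usr/bin"
rm -rf "$demo"
```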
[Touch-packages] [Bug 2017594] Re: package leaves non-updated copy of /usr/sbin/apparmor_parser after update to apparmor-2.13.3-7ubuntu5.2. Orphaned older executable breaks docker
Ah, interesting, TIL that focal is a bit odd here:

- we changed to usrmerge as default in the disco installer
- we added the 'usrmerge' package to convert old installations to this format in hirsute: https://bugs.launchpad.net/ubuntu/+source/usrmerge/+bug/1906671

So, if you installed with focal, you'd have the usrmerge filesystem setup. If you initially installed with cosmic or earlier and upgrade, you won't get the usrmerge filesystem setup.

Your system is less strange than I thought; sadly, now I'm even more confused how you're seeing what you're seeing.

These /sbin -> /usr/sbin symlinks are so awkward, it's easy to draw incorrect conclusions about what's going on, so be very careful before proceeding, but I expect you can delete the /usr/sbin/apparmor_parser if that is actually a symlink and hopefully never think of this again. Be careful, of course, if you delete the only apparmor_parser on the system it'll be a pretty unhappy next reboot.

I'd double-check

    ls -l /sbin /usr/sbin /sbin/apparmor_parser /usr/sbin/apparmor_parser

a few times before deciding what, if anything, to delete.

Thanks

https://bugs.launchpad.net/bugs/2017594

Title: package leaves non-updated copy of /usr/sbin/apparmor_parser after update to apparmor-2.13.3-7ubuntu5.2. Orphaned older executable breaks docker

Status in apparmor package in Ubuntu: Confirmed
[Touch-packages] [Bug 2017594] Re: package leaves non-updated copy of /usr/sbin/apparmor_parser after update to apparmor-2.13.3-7ubuntu5.2. Orphaned older executable breaks docker
Hello Paul-Andre, I don't see any /usr/sbin/apparmor_parser files in any of the binary packages that I've got very easy access to:

    sarnold@wopr:/dev/shm/apparmor $ find . -name apparmor_parser -ls
    331800394 1472 -rwxr-xr-x 1 sarnold sarnold 1506552 Feb 28 14:18 ./apparmor_3.0.8-1ubuntu2/sbin/apparmor_parser
    331800180 1472 -rwxr-xr-x 1 sarnold sarnold 1506552 Sep 23 2022 ./apparmor_3.0.7-1ubuntu2/sbin/apparmor_parser
    331799966 1472 -rwxr-xr-x 1 sarnold sarnold 1506552 Nov 23 09:55 ./apparmor_3.0.7-1ubuntu2.1/sbin/apparmor_parser
    331799752 1500 -rwxr-xr-x 1 sarnold sarnold 1535648 Mar 9 2022 ./apparmor_3.0.4-2ubuntu2/sbin/apparmor_parser
    331799540 1508 -rwxr-xr-x 1 sarnold sarnold 1543872 Oct 19 2022 ./apparmor_3.0.4-2ubuntu2.2/sbin/apparmor_parser
    331799361 832 -rwxr-xr-x 1 sarnold sarnold 849048 Apr 3 2014 ./apparmor_2.8.95~2430-0ubuntu5/sbin/apparmor_parser
    331799175 1468 -rwxr-xr-x 1 sarnold sarnold 1501568 Apr 12 2020 ./apparmor_2.13.3-7ubuntu5/sbin/apparmor_parser
    331798981 1488 -rwxr-xr-x 1 sarnold sarnold 1522176 Oct 10 2022 ./apparmor_2.13.3-7ubuntu5.2/sbin/apparmor_parser
    331798786 1440 -rwxr-xr-x 1 sarnold sarnold 1472232 Apr 17 2018 ./apparmor_2.12-4ubuntu5/sbin/apparmor_parser
    331798611 1440 -rwxr-xr-x 1 sarnold sarnold 1472232 Sep 27 2018 ./apparmor_2.12-4ubuntu5.1/sbin/apparmor_parser
    331798311 1256 -rwxr-xr-x 1 sarnold sarnold 1282984 Apr 12 2016 ./apparmor_2.10.95-0ubuntu2/sbin/apparmor_parser
    331798305 888 -rwxr-xr-x 1 sarnold sarnold 909192 Sep 27 2018 ./apparmor_2.10.95-0ubuntu2.6~14.04.4/sbin/apparmor_parser
    331797891 1260 -rwxr-xr-x 1 sarnold sarnold 1287064 May 28 2019 ./apparmor_2.10.95-0ubuntu2.11/sbin/apparmor_parser
    sarnold@wopr:/dev/shm/apparmor $ find . -name apparmor_parser -ls | grep usr
    sarnold@wopr:/dev/shm/apparmor 1 $

On my focal and newer systems, /sbin is a symlink to /usr/sbin:

    $ ls -ld /sbin /usr/sbin
    lrwxrwxrwx 1 root root 8 Apr 10 2019 /sbin -> usr/sbin
    drwxr-xr-x 2 root root 605 Apr 21 06:44 /usr/sbin

This is part of the usrmerge process: https://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge/

I'm curious how you've got a focal system where this isn't the case. How did this machine come to be? What's the broad outlines of its life history?

Thanks

https://bugs.launchpad.net/bugs/2017594

Title: package leaves non-updated copy of /usr/sbin/apparmor_parser after update to apparmor-2.13.3-7ubuntu5.2. Orphaned older executable breaks docker

Status in apparmor package in Ubuntu: Confirmed
[Touch-packages] [Bug 2015067] Re: package libpam-runtime 1.4.0-11ubuntu2.3 failed to install/upgrade: installed libpam-runtime package post-installation script subprocess returned error exit status 1
** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/2015067

Title: package libpam-runtime 1.4.0-11ubuntu2.3 failed to install/upgrade: installed libpam-runtime package post-installation script subprocess returned error exit status 128

Status in pam package in Ubuntu: New

Bug description:
Updates in my laptop not succeeding

ProblemType: Package
DistroRelease: Ubuntu 22.04
Package: libpam-runtime 1.4.0-11ubuntu2.3
ProcVersionSignature: Ubuntu 5.19.0-38.39~22.04.1-generic 5.19.17
Uname: Linux 5.19.0-38-generic x86_64
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckResult: pass
Date: Mon Apr 3 14:05:48 2023
DuplicateSignature:
 package:libpam-runtime:1.4.0-11ubuntu2.3
 Setting up libpam-runtime (1.4.0-11ubuntu2.3) ...
 Use of uninitialized value $ret in string eq at /usr/share/perl5/Debconf/FrontEnd/Passthrough.pm line 134.
 dpkg: error processing package libpam-runtime (--configure):
  installed libpam-runtime package post-installation script subprocess returned error exit status 128
ErrorMessage: installed libpam-runtime package post-installation script subprocess returned error exit status 128
InstallationDate: Installed on 2023-04-03 (0 days ago)
InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
PackageArchitecture: all
Python3Details: /usr/bin/python3.10, Python 3.10.4, python3-minimal, 3.10.4-0ubuntu2
PythonDetails: N/A
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
 dpkg 1.21.1ubuntu2
 apt 2.4.5
SourcePackage: pam
Title: package libpam-runtime 1.4.0-11ubuntu2.3 failed to install/upgrade: installed libpam-runtime package post-installation script subprocess returned error exit status 128
UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1978351] Re: MITM vector: ifupdown puts .domains TLD in resolv.conf
We were asked privately if this should receive a CVE. I'll copy my reply here:

In this case I don't believe a CVE is appropriate:

- DNS is typically plain-text unauthenticated
- DNS cache poisoning can be insanely easy if poor-quality DNS recursors are in use
- DNS cache poisoning is possible even if high-quality DNS recursors are in use
- DNSSEC can provide authentication of DNS results; end user sites can use a validating recursor to ensure that only authenticated results are delivered to applications
- Applications should be taking steps such as TLS or end-to-end data authenticity checks regardless of DNS authentication

Thanks

https://bugs.launchpad.net/bugs/1978351

Title: MITM vector: ifupdown puts .domains TLD in resolv.conf

Status in ifupdown package in Ubuntu: Confirmed

Bug description:
The bug described in https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1907878?comments=all is a security vulnerability because DNS names that would normally fail are now attempted as "foo.domains".

".domains" is a real TLD, with the registrar "Donuts, Inc." based in Bellevue, WA. "google.com.domains" is registered, for example. So is "test.domains".

For users with ifupdown, any Internet request (especially that does not involve some cryptographic payload and destination signature verification) is potentially sending packets to an unintended audience. It's impossible to say, but likely, that malicious registrants are squatting sensitive and common names in the .domains TLD.

The ifupdown package is still used by some cloud providers that have not adopted netplan.

This vulnerability affects 22.04 and potentially other releases.

This issue has not been corrected in 0.8.36+nmu1ubuntu4.

With 0.8.36+nmu1ubuntu3 and after an update to 0.8.36+nmu1ubuntu4, the resolv.conf looks like the following (which is vulnerable to mitm attacks):

```
root@foo:~# cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search DOMAINS
```
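A check for the condition shown in the bug description, as an added example that is not part of the thread: it parses a resolv.conf, takes the effective search list (per resolv.conf(5) the last `search` or `domain` line wins) and prints every suffix that is a single label, such as `DOMAINS`. The function names and the sample files are constructed for the example; the affected sample reuses the three directive lines quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug thread.

# effective_search FILE: print the search list in effect, one suffix per
# line. Comment lines start with '#' or ';'; when several search/domain
# lines are present, resolv.conf(5) says the last instance wins.
effective_search() {
    awk '
        /^[#;]/ { next }
        $1 == "search" || $1 == "domain" {
            list = ""
            for (i = 2; i <= NF; i++) list = list " " $i
        }
        END { n = split(list, d, " "); for (i = 1; i <= n; i++) print d[i] }
    ' "$1"
}

# single_label_search FILE: print effective search suffixes that consist of
# one label only (no dot once a trailing root dot is removed). Such a suffix
# turns a failed lookup of "foo" into a lookup of "foo.<suffix>".
single_label_search() {
    effective_search "$1" | awk '
        { s = $0; sub(/\.$/, "", s) }
        s != "" && index(s, ".") == 0 { print s }
    '
}

# write_samples DIR: constructed resolv.conf files for the demo.
write_samples() {
    cat > "$1/affected.conf" <<'EOF'
# search domains are listed below (this comment line is ignored)
nameserver 127.0.0.53
options edns0 trust-ad
search DOMAINS
EOF
    cat > "$1/ok.conf" <<'EOF'
nameserver 127.0.0.53
search corp.example.com example.com
EOF
    cat > "$1/lastwins.conf" <<'EOF'
search DOMAINS
search corp.example.com lan.
EOF
}

# Demo on the constructed files; run single_label_search /etc/resolv.conf
# to check a real host.
samples=$(mktemp -d)
write_samples "$samples"
for conf in affected ok lastwins; do
    printf '%s: %s\n' "$conf" "$(single_label_search "$samples/$conf.conf" | tr '\n' ' ')"
done
rm -rf "$samples"
```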
[Touch-packages] [Bug 2009738] Re: no lxc manpage
Ah but it's still plenty useful, Simon showed me I was holding the tool the wrong way around. Having 300 manpages in a directory is a pretty fantastic starting point.

Thanks :)

https://bugs.launchpad.net/bugs/2009738

Title: no lxc manpage

Status in lxc package in Ubuntu: Won't Fix

Bug description:
Hello, I don't have an lxc manpage on my focal system:

    $ man lxc
    No manual entry for lxc
    $ dpkg -l lxd | grep lxd ; snap info lxd | grep installed
    un lxd (no description available)
    installed: 5.11-ad0b61e (24483) 149MB -

It looks a bit like none are packaged:

    $ find /snap/lxd -name '*.1.gz' -o -name '*.7.gz' -o -name '*.8.gz'
    $

While I appreciate the online --help output, I also like having longer-form documentation available on a system without needing to use a web browser.

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: lxc (not installed)
ProcVersionSignature: Ubuntu 5.4.0-139.156-generic 5.4.224
Uname: Linux 5.4.0-139-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu27.25
Architecture: amd64
CasperMD5CheckResult: skip
Date: Wed Mar 8 18:21:08 2023
SourcePackage: lxc
UpgradeStatus: Upgraded to focal on 2020-01-24 (1138 days ago)
[Touch-packages] [Bug 2009738] Re: no lxc manpage
Ah, thanks twice over. I've poked the old bug with a hope for a happier answer today :)

Unfortunately lxc manpage isn't exactly ideal:

    $ lxc manpage lxc
    Error: open /var/lib/snapd/hostfs/home/sarnold/tmp/takehometests/lxc/lxc.alias.add.1: no such file or directory

https://bugs.launchpad.net/bugs/2009738

Title: no lxc manpage

Status in lxc package in Ubuntu: New
[Touch-packages] [Bug 2009738] [NEW] no lxc manpage
Public bug reported:

Hello, I don't have an lxc manpage on my focal system:

    $ man lxc
    No manual entry for lxc
    $ dpkg -l lxd | grep lxd ; snap info lxd | grep installed
    un lxd (no description available)
    installed: 5.11-ad0b61e (24483) 149MB -

It looks a bit like none are packaged:

    $ find /snap/lxd -name '*.1.gz' -o -name '*.7.gz' -o -name '*.8.gz'
    $

While I appreciate the online --help output, I also like having longer-form documentation available on a system without needing to use a web browser.

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: lxc (not installed)
ProcVersionSignature: Ubuntu 5.4.0-139.156-generic 5.4.224
Uname: Linux 5.4.0-139-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu27.25
Architecture: amd64
CasperMD5CheckResult: skip
Date: Wed Mar 8 18:21:08 2023
SourcePackage: lxc
UpgradeStatus: Upgraded to focal on 2020-01-24 (1138 days ago)

** Affects: lxc (Ubuntu)
Importance: Undecided
Status: New

** Tags: amd64 apport-bug focal

https://bugs.launchpad.net/bugs/2009738

Title: no lxc manpage

Status in lxc package in Ubuntu: New
[Touch-packages] [Bug 2009544] [NEW] OpenSSL 3 performance regression
Public bug reported:

Hello, it sounds like there's some significant performance regressions in OpenSSL 3: https://github.com/openssl/openssl/issues/20286#issuecomment-1438826816

Some we might be able to address with: https://github.com/openssl/openssl/pull/18151

Some of the performance differences may be subject to ongoing work.

Thanks

** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/2009544

Title: OpenSSL 3 performance regression

Status in openssl package in Ubuntu: New
[Touch-packages] [Bug 2008141] Re: apt pattern to list packages from universe
Awesome! Thanks, I thought 'section' would have been something like libs vs oldlibs in Debian, so I didn't even try it. Sorry.

    apt list '?installed?section(^universe/)'

-- seems to work as I wanted.

Thanks

https://bugs.launchpad.net/bugs/2008141

Title: apt pattern to list packages from universe

Status in apt package in Ubuntu: Triaged

Bug description:
Hello, a friend would like to remove all universe packages from their system but I do not know an easy way to discover which installed packages came from universe.

I expected one of these two apt patterns to work:

    ?archive(REGEX), ~AREGEX
        Selects versions that come from the archive that matches the specified regular expression. Archive, here, means the values after a= in apt-cache policy.

    ?origin(REGEX), ~OREGEX
        Selects versions that come from the origin that matches the specified regular expression. Origin, here, means the values after o= in apt-cache policy.

However, a quick check of my own system's apt-cache policy output shows the a= and o= values aren't helpful for determining universe from main:

    $ apt-cache policy | grep -A1 universe
    500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
    release v=20.04,o=Ubuntu,a=focal-security,n=focal,l=Ubuntu,c=universe,b=amd64
    origin security.ubuntu.com
    --
    400 http://192.168.0.27/ubuntu focal-proposed/universe amd64 Packages
    release v=20.04,o=Ubuntu,a=focal-proposed,n=focal,l=Ubuntu,c=universe,b=amd64
    origin 192.168.0.27
    --
    500 http://192.168.0.27/ubuntu focal-updates/universe amd64 Packages
    release v=20.04,o=Ubuntu,a=focal-updates,n=focal,l=Ubuntu,c=universe,b=amd64
    origin 192.168.0.27
    --
    500 http://192.168.0.27/ubuntu focal/universe amd64 Packages
    release v=20.04,o=Ubuntu,a=focal,n=focal,l=Ubuntu,c=universe,b=amd64
    origin 192.168.0.27

Are there apt patterns that can select the c=universe state?

Thanks
[Touch-packages] [Bug 2008507] Re: package login 1:4.11.1+dfsg1-2ubuntu1 failed to install/upgrade: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error
Hello, note the following lines from your dmesg:

    [3.791052] ata3.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
    [3.791095] ata3.00: BMDMA stat 0x65
    [3.791116] ata3.00: failed command: READ DMA
    [3.791137] ata3.00: cmd c8/00:08:00:00:00/00:00:00:00:00/e0 tag 0 dma 4096 in
               res 51/04:08:00:00:00/00:00:00:00:00/e0 Emask 0x1 (device error)
    [3.791202] ata3.00: status: { DRDY ERR }
    [3.791222] ata3.00: error: { ABRT }
    [3.793984] ata3.00: configured for UDMA/133
    [3.794009] ata3: EH complete
    [3.806999] ata3.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
    [3.807047] ata3.00: BMDMA stat 0x65
    [3.807068] ata3.00: failed command: READ DMA
    [3.807089] ata3.00: cmd c8/00:08:00:00:00/00:00:00:00:00/e0 tag 0 dma 4096 in
               res 51/04:08:00:00:00/00:00:00:00:00/e0 Emask 0x1 (device error)
    [3.807154] ata3.00: status: { DRDY ERR }
    [3.807174] ata3.00: error: { ABRT }
    [3.809935] ata3.00: configured for UDMA/133
    [3.809961] ata3: EH complete

There's lots of these in your logs -- they indicate failure communicating with the hard drive. This could be failing hard drive, bad cables, bad power supply, bad motherboard, etc.

I suggest making backups if you don't already have some -- do not overwrite old backups, you may need those. Then troubleshoot or replace etc.

Thanks

https://bugs.launchpad.net/bugs/2008507

Title: package login 1:4.11.1+dfsg1-2ubuntu1 failed to install/upgrade: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error

Status in shadow package in Ubuntu: Invalid

Bug description:
Not too sure what had happened.

ProblemType: Package
DistroRelease: Ubuntu 22.10
Package: login 1:4.11.1+dfsg1-2ubuntu1
ProcVersionSignature: Ubuntu 5.19.0-21.21-generic 5.19.7
Uname: Linux 5.19.0-21-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
Architecture: amd64
Date: Fri Feb 24 16:25:41 2023
Df:
ErrorMessage: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error
PythonDetails: N/A
SourcePackage: shadow
Title: package login 1:4.11.1+dfsg1-2ubuntu1 failed to install/upgrade: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error
UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 2008507] Re: package login 1:4.11.1+dfsg1-2ubuntu1 failed to install/upgrade: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error
Thank you for taking the time to report this bug and helping to make Ubuntu better. Reviewing your dmesg attachment to this bug report it seems that there may be a problem with your hardware. I'd recommend performing a back up and then investigating the situation. Measures you might take include checking cable connections and using software tools to investigate the health of your hardware. In the event that it is not in fact an error with your hardware please set the bug's status back to New. Thanks and good luck!

** Changed in: shadow (Ubuntu)
       Status: New => Invalid

** Changed in: shadow (Ubuntu)
   Importance: Undecided => Low

** Tags added: hardware-error

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/2008507

Title:
  package login 1:4.11.1+dfsg1-2ubuntu1 failed to install/upgrade: unable to make backup link of './usr/bin/faillog' before installing new version: Input/output error

Status in shadow package in Ubuntu:
  Invalid

Bug description:
  Not too sure what had happened.
[Touch-packages] [Bug 2008151] Re: package base-files 12ubuntu4.2 failed to install/upgrade: subprocess new pre-removal script returned error exit status 1
Your logs suggest that your /usr/bin/dpkg has been corrupted. There is no easy way to recover from this situation.

If you have another computer of the same architecture and running the same release, you can copy the /usr/bin/dpkg file from one computer to the other.

If you don't have this, you can use apt download dpkg to download the dpkg package, use ar x to unpack the dpkg package, and then tar xf the data.tar.* file that was created. Then you can copy the usr/bin/dpkg from that over your /usr/bin/dpkg.

Good luck.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/2008151

Title:
  package base-files 12ubuntu4.2 failed to install/upgrade: subprocess new pre-removal script returned error exit status 1

Status in base-files package in Ubuntu:
  New

Bug description:
  my dpkg dir is deleted, how to recover

  ProblemType: Package
  DistroRelease: Ubuntu 22.04
  Package: base-files 12ubuntu4.2
  ProcVersionSignature: Ubuntu 5.19.0-32.33~22.04.1-generic 5.19.17
  Uname: Linux 5.19.0-32-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.3
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Thu Feb 23 07:24:22 2023
  ErrorMessage: subprocess new pre-removal script returned error exit status 1
  InstallationDate: Installed on 2022-10-18 (127 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
  Python3Details: /usr/bin/python3.10, Python 3.10.6, python3-minimal, 3.10.6-1~22.04
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.21.1ubuntu2.1
   apt  2.4.8
  SourcePackage: base-files
  Title: package base-files 12ubuntu4.2 failed to install/upgrade: subprocess new pre-removal script returned error exit status 1
  UpgradeStatus: Upgraded to jammy on 2022-10-26 (119 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/2008151/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2008051] Re: package linux-firmware 1.187.36 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1
These look like the important errors:

update-initramfs: Generating /boot/initrd.img-5.15.0-60-generic
I: The initramfs will attempt to resume from /dev/dm-2
I: (/dev/mapper/vgubuntu-swap_1)
I: Set the RESUME variable to override this.
Error 24 : Write error : cannot write compressed block
E: mkinitramfs failure cpio 141 lz4 -9 -l 24
update-initramfs: failed for /boot/initrd.img-5.15.0-60-generic with 1.

These kinds of messages usually mean your /boot is full. And your Df.txt confirms this:

/dev/nvme0n1p2    719936  550688    116784  83% /boot

try:

sudo apt autoremove

that might help, it might not.

If it doesn't help, the easiest thing to do is to *truncate* old kernels and initrds from /boot. 'sudo truncate -s0 /boot/' preferably of the old versions that you're not actively running at the moment. Be careful, this could make the system fail to boot in the future if you truncate too many things, mismatched things, etc.

Once done, try:

sudo apt install -f

You could also ask for help on https://askubuntu.com/ or irc #ubuntu irc.libera.chat.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2008051

Title:
  package linux-firmware 1.187.36 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1

Status in initramfs-tools package in Ubuntu:
  New

Bug description:
  I don't know.. I have no idea.. you've made this too difficult for average users (non technical people) and it isn't fair. Something is failing on my system related to installing linux-firmware and that sounds bad. Now I (a regular person) have to drop everything and try to figure it out? Maybe if I don't give you what you want here in this further information section I don't get help or the thing to be fixed?

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: linux-firmware 1.187.36
  ProcVersionSignature: Ubuntu 5.15.0-60.66~20.04.1-generic 5.15.78
  Uname: Linux 5.15.0-60-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.11-0ubuntu27.25
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/controlC0: gdm 1641 F pulseaudio
                       jake 2452 F pulseaudio
  CasperMD5CheckResult: skip
  Date: Tue Feb 21 23:29:18 2023
  Dependencies:
  ErrorMessage: installed linux-firmware package post-installation script subprocess returned error exit status 1
  InstallationDate: Installed on 2021-04-05 (687 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
  MachineType: HP HP ENVY Laptop 17-cg1xxx
  PackageArchitecture: all
  ProcFB: 0 i915drmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-60-generic root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7
  PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions: grub-pc 2.04-1ubuntu26.16
  SourcePackage: initramfs-tools
  Title: package linux-firmware 1.187.36 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/17/2021
  dmi.bios.release: 15.12
  dmi.bios.vendor: Insyde
  dmi.bios.version: F.12
  dmi.board.asset.tag: Type2 - Board Asset Tag
  dmi.board.name: 8823
  dmi.board.vendor: HP
  dmi.board.version: 49.36
  dmi.chassis.asset.tag: Chassis Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: HP
  dmi.chassis.version: Chassis Version
  dmi.ec.firmware.release: 49.36
  dmi.modalias: dmi:bvnInsyde:bvrF.12:bd02/17/2021:br15.12:efr49.36:svnHP:pnHPENVYLaptop17-cg1xxx:pvrType1ProductConfigId:rvnHP:rn8823:rvr49.36:cvnHP:ct10:cvrChassisVersion:sku19S92AV:
  dmi.product.family: 103C_5335KV HP Envy
  dmi.product.name: HP ENVY Laptop 17-cg1xxx
  dmi.product.sku: 19S92AV
  dmi.product.version: Type1ProductConfigId
  dmi.sys.vendor: HP

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/2008051/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2008051] Re: package linux-firmware 1.187.36 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2008051

Title:
  package linux-firmware 1.187.36 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1

Status in initramfs-tools package in Ubuntu:
  New

Bug description:
  I don't know.. I have no idea.. you've made this too difficult for average users (non technical people) and it isn't fair. Something is failing on my system related to installing linux-firmware and that sounds bad. Now I (a regular person) have to drop everything and try to figure it out? Maybe if I don't give you what you want here in this further information section I don't get help or the thing to be fixed?
[Touch-packages] [Bug 2008141] [NEW] apt pattern to list packages from universe
Public bug reported:

Hello, a friend would like to remove all universe packages from their system but I do not know an easy way to discover which installed packages came from universe.

I expected one of these two apt patterns to work:

  ?archive(REGEX), ~AREGEX
      Selects versions that come from the archive that matches the specified regular expression. Archive, here, means the values after a= in apt-cache policy.

  ?origin(REGEX), ~OREGEX
      Selects versions that come from the origin that matches the specified regular expression. Origin, here, means the values after o= in apt-cache policy.

However, a quick check of my own system's apt-cache policy output shows the a= and o= values aren't helpful for determining universe from main:

$ apt-cache policy | grep -A1 universe
 500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-security,n=focal,l=Ubuntu,c=universe,b=amd64
     origin security.ubuntu.com
--
 400 http://192.168.0.27/ubuntu focal-proposed/universe amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-proposed,n=focal,l=Ubuntu,c=universe,b=amd64
     origin 192.168.0.27
--
 500 http://192.168.0.27/ubuntu focal-updates/universe amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-updates,n=focal,l=Ubuntu,c=universe,b=amd64
     origin 192.168.0.27
--
 500 http://192.168.0.27/ubuntu focal/universe amd64 Packages
     release v=20.04,o=Ubuntu,a=focal,n=focal,l=Ubuntu,c=universe,b=amd64
     origin 192.168.0.27

Are there apt patterns that can select the c=universe state?

Thanks

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2008141

Title:
  apt pattern to list packages from universe

Status in apt package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2008141/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
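The comparison made in the report above, as an added example (not part of the original message and not apt's own code): it parses apt-cache policy output and reports which release fields take values on universe sources that never occur on the other sources. The sample text is constructed, modeled on the output quoted in the report with main entries added; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: same layout as the output quoted in the report,
# with matching "main" entries added so the two sets can be compared.
SAMPLE_POLICY = """\
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-security,n=focal,l=Ubuntu,c=universe,b=amd64
     origin security.ubuntu.com
 500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-security,n=focal,l=Ubuntu,c=main,b=amd64
     origin security.ubuntu.com
 500 http://192.168.0.27/ubuntu focal-updates/universe amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-updates,n=focal,l=Ubuntu,c=universe,b=amd64
     origin 192.168.0.27
 500 http://192.168.0.27/ubuntu focal-updates/main amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-updates,n=focal,l=Ubuntu,c=main,b=amd64
     origin 192.168.0.27
Pinned packages:
"""

SOURCE_RE = re.compile(r"^\s*(-?\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+Packages\s*$")
PRIORITY_RE = re.compile(r"^\s*-?\d+\s")
RELEASE_RE = re.compile(r"^\s*release\s+(\S.*)$")
ORIGIN_RE = re.compile(r"^\s*origin\s+(\S+)\s*$")


def parse_policy(text):
    """Return one dict per 'Packages' source found in apt-cache policy output."""
    sources = []
    current = None
    for line in text.splitlines():
        m = SOURCE_RE.match(line)
        if m:
            current = {
                "priority": int(m.group(1)),
                "url": m.group(2),
                "dist": m.group(3),      # e.g. focal-security/universe
                "arch": m.group(4),
                "release": {},           # the k=v pairs of the release line
                "site": None,            # hostname from the "origin" line
            }
            sources.append(current)
            continue
        if PRIORITY_RE.match(line):
            current = None               # a non-archive entry such as dpkg/status
            continue
        if current is None:
            continue
        m = RELEASE_RE.match(line)
        if m:
            for item in m.group(1).split(","):
                key, sep, value = item.partition("=")
                if sep:
                    current["release"][key.strip()] = value.strip()
            continue
        m = ORIGIN_RE.match(line)
        if m:
            current["site"] = m.group(1)
    return sources


def separating_fields(sources, component):
    """Fields whose values on `component` sources never appear on other sources."""
    inside, outside = defaultdict(set), defaultdict(set)
    for src in sources:
        bucket = inside if src["release"].get("c") == component else outside
        for key, value in src["release"].items():
            bucket[key].add(value)
        bucket["site"].add(src["site"])
    return sorted(k for k in inside if k in outside and not inside[k] & outside[k])


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    print("sources parsed:", len(parsed))
    print("fields that separate universe:", separating_fields(parsed, "universe"))
```

On this sample the a= and o= values are shared between main and universe, so only the c= field separates them, which is the gap the report asks about.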
[Touch-packages] [Bug 2006793] Re: package linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
Hello, my guess is your /boot filesystem is out of space. You might be able to free up enough space by running:

sudo apt autoremove

If that doesn't make enough free space, you might want to ask for help on https://askubuntu.com or #ubuntu on https://libera.chat

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2006793

Title:
  package linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1

Status in initramfs-tools package in Ubuntu:
  New

Bug description:
  It says a system error occurred - I've been getting these for a year now - and I have no idea where it's coming from.

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1
  ProcVersionSignature: Ubuntu 5.15.0-58.64~20.04.1-generic 5.15.74
  Uname: Linux 5.15.0-58-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.11-0ubuntu27.25
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu Feb 9 17:11:23 2023
  ErrorMessage: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
  InstallationDate: Installed on 2021-04-05 (675 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3.2
   apt  2.0.9
  SourcePackage: initramfs-tools
  Title: package linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/2006793/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2006793] Re: package linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2006793

Title:
  package linux-image-5.15.0-60-generic 5.15.0-60.66~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1

Status in initramfs-tools package in Ubuntu:
  New

Bug description:
  It says a system error occurred - I've been getting these for a year now - and I have no idea where it's coming from.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/2006793/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2004505] [NEW] apt-key is still packaged
Public bug reported:

The apt-key(8) manpage includes:

  apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.

It appears that apt-key was shipped in Ubuntu 22.10 by accident. apt-key is still in the 2.5.5 apt packaged for Lunar:

https://launchpad.net/ubuntu/lunar/amd64/apt/2.5.5

⏚ [sarnold:/tmp] $ wget http://launchpadlibrarian.net/646589288/apt_2.5.5_amd64.deb
--2023-02-01 18:58:39-- http://launchpadlibrarian.net/646589288/apt_2.5.5_amd64.deb
Resolving launchpadlibrarian.net (launchpadlibrarian.net)... 2620:2d:4000:1001::8007, 2620:2d:4000:1001::8008, 185.125.189.229, ...
Connecting to launchpadlibrarian.net (launchpadlibrarian.net)|2620:2d:4000:1001::8007|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1377746 (1.3M) [application/x-debian-package]
Saving to: ‘apt_2.5.5_amd64.deb’

apt_2.5.5_amd64.deb 100%[>] 1.31M 1.26MB/s in 1.0s

2023-02-01 18:58:41 (1.26 MB/s) - ‘apt_2.5.5_amd64.deb’ saved [1377746/1377746]

⏚ [sarnold:/tmp] 2s $ ar x apt_2.5.5_amd64.deb
⏚ [sarnold:/tmp] $ tar tf data.tar.zst | grep bin
./usr/bin/
./usr/bin/apt
./usr/bin/apt-cache
./usr/bin/apt-cdrom
./usr/bin/apt-config
./usr/bin/apt-get
./usr/bin/apt-key
./usr/bin/apt-mark
⏚ [sarnold:/tmp] $

Thanks

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2004505

Title:
  apt-key is still packaged

Status in apt package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2004505/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2003759] [NEW] apt phasing should be documented in apt.conf(5) rather than apt_preferences(5)
Public bug reported:

Hello, the apt documentation on controlling apt phasing is in apt_preferences(5). However, putting the records into a file in /etc/apt/preferences.d leads to an error:

$ rg -l APT::Machine-ID -g '*.xml'
apt_2.2.2ubuntu1/doc/apt_preferences.5.xml
apt_2.3.10/doc/apt_preferences.5.xml
apt_2.3.7/doc/apt_preferences.5.xml
apt_2.1.17/doc/apt_preferences.5.xml
apt_2.3.3/doc/apt_preferences.5.xml
apt_2.3.9/doc/apt_preferences.5.xml
apt_2.4.8/doc/apt_preferences.5.xml
apt_2.2.3/doc/apt_preferences.5.xml
apt_2.5.0/doc/apt_preferences.5.xml
apt_2.4.5/doc/apt_preferences.5.xml
apt_2.3.13/doc/apt_preferences.5.xml
apt_2.2.1/doc/apt_preferences.5.xml
apt_2.3.11/doc/apt_preferences.5.xml
apt_2.3.6/doc/apt_preferences.5.xml
apt_2.1.16/doc/apt_preferences.5.xml
apt_2.3.9ubuntu0.1/doc/apt_preferences.5.xml
apt_2.5.3/doc/apt_preferences.5.xml
apt_2.4.0/doc/apt_preferences.5.xml
apt_2.3.5/doc/apt_preferences.5.xml
apt_2.2.2/doc/apt_preferences.5.xml
apt_2.3.15build1/doc/apt_preferences.5.xml
apt_2.3.15/doc/apt_preferences.5.xml
apt_2.3.8/doc/apt_preferences.5.xml
apt_2.2.4ubuntu0.1/doc/apt_preferences.5.xml
apt_2.4.3/doc/apt_preferences.5.xml
apt_2.1.18/doc/apt_preferences.5.xml

⏚ [sarnold:/etc/apt] $ sudo vim /etc/apt/preferences.d/phased-updates
[sudo] password for sarnold:
⏚ [sarnold:/etc/apt] 11s $ apt list
E: Invalid record in the preferences file /etc/apt/preferences.d/phased-updates, no Package header
⏚ [sarnold:/etc/apt] $ cat /etc/apt/preferences.d/phased-updates
// To have all your machines phase the same, set the same string in this field
// If commented out, apt will use /etc/machine-id to seed the random number generator
APT::Machine-ID "";

// Always include phased updates
APT::Get::Always-Include-Phased-Updates "1";

// Never include phased updates
# APT::Get::Never-Include-Phased-Updates "1";

Considering how difficult it is to tell which of preferences vs conf should be used for which settings, mentioning phasing in both manpages would be very kind. However, both manpages should be clear about which one is actually correct.

Thanks

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2003759

Title:
  apt phasing should be documented in apt.conf(5) rather than apt_preferences(5)

Status in apt package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2003759/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More h
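A lint for the mix-up shown in this report, as an added example (not apt's own code and not from the report): it flags apt.conf-style directives and // comments in text meant for /etc/apt/preferences.d, and records that lack a Package field. The first sample is the file content quoted in the report with line breaks reconstructed; the second sample, the function names and the treatment of lines starting with # as comments are assumptions.

```python
import re

# File content quoted in the report (line breaks reconstructed).
REPORTED_FILE = '''\
// To have all your machines phase the same, set the same string in this field
// If commented out, apt will use /etc/machine-id to seed the random number generator
APT::Machine-ID "";

// Always include phased updates
APT::Get::Always-Include-Phased-Updates "1";

// Never include phased updates
# APT::Get::Never-Include-Phased-Updates "1";
'''

# Constructed sample of a well-formed preferences record.
GOOD_RECORD = '''\
Package: *
Pin: release a=focal-proposed
Pin-Priority: 400
'''

# apt.conf-style assignment:  Scope::Name "value";
CONF_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z][\w-]*(?:::[\w-]+)+)\s+"([^"]*)"\s*;\s*$')
# Field of a preferences record:  Name: value  (a single colon, not "::")
PREF_FIELD_RE = re.compile(r'^([A-Za-z][A-Za-z-]*)\s*:(?!:)')


def lint_preferences(text):
    """Return sorted (line_number, kind) findings for a preferences.d file."""
    findings = []
    stanza = []  # (line_number, line) of the non-comment lines in the current record

    def close_stanza():
        if stanza:
            names = set()
            for _, content in stanza:
                m = PREF_FIELD_RE.match(content)
                if m:
                    names.add(m.group(1).lower())
            if "package" not in names:
                findings.append((stanza[0][0], "no-package-header"))
        stanza.clear()

    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            close_stanza()          # a blank line ends the record
            continue
        if stripped.startswith("#"):
            continue                # assumption: treated as a comment
        if stripped.startswith("//"):
            findings.append((lineno, "conf-comment"))
            continue
        if CONF_DIRECTIVE_RE.match(line):
            findings.append((lineno, "conf-directive"))
        stanza.append((lineno, line))
    close_stanza()
    return sorted(findings)


def extract_conf_directives(text):
    """Collect the active apt.conf-style settings so they can be moved to apt.conf.d."""
    settings = {}
    for line in text.splitlines():
        if line.strip().startswith(("#", "//")):
            continue
        m = CONF_DIRECTIVE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


if __name__ == "__main__":
    for lineno, kind in lint_preferences(REPORTED_FILE):
        print(f"line {lineno}: {kind}")
    print(extract_conf_directives(REPORTED_FILE))
```

Settings returned by extract_conf_directives belong in a file under /etc/apt/apt.conf.d/, which is where apt.conf(5) fragments are read from.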
[Touch-packages] [Bug 1988819] Re: When apt keeps back packages due to phased updates, it should say nothing
So far I've been arguing that apt should be more verbose about phasing, and why these packages are held back. A friend has suggested that instead apt should say *nothing*. I can see the appeal.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1988819

Title:
  When apt keeps back packages due to phased updates, it should say nothing

Status in apt package in Ubuntu:
  Triaged

Bug description:
  After phased updates have been introduced, it may happen that apt upgrade shows packages as upgradable but ends up not upgrading them. In this case the packages are indicated as being "kept back".

  Unfortunately, the feedback provided about this to the user is not very informative. The user sees the packages being kept back and thinks something is going wrong on the system.

  When packages are kept back because of phased updates, apt should say so e.g., it should say that the upgrade is delayed.

  Incidentally note that aptitude does not respect phased updates.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: apt 2.4.7
  ProcVersionSignature: Ubuntu 5.15.0-47.51-generic 5.15.46
  Uname: Linux 5.15.0-47-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: KDE
  Date: Tue Sep 6 10:05:14 2022
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2020-02-16 (933 days ago)
  InstallationMedia: Kubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
  SourcePackage: apt
  UpgradeStatus: Upgraded to jammy on 2022-06-03 (94 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1988819/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916931] Re: omshell returns inconsistent results or segfaults
** Changed in: isc-dhcp (Ubuntu)
       Status: Expired => New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1916931

Title:
  omshell returns inconsistent results or segfaults

Status in isc-dhcp package in Ubuntu:
  New

Bug description:
  I have just built a Ubuntu 20.04 server and installed isc-dhcp-server 4.4.1 on it and I am seeing inconsistent returns from omshell. Initially omshell returns data as expected, but when I exit and re-enter omshell connections fail.

  Here is the initial, working, session:

  # omshell
  > server localhost
  > port 7911
  > key omapi_key
  > connect
  obj:
  > new failover-state
  obj: failover-state
  > set name = "dhcp-failover"
  obj: failover-state
  name = "dhcp-failover"
  > open
  obj: failover-state
  name = "dhcp-failover"
  partner-address = c0:9d:e9:76:e9:55:00:00
  partner-port = 00:00:02:07
  local-address = 10:9d:e9:76:e9:55:00:00
  local-port = 00:00:02:07
  max-outstanding-updates = 00:00:00:0a
  mclt = 00:00:01:2c
  load-balance-max-secs = 00:00:00:03
  load-balance-hba = ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
  partner-state = 00:00:00:02
  local-state = 00:00:00:02
  partner-stos = 60:36:d0:68
  local-stos = 60:36:8b:3b
  hierarchy = 00:00:00:01
  last-packet-sent = 00:00:00:00
  last-timestamp-received = 00:00:00:00
  skew = 00:00:00:00
  max-response-delay = 00:00:00:3c
  cur-unacked-updates = 00:00:00:00

  Here is what I see when the connect fails. Well, just hangs really.

  # omshell
  > server localhost
  > port 7911
  > key omapi_key
  > connect

  And then I hit ctrl-c to break out and tried again:

  # omshell
  > server localhost
  > port 7911
  > key omapi_key
  > connect
  Segmentation fault (core dumped)

  Note, the peer to this server is still running Ubuntu 18.04 with isc-dhcp-server 4.3.5. Running the exact same commands on the peer works reliably. (They are using the same python script to drive omshell.)

  The DHCP server on the new system appears to be working just fine as reported by omshell on the peer and systemctl.

  I was curious if the problem could be with the mis-matched versions of isc-dhcp-server so I shutdown isc-dhcp-server on the 18.04 system and get the same results.

  I also tried using a python script with the pypureomapi module to try and determine if the problem was in omshell or the server. I got very similar results when I attempted to get information about the failover state of the server. Interestingly interrogating the server about host information seems to work just fine.

  This is a critical bug since I don't see how to fail over a DHCP that is running the isc-dhcp-server on 20.04 without being able to issue omapi commands.

  I am attaching apport output to this bug report.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1916931/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2002891] Re: avahi_service_browser_new() failed: Invalid service type
Hello Hadmut, my first inclination is that this isn't a security issue:

- services should use cryptographic verification of both peers, if this is important
- network administrators can use port security settings on their equipment to restrict which hosts can communicate in which fashions

If I've overlooked something, please do let us know.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to avahi in Ubuntu.
https://bugs.launchpad.net/bugs/2002891

Title:
  avahi_service_browser_new() failed: Invalid service type

Status in avahi package in Ubuntu:
  New

Bug description:
  Hi,

  on a network, where the router offers DHCP, but does not put the DHCP clients in a DNS domain, thus where it is necessary to use mdns/avahi instead, I ran into several problems with avahi.

  One is

  avahi-browse -a -t
  avahi_service_browser_new() failed: Invalid service type

  No other output. i.e. it just does not work.

  In this network, all Ubuntu machines show this behaviour. In my other network (with working DHCP-DNS, different router, different brand, therefore not depending on mdns) the problem does not occur.

  Since the debugging output of avahi software is – if at all – very poor, I cannot see what causes this problem.

  However, dbus-monitor --system showed

  ...
  method call time=1673742811.321042 sender=:1.692 -> destination=org.freedesktop.Avahi serial=10 path=/; interface=org.freedesktop.Avahi.Server; member=ServiceBrowserNew
     int32 -1
     int32 -1
     string "_ipp._tcp"
     string "local"
     uint32 0
  method return time=1673742811.321093 sender=:1.479 -> destination=:1.692 serial=557 reply_serial=10
     object path "/Client29/ServiceBrowser3"
  method call time=1673742811.321259 sender=:1.692 -> destination=org.freedesktop.Avahi serial=11 path=/; interface=org.freedesktop.Avahi.Server; member=ServiceBrowserNew
     int32 -1
     int32 -1
     string "_scanner._tcp"
     string "local"
     uint32 0
  method return time=1673742811.321301 sender=:1.479 -> destination=:1.692 serial=558 reply_serial=11
     object path "/Client29/ServiceBrowser4"
  method call time=1673742811.321391 sender=:1.692 -> destination=org.freedesktop.Avahi serial=12 path=/; interface=org.freedesktop.Avahi.Server; member=ServiceBrowserNew
     int32 -1
     int32 -1
     string ""
     string ""
     uint32 0
  error time=1673742811.321479 sender=:1.479 -> destination=:1.692 error_name=org.freedesktop.Avahi.InvalidServiceTypeError reply_serial=12
     string "Invalid service type"

  So it seems as if the client (browser) queries one service after the other, which works, but then an empty string as a name, which is rejected by the daemon, which then makes the client spit out this error message and then terminate immediately.

  Since I have similar (i.e. very similar, both created with puppet) machines, and all machines in one network fail, while similar machines in another don't, I guess that the problem is caused by some network reply, maybe a printer.

  This, however, could be a security problem, because if someone can cause avahi and thus mdns resolution to fail in networks like this here, where the router and dhcp server do not offer the host names in a DNS domain (Huawei glass fiber router), a malformed packet could cause the mdns resolution of avahi to fail and therefore could be used for an attack, effectively blocking certain kinds of mdns service resolution.

  But since I have not yet understood what really causes this problem, it is just an assumption.

  regards

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: avahi-utils 0.8-5ubuntu5
  ProcVersionSignature: Ubuntu 5.15.0-58.64-generic 5.15.74
  Uname: Linux 5.15.0-58-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu82.3
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: XFCE
  Date: Sun Jan 15 02:35:24 2023
  InstallationDate: Installed on 2022-12-25 (20 days ago)
  InstallationMedia: Xubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
  SourcePackage: avahi
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/2002891/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2002891] Re: avahi_service_browser_new() failed: Invalid service type
** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to avahi in Ubuntu.
https://bugs.launchpad.net/bugs/2002891

Title:
  avahi_service_browser_new() failed: Invalid service type

Status in avahi package in Ubuntu:
  New
[Touch-packages] [Bug 1916931] Re: omshell returns inconsistent results or segfaults
Bill, Lukas asked a question in comment #10 and set the bug to 'incomplete', hoping to get feedback from someone who could reproduce the problem. If you can provide an answer, please do set the bug back to 'confirmed' when answering.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1916931

Title:
  omshell returns inconsistent results or segfaults

Status in isc-dhcp package in Ubuntu:
  Expired
[Touch-packages] [Bug 1999155] Re: UFW Disabled by default
Hello Pedro, thanks for the report; this was an explicit decision: https://wiki.ubuntu.com/SecurityTeam/FAQ#UFW Making firewall rules that are tight enough to stop threats yet open enough for the computer to still be useful in a wide variety of environments is very challenging. We've decided that it's better for the tools to be available but not try to provide a default configuration. Thanks ** Information type changed from Private Security to Public Security ** Changed in: ufw (Ubuntu) Status: New => Opinion -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ufw in Ubuntu. https://bugs.launchpad.net/bugs/1999155 Title: UFW Disabled by default Status in ufw package in Ubuntu: Opinion Bug description: UFW or iptables is disabled by default on both ubuntu server and desktop, which poses a major security risk as ports that shouldn't be open, are open by default, specially for incoming connections. If UFW breaks working apps on Ubuntu server and desktop, at least make it enabled by default but reject all incoming connections. Malware and exploits are out in the open, and no one in their sane mind would a Firewall suit disabled on Linux or Windows. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1999155/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998058] Re: dpkg error libflac8_1.3.2-1ubuntu0.1_i386.deb
Hector, ureadahead was more useful in the era of slow hard drives. It loads files that are needed during system boot, with the intention of having the files in memory before they are needed. It's significantly less useful with SSDs, and even with spinning hard drives it's not always a win. (It assumes there's no memory pressure during boot that would cause files to be discarded; on most systems that's probably a fine assumption, but it isn't always true.) There's no cause for concern for it to be missing. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to flac in Ubuntu. https://bugs.launchpad.net/bugs/1998058 Title: dpkg error libflac8_1.3.2-1ubuntu0.1_i386.deb Status in flac package in Ubuntu: Invalid Bug description: Hi the Recent security patch for libflac8 is not installing : Preparing to unpack .../libflac8_1.3.2-1ubuntu0.1_i386.deb ... dpkg: error processing archive /var/cache/apt/archives/libflac8_1.3.2-1ubuntu0.1_i386.deb (--unpack): triggers ci file contains unknown directive 'libcrypto' Errors were encountered while processing: /var/cache/apt/archives/libflac8_1.3.2-1ubuntu0.1_i386.deb E: Sub-process /usr/bin/dpkg returned an error code (1) I am running : Distributor ID: Ubuntu Description: Ubuntu 18.04.6 LTS Release: 18.04 Codename: bionic 4.15.0-191-generic libflac8: Installed: 1.3.2-1 Candidate: 1.3.2-1ubuntu0.1 Version table: 1.3.2-1ubuntu0.1 500 500 http://ca.archive.ubuntu.com/ubuntu bionic-security/main i386 Packages 500 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main i386 Packages *** 1.3.2-1 500 500 http://ca.archive.ubuntu.com/ubuntu bionic/main i386 Packages 100 /var/lib/dpkg/status Thank you To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/flac/+bug/1998058/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages 
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1996937] Re: "install vim failed"package tzdata 2022f-0ubuntu0.22.04.1 failed to install/upgrade: le paquet est dans un état vraiment incohérent; vous devriez le réinstaller ava
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tzdata in Ubuntu. https://bugs.launchpad.net/bugs/1996937 Title: "install vim failed"package tzdata 2022f-0ubuntu0.22.04.1 failed to install/upgrade: le paquet est dans un état vraiment incohérent; vous devriez le réinstaller avant de tenter de le configurer. Status in tzdata package in Ubuntu: New Bug description: trying to install vim but i occured an error ProblemType: Package DistroRelease: Ubuntu 22.04 Package: tzdata 2022f-0ubuntu0.22.04.1 ProcVersionSignature: Ubuntu 5.15.0-52.58-generic 5.15.60 Uname: Linux 5.15.0-52-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.1 AptOrdering: vim-runtime:amd64: Install NULL: ConfigurePending Architecture: amd64 CasperMD5CheckResult: pass Date: Thu Nov 17 20:00:11 2022 ErrorMessage: le paquet est dans un état vraiment incohérent; vous devriez le réinstaller avant de tenter de le configurer. InstallationDate: Installed on 2022-11-12 (4 days ago) InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1) PackageArchitecture: all Python3Details: /usr/bin/python3.10, Python 3.10.6, python3-minimal, 3.10.6-1~22.04 PythonDetails: N/A RelatedPackageVersions: dpkg 1.21.1ubuntu2.1 apt 2.4.8 SourcePackage: tzdata Title: package tzdata 2022f-0ubuntu0.22.04.1 failed to install/upgrade: le paquet est dans un état vraiment incohérent; vous devriez le réinstaller avant de tenter de le configurer. UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/1996937/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998265] Re: OverFlow error when using cnf-extractor
Here's my guess:

$ echo "l(2875204834)/l(2)" | bc -ql
31.42101759351087610555

Package: dotnet-sdk-6.0-source-built-artifacts
Architecture: amd64
Version: 6.0.111-0ubuntu3
Priority: optional
Section: universe/devel
Source: dotnet6
Origin: Ubuntu
Maintainer: Ubuntu Developers
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 2846146
Filename: pool/universe/d/dotnet6/dotnet-sdk-6.0-source-built-artifacts_6.0.111-0ubuntu3_amd64.deb
Size: 2875204834
MD5sum: 8f245b799d02fc637a871183d161273a
SHA1: 29728e493a97811bd1f6a25d93dd9a76bc3c95e5
SHA256: 1429baab871dfb2ba2717c99ccd55379c1a41eb75f0eb311faf18b23475f9938
SHA512: 20e5ae0ff1427ccfdf930a64aac419c66d4567420e31de6367d9d7e2aef1e6f0e47f0980fc6d5f44e70f1c1be20e56fb8a034d2022405281eaa9ca520b361d73
Homepage: https://dot.net/core
Description: Internal package for building dotNet 6.0 Software Development Kit
Description-md5: c5f0dc17274bcdd68c9a9d09b85e6a60

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1998265

Title:
  OverFlow error when using cnf-extractor

Status in apt package in Ubuntu:
  New
Status in apt source package in Bionic:
  New

Bug description:
  I'm trying to update the command-not-found indexes (bin/cnf-extract.py $MIRROR $suite $component $arch) on the production cnf extractor system (running bionic) and have encountered Tracebacks when generating them for Jammy and Lunar. This is causing the command not found indexes to be out of date for all(?) releases of Ubuntu.

  The lunar failure:

  Get:1 dotnet-sdk-6.0_6.0.111-0ubuntu3_amd64.deb [79.1 MB]
  Fetched 79.1 MB in 0s (0 B/s)
  Traceback (most recent call last):64... 7%
    File "./bin/cnf-extract.py", line 54, in
      mirror_root, suite, component, arch)
    File "/srv/cnf-extractor/extractor/extractor.py", line 174, in command_not_found_extract
      debpath = pkg.candidate.fetch_binary(destdir=tmpdir)
    File "/usr/lib/python3/dist-packages/apt/package.py", line 883, in fetch_binary
      self.size, base, destfile=destfile)
  OverflowError: signed integer is greater than maximum

  I'll get more context for the Jammy failure but it wouldn't surprise me if it was the same package.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1998265/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
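The size check behind the guess in the message above, as an added example in Python (not code from apt, python-apt or the cnf-extractor): it scans Packages stanzas for Size values that do not fit a signed 32-bit C int, the limit that the log2 value of about 31.42 crosses. The function names and the first stanza are constructed for illustration; the second stanza reuses the fields quoted in the message.

```python
"""Flag Packages entries whose Size does not fit a signed 32-bit C int."""
import struct

INT32_MAX = 2**31 - 1  # largest value a signed 32-bit C int can hold

# Constructed sample in Packages-index form. The first stanza is made up;
# the second uses the Package, Version and Size quoted in the message.
SAMPLE_PACKAGES = """\
Package: example-small
Architecture: amd64
Version: 1.0-1
Size: 79100000
Description: constructed small package
 continuation line that must not be parsed as a field

Package: dotnet-sdk-6.0-source-built-artifacts
Architecture: amd64
Version: 6.0.111-0ubuntu3
Size: 2875204834
"""


def parse_stanzas(text):
    """Yield one dict per stanza; continuation lines extend the previous field."""
    stanza, last_key = {}, None
    for line in text.splitlines():
        if not line.strip():              # blank line ends the stanza
            if stanza:
                yield stanza
            stanza, last_key = {}, None
        elif line[0] in " \t":            # continuation of the previous field
            if last_key:
                stanza[last_key] += "\n" + line.strip()
        else:
            key, sep, value = line.partition(":")
            if sep:
                last_key = key.strip()
                stanza[last_key] = value.strip()
    if stanza:
        yield stanza


def fits_c_int(value):
    """True if value survives conversion to a signed 32-bit C int."""
    try:
        struct.pack("=i", value)
    except struct.error:
        return False
    return True


def oversized(text, limit=INT32_MAX):
    """Return (package, size, bits needed) for every Size above the limit."""
    hits = []
    for stanza in parse_stanzas(text):
        raw = stanza.get("Size", "")
        if not raw.isdigit():             # missing or malformed Size: skip
            continue
        size = int(raw)
        if size > limit:
            hits.append((stanza.get("Package", "?"), size, size.bit_length()))
    return hits


if __name__ == "__main__":
    for name, size, bits in oversized(SAMPLE_PACKAGES):
        print(f"{name}: Size {size} needs {bits} bits, "
              f"fits signed 32-bit int: {fits_c_int(size)}")
```

Run against a real Packages file by passing its text to `oversized()`; any hit is a package that a code path still converting the size to a 32-bit signed integer would fail on.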
[Touch-packages] [Bug 1994912] [NEW] Custom image is not refreshed on new calls to notify-send
Public bug reported:

When using a custom image with the notify-send command (e.g. notify-send -i /home//images/test.png "test") the image, once loaded, is not refreshed.

This can be tested by running a command such as the example one, then overwriting "current.png" with a different image, and running the command again. The images shown in the two notifications will both be the original image. I would expect the second image to be different.

Example "code":

cd home//images/
cp image1.png test.png
notify-send -i /home//images/test.png "test"
cp image2.png test.png
notify-send -i /home//images/test.png "test"

Of note is that this appears to affect both the notification shown on an unlocked desktop and one shown on the lock screen; however, these can be "stuck" on different versions of the image, although they will remain stuck. That is, the notification bubble shown on the lock screen will always show one version of an image, and the desktop notification will always show one version of the image, but these are not necessarily the same image. So a notification generated with "sleep 5; " (and you locking your desktop in the 5 seconds) will show one image, and then when you unlock your desktop the same notification can be a different image.
Ubuntu 20.04.04 LTS
GNOME 3.36.8
libnotify-bin 0.7.9-1ubuntu2
notify-osd
notification-daemon

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libnotify-bin 0.7.9-1ubuntu2
ProcVersionSignature: Ubuntu 5.15.0-52.58~20.04.1-generic 5.15.60
Uname: Linux 5.15.0-52-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu27.24
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Wed Oct 26 21:02:54 2022
InstallationDate: Installed on 2022-04-06 (204 days ago)
InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash
SourcePackage: libnotify
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: libnotify (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug focal third-party-packages

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libnotify in Ubuntu.
https://bugs.launchpad.net/bugs/1994912

Title:
  Custom image is not refreshed on new calls to notify-send

Status in libnotify package in Ubuntu:
  New
[Touch-packages] [Bug 1993732] Re: Sound
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to alsa-driver in Ubuntu. https://bugs.launchpad.net/bugs/1993732 Title: Sound Status in alsa-driver package in Ubuntu: New Bug description: Hi on my lenovo legion i7 10gen the same situation no sound even on kernel 6 in any distribution ubuntu 22.04,22.10, linux mint, open suse, debian, freebsd brak sound everything else works I tried everything To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1993732/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1991975] Re: dev file system is mounted without nosuid or noexec
Just a heads-up that SGX has been deprecated by Intel:

https://edc.intel.com/content/www/us/en/design/ipla/software-development-platforms/client/platforms/alder-lake-desktop/12th-generation-intel-core-processors-datasheet-volume-1-of-2/004/deprecated-technologies/

===
The processor has deprecated the following technologies and they are no longer supported:

Intel® Memory Protection Extensions (Intel® MPX)
Branch Monitoring Counters
Hardware Lock Elision (HLE), part of Intel® TSX-NI
Intel® Software Guard Extensions (Intel® SGX)
Intel® TSX-NI
Power Aware Interrupt Routing (PAIR)
===

I think we shouldn't put too much weight on SGX support in making this decision.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1991975

Title:
  dev file system is mounted without nosuid or noexec

Status in linux package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  New
Status in linux source package in Focal:
  In Progress
Status in systemd source package in Focal:
  Invalid
Status in linux source package in Jammy:
  In Progress
Status in systemd source package in Jammy:
  Invalid

Bug description:
  [ SRU TEMPLATE ]

  [ Impact ]

  * nosuid, and noexec bits are not set on /dev
  * This has the potential for nefarious actors to use this as an avenue for attack. see https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960 for more discussion around this.
  * It is not best security practice.

  [ Test Plan ]

  1. Boot a Canonical Supplied EC2 instance
  2. Check the mount options for /dev.
  3. You will notice the lack of nosuid and noexec on /dev.

  [ Where problems could occur ]

  * As of 2022/10/06, I need to test this, but don't know how to build -aws flavored ubuntu kernels. Instructions welcome. I'm holding off on adding SRU tags until I can actually get this tested.
  * If this is applied to non initramfs-less kernels it could potentially cause a regression for very old hardware that does nefarious things with memory. For a larger discussion about that see: https://lore.kernel.org/lkml/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64/T/
  * Low risk if a driver depends on /dev allowing suid or exec this might prevent boot. That being said, all kernels that have been booting with an initramfs have been getting nosuid, and noexec set so hopefully we can consider that risk fairly well tested.

  [ Other Info ]

  * Patch is accepted into 5.17, and will drop out quickly
  * Any server booting with an initramfs already has nosuid, and noexec set, so hopefully

  <<< ORIGINAL TEXT

  This is similar to https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960 but new.

  I discovered that my ec2 instances based off of Canonical supplied AMI ami-0a23d90349664c6ee *(us-east-2), have dev mounted without the nosuid option.

  https://us-east-2.console.aws.amazon.com/ec2/home?region=us-east-2#Images:visibility=public-images;imageId=ami-0a23d90349664c6ee

  My usb installed 20.04.4 home machine does not have this problem, but it has been installed for quite some time. My 22.04 laptop machine also does not have this issue.

  Reproduce.

  Start an ec2 instance based off of ami-0a23d90349664c6ee.

  $ mount | grep devtmpfs

  nosuid is not found in the options list.

  I've checked the initrd, and /etc/init.d/udev script and all places I know of where dev gets mounted set nosuid, so it's non-obvious what boot code-path is being taken that results in nosuid missing.
ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: udev 245.4-4ubuntu3.18 ProcVersionSignature: Ubuntu 5.15.0-1020.24~20.04.1-aws 5.15.53 Uname: Linux 5.15.0-1020-aws x86_64 ApportVersion: 2.20.11-0ubuntu27.24 Architecture: amd64 CasperMD5CheckResult: skip CustomUdevRuleFiles: 60-cdrom_id.rules 70-snap.snapd.rules Date: Thu Oct 6 17:39:42 2022 Ec2AMI: ami-0a23d90349664c6ee Ec2AMIManifest: (unknown) Ec2AvailabilityZone: us-east-2c Ec2InstanceType: t2.medium Ec2Kernel: unavailable Ec2Ramdisk: unavailable Lsusb: Error: command ['lsusb'] failed with exit code 1: Lsusb-t: Lsusb-v: Error: command ['lsusb', '-v'] failed with exit code 1: MachineType: Xen HVM domU ProcEnviron: TERM=xterm-256color PATH=(custom, no user) LANG=C.UTF-8 SHELL=/bin/bash ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.15.0-1020-aws root=PARTUUID=5bb90437-9efc-421d-aa94-c512c3b666a3 ro console=tty1 console=ttyS0 nvme_core.io_timeout=4294967295 panic=-1 SourcePackage: systemd UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 08/24/2006 dmi.bios.release: 4.2 dmi.bios.vendor: Xen dmi.bios.version: 4.2.amazon dmi.chassis.type: 1 dmi.chassis.vendor: Xen dmi.modalias: dmi:bvnXen:bvr4.2.amazon:bd08/24/2006:br4.2:svnXen:pnHVMdomU:pvr4.2.amazon
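Step 2 of the Test Plan above as a repeatable check. This is an added example, not part of the bug report or of any Ubuntu package: it reads a table in /proc/mounts format and reports whether the mount at /dev carries nosuid and noexec. The function name and the two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the mount options of /dev.
# check_dev_mount_opts is a hypothetical helper name. It reads a table in
# /proc/mounts format: device mountpoint fstype options dump pass.
# Exit status: 0 = both options set, 1 = at least one missing, 2 = no /dev mount.

check_dev_mount_opts() {
    # $1: path to a mounts table ("-" for stdin); defaults to /proc/mounts.
    awk '
        # Match the mount point exactly so /dev/pts, /dev/shm etc. are ignored.
        $2 == "/dev" { fstype = $3; opts = $4; found = 1 }   # last match wins: it is the mount on top
        END {
            if (!found) { print "no /dev mount found"; exit 2 }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            missing = ""
            if (!("nosuid" in have)) missing = missing " nosuid"
            if (!("noexec" in have)) missing = missing " noexec"
            if (missing != "") {
                printf "/dev (%s) is missing:%s\n", fstype, missing
                exit 1
            }
            printf "/dev (%s) has nosuid,noexec\n", fstype
        }
    ' "${1:-/proc/mounts}"
}

# Constructed sample lines (not captured from a real instance): the first has
# the options the report found missing, the second has both of them set.
sample_unhardened='devtmpfs /dev devtmpfs rw,relatime,size=1991936k,nr_inodes=497984,mode=755 0 0'
sample_hardened='udev /dev devtmpfs rw,nosuid,noexec,relatime,size=1991936k,nr_inodes=497984,mode=755 0 0'

for sample in "$sample_unhardened" "$sample_hardened"; do
    printf '%s\n' "$sample" | check_dev_mount_opts - || echo "  -> exit status $?"
done
```

Called with no argument, the function inspects the live /proc/mounts of the machine it runs on.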
[Touch-packages] [Bug 1992025] Re: When sudo does not require a password, it alters stty as though it is reading a password
I wasn't able to reproduce on 20.04 LTS. I was able to reproduce on 22.04 LTS. This little script should work out of the box:

$ cat /tmp/sudo-stty
#!/bin/bash
sudo ls
mkdir /tmp/stty
for i in `seq -w 1 999`; do stty -a > /tmp/stty/before.${i}; sudo sleep 1 & stty -a > /tmp/stty/after.${i} 2>&1 ; done

Your terminal won't echo anything you type afterwards if it happens, so it's not exactly subtle :) but with all those outputs saved aside, you can check:

md5sum /tmp/stty/* | sort

to see where exactly the race is lost on your own system. (reset(1) will restore the terminal to something useful, but clears the output when you run it.)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1992025

Title: When sudo does not require a password, it alters stty as though it is reading a password

Status in sudo package in Ubuntu: Confirmed

Bug description:

Summary: Executing a sudo (that does not require a password) in a /bin/bash script leaves the terminal as though it is reading a password (-echo, -icrnl, -ixon, -opost, -isig, -icanon, -iexten)

To recreate the problem: (See attached log)

In a fresh install of 22.04.1 (desktop, minimal, do not load updates, no update done beyond iso data, running under Virtualbox on a Mac), I set up a new user that can run "sudo sleep" without a password. In a Terminal, I demonstrate this, running "stty -a" before and after the "sudo sleep". Then I create a bash script with those same commands. When that script is run, the stty after the "sudo sleep" shows that the state of the terminal has been altered (-echo, etc.)

The log starts immediately after the reboot after installing 22.04.1. I decline to do the update when it is offered. (The bug appears even if I do the update on 22.04.1, but I decline the update to make sure this is repeatable.)

Basically, the steps are

Create user "testuser"
Add a file to /etc/sudoers.d that gives testuser sudo privs, with no password required for sleep. (nor for "grep", but I dropped the use of grep in the demo)
su - testuser
Interactively, in the terminal, I show that "sudo sleep 30 &" does not mess with the terminal settings.
I create a /bin/bash script that includes the same commands (stty -a; sudo sleep 10 &; sleep 3; stty -a)
I execute the script, which alters the terminal settings. (Quite visible on the Terminal; not as easily visible in the log file.)

I expect the second "stty -a" to be the same as the first.

I originally saw the bug in 20.04.5 (repeatable but on someone else's computer) for "sudo tcpdump" but wasn't able to reproduce it in a fresh install.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: sudo 1.9.9-1ubuntu2
ProcVersionSignature: Ubuntu 5.15.0-48.54-generic 5.15.53
Uname: Linux 5.15.0-48-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Oct 6 10:40:03 2022
InstallationDate: Installed on 2022-10-06 (0 days ago)
InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sudo
UpgradeStatus: No upgrade log present (probably fresh install)
VisudoCheck:
 Error: command ['pkexec', '/usr/sbin/visudo', '-c'] failed with exit code 1: /etc/sudoers.d/testuser: bad permissions, should be mode 0440
 /etc/sudoers: parsed OK
 /etc/sudoers.d/README: parsed OK
modified.conffile..etc.sudoers: [inaccessible: [Errno 13] Permission denied: '/etc/sudoers']
modified.conffile..etc.sudoers.d.README: [inaccessible: [Errno 13] Permission denied: '/etc/sudoers.d/README']

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1992025/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
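The message above saves `stty -a` dumps before and after each `sudo` call and uses md5sum to find where they diverge. The following added example (not part of the original message or of sudo) goes one step further and lists which boolean flags flipped between two such dumps. The helper names are hypothetical, and the two dumps are constructed and abridged, with the "after" state using the flags named in the bug summary.

```shell
#!/bin/sh
# Added example (not from the bug report): list the boolean terminal flags
# that differ between two saved `stty -a` dumps.
# stty_flag_diff and run_constructed_demo are hypothetical helper names.

stty_flag_diff() {
    # $1: dump taken before the command, $2: dump taken after it.
    awk '
        # Lines with "name = value;" pairs (speed, control characters) are
        # skipped; the other lines hold flags written "flag" or "-flag".
        /;/ { next }
        {
            for (i = 1; i <= NF; i++) {
                name = $i; on = 1
                if (substr(name, 1, 1) == "-") { name = substr(name, 2); on = 0 }
                if (FNR == NR) { before[name] = on; continue }   # first file
                # Second file: report the token when its state flipped.
                if ((name in before) && before[name] != on)
                    out = out (out == "" ? "" : " ") $i
            }
        }
        END { print out }
    ' "$1" "$2"
}

run_constructed_demo() {
    # Constructed, abridged dumps: one settings line plus three flag lines.
    demo_dir=$(mktemp -d)
    cat > "$demo_dir/before" <<'EOF'
speed 38400 baud; rows 24; columns 80; line = 0;
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop
EOF
    cat > "$demo_dir/after" <<'EOF'
speed 38400 baud; rows 24; columns 80; line = 0;
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl -ixon -ixoff
-opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
-isig -icanon -iexten -echo echoe echok -echonl -noflsh -xcase -tostop
EOF
    stty_flag_diff "$demo_dir/before" "$demo_dir/after"
    rm -rf "$demo_dir"
}

run_constructed_demo
```

Run over the `/tmp/stty/before.NNN` and `/tmp/stty/after.NNN` pairs that the script in the message writes, the first non-empty result marks the iteration where the terminal state changed.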
[Touch-packages] [Bug 1992025] Re: When sudo does not require a password, it alters stty as though it is reading a password
** Changed in: sudo (Ubuntu)
       Status: New => Confirmed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1992025
[Touch-packages] [Bug 1842320] Re: Can't boot: "error: out of memory." immediately after the grub menu
I've been asked to prepare a summary of the current status of this bug:

- there's a grub2 security update that's been published and then pulled:
  https://launchpad.net/ubuntu/+source/grub2-unsigned/2.06-2ubuntu10/+publishinghistory
  https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1990684
- apt's dependency solver is being modified to handle updates that need to phase identically
- once the apt update is released, then the grub security fixes can be republished
- once the grub security fixes are republished, then this issue can be addressed.

It appears there's an open question about the risks of jeremyszu's changes possibly causing problems for older systems. The closest thing I found in the linked thread was on this message:

https://lists.gnu.org/archive/html/grub-devel/2017-03/msg00033.html

> I seem to recall that the x86_64 port was being restricted due to
> known bad firmware encountered in the past. It could be that it would
> be worth adding an option to configure for enabling access to higher
> addresses, alternatively for retaining compatibility with the broken
> systems.

I haven't read through the patches nor the upstream issue tracker to find out if these are recent problems or not, but this sounds like the usual warning that grub is difficult to test, lives in firmwares that may be ignored or otherwise horrible, etc. I hope we have a representative sample of machines to test in our labs, as well as our home offices, and in our wider community.

Was there a more specific problem that I missed?

Are there outstanding tasks that need doing that could be done before the apt+security update steps are complete? Refreshing patches, or skimming through issue trackers to find regressions from the patches, etc?

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1842320

Title: Can't boot: "error: out of memory." immediately after the grub menu

Status in grub: Unknown
Status in OEM Priority Project: Triaged
Status in grub2-signed package in Ubuntu: Confirmed
Status in initramfs-tools package in Ubuntu: Confirmed
Status in linux package in Ubuntu: Confirmed

Bug description:

[Impact]

* In some cases, if the users’ initramfs grow bigger, then it’ll likely not be able to be loaded by grub2.

* Some real cases from OEM projects:

In many built-in 4k monitor laptops with nvidia drivers, the u-d-c puts the nvidia*.ko to initramfs which grows the initramfs to ~120M. Also the gfxpayload=auto will remain to use 4K resolution since it’s what EFI POST passed.

In this case, the grub isn't able to load initramfs because the grub_memalign() won't be able to get suitable memory for the larger file:

```
#0 grub_memalign (align=1, size=592214020) at ../../../grub-core/kern/mm.c:376
#1 0x7dd7b074 in grub_malloc (size=592214020) at ../../../grub-core/kern/mm.c:408
#2 0x7dd7a2c8 in grub_verifiers_open (io=0x7bc02d80, type=131076) at ../../../grub-core/kern/verifiers.c:150
#3 0x7dd801d4 in grub_file_open (name=0x7bc02f00 "/boot/initrd.img-5.17.0-1011-oem", type=131076) at ../../../grub-core/kern/file.c:121
#4 0x7bcd5a30 in ?? ()
#5 0x7fe21247 in ?? ()
#6 0x7bc030c8 in ?? ()
#7 0x00017fe21238 in ?? ()
#8 0x7bcd5320 in ?? ()
#9 0x7fe21250 in ?? ()
#10 0x in ?? ()
```

Based on grub_mm_dump, we can see the memory fragment (some parts seem likely be used because of 4K resolution?) and doesn’t have available contiguous memory for larger file as:

```
grub_real_malloc(...)
...
if (cur->size >= n + extra)
```

Based on UEFI Specification Section 7.2[1] and UEFI driver writers’ guide 4.2.3[2], we can ask 32bits+ on AllocatePages().

As most X86_64 platforms should support 64 bits addressing, we should extend GRUB_EFI_MAX_USABLE_ADDRESS to 64 bits to get more available memory.

* When users grown the initramfs, then probably will get initramfs not found which really annoyed and impact the user experience (system not able to boot).

[Test Plan]

* detailed instructions how to reproduce the bug:

1. Any method to grow the initramfs, such as install nvidia-driver.

2. If developers would like to reproduce, then could dd if=/dev/random of=... bs=1M count=500, something like:

```
$ cat /usr/share/initramfs-tools/hooks/zzz-touch-a-file
#!/bin/sh

PREREQ=""

prereqs()
{
    echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions
dd if=/dev/random of=${DESTDIR}/test-500M bs=1M count=500
```

And then update-initramfs

* After applying my patches, the issue is gone.

* I did also test my test grubx64.efi in:

1. X86_64 qemu with
1.1. 60M i
[Touch-packages] [Bug 1988819] Re: When apt keeps back packages due to phased updates, it should say so
An alternative, proposed by user avih on IRC, is to not report any of these packages to the user at all:

  however, these phased updates are quite a big list which adds a lot of noise to my regular dist-upgrade, and it interferes with me reviewing what's about to get updated
  the kept back list is quite bigger than the list of things to update...
  arraybolt3: if this is indeed the standard order of things, why am i being shown at all what it's NOT going to install for reasons not related to errors or conflicts?

I can see a lot of appeal to not telling the user information -- from their perspective, the packages don't actually exist yet.

Maybe it'll cause confusion if of two machines sitting right next to each other, one can see the updates and the other cannot. That's not ideal. But holding information back from the user doesn't require new strings, and casual users with one machine might never notice.

It's just fun to see an alternative idea that's 180 degrees different from my initial thought. :)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1988819

Title: When apt keeps back packages due to phased updates, it should say so

Status in apt package in Ubuntu: Confirmed

Bug description:

After phased updates have been introduced, it may happen that apt upgrade shows packages as upgradable but ends up not upgrading them. In this case the packages are indicated as being "kept back".

Unfortunately, the feedback provided about this to the user is not very informative. The user sees the packages being kept back and thinks something is going wrong on the system.

When packages are kept back because of phased updates, apt should say so e.g., it should say that the upgrade is delayed.

Incidentally note that aptitude does not respect phased updates.
ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: apt 2.4.7 ProcVersionSignature: Ubuntu 5.15.0-47.51-generic 5.15.46 Uname: Linux 5.15.0-47-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: KDE Date: Tue Sep 6 10:05:14 2022 EcryptfsInUse: Yes InstallationDate: Installed on 2020-02-16 (933 days ago) InstallationMedia: Kubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017) SourcePackage: apt UpgradeStatus: Upgraded to jammy on 2022-06-03 (94 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1988819/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1988819] Re: When apt keeps back packages due to phased updates, it should say so
apt-cache policy knows when packages are phased; when apt needs to report that packages are held back, apt could look up each one to report phased status.

Not fixing this because the strings need translating is an argument for declaring APT a finished project and moving on to the Next Big Thing.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1988819
Re: [Touch-packages] [Bug 48734] Re: Home permissions too open
On Mon, Sep 12, 2022 at 07:39:37AM -, Alkis Georgopoulos wrote:
> This change takes away the ability of the users to share some of their
> data WITHOUT involving the administrator.

Hello Alkis, do note that it is typical for users to own their own home directory; if a user wishes to share, they can run:

chmod 755 ~
or
chmod 751 ~

(The choice is based on whether they want to allow listing their home directory or not.)

Of course, they'd be wise to inspect the permissions on their other files and directories to make sure they're only sharing what they intend to share.

Of course, if the local administrator has decided that users cannot own their own home directories, then that's another question entirely, one you'll need to take up with the local administrator.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/48734

Title: Home permissions too open

Status in adduser package in Ubuntu: Fix Released
Status in shadow package in Ubuntu: Fix Released
Status in adduser source package in Hirsute: Fix Released
Status in shadow source package in Hirsute: Fix Released
Status in Ubuntu RTM: Opinion

Bug description:

Binary package hint: debian-installer

On a fresh dapper install I noticed that the file permissions for the home directory for the user created by the installer is set to 755, giving read access to everyone on the system.

Surely this is a bad idea? If you're set on the idea can we at least have an option during the boot process?

Also new files that are created via the console ('touch' etc.) are done so with '644' permissions, is there anything that can be done here? nautilus seems to create files at '600', which is a better setting.
[Touch-packages] [Bug 1988819] Re: When apt keeps back packages due to phased updates, it should say so
I have seen many people on IRC *very* upset after wasting a lot of time trying to install updates that apt will not let them install. Fixing this is critical to our reputation.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1988819

Title: When apt keeps back packages due to phased updates, it should say so

Status in apt package in Ubuntu: New
[Touch-packages] [Bug 1988588] Re: Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller Drivers missing
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu. https://bugs.launchpad.net/bugs/1988588 Title: Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller Drivers missing Status in xorg package in Ubuntu: New Bug description: Please upgrade the Ubuntu OS and provide Graphics drivers for Ubuntu 22. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: xorg 1:7.7+23ubuntu2 ProcVersionSignature: Ubuntu 5.15.0-47.51-generic 5.15.46 Uname: Linux 5.15.0-47-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log' CasperMD5CheckResult: pass CompositorRunning: None CurrentDesktop: ubuntu:GNOME Date: Fri Sep 2 20:59:09 2022 DistUpgraded: Fresh install DistroCodename: jammy DistroVariant: ubuntu ExtraDebuggingInterest: Yes, including running git bisection searches GraphicsCard: Intel Corporation Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller [8086:0152] (rev 09) (prog-if 00 [VGA controller]) Subsystem: Intel Corporation Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller [8086:204d] InstallationDate: Installed on 2022-09-02 (0 days ago) InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1) ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.15.0-47-generic root=UUID=85140ee7-0511-45cd-aa7c-903f11fd90d1 ro quiet splash SourcePackage: xorg UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 09/07/2012 dmi.bios.release: 4.6 dmi.bios.vendor: Intel Corp. 
dmi.bios.version: MLZ7510H.86A.0006.2012.0907.1307 dmi.board.name: DZ75ML-45K dmi.board.vendor: Intel Corporation dmi.board.version: AAG75008-102 dmi.chassis.type: 3 dmi.modalias: dmi:bvnIntelCorp.:bvrMLZ7510H.86A.0006.2012.0907.1307:bd09/07/2012:br4.6:svn:pn:pvr:rvnIntelCorporation:rnDZ75ML-45K:rvrAAG75008-102:cvn:ct3:cvr:skuTobefilledbyO.E.M.: dmi.product.family: To be filled by O.E.M. dmi.product.sku: To be filled by O.E.M. version.compiz: compiz N/A version.libdrm2: libdrm2 2.4.110.5+1038 version.libgl1-mesa-dri: libgl1-mesa-dri 22.0.5-0ubuntu0.1 version.libgl1-mesa-glx: libgl1-mesa-glx N/A version.xserver-xorg-core: xserver-xorg-core 2:21.1.3-2ubuntu2.1 version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1 version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20210115-1 version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1988588/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1988010] Re: systemd ignoring DHCP DNS servers and DNS servers set in Network Manager GUI
Cool, thanks Josh

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1988010

Title: systemd ignoring DHCP DNS servers and DNS servers set in Network Manager GUI

Status in systemd package in Ubuntu: New

Bug description:

Hi there!

I'm running ubuntu 22.04.1 LTS installed via the ISO image ubuntu-22.04.1-desktop-amd64.iso. This issue affects both the Live CD and installed operating system.

I have configured my modem's DHCP server to push my adguard home DNS server (cloud-hosted) as the DNS for the network. I have an access point that is setup to do the same.

With the Live CD and installed operating system, there is a local DNS server installed that runs on 127.0.0.1:53. Somehow this bypasses the DNS servers I've configured for the network and suddenly websites that have been blocked for being malicious or harmful are now accessible. There is no option in the installer or GUI to disable this. Changing the network DNS settings via the GUI of either the live cd or installation do not change the behavior and do not result in the specified DNS server(s) being used. The 127.0.0.1:53 server still overrides anything set in the GUI.

The only way I have found to override this behavior is to edit /etc/systemd/resolved.conf:

1) uncomment DNSStubListener=yes
2) change yes to no
3) save file
4) run the following commands in terminal:

sudo systemctl daemon-reload
sudo systemctl restart systemd-networkd
sudo systemctl restart systemd-resolved

After doing so, the DNS servers that have been provided by DHCP are properly used.

This is considered a security vulnerability due to there being no way for a normal user to change this setting without editing system configuration files and no warning given to the user that the settings they are applying in the GUI have not been applied due to this default configuration.
This is considered a hack if this is the intentional configuration as it overrides network configuration options set by the DHCP server. I've resolved it for myself for now by making a custom iso image that removes this configuration by default and instead installs the /etc/systemd/resolved.conf file attached to this bug report. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: systemd 249.11-0ubuntu3.4 ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39 Uname: Linux 5.15.0-46-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Sun Aug 28 21:18:35 2022 InstallationDate: Installed on 2022-08-29 (0 days ago) InstallationMedia: Ubuntu 22.04.1 2022.08.28 LTS "Custom Jammy Jellyfish" (20220828) MachineType: Micro-Star International Co., Ltd. GS75 Stealth 9SG ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-46-generic root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7 SourcePackage: systemd UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 03/26/2019 dmi.bios.release: 1.12 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: E17G1IMS.10C dmi.board.asset.tag: Default string dmi.board.name: MS-17G1 dmi.board.vendor: Micro-Star International Co., Ltd. dmi.board.version: REV:1.0 dmi.chassis.asset.tag: No Asset Tag dmi.chassis.type: 10 dmi.chassis.vendor: Micro-Star International Co., Ltd. 
dmi.chassis.version: N/A dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrE17G1IMS.10C:bd03/26/2019:br1.12:svnMicro-StarInternationalCo.,Ltd.:pnGS75Stealth9SG:pvrREV1.0:rvnMicro-StarInternationalCo.,Ltd.:rnMS-17G1:rvrREV1.0:cvnMicro-StarInternationalCo.,Ltd.:ct10:cvrN/A:sku17G1.1: dmi.product.family: GS dmi.product.name: GS75 Stealth 9SG dmi.product.sku: 17G1.1 dmi.product.version: REV:1.0 dmi.sys.vendor: Micro-Star International Co., Ltd. mtime.conffile..etc.systemd.resolved.conf: 2022-08-28T19:29:41 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1988010/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1988010] Re: systemd ignoring DHCP DNS servers and DNS servers set in Network Manager GUI
Hello Josh, which GUI are you using to change dns or dhcp settings? Thanks ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1988010 Title: systemd ignoring DHCP DNS servers and DNS servers set in Network Manager GUI Status in systemd package in Ubuntu: New Bug description: Hi there! I'm running ubuntu 22.04.1 LTS installed via the ISO image ubuntu-22.04.1-desktop-amd64.iso. This issue affects both the Live CD and installed operating system. I have configured my modem's DHCP server to push my adguard home DNS server (cloud-hosted) as the DNS for the network. I have an access point that is setup to do the same. With the Live CD and installed operating system, there is a local DNS server installed that runs on 127.0.0.1:53. Somehow this bypasses the DNS servers I've configured for the network and suddenly websites that have been blocked for being malicious or harmful are now accessible. There is no option in the installer or GUI to disable this. Changing the network DNS settings via the GUI of either the live cd or installation do not change the behavior and do not result in the specified DNS server(s) being used. The 127.0.0.1:53 server still overrides anything set in the GUI. The only way I have found to override this behavior is to edit /etc/systemd/resolved.conf: 1) uncomment DNSStubListener=yes 2) change yes to no 3) save file 4) run the following commands in terminal: sudo systemctl daemon-reload sudo systemctl restart systemd-networkd sudo systemctl restart systemd-resolved After doing so, the DNS servers that have been provided by DHCP are properly used. 
This is considered a security vulnerability due to there being no way for a normal user to change this setting without editing system configuration files and no warning given to the user that the settings they are applying in the GUI have not been applied due to this default configuration. This is considered a hack if this is the intentional configuration as it overrides network configuration options set by the DHCP server. I've resolved it for myself for now by making a custom iso image that removes this configuration by default and instead installs the /etc/systemd/resolved.conf file attached to this bug report. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: systemd 249.11-0ubuntu3.4 ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39 Uname: Linux 5.15.0-46-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME Date: Sun Aug 28 21:18:35 2022 InstallationDate: Installed on 2022-08-29 (0 days ago) InstallationMedia: Ubuntu 22.04.1 2022.08.28 LTS "Custom Jammy Jellyfish" (20220828) MachineType: Micro-Star International Co., Ltd. GS75 Stealth 9SG ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-46-generic root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7 SourcePackage: systemd UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 03/26/2019 dmi.bios.release: 1.12 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: E17G1IMS.10C dmi.board.asset.tag: Default string dmi.board.name: MS-17G1 dmi.board.vendor: Micro-Star International Co., Ltd. dmi.board.version: REV:1.0 dmi.chassis.asset.tag: No Asset Tag dmi.chassis.type: 10 dmi.chassis.vendor: Micro-Star International Co., Ltd. 
dmi.chassis.version: N/A dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrE17G1IMS.10C:bd03/26/2019:br1.12:svnMicro-StarInternationalCo.,Ltd.:pnGS75Stealth9SG:pvrREV1.0:rvnMicro-StarInternationalCo.,Ltd.:rnMS-17G1:rvrREV1.0:cvnMicro-StarInternationalCo.,Ltd.:ct10:cvrN/A:sku17G1.1: dmi.product.family: GS dmi.product.name: GS75 Stealth 9SG dmi.product.sku: 17G1.1 dmi.product.version: REV:1.0 dmi.sys.vendor: Micro-Star International Co., Ltd. mtime.conffile..etc.systemd.resolved.conf: 2022-08-28T19:29:41 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1988010/+subscriptions
[Touch-packages] [Bug 1987228] Re: Bug display when turning to hibernation
** Information type changed from Private Security to Public Security ** Also affects: gnome-shell (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu. https://bugs.launchpad.net/bugs/1987228 Title: Bug display when turning to hibernation Status in gnome-shell package in Ubuntu: New Status in xorg package in Ubuntu: New Bug description: When I put the computer to sleep, there are small display glitches for a few seconds. Then, when I wake from sleep mode, my desktop and opened windows show up for a few seconds before the login screen. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: xorg 1:7.7+23ubuntu2 ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39 Uname: Linux 5.15.0-46-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log' CasperMD5CheckResult: unknown Date: Mon Aug 22 00:22:25 2022 DistUpgraded: 2022-08-11 21:55:03,477 DEBUG Running PostInstallScript: '/usr/lib/ubuntu-advantage/upgrade_lts_contract.py' DistroCodename: jammy DistroVariant: ubuntu ExtraDebuggingInterest: Yes, including running git bisection searches GraphicsCard: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller [8086:0126] (rev 09) (prog-if 00 [VGA controller]) Subsystem: Hewlett-Packard Company 2nd Generation Core Processor Family Integrated Graphics Controller [103c:161c] InstallationDate: Installed on 2021-03-26 (513 days ago) InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1) MachineType: Hewlett-Packard HP EliteBook 8460p ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.15.0-46-generic root=UUID=c83ab0ab-bcc6-4f8e-a43f-c872be521021 ro quiet splash vt.handoff=7 SourcePackage: xorg Symptom: display UpgradeStatus: Upgraded to jammy on 2022-08-11 (10 days ago) dmi.bios.date: 02/13/2018 dmi.bios.release: 15.103 
dmi.bios.vendor: Hewlett-Packard dmi.bios.version: 68SCF Ver. F.67 dmi.board.name: 161C dmi.board.vendor: Hewlett-Packard dmi.board.version: KBC Version 97.4E dmi.chassis.asset.tag: CZC23633JQ dmi.chassis.type: 10 dmi.chassis.vendor: Hewlett-Packard dmi.ec.firmware.release: 151.78 dmi.modalias: dmi:bvnHewlett-Packard:bvr68SCFVer.F.67:bd02/13/2018:br15.103:efr151.78:svnHewlett-Packard:pnHPEliteBook8460p:pvrA0001D02:rvnHewlett-Packard:rn161C:rvrKBCVersion97.4E:cvnHewlett-Packard:ct10:cvr:skuSN246UP#ABF: dmi.product.family: 103C_5336AN dmi.product.name: HP EliteBook 8460p dmi.product.sku: SN246UP#ABF dmi.product.version: A0001D02 dmi.sys.vendor: Hewlett-Packard version.compiz: compiz N/A version.libdrm2: libdrm2 2.4.110-1ubuntu1 version.libgl1-mesa-dri: libgl1-mesa-dri 22.0.5-0ubuntu0.1 version.libgl1-mesa-glx: libgl1-mesa-glx N/A version.xserver-xorg-core: xserver-xorg-core 2:21.1.3-2ubuntu2.1 version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1 version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20210115-1 version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/1987228/+subscriptions
[Touch-packages] [Bug 1839598] Re: tcp_wrappers does not whitelisting of domains, vs IPs
** Changed in: tcp-wrappers (Ubuntu)
   Status: New => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tcp-wrappers in Ubuntu.
https://bugs.launchpad.net/bugs/1839598

Title:
  tcp_wrappers does not whitelisting of domains, vs IPs

Status in tcp-wrappers package in Ubuntu:
  Won't Fix

Bug description:
  TCP Wrappers (also known as tcp_wrappers) is a host-based networking ACL system, used to filter network access to Internet Protocol servers. It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.

  The original code was written by Wietse Venema in 1990. He maintained it until 1995, and on June 1, 2001, released it under its own BSD-style license. The tarball includes a library named Libwrap that implements the actual functionality.

  I had an email conversation with him that led to nowhere. He does not agree with my request for a redesign.

  Very concisely, there is no way as of now to whitelist a domain, vs an IP address. You need to know the IP address to which the domain resolves to beforehand, which makes domain updates impossible to process. This causes tremendous operational problems when the person you need to give access to has an IP address that changes often.

  But I need to digress. Every foreign worker is a potential hacker, for there is no way to perform a security check on her/him. Many companies use them nevertheless because of the low cost. I know a company that hires North Korean engineers working out of mainland China. They log in for legitimate purposes to American corporate servers. They actually live in North Korea and are forced to go back home every 3 weeks. They only have access to dynamic IP addresses, where a PTR record does not exist, thus, no reverse-hostname is possible. As a fact: no dynamic IP address has a corresponding PTR record.
  The question is how to whitelist a remote worker’s IP automatically. This issue cannot be easily solved since commercial VPNs do not guarantee that the same IP will be offered on the next connection. Many small companies that hire foreign workers end up creating fence servers, but that is exponentially more insecure since now you have a potential hacker sitting comfortably inside your firewall, behind your line of defense. Your network may have access to other companies' networks, all the way up to a power station or a government facility, maybe a nuclear facility. A very somber scenario.

  Since Libwrap is the ultimate defense to keep hackers from controlling your servers, it should ONLY verify if an incoming connection resolves to a domain listed in /etc/hosts.allow. It does not. Prior, it performs a hostname check that invariably fails unless the pair IP address/domain exists in /etc/hosts, but of course that information changes sometimes hourly. As a result of this problem, you cannot use it as a gatekeeper for remote access from dynamic IP addresses, increasing your level of insecurity.

  As I said, I explained all these ideas to the author, Wietse, without success. He insisted that using a public key was how you protect servers. I disagree. Without Libwrap, which means IP whitelisting, a simple public key mechanism is suicidal. It is very easy to see why. In a first step, a hacker steals the pair public-private key from a box which has legitimate access to your network. Then he uses the pair in another box located in his country, from which he will access your network as if he were the legitimate client or worker. It happened to me already.

  Libwrap applied to a domain plus public key will perform infinitely better than a public key alone. In fact, public key alone should not be used at all.
  This is obvious since by using it, you are delegating your security to the box you are allowing to connect, so your entire network is now as secure as your client or worker’s home network, which you don’t control. You just opened the doors of your company wide-open.

  What I suggest is to modify Libwrap so a domain listed in /etc/hosts.allow would work for real, just performing a simple DNS lookup that will match the IP address to the domain. Right now, this is impossible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tcp-wrappers/+bug/1839598/+subscriptions
[Touch-packages] [Bug 1958055] Re: sudo apport-kde is in a different design (stripped XDG_CURRENT_DESKTOP)
I'm a bit surprised ubuntu-bug shows a GUI when run under sudo at all. I think I'd expect the usual X11 "no cookies" failure to connect.

Running X programs as another user is bound to be trouble. Perhaps ubuntu-bug should quit immediately if it detects running via sudo, su, etc things?

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1958055

Title:
  sudo apport-kde is in a different design (stripped XDG_CURRENT_DESKTOP)

Status in sudo package in Ubuntu:
  Confirmed

Bug description:
  Running ubuntu-bug as normal user has the correct theme (see screenshots attached to bug #1881640), but running "sudo ubuntu-bug" has a different, non-matching theme (see attached screenshot).

  This problem can be reproduced by running a KDE application on Ubuntu Desktop (GNOME):
  1. Launch ubuntu-22.04-desktop-amd64.iso
  2. Install apport-kde
  3. Run: /usr/share/apport/apport-kde -f
  4. Run: sudo /usr/share/apport/apport-kde -f
  5. Compare both windows. They have different icons and font size.

  Same result with KDE:
  1. Use kubuntu-22.04-desktop-amd64.iso
  2. Run ubuntu-bug -f
  3. Run: sudo ubuntu-bug -f

  [Analysis]
  Qt needs XDG_CURRENT_DESKTOP to be set to determine the correct theme, but XDG_CURRENT_DESKTOP is not in the list of environment variables to preserve (and not in env_keep in /etc/sudoers).
  [Workaround]
  Prevent sudo from dropping XDG_CURRENT_DESKTOP by running:

  sudo XDG_CURRENT_DESKTOP=$XDG_CURRENT_DESKTOP /usr/share/apport/apport-kde -f

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: apport 2.20.9-0ubuntu7.27
  ProcVersionSignature: Ubuntu 5.4.0-94.106~18.04.1-generic 5.4.157
  Uname: Linux 5.4.0-94-generic i686
  ApportVersion: 2.20.9-0ubuntu7.27
  Architecture: i386
  CurrentDesktop: KDE
  Date: Sun Jan 16 05:04:24 2022
  InstallationDate: Installed on 2022-01-15 (0 days ago)
  InstallationMedia: Kubuntu 18.04.5 LTS "Bionic Beaver" - Release i386 (20200806.1)
  PackageArchitecture: all
  SourcePackage: apport
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1958055/+subscriptions
[Touch-packages] [Bug 1982898] Re: CVE-2021-46829: Buffer overwrite in io-gif-animation.c composite_frame() in gdk-pixbuf
** Description changed: [Impact] * A buffer overwrite exists in gdk-pixbuf's thumbnailer. * The GIF loader runs out of memory with specifically crafted files with bad frame data (and images with its sizes) over the integer limit. * After gdk-pixbuf-thum runs out of memory, other apps can and on low RAM systems like my old iMac, the system can completely run out of memory. * Or, in other ways, bad gif files in other applications can open the door for exploits. * Any app using gdk-pixbuf is affected, mainly file managers and image viewers. [Test Plan] * Take the POC's - they can be found in the issue in the GNOME repo * Open them in an application that uses gdk-pixbuf. I have managed to produce reactions with: - Nautilus, GNOME's file manager - Nemo, Cinnamon's file manager - Thunar, XFCE's file manager, which has its own thumbnailere (tumbler) that also inevitably fails and crashes - PCManFM, LXDE's file manager which straight up crashes - - Caja, MATE's file manager causes libpixbufloader-gif to segfault (app still usable, no memory issues) - - Eye of GNOME (eog) triggers the segfault in syslog + - Caja, MATE's file manager causes libpixbufloader-gif to segfault (app still usable, no memory issues) + - Eye of GNOME (eog) triggers the segfault in syslog * If you or the system couldn't tell something is wrong, cat /var/log/syslog and enjoy the segfaults or out of memory warnings or even kernel spam. [Where problems could occur] * The patch itself is simple, but since gdk-pixbuf is often used with GTK apps a mistake here could be problematic. * It is possible, and has happened in the past (which has been patched) that other bad GIFs can cause other crashes. 
* That patch is essentially overflow checks - changes with GLib (GNOME's, not to be confused with glibc) and the functions used in not only the patch but all of gdk-pixbuf can cause problems * Other failures to properly handle GIFs and broken or intentionally tampered GIFs can continue and always will open the door for security holes for other bugs * Again, overall a simple patch but as long as the GIFs remain handled properly, and no changes to the GLib functions are made and to other apps that use gdk-pixbuf (and assuming are not affected by the change and still work), the patch does not have much regression potential. [Other Info] * Besides Buffer overwrite/overflow issues, as aforementioned out of memory errors can happen. * Files attached are examples or crashes * Again, all apps using gdk-pixbuf are affected * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121/ - * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190https://github.com/pedrib/PoC/blob/master/fuzzing/CVE-2021-46829/CVE-2021-46829.md + * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190 + * https://github.com/pedrib/PoC/blob/master/fuzzing/CVE-2021-46829/CVE-2021-46829.md ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: libgdk-pixbuf2.0-0 2.40.0+dfsg-3ubuntu0.2 ProcVersionSignature: Ubuntu 5.15.0-43.46~20.04.1-generic 5.15.39 Uname: Linux 5.15.0-43-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.24 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: X-Cinnamon Date: Tue Jul 26 19:33:41 2022 InstallationDate: Installed on 2021-11-24 (244 days ago) InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826) SourcePackage: gdk-pixbuf UpgradeStatus: No upgrade log present (probably fresh install) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gdk-pixbuf in Ubuntu. 
https://bugs.launchpad.net/bugs/1982898

Title:
  CVE-2021-46829: Buffer overwrite in io-gif-animation.c composite_frame() in gdk-pixbuf

Status in gdk-pixbuf package in Ubuntu:
  In Progress

Bug description:
  [Impact]

   * A buffer overwrite exists in gdk-pixbuf's thumbnailer.
   * The GIF loader runs out of memory with specifically crafted files with bad frame data (and images with its sizes) over the integer limit.
   * After gdk-pixbuf-thum runs out of memory, other apps can and on low RAM systems like my old iMac, the system can completely run out of memory.
   * Or, in other ways, bad gif files in other applications can open the door for exploits.
   * Any app using gdk-pixbuf is affected, mainly file managers and image viewers.

  [Test Plan]

   * Take the POC's - they can be found in the issue in the GNOME repo
   * Open them in an application that uses gdk-pixbuf. I have managed to produce reactions with:
     - Nautilus, GNOME's file manager
     - Nemo, Cinnamon's file manager
     - Thunar, XFCE's file manager, which has its own thumbnailer (tumbler) that also inevitably fails and crashes
     - PCManFM, LXDE's file manager which straight up crashes
     - Caja, MATE's file manager causes libp
[Touch-packages] [Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3
** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to qtbase-opensource-src in Ubuntu.
https://bugs.launchpad.net/bugs/1981807

Title:
  qt5-network openssl3 armhf does not support tls1.3

Status in qtbase-opensource-src package in Ubuntu:
  New

Bug description:
  lsb_release
  Description:Ubuntu 22.04 LTS
  Release:22.04

  libqt5network5/jammy,now 5.15.3+dfsg-2 armhf
  libssl3/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.6 armhf

  the qt5 armhf version shipped with ubuntu jammy has a regression in tls1.3 support (simply missing in runtime).
  openssl supports tls1.3, so the underlying library works.
  x86_64 is obviously not affected

  the short sample application writes -1 on armhf, 15 on x86_64 (unknown protocol vs tls1.3)

    QSslSocket* s = new QSslSocket();
    QSslConfiguration cfg = s->sslConfiguration();
    cfg.setProtocol(QSsl::TlsV1_3OrLater);
    s->setSslConfiguration(cfg);
    s->connectToHostEncrypted("tls13-enabled.server",443);
    s->waitForConnected();
    printf("%d\n",s->sessionProtocol());

  marking it as security since the most secure tls protocol is not used on some platforms

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+subscriptions
[Touch-packages] [Bug 1981362] Re: rehash command not working on armhf architecture inside chroot
Hello Oscar, I didn't think systemd-nspawn would do architecture emulation on its own. Did you perhaps set up qemu-user-static yourself on systems where this is working, but not set it up on the system where it is failing? Or am I missing a new systemd-nspawn feature?

Thanks

** Changed in: openssl (Ubuntu)
   Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1981362

Title:
  rehash command not working on armhf architecture inside chroot

Status in openssl package in Ubuntu:
  Incomplete

Bug description:
  Hi, I found a possible bug in the `openssl rehash` command: it won't do anything while running inside an armhf chroot with an amd64 host architecture.

  How to reproduce (confirmed on focal and hirsute):
  1. Build an armhf chroot environment: `debootstrap --arch armhf --foreign focal `
  2. Go inside chroot (using systemd-nspawn): `systemd-nspawn -D `
  3. Complete debootstrap second stage: `/debootstrap/debootstrap --second-stage`
  4. Run rehash in system certs dir: `openssl rehash -n -v /etc/ssl/certs`
  5. Rehash shows nothing was done

  ```
  root@ubuntuarm:~# openssl rehash -n -v /etc/ssl/certs
  Doing /etc/ssl/certs
  root@ubuntuarm:~#
  ```

  In jammy there is no problem (openssl 3.0.2).
  $ lsb_release -rd
  Description:Ubuntu 20.04.4 LTS
  Release:20.04

  $ apt-cache policy openssl
  openssl:
    Installed: 1.1.1f-1ubuntu2.16
    Candidate: 1.1.1f-1ubuntu2.16
    Version table:
   *** 1.1.1f-1ubuntu2.16 500
          500 http://co.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1.1.1f-1ubuntu2 500
          500 http://co.archive.ubuntu.com/ubuntu focal/main amd64 Packages

  Full console session (on an armhf chroot, arm64 host arch):

  root@ubuntuarm:~# openssl rehash -n -v /etc/ssl/certs
  Doing /etc/ssl/certs
  root@ubuntuarm:~# openssl version -a
  OpenSSL 1.1.1f 31 Mar 2020
  built on: Mon Apr 20 11:53:50 2020 UTC
  platform: debian-armhf
  options: bn(64,32) rc4(char) des(long) blowfish(ptr)
  compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-uC90dH/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
  OPENSSLDIR: "/usr/lib/ssl"
  ENGINESDIR: "/usr/lib/arm-linux-gnueabihf/engines-1.1"
  Seeding source: os-specifi
  root@ubuntuarm:~# uname -a
  Linux ubuntuarm 5.4.0-117-generic #132-Ubuntu SMP Thu Jun 2 00:39:06 UTC 2022 armv7l armv7l armv7l GNU/Linux

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1981362/+subscriptions
[Touch-packages] [Bug 1978351] Re: MITM vector: ifupdown puts .domains TLD in resolv.conf
Thanks Marques, do you know if this affects Debian as well? I wonder if they already saw this and fixed it, or if they don't yet know about it.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ifupdown in Ubuntu.
https://bugs.launchpad.net/bugs/1978351

Title:
  MITM vector: ifupdown puts .domains TLD in resolv.conf

Status in ifupdown package in Ubuntu:
  New

Bug description:
  The bug described in https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1907878?comments=all is a security vulnerability because DNS names that would normally fail are now attempted as "foo.domains".

  ".domains" is a real TLD, with the registrar "Donuts, Inc." based in Bellevue, WA. "google.com.domains" is registered, for example. So is "test.domains".

  For users with ifupdown, any Internet request (especially that does not involve some cryptographic payload and destination signature verification) is potentially sending packets to an unintended audience. It's impossible to say, but likely, that malicious registrants are squatting sensitive and common names in the .domains TLD.

  The ifupdown package is still used by some cloud providers that have not adopted netplan.

  This vulnerability affects 22.04 and potentially other releases.

  This issue has not been corrected in 0.8.36+nmu1ubuntu4.

  With 0.8.36+nmu1ubuntu3 and after an update to 0.8.36+nmu1ubuntu4, the resolv.conf looks like the following (which is vulnerable to mitm attacks):

  ```
  root@foo:~# cat /etc/resolv.conf
  # This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
  # Do not edit.
  #
  # This file might be symlinked as /etc/resolv.conf. If you're looking at
  # /etc/resolv.conf and seeing this text, you have followed the symlink.
  #
  # This is a dynamic resolv.conf file for connecting local clients to the
  # internal DNS stub resolver of systemd-resolved. This file lists all
  # configured search domains.
  #
  # Run "resolvectl status" to see details about the uplink DNS servers
  # currently in use.
  #
  # Third party programs should typically not access this file directly, but only
  # through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
  # different way, replace this symlink by a static file or a different symlink.
  #
  # See man:systemd-resolved.service(8) for details about the supported modes of
  # operation for /etc/resolv.conf.

  nameserver 127.0.0.53
  options edns0 trust-ad
  search DOMAINS
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1978351/+subscriptions
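The search-list expansion described in the report above, as an added example (not part of the bug report and not ifupdown or systemd code): it parses a resolv.conf, flags single-label search suffixes such as `DOMAINS`, and lists the extra names a glibc-style stub resolver following resolv.conf(5) would query. The function names and both sample files are constructed for illustration.

```python
"""Audit a resolv.conf for bare-label search suffixes such as 'search DOMAINS'."""

# Constructed sample: the active lines of the file quoted in the report.
SAMPLE_REPORTED = """\
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.53
options edns0 trust-ad
search DOMAINS
"""

# Constructed sample of a conventional configuration, for comparison.
SAMPLE_CONVENTIONAL = """\
nameserver 127.0.0.53
options edns0 trust-ad ndots:1
search corp.example.com example.com
"""


def parse_resolv_conf(text):
    """Return (search_list, ndots). Per resolv.conf(5) the last
    search/domain line wins and ndots defaults to 1."""
    search, ndots = [], 1
    for raw in text.splitlines():
        if not raw.strip() or raw[0] in "#;":  # comment marker in first column
            continue
        keyword, *args = raw.split()
        if keyword in ("search", "domain"):
            # DNS names are case-insensitive, so 'DOMAINS' means '.domains'.
            names = [a.lower().rstrip(".") for a in args]
            search = [n for n in names if n]
        elif keyword == "options":
            for opt in args:
                if opt.startswith("ndots:") and opt[6:].isdigit():
                    ndots = min(int(opt[6:]), 15)  # value is capped at 15
    return search, ndots


def bare_label_suffixes(search):
    """Search entries without a dot: lookups are expanded into that
    single label's zone, which for 'domains' is a public TLD."""
    return [s for s in search if "." not in s]


def query_order(name, search, ndots=1):
    """Names tried, in order, for one lookup under the resolv.conf(5) rules."""
    if name.endswith("."):
        return [name]  # fully qualified: the search list is not applied
    name = name.lower()
    expanded = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") >= ndots:
        return [name] + expanded  # absolute first, suffixes if that fails
    return expanded + [name]      # short names try the suffixes first


def audit(text, probes=("google.com", "intranet")):
    """Summarise which probe lookups would be sent under a bare-label suffix."""
    search, ndots = parse_resolv_conf(text)
    bare = bare_label_suffixes(search)
    leaks = {
        p: [q for q in query_order(p, search, ndots)
            if any(q.endswith("." + b) for b in bare)]
        for p in probes
    }
    return {"search": search, "ndots": ndots, "bare_suffixes": bare, "leaks": leaks}


if __name__ == "__main__":
    for label, text in (("reported", SAMPLE_REPORTED),
                        ("conventional", SAMPLE_CONVENTIONAL)):
        print(label, audit(text))
```

Running `audit()` on the contents of a host's `/etc/resolv.conf` gives a quick fleet check: any non-empty `bare_suffixes` list means failed or short-name lookups are being retried under that label.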