[Touch-packages] [Bug 2036761] Re: [mantic] ppa-purge no longer purges what add-apt-repository adds
Apparently, there is nothing to be sponsored here, I am unsubscribing ~ubuntu-sponsors. If I misunderstood the status of this bug and there is something ready to be sponsored, please subscribe ~ubuntu-sponsors again. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to software-properties in Ubuntu. https://bugs.launchpad.net/bugs/2036761 Title: [mantic] ppa-purge no longer purges what add-apt-repository adds Status in ppa-purge package in Ubuntu: Fix Released Status in software-properties package in Ubuntu: Confirmed Status in ppa-purge source package in Mantic: Fix Committed Status in software-properties source package in Mantic: Confirmed Status in ppa-purge source package in Noble: Fix Released Status in software-properties source package in Noble: Confirmed Bug description: Thank you @jbicha for the original bug report! [ Impact ] Currently ppa-purge fails to purge packages on distribution using the deb822 source format. Currently mantic and noble make use of this format and are affected by this issue. When running ppa-purge to remove a custom PPA, ppa-purge fails to disable the custom PPA since it cannot disable deb822 sources and leads to apt still querying the ppa when running: $ apt update In older versions of ubuntu, PPAs used the ".list" format which could be disabled by simply commenting out the "deb" line with a "#". This was the method that ppa-purge used to disable PPAs. This new patch allows ppa-purge to detect and disable deb822 source files by adding an "Enabled: no" field in each component section of the deb822 file. It also removes any line that starts with "Enabled:" to make sure the resulting file is clean. [ Test Plan ] The changes were tested on both mantic and noble in a lxc container using the oibaf mesa PPA (https://launchpad.net/~oibaf/+archive/ubuntu/graphics-drivers) as the test PPA. The following steps were recorded in a noble lxc container. - First make sure that mesa-utils is installed in your environment: $ sudo apt update && sudo apt install mesa-utils - Add the oibaf PPA to your system using the following command: $ sudo add-apt-repository ppa:oibaf/graphics-drivers - Make sure that the mesa-utils packages were upgraded after adding the PPA: $ sudo apt update && sudo apt upgrade $ dpkg - l | grep mesa - output should be similar to the following: ii libegl-mesa0:amd64 24.1~git2402280600.41722c~oibaf~n amd64free implementation of the EGL API -- Mesa vendor library ii libgl1-mesa-dri:amd64 24.1~git2402280600.41722c~oibaf~n amd64free implementation of the OpenGL API -- DRI modules ii libglapi-mesa:amd64 24.1~git2402280600.41722c~oibaf~n amd64free implementation of the GL API -- shared library ii libglx-mesa0:amd64 24.1~git2402280600.41722c~oibaf~n amd64free implementation of the OpenGL API -- GLX vendor library ii mesa-utils 9.0.0-2 amd64Miscellaneous Mesa utilities -- symlinks ii mesa-utils-bin:amd649.0.0-2 amd64Miscellaneous Mesa utilities -- native applications ii mesa-vulkan-drivers:amd64 24.1~git2402280600.41722c~oibaf~n amd64Mesa Vulkan graphics drivers - Install and run ppa-purge: $ sudo apt install ppa-purge $ sudo ppa-purge ppa:oibaf/graphics-drivers - ppa-purge will report at the end that none of the oibaf packages need to be downgraded/removed: libglapi-mesa is already the newest version (24.1~git2402280600.41722c~oibaf~n). libglapi-mesa set to manually installed. libglx-mesa0 is already the newest version (24.1~git2402280600.41722c~oibaf~n). libglx-mesa0 set to manually installed. mesa-vulkan-drivers is already the newest version (24.1~git2402280600.41722c~oibaf~n). mesa-vulkan-drivers set to manually installed. Selected version '2.4.120+git2402271331.1b4e04~oibaf~n' (Updated Open Graphics Drivers - since 2011!:24.04/noble [amd64]) for 'libdrm-amdgpu1' Selected version '2.4.120+git2402271331.1b4e04~oibaf~n' (Updated Open Graphics Drivers - since 2011!:24.04/noble [all]) for 'libdrm-common' Selected version '2.4.120+git2402271331.1b4e04~oibaf~n' (Updated Open Graphics Drivers - since 2011!:24.04/noble [amd64]) for 'libdrm-intel1' Selected version '2.4.120+git2402271331.1b4e04~oibaf~n' (Updated Open Graphics Drivers - since 2011!:24.04/noble [amd64]) for 'libdrm-nouveau2' Selected version '2.4.120+git2402271331.1b4e04~oibaf~n' (Updated Open Graphics Drivers - since 2011!:24.04/noble [amd64]) for 'libdrm-radeon1' Selected version '2.4.120+git2402271331.1b4e04~oibaf~n' (Updated Open Graphics Drivers -
[Touch-packages] [Bug 2036467] Re: Resizing cloud-images occasionally fails due to superblock checksum mismatch in resize2fs
@Matthew I took a look at your debdiffs (I hope they are updated) and they look good in general, I checked the debdiffs for Focal, Jammy, Mantic and Noble. The Noble debdiff requires a rebase, now in Noble we have version 1.47.0-2.4~exp1ubuntu4, so we want version 1.47.0-2.4~exp1ubuntu4.1 with your changes (it will be a SRU for Noble as well at this point). This will need to be fixed in the next development release (OO series) to avoid any future regression. But at the moment the archive is not yet open for that. Please, fix that and someone can sponsor the uploads targeting all supported releases at once. I am unsubscribing ~ubuntu-sponsors, once you address the comment above please subscribe it again and someone will take a look. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to e2fsprogs in Ubuntu. https://bugs.launchpad.net/bugs/2036467 Title: Resizing cloud-images occasionally fails due to superblock checksum mismatch in resize2fs Status in cloud-images: New Status in e2fsprogs package in Ubuntu: In Progress Status in e2fsprogs source package in Trusty: Won't Fix Status in e2fsprogs source package in Xenial: Won't Fix Status in e2fsprogs source package in Bionic: Won't Fix Status in e2fsprogs source package in Focal: In Progress Status in e2fsprogs source package in Jammy: In Progress Status in e2fsprogs source package in Lunar: Won't Fix Status in e2fsprogs source package in Mantic: In Progress Status in e2fsprogs source package in Noble: In Progress Bug description: [Impact] This is a long running bug plaguing cloud-images, where on a rare occasion resize2fs would fail and the image would not resize to fit the entire disk. Online resizes would fail due to a superblock checksum mismatch, where the superblock in memory differs from what is currently on disk due to changes made to the image. $ resize2fs /dev/nvme1n1p1 resize2fs 1.47.0 (5-Feb-2023) resize2fs: Superblock checksum does not match superblock while trying to open /dev/nvme1n1p1 Couldn't find valid filesystem superblock. Changing the read of the superblock to Direct I/O solves the issue. [Testcase] Start an c5.large instance on AWS, and attach a 60gb gp3 volume for use as a scratch disk. Run the following script, courtesy of Krister Johansen and his team: #!/usr/bin/bash set -euxo pipefail while true do parted /dev/nvme1n1 mklabel gpt mkpart primary 2048s 2099200s sleep .5 mkfs.ext4 /dev/nvme1n1p1 mount -t ext4 /dev/nvme1n1p1 /mnt stress-ng --temp-path /mnt -D 4 & STRESS_PID=$! sleep 1 growpart /dev/nvme1n1 1 resize2fs /dev/nvme1n1p1 kill $STRESS_PID wait $STRESS_PID umount /mnt wipefs -a /dev/nvme1n1p1 wipefs -a /dev/nvme1n1 done Test packages are available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/lp2036467-test If you install the test packages, the race no longer occurs. [Where problems could occur] We are changing how resize2fs reads the superblock from underlying disks. If a regression were to occur, resize2fs could fail to resize offline or online volumes. As all cloud-images are online resized during their initial boot, this could have a large impact to public and private clouds should a regression occur. [Other info] Upstream mailing list discussion: https://lore.kernel.org/linux-ext4/20230605225221.ga5...@templeofstupid.com/ https://lore.kernel.org/linux-ext4/20230609042239.ga1436...@mit.edu/ This was fixed in the below commit upstream: commit 43a498e938887956f393b5e45ea6ac79cc5f4b84 Author: Theodore Ts'o Date: Thu, 15 Jun 2023 00:17:01 -0400 Subject: resize2fs: use Direct I/O when reading the superblock for online resizes Link: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=43a498e938887956f393b5e45ea6ac79cc5f4b84 The commit has not been tagged to any release. All supported Ubuntu releases require this fix, and need to be published in standard non- ESM archives to be picked up in cloud images. To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-images/+bug/2036467/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1674137] Re: ifdown unknown interface net-tools is broken
** Changed in: net-tools (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to net-tools in Ubuntu. https://bugs.launchpad.net/bugs/1674137 Title: ifdown unknown interface net-tools is broken Status in Linux Mint: New Status in net-tools package in Ubuntu: Incomplete Bug description: System:Host: GT70-2PE Kernel: 4.5.4-040504-generic x86_64 (64 bit gcc: 5.3.1) Desktop: Cinnamon 3.2.7 (Gtk 3.18.9) Distro: Linux Mint 18.1 Serena Network: Card-1: Qualcomm Atheros Killer E220x Gigabit Ethernet Controller driver: alx port: d000 bus-ID: 03:00.0 IF: enp3s0 state: up speed: 1000 Mbps duplex: full Card-2: Qualcomm Atheros AR9462 Wireless Network Adapter driver: ath9k bus-ID: 04:00.0 IF: wlp4s0 state: up After mint 18.1 upgrade had various issues. After quite a few updates I started having issues with ifdown command. I use a script with qemu to setup a bridge (br0) with tap0 and the default wired connection enp3s0. The script began giving off unknown interface errors. Testing showed that the ifdown command changed behavior after the updates and now does this. The behavior is not limited to scripting. I changed the code from using ifdown to ifconfig enp3s0 down. This fails also within the script but with no error. It, however, works from a terminal just fine. I switched to using the ip command i.e. ip link set enp3s0 down. Same result, the interface does not go down, but no error. After the script is run and windows 7 boots in qemu I have to open a terminal and run the commands manually: >ifconfig enp3s0 down >ifconfig enp3s0 0.0.0.0 promisc up Then all is well. These commands will not run from within a script. The script is run as such: >sudo ./up.sh tap0 It creates br0 and tap0 and adds enp3s0 and tap0 to the bridge. The fact that ifdown no longer recognizes any interfaces seems to point to a change in net-tools that has broken something. To manage notifications about this bug go to: https://bugs.launchpad.net/linuxmint/+bug/1674137/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2039873] Re: liblxc-dev was built with LXC_DEVEL=1 in Ubuntu 22.04 and later releases
Hi Aleksandr,
Let me try to clarify this for you. The two options presented by you are
not what we want. We want to grab the package from Debian unstable (with
the latest changes) and merge what we have in Ubuntu, which means having
a complete changelog (including the previous Ubuntu changes). You can
find some info about the merge process here:
https://wiki.ubuntu.com/UbuntuDevelopment/Merging
There is some outdated content there (like using bzr), if you want to do
this using git properly you can try to use the workflow described here:
https://wiki.ubuntu.com/UbuntuDevelopment/Merging/GitWorkflow
This is also some good content maintained by the Canonical Server team
which explains well the package merge process in our team's perspective:
https://github.com/canonical/ubuntu-maintainers-
handbook/blob/main/PackageMerging.md
I hope that's useful.
Now, I took a quick look at the proposed changes and I believe you
should double check the necessity of those binary packages name changes.
We are providing some transitional packages since Jammy, maybe now it is
time to get rid off them. In Debian, those transitional packages do not
exist, a good a idea (since we are merging our changes with Debian
again) might be to follow the package names from Debian. If it makes
sense, this will make the package way simpler. As a data point, the
Ubuntu package provides 12 binary packages and the Debian one provides 6
binary packages.
In the debian/tests/control file you need to add a comma (',') between
the two restriction names. A comment here is that if you merge the
changes from Debian we will get 2 more DEP-8 tests (autopkgtest) in the
package.
Nitpick: you committed the debian/files file which is not necessary.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/2039873
Title:
liblxc-dev was built with LXC_DEVEL=1 in Ubuntu 22.04 and later
releases
Status in lxc package in Ubuntu:
Confirmed
Bug description:
[ Impact ]
LXC 5.0.0 was built with LXC_DEVEL=1 set for Jammy. But for release
build we should have LXC_DEVEL=0.
LXC_DEVEL is a variable that appears in the /usr/include/lxc/version.h
and then can be (and actually it is) used by other projects to detect
if liblxc-dev is a development build or stable.
Having LXC_DEVEL=1 makes problems for the users who want to build projects
those are depend on liblxc
from source (for example, LXD, go-lxc:
https://github.com/canonical/lxd/pull/12420).
Q: Why it was not a problem for so long?
A: Because LXC API was stable for a long time, but recently we have extended
liblxc API (https://github.com/lxc/lxc/pull/4260) and dependant package go-lxc
was updated too (https://github.com/lxc/go-lxc/pull/166).
This change was developed properly to be backward compatible with the old
versions of liblxc. But, there is a problem. If LXC_DEVEL=1 then the macro
check VERSION_AT_LEAST
(https://github.com/lxc/go-lxc/blob/ccae595aa49e779f7ecc9250329967aa546acd31/lxc-binding.h#L7)
is disabled. That's why we should *not* have LXC_DEVEL=1 for *any* release
build of LXC.
[ Test Plan ]
Install liblxc-dev package and check /usr/include/lxc/version.h file
LXC_DEVEL should be 0
[ Where problems could occur ]
Theoretically, build of a software which depends on liblxc-dev may start to
fail
if it assumes that LXC_DEVEL is 1.
[ Other Info ]
-
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2039873/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2045570] Re: dnsmasq crash when no servers in resolv.conf
Thanks for taking the time to report this bug and trying to make Ubuntu better. Also thanks for the pointers. According to the upstream discussion this is the needed fix: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=d290630d31f4517ab26392d00753d1397f9a4114 It is included in version 2.87 onward, so it affects only Jammy. ** Changed in: dnsmasq (Ubuntu) Status: New => Triaged ** Tags added: server-todo ** Also affects: dnsmasq (Ubuntu Jammy) Importance: Undecided Status: New ** Changed in: dnsmasq (Ubuntu Jammy) Status: New => Triaged ** Changed in: dnsmasq (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2045570 Title: dnsmasq crash when no servers in resolv.conf Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Jammy: Triaged Bug description: upstream discussion: https://lists.thekelleys.org.uk/pipermail/dnsmasq- discuss/2022q3/016563.html in my journal, my dns service crash and restart just after: Dec 04 17:18:38 dnsmasq[199333]: no servers found in /run/NetworkManager/no-stub-resolv.conf, will retry oops report: https://errors.ubuntu.com/oops/29cf5e2e-92b1-11ee-9bdf- fa163ec44ecd ubuntu jammy, dnsmasq-base 2.86-1.1ubuntu0.3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2045570/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2042587] Re: jammy's version breaks existing dhcp scripts with relay
Hi Timo, Thanks for the reproduction steps. I just tried them out locally and I was able to reproduce the described behavior. I am marking this as triaged and subscribing ubuntu-server. ** Changed in: dnsmasq (Ubuntu) Status: Incomplete => Triaged ** Also affects: dnsmasq (Ubuntu Jammy) Importance: Undecided Status: New ** Changed in: dnsmasq (Ubuntu Jammy) Status: New => Triaged ** Changed in: dnsmasq (Ubuntu) Status: Triaged => New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/2042587 Title: jammy's version breaks existing dhcp scripts with relay Status in dnsmasq package in Ubuntu: New Status in dnsmasq source package in Jammy: Triaged Bug description: When upgrading from focal to jammy, existing dnsmasq dhcp-scripts stopped working in an environment where a DHCP relay is in use. Instead of the expected client IP address, the script gets the _relay_ IP address as an argument. From dnsmasq documentation for --dhcp- script: > The arguments to the process are "add", "old" or "del", the MAC address of the host (or DUID for IPv6) , the IP address, and the hostname, if known. I believe the change has been inadverently made in upstream commit 527c3c7d0d3bb4bf5fad699f10cf0d1a45a54692 (https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blobdiff;f=src/helper.c;h=02340a01c00031db0cc682c8a4a279cfc1db574e;hp=d81de9622e6d484a264496b2cd3638b4e15e9677;hb=527c3c7d0d3bb4bf5fad699f10cf0d1a45a54692;hpb=fcb4dcaf7cc8a86ac2533b933161b6455f75bf8f) as the commit message only speaks about inet_ntoa replacement and not the behavioral change it also introduces (previously the relay address was only set to the environment variable, now it effectively overrides the prevoiusly set client's IP address). dnsmasq 2.86-1.1ubuntu0.3 / Ubuntu 22.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2042587/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2023545] Re: [UBUNTU 22.04] openssl with ibmca engine configured dumps core when creating a new certificate
Hi Adrien, You subscribed ubuntu-sponsors, do you have any debdiff or MP to be reviewed? Sorry, I did not find anything ready to review. Without that I believe the best way is to unsubscribe ubuntu-sponsors until there is something ready to be uploaded. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/2023545 Title: [UBUNTU 22.04] openssl with ibmca engine configured dumps core when creating a new certificate Status in Ubuntu on IBM z Systems: In Progress Status in openssl package in Ubuntu: In Progress Status in openssl source package in Jammy: In Progress Status in openssl source package in Lunar: Fix Released Bug description: === SRU information === [Meta] This bug is part of a series of four bugs for a single SRU. The "central" bug with the global information and debdiff is http://pad.lv/2033422 [Impact] Openssl using an engine dumps core upon certificate creation; other operations are probably affected too. Overall, engines are likely mostly unusable. [Test plan] An engine is needed to test the fix and I don't think we have many in the archive. This complicates reproducing the issue. I have been relying on user reports which have been very detailled and helpful. The issue has also been reported independently and with another engine (devcrypto). The issue is fixed in openssl 3.0.8 which landed in lunar. [Where problems could occur] I don't pretend to understand the lifecycle of providers in openssl3 but the patch is simple and has been widely tested by now, including on ubuntu. Thus, I see little chance an unexpected problem would occur with it. [Patches] The patches come directly from upstream and apply cleanly. https://github.com/openssl/openssl/issues/18578 * https://git.launchpad.net/~adrien-n/ubuntu/+source/openssl/tree/debian/patches/jammy- sru-0001-Release-the-drbg-in-the-global-default-context- befor.patch?h=jammy-sru=04ef023920ab08fba214817523fba897527dfff0 === Original description === openssl req -new -newkey rsa:2048 -x509 -sha256 -nodes -out __cert.pem -keyout __key.pem --subj '/CN=US' ---Problem Description--- OpenSSL with ibmca engine configured dumps core when creating a new certificate. # openssl engine (dynamic) Dynamic engine loading support (ibmca) Ibmca hardware engine support # openssl req -new -newkey rsa:2048 -x509 -sha256 -nodes -out __cert.pem -keyout __key.pem --subj '/CN=US' Segmentation fault (core dumped) # journalctl Jun 07 13:06:08 SYSTEM kernel: User process fault: interruption code 003b ilc:2 in libc.so.6[3ffae08+1ca000] Jun 07 13:06:08 SYSTEM kernel: Failing address: TEID: 0800 Jun 07 13:06:08 SYSTEM kernel: Fault in primary space mode while using user ASCE. Jun 07 13:06:08 SYSTEM kernel: AS:9c2941c7 R3:0024 Jun 07 13:06:08 SYSTEM kernel: CPU: 2 PID: 2344 Comm: openssl Kdump: loaded Not tainted 5.15.0-73-generic #80-Ubuntu Jun 07 13:06:08 SYSTEM kernel: Hardware name: IBM 3931 A01 703 (z/VM 7.3.0) Jun 07 13:06:08 SYSTEM kernel: User PSW : 070500018000 03ffae11c708 Jun 07 13:06:08 SYSTEM kernel:R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:1 AS:0 CC:0 PM:0 RI:0 EA:3 Jun 07 13:06:08 SYSTEM kernel: User GPRS: 0007 03ffae11c6f0 02aa3289f9d0 Jun 07 13:06:08 SYSTEM kernel:02aa1825980f 02aa3289f9d0 02aa328a4300 Jun 07 13:06:08 SYSTEM kernel:03ffae870720 03ffae657128 02aa03ff Jun 07 13:06:08 SYSTEM kernel:03ffae24dd10 03ffae657120 03ffae437c22 03ffec2fe000 Jun 07 13:06:08 SYSTEM kernel: User Code: 03ffae11c6fc: b90400b2 lgr%r11,%r2 03ffae11c700: 4700bc0,0 #03ffae11c704: b24f00a0ear%r10,%a0 >03ffae11c708: 58102018l%r1,24(%r2) 03ffae11c70c: ebaa002dsllg%r10,%r10,32 03ffae11c712: b24f00a1ear%r10,%a1 03ffae11c716: 5910a0d0c%r1,208(%r10) 03ffae11c71a: a7840033brc8,03ffae11c780 Jun 07 13:06:08 SYSTEM kernel: Last Breaking-Event-Address: Jun 07 13:06:08 SYSTEM kernel: [<03ffae33242c>] 0x3ffae33242c Jun 07 13:06:08 SYSTEM systemd[1]: Started Process Core Dump (PID 2345/UID 0). Jun 07 13:06:08
[Touch-packages] [Bug 2025666] Re: Please merge 1.225-1 into mantic
Thanks Danilo, I just added a comment to your MP. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to netcat-openbsd in Ubuntu. https://bugs.launchpad.net/bugs/2025666 Title: Please merge 1.225-1 into mantic Status in netcat-openbsd package in Ubuntu: New Bug description: PPA https://launchpad.net/~danilogondolfo/+archive/ubuntu/netcat- openbsd Autopkgtest https://autopkgtest.ubuntu.com/results/autopkgtest-mantic- danilogondolfo-netcat-openbsd/mantic/amd64/n/netcat- openbsd/20230703_202110_fccf3@/log.gz To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/netcat-openbsd/+bug/2025666/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2022927] Re: Busybox mount fails to mount Snaps
Thanks for the updates Isaac, it looks much better now. The only thing I spotted that would require correction before uploading is fixing the version string, you are using 1:1.35.0-4ubuntu2~ppa2 and I'd recommend using 1:1.35.0-4ubuntu1.1. The ppa part is not wanted in an upload to the archive, and instead of ubuntu2 I'd use ubuntu1.1 to follow the security team updates guidelines: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation FWIW you could also use ubuntu2 as well. Apart from that, your patch is targeting only lunar, but in your PPA I see the package built in mantic, lunar and jammy. If you want to fix the other series, please, provide debdiffs for them as well. And finally, you need to update your bug description to follow the SRU template: https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to busybox in Ubuntu. https://bugs.launchpad.net/bugs/2022927 Title: Busybox mount fails to mount Snaps Status in busybox package in Ubuntu: New Bug description: Snapd tries to mount squashfs Snaps with non-standard mount flags like "x-gdu.hide" and "x-gvfs-hide", both of which are used to indicate to userspace programs that a given mount should not be shown in a list of mounted partitions/filesystems. Busybox does not support these flags, and so fails with "Invalid argument". $ sudo busybox mount -t tmpfs -o x-gdu-hide test /tmp/test mount: mounting test on /tmp/test failed: Invalid argument These flags can likely be be safely ignored, as they don't actually affect the functionality of the mount. This goes for all mount options starting with "x-", as these generally denote non-standard mount option "extensions". I've created a patch against Busybox which adds an optional configuration item to ignore all mount options beginning with "x-". An additional verbose option has also been added to enable the ability to report that the mount flags have been ignored, rather than silently ignoring them. This is a requirement for a customer project, where we are limited to using Busybox (due to coreutils' GPL-3.0 licence) but would also require using Snaps like checkbox for testing and verification. This was posted on the Busybox mailing list a few months ago (http://lists.busybox.net/pipermail/busybox/2023-March/090202.html) but patch acceptance there seems to take quite a long time, and we need this for the customer. A PPA containing the patched Busybox version is available on the project's Launchpad team: https://launchpad.net/~nemos- team/+archive/ubuntu/ppa To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/2022927/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971984] Re: pcscd.socket is disabled after installation
Anyone willing to provide a debdiff (changes + changelog) to fix this issue in Jammy, Kinetic and Lunar? As Sebastien mentioned in comment #29, this bug has ~ubuntu-sponsors subscribed but there is no "ready-to- upload" debdiff attached. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pcsc-lite in Ubuntu. https://bugs.launchpad.net/bugs/1971984 Title: pcscd.socket is disabled after installation Status in pcsc-lite package in Ubuntu: Fix Released Status in pcsc-lite source package in Jammy: Triaged Status in pcsc-lite source package in Kinetic: Triaged Status in pcsc-lite source package in Lunar: Triaged Status in pcsc-lite package in Debian: Fix Released Bug description: [ Impact ] The pscc-lite package provides an open source implementation of PC/SC, the de-facto standard to interface Personal Computers with Smart Cards/Readers. This bug is in the upstream debian packaging, and results in the pcscd.socket being disabled after installation. This prevents automatic startup of the associated pcscd.service, thus preventing automatic handling of Smart Cards/Readers w/out manual intervention to enable the socket (which doesn't persist across reboots). This is especially painful for users that require Smart Authentication for login. [ Test Plan ] Steps to reproduce: 1. If installed, remove and do a fresh install of the package pcscd (the sole version released for jammy is 1.9.5-3). 2. Verify that the pcscd.socket is disabled: $ systemctl status pcscd.socket ○ pcscd.socket - PC/SC Smart Card Daemon Activation Socket Loaded: loaded (/lib/systemd/system/pcscd.socket; disabled; vendor preset: enabled) Active: inactive (dead) Triggers: ● pcscd.service Listen: /run/pcscd/pcscd.comm (Stream) 3. [Optional] insert a Smart Card or Crypto Token (e.g. a Yubikey or Nitrokey) that's known to work on Ubuntu and verify that it fails to work. Repeating the same steps with a package built with the patch attached to comment #27 should ensure that the socket is enabled, and that interaction with a Smart Card or Crypto Token should work w/out manual intervention. [ Where problems could occur ] This is a back-ported change from upstream and is a result of a bug in dh_installsystemd (see comment #26). As such the risk is minimal. The only potential risk of failure I can come up with is a snap that stages the old version of the client library, as it would be looking in the wrong place for the socket. [ Other Info ] This bug was originally reported against Ubuntu Mate 22.04, however it applies to all derivatives of Ubuntu Desktop 22.04 LTS. Note - while there's some disagreement as to whether this bug occurs 100% of the time across all 22.04 installations, it's pretty clear from the upstream Debian bug and subsequent packaging fix that we should land this. As the upstream fix landed in 1.9.9-2 (which is already released in mantic) only the following releases are impacted by this bug: - jammy - kinetic - lunar To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1971984/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2021505] Re: Flaky DEP8 test: saslauthd
** Changed in: cyrus-sasl2 (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/2021505
Title:
Flaky DEP8 test: saslauthd
Status in cyrus-sasl2 package in Ubuntu:
Triaged
Status in cyrus-sasl2 package in Debian:
New
Bug description:
It looks like the saslauthd test is a bit flaky, and more so in
platforms like arm64[1]:
autopkgtest [15:14:52]: test saslauthd: [---
Setting up saslauthd with mecanism sasldb
Authentication of user user1887 with correct password should succeed... FAIL
exit status: 255
output:
connect() : No such file or directory
0:
autopkgtest [15:14:53]: test saslauthd: ---]
autopkgtest [15:14:53]: test saslauthd: - - - - - - - - - - results - - - -
- - - - - -
saslauthdFAIL non-zero exit status 1
The "connect()" error looks like the saslauthd unix socket isn't ready
yet. That test happens right after a saslauthd restart:
echo "Setting up saslauthd with mecanism ${mech}"
setup_saslauthd ${mech} <--- restart happens here
# test correct credentials
echo -n "Authentication of user ${sasluser} with correct password should
succeed... "
result=0
output=$(testsaslauthd -u "${sasluser}" -p "${saslpass}" 2>&1) ||
result=$? <--- this is the authentication test
Maybe we should loop for a few times in a check for the socket, and if
it still fails, add extra logging to the output so it can be
troubleshooted better.
1. https://autopkgtest.ubuntu.com/packages/c/cyrus-sasl2/mantic/arm64
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/2021505/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2012298] Re: PasswordAuthenticaion in sshd_config.d
Thanks for taking the time to report this bug and trying to make Ubuntu better. Could you please share your config files (anonymizing any necessary data)? The config file might be loaded but depending on the ordering and the content inside the config files the option you are setting can be overriden. I am setting this bug to Incomplete until you provided the requested information. Once that's done please set the bug status back to New. ** Changed in: openssh (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2012298 Title: PasswordAuthenticaion in sshd_config.d Status in openssh package in Ubuntu: Incomplete Bug description: The stanza Match User PasswordAuthentication no in /etc/ssh/sshd_config works as expected. The same stanza in /etc/ssh/sshd_config.d/username.conf does not work. The Include in /etc/ssh/sshd_config is not commented out, and /usr/sbin/sshd -D -ddd shows the username.config file being parsed. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssh-server 1:8.2p1-4ubuntu0.5 ProcVersionSignature: Ubuntu 5.4.0-131.147-generic 5.4.210 Uname: Linux 5.4.0-131-generic x86_64 NonfreeKernelModules: falcon_lsm_serviceable falcon_nf_netcontain falcon_kal falcon_lsm_pinned_14713 ApportVersion: 2.20.11-0ubuntu27.25 Architecture: amd64 CasperMD5CheckResult: skip Date: Mon Mar 20 13:34:14 2023 InstallationDate: Installed on 2022-11-04 (136 days ago) InstallationMedia: SSHDConfig: Error: command ['pkexec', '/usr/sbin/sshd', '-T'] failed with exit code 127: pkexec must be setuid root SourcePackage: openssh UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2012298/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2004011] Re: Checks are not skipped when building esm packages package from source
Thanks for reporting this bug and trying to make it better. When we are talking about the Debian Policy we need to keep in mind that it is versioned. You linked a section of the Debian Policy version 4.6.2.0, so packages complaint with that version should do what is written there (to make sure which version of Debian Policy a package is complaint you need to check the Standards-Version field in debian/control). Moreover, the very first sentence of the section is: "Supporting the standardized environment variable DEB_BUILD_OPTIONS is recommended." So those options are recommended, they are not mandatory. It is not an issue if you find a package that does not support those options. src:heimdal in xenial (16.04) is compliant with Debian Policy 3.9.6, in this version we already have the nocheck option added (actually in version 3.8.1): https://www.debian.org/doc/debian-policy/upgrading- checklist.html#version-3-8-1 But again, this is recommended, not mandatory. Due to that, we will not update a package in ESM just to introduce support to nocheck. ** Changed in: heimdal (Ubuntu) Status: New => Invalid ** Changed in: heimdal (Ubuntu) Status: Invalid => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to heimdal in Ubuntu. https://bugs.launchpad.net/bugs/2004011 Title: Checks are not skipped when building esm packages package from source Status in heimdal package in Ubuntu: Won't Fix Bug description: **Describe the bug** Under the policy, building a deb package from source should not run checks when provided with env var `DEB_BUILD_OPTIONS="nocheck"`: https://www.debian.org/doc/debian-policy/ch-source.html#debian-rules-and-deb-build-options However, this is what `override_dh_auto_test` target in `debian/rules` looks like in `heimdal=1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm3`: ``` override_dh_auto_test: $(MAKE) check ``` So checks are still run when `nocheck` in `DEB_BUILD_OPTIONS` is provided. Apparently, this has been patched: https://salsa.debian.org/debian/heimdal/-/commit/b1a7b04591873e7d0e88acaf24cc76073ee47fc9 However, the patch did not make its way to ESM packages for 16.04. Is it possible to cherry-pick this commit to the ESM packages? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2004011/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2002994] Re: sshd_config makes some changes awkward
** Tags added: server-triage-discuss -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2002994 Title: sshd_config makes some changes awkward Status in openssh package in Ubuntu: New Bug description: As distribted, the file sshd_config has apparently been modified from an upstream version -- those lines that are NOT comments. There is no good way for me to change any of them, even though there is a sshd_config.d directory for my changes. That is because the files in the sshd_config.d directory are invoked early, and the uncommented lines in the sshd_config file override them. I would have to modify the sshd_config file which defeats the purpose of having the directory. I suggest to adopt a method that I have seen elsewhere: put all of your changes in a file and put the file in the .d directory. Start the filename with something like '50' so that it can sort before or after any file contributed by the local admin. Keep the sshd_config file as you get it from upstream. This is, after all, the reason that the .d directories exist. In this way, admins do not have to modify distributed files, which avoids awkwardness when the package is updated. The same applies to ssh_config. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssh-server 1:8.2p1-4ubuntu0.5 ProcVersionSignature: Ubuntu 5.4.0-122.138-generic 5.4.192 Uname: Linux 5.4.0-122-generic x86_64 NonfreeKernelModules: wl ApportVersion: 2.20.11-0ubuntu27.24 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: XFCE Date: Mon Jan 16 06:29:16 2023 SourcePackage: openssh UpgradeStatus: Upgraded to focal on 2021-02-19 (696 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2002994/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1917887] Re: Network Manager OpenVPN nested connections fail to setup routes correctly
The following changes were applied upstream to fix this issue in network-manager: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1491/diffs -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1917887 Title: Network Manager OpenVPN nested connections fail to setup routes correctly Status in OpenVPN: Fix Released Status in network-manager package in Ubuntu: Triaged Status in openvpn package in Ubuntu: Invalid Bug description: Setup: Host lan: 192.168.0.238/24 Host Default gw: 192.168.0.1 ip route: default via 192.168.0.1 dev eno1 proto dhcp metric 100 169.254.0.0/16 dev eno1 scope link metric 1000 192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100 Primary OpenVPN (check "Use this connection only for resources on its network"): server ip: public a.b.c.d OpenVPN Tunnel: 192.168.1.0/24 routes pushed: 192.168.100.0/24 First VPN works OK: default via 192.168.0.1 dev eno1 proto dhcp metric 100 169.254.0.0/16 dev eno1 scope link metric 1000 192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100 192.168.0.1 dev eno1 proto static scope link metric 100 192.168.100.0/24 via 192.168.10.1 dev tun0 proto static metric 50 a.b.c.d via 192.168.0.1 dev eno1 proto static metric 100 Secondary OpenVPN (check "Use this connection only for resources on its network"): server ip: private 192.168.100.10 OpenVPN Tunnel: 192.168.20.0/24 routes pushed: 192.168.200.0/24 Second VPN Connect OK, routing table is wrong: default via 192.168.0.1 dev eno1 proto dhcp metric 100 192.168.200.0/24 via 192.168.20.1 dev tun1 192.168.20.0/24 dev tun1 proto kernel scope link src 192.168.20.59 169.254.0.0/16 dev eno1 scope link metric 1000 192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100 192.168.0.1 dev eno1 proto static scope link metric 100 192.168.100.0/24 via 192.168.10.1 dev tun0 proto static metric 50 a.b.c.d via 192.168.0.1 dev eno1 proto static metric 100 192.168.100.10 via 192.168.0.1 dev eno1 proto static metric 100 <- this is wrong, the openVPN#2 Gateway is not on the local lan Correct routing table using "sudo /usr/sbin/openvpn /path/to/config.openvpn" (same a Network Manager) default via 192.168.0.1 dev eno1 proto dhcp metric 100 192.168.200.0/24 via 192.168.20.1 dev tun1 192.168.20.0/24 dev tun1 proto kernel scope link src 192.168.20.59 169.254.0.0/16 dev eno1 scope link metric 1000 192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100 192.168.0.1 dev eno1 proto static scope link metric 100 192.168.100.0/24 via 192.168.10.1 dev tun0 proto static metric 50 a.b.c.d via 192.168.0.1 dev eno1 proto static metric 100 It seems that Network Manager add a wrong additional route not added by the openvpn bin: 192.168.100.10 via 192.168.0.1 dev eno1 proto static metric 100 ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openvpn 2.4.7-1ubuntu2 ProcVersionSignature: Ubuntu 5.8.0-44.50~20.04.1-generic 5.8.18 Uname: Linux 5.8.0-44-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.16 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: ubuntu:GNOME Date: Fri Mar 5 12:44:39 2021 InstallationDate: Installed on 2021-02-19 (13 days ago) InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1) ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=it_IT.UTF-8 SHELL=/bin/bash SourcePackage: openvpn UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/openvpn/+bug/1917887/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1998765] Re: libnl3 3.4.0 doesn't work with WCN3980
** Also affects: oem-priority/focal Importance: Undecided Assignee: Robert Liu (robertliu) Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libnl3 in Ubuntu. https://bugs.launchpad.net/bugs/1998765 Title: libnl3 3.4.0 doesn't work with WCN3980 Status in OEM Priority Project: New Status in OEM Priority Project focal series: New Status in libnl3 package in Ubuntu: New Bug description: [ Impact ] When testing Qualcomm qcs410 with WCN3980 with 20.04 and UC20, WCN3980 is not able connect to an AP. However, with the libnl3 (3.5.0) from BSP, WCN3980 can work correctly. After bisecting the commits from 3.4.0 to 3.5.0, this commit[1] is identified as the root cause. According to the commit, the "NLA_F_NESTED" flag should be set for kernel later than 5.2. [ Test Plan ] Verify with the updated version, the WIFI module can: 1. scan WIFI networks 2. connect to an available network 3. access to the connected network [ Where problems could occur ] 1. kernel versions without NLA_F_NESTED flag defined This flag is introduced before Linux kernel v5 (checked v3.x and v4.x have it). It would not be a problem for an older kernel to understand/work with this change. Since the GA kernel is 5.4, so a generic image would still work. 2. Drivers don't use the NESTED flag. According to hui.wang's input, this change should not affect drivers which don't use the NESTED flag. But, it'd be better to cover more Wifi modules. [ Other Info ] 22.04 is using libnl3 3.0.5-0.1, so only 20.04 needs this patch. [1] https://github.com/thom311/libnl/commit/7de65a051fb37ece16f896a7385073274b77a133 To manage notifications about this bug go to: https://bugs.launchpad.net/oem-priority/+bug/1998765/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1995260] Re: dnsmasq focal 2.80 NODATA instead of NXDOMAIN bug
Thanks for taking the time to report this bug and trying to make Ubuntu better. I added a task for Focal, and marked the development release as Fix Released. Could you please provided detailed steps on how to reproduce this issue? We would need that if we decide to try to update Focal with the patch you mentioned. I am setting the Focal task as Incomplete until you provide information to reproduce the bug, once you do that please set it back to New. ** Also affects: dnsmasq (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: dnsmasq (Ubuntu) Status: New => Invalid ** Changed in: dnsmasq (Ubuntu) Status: Invalid => Fix Released ** Changed in: dnsmasq (Ubuntu Focal) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/1995260 Title: dnsmasq focal 2.80 NODATA instead of NXDOMAIN bug Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Focal: Incomplete Bug description: We upgraded our openstack containers which host dnsmasq services from bionic to focal. With this we got an update of dnsmasq from 2.79 to 2.80 which introduced a bug in our setup where dnsmasq returns NODATA instead of NXDOMAIN. This is already fixed upstream with the following commit [1]. The Ubuntu dnsmasq 2.80 package should get a backport with a release for the focal packages which includes this bug fix. [1] https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=162e5e0062ce923c494cc64282f293f0ed64fc10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1995260/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1960736] Re: Libnss3 doesn't log SEC_ERROR_UNKNOWN_PKCS11_ERROR properly ( NSS error code: -8018 )
Good to hear that the issue is kind of resolved for you. The logging improvements you mentioned should be addressed by upstream, if you manage to find patches to achieve this we could take a look if it would worth a Stable Release Update (SRU). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1960736 Title: Libnss3 doesn't log SEC_ERROR_UNKNOWN_PKCS11_ERROR properly ( NSS error code: -8018 ) Status in nss package in Ubuntu: New Bug description: I've got the issue with Google Chrome not recognizing any of SSL/TSL certificates as trusted. When I look into certificate checksums it's renders all bytes of it as NULL bytes. I'm aware Google Chrome is proprietary but it depends on ubuntu provided libnss3-package. And libnss provides very nigmatic error code -8018: `/opt/google/chrome$ google-chrome [23391:23426:0213/133531.202486:ERROR:nss_util.cc(286)] After loading Root Certs, loaded==false: NSS error code: -8018 [23434:23434:0213/133531.266711:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process. [23391:23427:0213/133531.313065:ERROR:cert_verify_proc_builtin.cc(681)] CertVerifyProcBuiltin for accounts.google.com failed: - Certificate i=3 (CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE) - ERROR: No matching issuer found ' When trying to enter this particular error code into search engine nothing is found. So my suggestion with this bug is to make it more transparent by providing information to what happened - it seems other bug codes has better error messages. To get SEC_ERROR_UNKNOWN_PKCS11_ERROR string I was force to download source code and manually calculate offsets. Another issue is if failing to initialize PKCS11 token should make whole SSL/TLS crypto invalid ? I'm not sure if this is libnss or Google Chrome issue but it behaves differently in Chromium browser with same libnss so I assume either of two is doing better - it's worth to review this from security perspective. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: libnss3 2:3.35-2ubuntu2.13 Uname: Linux 5.10.0-051000rc6-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.27 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Sun Feb 13 13:33:51 2022 Dependencies: gcc-8-base 8.4.0-1ubuntu1~18.04 libc6 2.27-3ubuntu1.5 [origin: LP-PPA-ubuntu-security-proposed] libgcc1 1:8.4.0-1ubuntu1~18.04 libnspr4 2:4.18-1ubuntu1 libsqlite3-0 3.22.0-1ubuntu0.4 InstallationDate: Installed on 2015-05-08 (2473 days ago) InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422) ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=pl_PL.UTF-8 SHELL=/bin/bash SourcePackage: nss UpgradeStatus: Upgraded to bionic on 2018-08-26 (1266 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1960736/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1990863] Re: conversion from sshd service to socket is too bumpy
Thanks for taking the time to report this bug and trying to make Ubuntu better. Most relevant information can be found in the discourse post you mentioned. Could you please share your customization of the configuration file? So we can understand better the upgrade path you are going through. I am setting the status to Incomplete until you provide more information, once you do that please set it back to New and we will take a look again. ** Changed in: openssh (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1990863 Title: conversion from sshd service to socket is too bumpy Status in openssh package in Ubuntu: Incomplete Bug description: During upgrade from Jammy to Kinetic, I get asked what to do because my sshd_config has been modified. I say to do a 3-way merge. It says 3-way merge fails. I shrug, figure I'll just restore my customizations with Ansible after the upgrade like I always do, and tell it to use the vendor version of the file. This removes my custom Port settings, so they are not migrated over to the ssh.socket settings like https://discourse.ubuntu.com/t/sshd-now-uses-socket-based-activation- ubuntu-22-10-and-later/30189 says they would be. I subsequently run my Ansible which restores the customizations and enables the ssh service, but now ssh.service and ssh.socket are enabled at the same time, sshd isn't listening on my specified ports, and everything is a mess. I've never used socket-based activation before and have no idea how to configure it so now I have to go reading man pages, Googling all over the place, and generally struggle to figure out what the heck is going wrong. I don't know what the right answer is here, but I really feel like some effort needs to be put into figuring out a smoother transition for people who are upgrading to Kinetic. ProblemType: Bug DistroRelease: Ubuntu 22.10 Package: openssh-server 1:9.0p1-1ubuntu6 ProcVersionSignature: Ubuntu 5.19.0-15.15-generic 5.19.0 Uname: Linux 5.19.0-15-generic x86_64 ApportVersion: 2.23.0-0ubuntu2 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Mon Sep 26 11:41:58 2022 InstallationDate: Installed on 2019-08-16 (1136 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) SourcePackage: openssh UpgradeStatus: Upgraded to kinetic on 2022-09-24 (1 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1990863/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1988730] Re: package libsasl2-modules provides only unsafe SASL bind mechanims
Thanks for taking the time to report this bug and trying to make Ubuntu better. This very same bug was filed against Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977360 and fixed by this commit in version 2.1.28+dfsg-4: https://salsa.debian.org/debian/cyrus- sasl2/-/commit/510c86097b7259f0033150c5a66115028736c157 We need to backport the patch above to Jammy to address this issue. ** Also affects: cyrus-sasl2 (Ubuntu Jammy) Importance: Undecided Status: New ** Changed in: cyrus-sasl2 (Ubuntu) Status: New => Fix Released ** Changed in: cyrus-sasl2 (Ubuntu Jammy) Status: New => Triaged ** Bug watch added: Debian Bug tracker #977360 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977360 ** Tags added: server-todo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1988730 Title: package libsasl2-modules provides only unsafe SASL bind mechanims Status in cyrus-sasl2 package in Ubuntu: Fix Released Status in cyrus-sasl2 source package in Jammy: Triaged Bug description: Current Cyrus libsasl2 packaging (Ubuntu Jammy) distributes SASL bind mechanims into different packages. Plained and shared secret mechanisms are provided by package libsasl2-modules: /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2 /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25 /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2 /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25 /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2 /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25 /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2 /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25 /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2 /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25 /usr/lib/x86_64-linux-gnu/sasl2/libplain.so /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2 /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25 The "safest" mechanism in this list is DIGEST-MD5, which is marked as obsolete by IANA and regarded as unsafe by IETF. Current safest standard mechanisms are SCRAM based (RFC7677). All SCRAM family SASL mechanisms of Cyrus SASL are provided by Ubuntu package libsasl2-modules-gssapi-mit: /usr/lib/x86_64-linux-gnu/sasl2/libscram.so /usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2 /usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2.0.25 But the focus of this package is GSSAPI and GS2 SASL mechanism, which have nothing to do with SCRAM. In addition, this package conflicts with package libsasl2-modules-gssapi-heimdal. System administrators have to choose one package for support of GSSAPI or GSS-SPEGNO. If they prefer Heimdal there is no safe SASL shared secret mechanism available anymore on the server/workstation. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1988730/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971932] Re: error in rsync protocol data stream
Since there is known workaround for this I am setting the Importance to Low. ** Changed in: rsync (Ubuntu) Importance: Undecided => Low -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsync in Ubuntu. https://bugs.launchpad.net/bugs/1971932 Title: error in rsync protocol data stream Status in rsync package in Ubuntu: Confirmed Bug description: When synchronizing to other systems, rsync exits with "error in rsync protocol data stream (code 12)". The problem occurs since ubuntu 22.04 LTS with two different destination systems not running ubuntu but plain debian. The error did not occur under 20.04 LTS. Synchronisation runs fine for most other files, but always stops at the same (relative large) file. The file itself has also been changed on a test basis to make sure the file is not the problem itself. Log snippet: ... chunk[46131] len=46120 offset=2127561720 sum1=2f48caf4 chunk[46132] len=46120 offset=2127607840 sum1=5dfcb4ee chunk[46133] len=46120 offset=2127653960 sum1=d1037d81 chunk[46134] len=8870 offset=2127700080 sum1=6deedc97 send_files mapped /path/backup/subdir/.thunderbird/profile/ImapMail/imap.domain.com/INBOX of size 2135722584 calling match_sums /path/backup/subdir/.thunderbird/profile/ImapMail/imap.domain.com/INBOX built hash table hash search b=46120 len=2135722584 sum=1e1722dc k=46120 hash search s->blength=46120 len=2135722584 count=46135 potential match at 0 i=0 sum=1e1722dc match at 0 last_match=0 j=0 len=46120 n=0 potential match at 46120 i=1 sum=c482d6b6 match at 46120 last_match=46120 j=1 len=46120 n=0 potential match at 92240 i=2 sum=b21c7e11 match at 92240 last_match=92240 j=2 len=46120 n=0 potential match at 138360 i=3 sum=d066473a match at 138360 last_match=138360 j=3 len=46120 n=0 potential match at 184480 i=4 sum=a32a2984 match at 184480 last_match=184480 j=4 len=46120 n=0 potential match at 230600 i=5 sum=39cc049f match at 230600 last_match=230600 j=5 len=46120 n=0 potential match at 276720 i=6 sum=ad3de98a match at 276720 last_match=276720 j=6 len=46120 n=0 potential match at 322840 i=7 sum=83e16fa9 match at 322840 last_match=322840 j=7 len=46120 n=0 deflate on token returned 0 (8512 bytes left) rsync error: error in rsync protocol data stream (code 12) at token.c(476) [sender=3.2.3] [sender] _exit_cleanup(code=12, file=token.c, line=476): entered [sender] _exit_cleanup(code=12, file=token.c, line=476): about to call exit(12) Sender system: (rsync 3.2.3-8ubuntu3) - rsync version 3.2.3 protocol version 31 Copyright (C) 1996-2020 by Andrew Tridgell, Wayne Davison, and others. Web site: https://rsync.samba.org/ Capabilities: 64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints, socketpairs, hardlinks, hardlink-specials, symlinks, IPv6, atimes, batchfiles, inplace, append, ACLs, xattrs, optional protect-args, iconv, symtimes, prealloc, stop-at, no crtimes Optimizations: SIMD, no asm, openssl-crypto Checksum list: xxh128 xxh3 xxh64 (xxhash) md5 md4 none Compress list: zstd lz4 zlibx zlib none rsync comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the GNU General Public Licence for details. Recipient systems: (rsync 3.1.3-6) -- rsync version 3.1.3 protocol version 31 Copyright (C) 1996-2018 by Andrew Tridgell, Wayne Davison, and others. Web site: http://rsync.samba.org/ Capabilities: 64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints, socketpairs, hardlinks, symlinks, IPv6, batchfiles, inplace, append, ACLs, xattrs, iconv, symtimes, prealloc rsync comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the GNU General Public Licence for details. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1971932/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1980146] Re: dnsmasq often using 100% of CPU
Thanks for the information you provided. I set up a Ubuntu Jammy VM with
ssh and dnsmasq running and unfortunately I cannot reproduce it just
with that. There might be something else happening in your system.
If you could provide information about all processes running in your
system when this happens it would be great. It could at least serve as a
lead for us to keep investigating this issue, right now I am not sure
what's going on.
** Changed in: dnsmasq (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/1980146
Title:
dnsmasq often using 100% of CPU
Status in dnsmasq package in Ubuntu:
Incomplete
Bug description:
Release: 22.04
Codename: jammy
Kernel: Linux 5.15.0-40-generic x86_64
⏵ apt-cache policy dnsmasq
Installed: 2.86-1.1ubuntu0.1
dnsmasq is caught in a loop after every dns request, resulting in 100%
CPU usage for several minutes each time. This leads to a hot and
lethargic computer. During this time thousands of the following
messages (see below) are printed from strace.
The loop tends to obsess on denied connections, but there are so many
I'm not 100% sure.
systemd-resolved is _not_ running, some bugs refer to that.
⏵ head /etc/dnsmasq.d/foo.conf
address=/#/127.0.0.2
port=53
resolv-file=/var/run/NetworkManager/resolv.conf
⏵ sudo strace -p 3519 (dnsmasq)
poll([{fd=3, events=POLLIN}, {fd=4, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8,
events=POLLIN}, {fd=9, events=POLLIN}, {fd=13, events=POLLIN}, {fd=14,
events=POLLIN}], 9, -1) = 1 ([{fd=4, revents=POLLIN}])
recvmsg(4, {msg_name={sa_family=AF_INET, sin_port=htons(60224),
sin_addr=inet_addr("127.0.0.1")}, msg_namelen=28 => 16,
msg_iov=[{iov_base="\302\221\1\0\0\1\0\0\0\0\0\0\17classify-
client\10ser"..., iov_len=4096}], msg_iovlen=1,
msg_control=[{cmsg_len=28, cmsg_level=SOL_IP, cmsg_type=IP_PKTINFO,
cmsg_data={ipi_ifindex=if_nametoindex("lo"),
ipi_spec_dst=inet_addr("127.0.0.53"),
ipi_addr=inet_addr("127.0.0.53")}}], msg_controllen=32, msg_flags=0},
0) = 54
ioctl(4, SIOCGIFNAME, {ifr_ifindex=1, ifr_name="lo"}) = 0
sendto(14, "\302\221\1\0\0\1\0\0\0\0\0\0\17classify-client\10ser"...,
54, 0, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("127.0.0.53")}, 16) = 54
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1980146/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1979313] Re: kubeadm doesn't work with containerd version of apt install
** Also affects: apt (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: containerd (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: containerd (Ubuntu Focal) Importance: Undecided => Low ** Changed in: containerd (Ubuntu Focal) Status: New => Triaged ** Changed in: apt (Ubuntu Focal) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1979313 Title: kubeadm doesn't work with containerd version of apt install Status in apt package in Ubuntu: Invalid Status in containerd package in Ubuntu: Triaged Status in apt source package in Focal: Invalid Status in containerd source package in Focal: Triaged Bug description: Version of Ubuntu: Description:Ubuntu 22.04 LTS Release:22.04 kubeadm: Installed: 1.24.2-00 Candidate: 1.24.2-00 Package that has the problem: containerd: Installed: 1.5.9-0ubuntu3 Candidate: 1.5.9-0ubuntu3 Version table: *** 1.5.9-0ubuntu3 500 500 http://ro.archive.ubuntu.com/ubuntu jammy/main amd64 Packages 100 /var/lib/dpkg/status Problem: Kubeadm is not compatibile with this version of containerd that is installed by `apt install containerd`. If I use `kubeadm init` it will create a cluster which instead of staying alive will die after a couple of minutes. The problem is in the config file of containerd, which has the following parameter set to false: `SystemdCgroup = false` Solution: To solve this, the containerd config parameter SystemdCgroup needs to be set to true. It is set to true in the containerd v1.6.2, but by default, apt installs the version v1.5.9, which worked on Ubuntu 20.04 but does not work for Ubuntu 22.04. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1979313/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1979313] Re: kubeadm doesn't work with containerd version of apt install
Thanks for taking the time to report this bug and trying to make Ubuntu better. This seems to be a real issue, in the kubernetes documentation they tell users to set this variable to true: https://kubernetes.io/docs/setup/production-environment/container- runtimes/#containerd-systemd We are planning to update containerd to the latest upstream version which will fix this issue as you mentioned. While this does not happen here users can find a simple workaround for that. ** Changed in: containerd (Ubuntu) Status: New => Triaged ** Changed in: containerd (Ubuntu) Importance: Undecided => Low ** Changed in: apt (Ubuntu) Status: Confirmed => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1979313 Title: kubeadm doesn't work with containerd version of apt install Status in apt package in Ubuntu: Invalid Status in containerd package in Ubuntu: Triaged Bug description: Version of Ubuntu: Description:Ubuntu 22.04 LTS Release:22.04 kubeadm: Installed: 1.24.2-00 Candidate: 1.24.2-00 Package that has the problem: containerd: Installed: 1.5.9-0ubuntu3 Candidate: 1.5.9-0ubuntu3 Version table: *** 1.5.9-0ubuntu3 500 500 http://ro.archive.ubuntu.com/ubuntu jammy/main amd64 Packages 100 /var/lib/dpkg/status Problem: Kubeadm is not compatibile with this version of containerd that is installed by `apt install containerd`. If I use `kubeadm init` it will create a cluster which instead of staying alive will die after a couple of minutes. The problem is in the config file of containerd, which has the following parameter set to false: `SystemdCgroup = false` Solution: To solve this, the containerd config parameter SystemdCgroup needs to be set to true. It is set to true in the containerd v1.6.2, but by default, apt installs the version v1.5.9, which worked on Ubuntu 20.04 but does not work for Ubuntu 22.04. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1979313/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1975496] Re: package openssh-server 1:8.2p1-4ubuntu0.5 failed to install/upgrade: installed openssh-server package post-installation script subprocess returned error exit status
Thanks for taking the time to report this bug and trying to make Ubuntu better. >From the sshd logs in the description we can see: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 255: /etc/ssh/sshd_config: line 125: Bad configuration option: Host /etc/ssh/sshd_config: line 126: Bad configuration option: ForwardX11 /etc/ssh/sshd_config: terminating, 2 bad configuration options Which tells us that your sshd_config file has some bad configuration on line 125 and 126. Please, revisit your configuration file and fix it up. Since it seems likely to me that this is a local configuration problem, rather than a bug in Ubuntu, I am marking this bug as 'Incomplete'. However, if you believe that this is really a bug in Ubuntu, then we would be grateful if you would provide a more complete description of the problem with steps to reproduce, explain why you believe this is a bug in Ubuntu rather than a problem specific to your system, and then change the bug status back to "New". For local configuration issues, you can find assistance here: http://www.ubuntu.com/support/community ** Changed in: openssh (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1975496 Title: package openssh-server 1:8.2p1-4ubuntu0.5 failed to install/upgrade: installed openssh-server package post-installation script subprocess returned error exit status 1 Status in openssh package in Ubuntu: Incomplete Bug description: I had fixed an earlier problem with /etc/ssh/sshd_config but this error persists. I've tried removing the package, rebooting, and adding the openssh-server. package. ProblemType: Package DistroRelease: Ubuntu 20.04 Package: openssh-server 1:8.2p1-4ubuntu0.5 ProcVersionSignature: Ubuntu 5.13.0-41.46~20.04.1-generic 5.13.19 Uname: Linux 5.13.0-41-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu27.24 AptOrdering: firefox-locale-en:amd64: Install NULL: ConfigurePending Architecture: amd64 CasperMD5CheckResult: skip Date: Mon May 23 06:37:07 2022 ErrorMessage: installed openssh-server package post-installation script subprocess returned error exit status 1 InstallationDate: Installed on 2020-10-06 (593 days ago) InstallationMedia: Ubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731) Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2 PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4 RelatedPackageVersions: dpkg 1.19.7ubuntu3 apt 2.0.8 SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 255: /etc/ssh/sshd_config: line 125: Bad configuration option: Host /etc/ssh/sshd_config: line 126: Bad configuration option: ForwardX11 /etc/ssh/sshd_config: terminating, 2 bad configuration options SourcePackage: openssh Title: package openssh-server 1:8.2p1-4ubuntu0.5 failed to install/upgrade: installed openssh-server package post-installation script subprocess returned error exit status 1 UpgradeStatus: Upgraded to focal on 2021-09-29 (235 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1975496/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973217] Re: package openssh-server 1:8.2p1-4ubuntu0.5 failed to install/upgrade: installed openssh-server package post-installation script subprocess returned error exit status
Thanks for taking the time to file this bug and trying to make Ubuntu better. >From the attached logs: May 12 08:50:07 paradise sshd[59551]: /etc/ssh/sshd_config: line 125: Bad configuration option: Host May 12 08:50:07 paradise sshd[59551]: /etc/ssh/sshd_config: line 126: Bad configuration option: ForwardX11 May 12 08:50:07 paradise sshd[59551]: /etc/ssh/sshd_config: terminating, 2 bad configuration options Which tells us that this is a local configuration issue. The Host and ForwardX11 options are causing the issue, avoiding the service to start. Since it seems likely to me that this is a local configuration problem, rather than a bug in Ubuntu, I am marking this bug as 'Incomplete'. However, if you believe that this is really a bug in Ubuntu, then we would be grateful if you would provide a more complete description of the problem with steps to reproduce, explain why you believe this is a bug in Ubuntu rather than a problem specific to your system, and then change the bug status back to "New". For local configuration issues, you can find assistance here: http://www.ubuntu.com/support/community -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1973217 Title: package openssh-server 1:8.2p1-4ubuntu0.5 failed to install/upgrade: installed openssh-server package post-installation script subprocess returned error exit status 1 Status in openssh package in Ubuntu: Incomplete Bug description: It might be that two instances of update-manager seemed to be running at the same time. ProblemType: Package DistroRelease: Ubuntu 20.04 Package: openssh-server 1:8.2p1-4ubuntu0.5 ProcVersionSignature: Ubuntu 5.13.0-41.46~20.04.1-generic 5.13.19 Uname: Linux 5.13.0-41-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu27.23 Architecture: amd64 CasperMD5CheckResult: skip Date: Thu May 12 08:50:07 2022 ErrorMessage: installed openssh-server package post-installation script subprocess returned error exit status 1 InstallationDate: Installed on 2020-10-06 (582 days ago) InstallationMedia: Ubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731) Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2 PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4 RelatedPackageVersions: dpkg 1.19.7ubuntu3 apt 2.0.6 SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 255: /etc/ssh/sshd_config: line 125: Bad configuration option: Host /etc/ssh/sshd_config: line 126: Bad configuration option: ForwardX11 /etc/ssh/sshd_config: terminating, 2 bad configuration options SourcePackage: openssh Title: package openssh-server 1:8.2p1-4ubuntu0.5 failed to install/upgrade: installed openssh-server package post-installation script subprocess returned error exit status 1 UpgradeStatus: Upgraded to focal on 2021-09-29 (225 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1973217/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973137] Re: ldap_do_free_request: Assertion `lr->lr_refcnt == 1' failed
You mentioned it is taking longer to process the request but it is working. So I am setting the priority to Low and I am adding this bug to the server team backlog. It will be looked at once we find some time. ** Changed in: openldap (Ubuntu) Importance: Undecided => Low -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1973137 Title: ldap_do_free_request: Assertion `lr->lr_refcnt == 1' failed Status in openldap package in Ubuntu: New Bug description: I dont know it is openldap related: Operation System: Ubuntu 22.04 Packages: sssd-ldap 2.6.3-1ubuntu3 libldap-2.5-0:amd64 2.5.11+dfsg-1~exp1ubuntu3 libldap-common2.5.11+dfsg-1~exp1ubuntu3 I have configured sssd to use LDAPS over HAPROXY. With the latest Debian Version and Ubuntu 20.04 i have no error. But with Ubuntu 22.04 i randomly cant login. Syslog show this error: May 12 06:57:55 ingress2 sssd[870590]: sssd_be: ../../../../libraries/libldap/request.c:970: ldap_do_free_request: Assertion `lr->lr_refcnt == 1' failed. If i configured SSSD to use directly our LDAP Server, its working. Regards Sebastian To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1973137/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1968305] Re: sshd_config.d overrides not working
@jamesps this applies to Ubuntu Focal 20.04 as described in the manpage. This seems to me a local configuration issue and not a bug in the package. Due to that I am marking this bug as Invalid. ** Changed in: openssh (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1968305 Title: sshd_config.d overrides not working Status in openssh package in Ubuntu: Invalid Bug description: Creating an sshd_config override file under /etc/ssh/sshd_config.d/ does not override settings from /etc/ssh/sshd_config From debugging sshd, I can see the override file is indeed being read, and the option is supposedly set. But after testing, the options are not taking effect. Specifically, in the main sshd_config, I have disabled PasswordAuthentication In my override file, PasswordAuthentication is enabled Yet, when connecting to the server, it only checks public/private keys. This is for an environment where we have our default sshd_config, and in specific use-cases, we might enable PasswordAuthentication for some servers. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openssh-server 1:8.2p1-4ubuntu0.4 ProcVersionSignature: Ubuntu 5.13.0-39.44~20.04.1-generic 5.13.19 Uname: Linux 5.13.0-39-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.21 Architecture: amd64 CasperMD5CheckResult: pass Date: Fri Apr 8 10:37:42 2022 InstallationDate: Installed on 2021-11-04 (154 days ago) InstallationMedia: Ubuntu-Server 20.04.3 LTS "Focal Fossa" - Release amd64 (20210824) SourcePackage: openssh UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1968305/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1874257] Re: SSH fails with connection timed out - in VPN and hangs here "expecting SSH2_MSG_KEX_ECDH_REPLY" + Ubuntu 16.04.6 LTS
@family-gan are you saying this is an issue in Ubuntu Impish (21.10)? It seems to be already fixed in supported releases. Could you share any steps to reproduce it? If you consider the issue you are facing different than the one discussed in this bug please consider filing a separate bug. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1874257 Title: SSH fails with connection timed out - in VPN and hangs here "expecting SSH2_MSG_KEX_ECDH_REPLY" + Ubuntu 16.04.6 LTS Status in linux package in Ubuntu: Invalid Status in openconnect package in Ubuntu: Fix Released Status in openssh package in Ubuntu: Invalid Status in openconnect source package in Xenial: Confirmed Bug description: Hello Team, SSH timeout issue, once connect to VPN. Environment == Dell XPS 9570 Ubuntu 16.04.6 Xenial Xerus) kernel - 4.15.0-55-generic $dpkg -l | grep -i openssh ii openssh-client 1:7.2p2-4ubuntu2.8 --> ii openssh-server 1:7.2p2-4ubuntu2.8 ii openssh-sftp-server 1:7.2p2-4ubuntu2.8 VPN tunnel info vpn0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:IP P-t-P:xx Mask:255.255.252.0 inet6 addr: fe80::b8e2:bea4:2e62:fe08/64 Scope:Link UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1406 Metric:1 RX packets:962 errors:0 dropped:0 overruns:0 frame:0 TX packets:1029 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:87839 (87.8 KB) TX bytes:238740 (238.7 KB) Issue Unable to connect to any host via ssh or sftp after VPN connection Tried = Reinstalled the openssh-client package and still no luck. May I know why the default cipher is not taking/hanging? Please let me know . There were no recent changes. Workaround === Able to connect to ssh / sftp $ssh -c aes128-ctr user@IP Below is the debug ssh client logs === == $ssh -vvv user@ip OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g 1 Mar 2016 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug2: resolving "IP" port 22 debug2: ssh_connect_direct: needpriv 0 debug1: Connecting to IP [IP] port 22. debug1: Connection established. debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_rsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x0400 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to IP:22 as 'user' debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c debug2: host key algorithms: ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug2: ciphers ctos: chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc debug2: ciphers stoc: chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc debug2: MACs ctos:
[Touch-packages] [Bug 1957104] Re: updating openssh-server fails, because port 22 is in use by systemd
I upgraded openssh-server in a Impish VM locally and I was not able to reproduce the issue you described. Are you able to provide some detailed steps on how to reproduce this bug? Could you check if you face the same issue with Jammy (22.04)? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1957104 Title: updating openssh-server fails, because port 22 is in use by systemd Status in openssh package in Ubuntu: Incomplete Bug description: openssh-server tries to restart itself, but openssh-server reports port 22 in use. This is true: systemd has taken port 22 to start sshd if one connects to port 22. two solutions: 1. dont start sshd after installing. configure it without starting it afterwards. 2. stop systemd listening on port 22 before starting sshd, then start sshd, terminate it after configuring, then start systemd listening on port 22 again. Second problem: starting ssh.service does not check if "/run/sshd" exists. This directory has to be created before sshd is started. Unclear if this is an error with sshd not creating this directory before dropping privileges or if this has to be done once while installing. IMHO the first is the case. Workaround: systemctl stop ssh.service systemctl disable ssh.service apt upgrade systemctl enable ssh.service killall sshd mkdir /run/sshd systemctl start ssh.service ProblemType: Bug DistroRelease: Ubuntu 21.10 Package: openssh-server 1:8.4p1-6ubuntu2.1 ProcVersionSignature: Ubuntu 5.13.0-23.23-generic 5.13.19 Uname: Linux 5.13.0-23-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.11-0ubuntu71 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: XFCE Date: Tue Jan 11 19:11:47 2022 InstallationDate: Installed on 2021-08-18 (146 days ago) InstallationMedia: Xubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420) SSHDConfig: Error: command ['pkexec', '/usr/sbin/sshd', '-T'] failed with exit code 255: Missing privilege separation directory: /run/sshd SourcePackage: openssh UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1957104/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1955347] Re: rsync works bad with encfs now
Hi Claude,
Are you able to roll rsycn back to version 3.1.3-8 to see if this gets
fixed? In 2021-11-16, we got an update to fix LP #1896251. FWIW, this is
the upstream patch that was applied:
https://github.com/WayneD/rsync/commit/af6118d98b3482cbcfc223bf2a0777bc19eccb02
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsync in Ubuntu.
https://bugs.launchpad.net/bugs/1955347
Title:
rsync works bad with encfs now
Status in rsync package in Ubuntu:
Incomplete
Bug description:
Hello,
I think rsync works bad with encfs now.
When root uses it, rsync cannot read a directory encrypted with encfs
by a user. More precisely, it cannot read the mounted directory, the
virtual one where the user can read the datas.
Until now there was only a warning like this
"rsync: readlink_stat("/home/claude/Documents_chiffres") failed:
Permission denied (13)"
and the software went on working (only ignoring the content of the mounted
directory and of course without saving this content)
But recently there is this more:
"IO error encountered -- skipping file deletion"
and because of this "skipping file deletion", the software can't work
normally. The destination gets bigger more and more because the deleted files
in the source are not deleted in the destination.
Thanks for reading me.
rsync 3.1.3-8ubuntu0.1
Description:Ubuntu 20.04.3 LTS
Release:20.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1955347/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1956954] Re: Can't load seccomp filter
Thanks for taking the time to report this bug and trying to make Ubuntu better. I am not familiar with Puppeteer but since you think this might be related to kernel, could you please provide any system logs so we can understand what is happening? In a regular arm64 VM I am able to run "apt update && apt upgrade" without issues (FWIW I am not running it on AWS). I am setting the status of this bug to Incomplete, once you provide more information set it back to New and we will take a look at it again. ** Changed in: libseccomp (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1956954 Title: Can't load seccomp filter Status in libseccomp package in Ubuntu: Incomplete Bug description: After migrating from Ubuntu 20 amd64 to aarch64 I started experiencing "can't load seccomp filter" when doing `apt update && apt upgrade` and "Kernel refuses to turn on BPF filters" when using Puppeteer. I wrote about it more extensively here: https://stackoverflow.com/questions/69892137/after-a-few-days-i-can- no-longer-start-puppeteer-until-i-restart-the-server lsb_release -rd --- Description: Ubuntu 20.04.3 LTS Release: 20.04 apt-cache policy seccomp --- seccomp: Installed: (none) Candidate: 2.5.1-1ubuntu1~20.04.2 Version table: 2.5.1-1ubuntu1~20.04.2 500 500 http://us-east-1.ec2.ports.ubuntu.com/ubuntu-ports focal-updates/main arm64 Packages 500 http://ports.ubuntu.com/ubuntu-ports focal-security/main arm64 Packages 2.4.3-1ubuntu1 500 500 http://us-east-1.ec2.ports.ubuntu.com/ubuntu-ports focal/main arm64 Packages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1956954/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1915238] Re: warning: /var/spool/postfix/etc/ssl/certs/ca-certificates.crt and /etc/ssl/certs/ca-certificates.crt differ
This bug is in our backlog, we still did not have time to tackle it. Paride made a great analysis above, and I believe we should try to talk to the Debian maintainer to see if they agree with the proposed solution and land the fix there. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/1915238 Title: warning: /var/spool/postfix/etc/ssl/certs/ca-certificates.crt and /etc/ssl/certs/ca-certificates.crt differ Status in ca-certificates package in Ubuntu: New Status in postfix package in Ubuntu: Triaged Status in postfix package in Debian: New Bug description: Postfix package doesn't utilize update-ca-certificate's hooks mechanism. By simply copying certs from /etc/ssl/certs/ca- certificates.crt to /var/spool/postfix/etc/ssl/certs/ca- certificates.crt, this warning and potential security issues could be avoided. Something like this would be a start: $ cat /etc/ca-certificates/update.d/postfix #!/bin/bash if [ -e /var/spool/postfix/etc/ssl/certs/ca-certificates.crt ]; then echo "Updating postfix chrooted certs" cp /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt systemctl reload postfix fi To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1915238/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1949535] Re: X-forwarding no longer works
This is confusing Robert, is your target system running Debian Bullseye? There is no Debian release called Bullet. Do you have any custom configuration in the server or client side? Please provide more information, for instance detailed steps, so we can attempt to reproduce it. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1949535 Title: X-forwarding no longer works Status in openssh package in Ubuntu: Incomplete Bug description: I operate a Linux based Internet hosting service that includes Linux shell servers of various flavors. I control these from home using Ubuntu 21.10 presently. Until recently, X-forwarding has worked from all but ancient Redhat 6.2 servers. I recently upgraded my debian shell server to Bullet, and after the upgrade ssh -X debian.eskimo.com from my workstation nanook.eskimo.com ceased to function. It simply says "Cannot open DISPLAY". At the time, all the others continued to work. Today, when I went to do upgrades, now ssh -X is forwarding across the board to all flavors of Linux. I did an ssh -V, nothing obvious wrong in the connection. debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering public key: /home/nanook/.ssh/id_rsa RSA SHA256:a5bReJXl7L91eGOuCYugHsY2rn2a0WTDXEBTC93YdmA agent debug1: Server accepts key: /home/nanook/.ssh/id_rsa RSA SHA256:a5bReJXl7L91eGOuCYugHsY2rn2a0WTDXEBTC93YdmA agent debug1: Authentication succeeded (publickey). Authenticated to igloo.eskimo.com ([204.122.16.128]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessi...@openssh.com debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype hostkeys...@openssh.com want_reply 0 debug1: Remote: /home/nanook/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding debug1: Remote: /home/nanook/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding debug1: Sending environment. debug1: Sending env LANG = en_US.UTF-8 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: client_input_channel_req: channel 0 rtype e...@openssh.com reply 0 debug1: channel 0: free: client-session, nchannels 1 debug1: fd 2 clearing O_NONBLOCK Connection to igloo.eskimo.com closed. Transferred: sent 3748, received 3820 bytes, in 6.4 seconds Bytes per second: sent 589.4, received 600.8 I don't see anything obviously wrong here but still it does not work, I get: xclock Error: Can't open display: ProblemType: Bug DistroRelease: Ubuntu 21.10 Package: ssh (not installed) Uname: Linux 5.13.19 x86_64 ApportVersion: 2.20.11-0ubuntu71 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: MATE Date: Tue Nov 2 17:31:14 2021 SourcePackage: openssh UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1949535/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
** Changed in: runc (Ubuntu Xenial) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in Ubuntu on IBM z Systems: New Status in docker.io package in Ubuntu: Invalid Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: Invalid Status in libseccomp source package in Xenial: Fix Released Status in runc source package in Xenial: Invalid Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: Invalid Status in libseccomp source package in Bionic: Fix Released Status in runc source package in Bionic: Fix Released Status in systemd source package in Bionic: Fix Released Status in docker.io source package in Focal: Invalid Status in libseccomp source package in Focal: Fix Released Status in runc source package in Focal: Fix Released Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: Won't Fix Status in libseccomp source package in Groovy: Won't Fix Status in runc source package in Groovy: Fix Released Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: Invalid Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ sudo tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with: 0E: gnupg, gnupg2 and unupg1 do not
[Touch-packages] [Bug 1505670] Re: "uncaptured python exception"
@Rolf and others, thanks for all the testing done so far. Since the
importance is set to Low I do not believe we will have time to tackle
this anytime soon, but I'd be happy to sponsor a fixed package if anyone
wants to work on it. In order to land this fix we would need to follow
the SRU process:
https://wiki.ubuntu.com/StableReleaseUpdates
Once we have the SRU bug description in place and a debdiff, we can
review the and sponsor your work.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1505670
Title:
"uncaptured python exception"
Status in python2.7 package in Ubuntu:
New
Status in squid-deb-proxy package in Ubuntu:
Confirmed
Status in python2.7 source package in Bionic:
New
Status in squid-deb-proxy source package in Bionic:
New
Status in python2.7 source package in Focal:
New
Status in squid-deb-proxy source package in Focal:
New
Bug description:
I get the following error when running the discovery script on the
command line.
$ /usr/share/squid-deb-proxy-client/apt-avahi-discover
error: uncaptured python exception, closing channel
('10.1.2.3', 3142): 2147483647 (:[Errno 111] Connection
refused [/usr/lib/python2.7/asyncore.py|read|83]
[/usr/lib/python2.7/asyncore.py|handle_read_event|446]
[/usr/lib/python2.7/asyncore.py|handle_connect_event|454])
error: uncaptured python exception, closing channel
('10.0.3.1', 3142): 2147483647 (:[Errno 111] Connection
refused [/usr/lib/python2.7/asyncore.py|read|83]
[/usr/lib/python2.7/asyncore.py|handle_read_event|446]
[/usr/lib/python2.7/asyncore.py|handle_connect_event|454])
error: uncaptured python exception, closing channel
('172.24.74.129', 3142): 2147483647 (:[Errno 111]
Connection refused [/usr/lib/python2.7/asyncore.py|read|83]
[/usr/lib/python2.7/asyncore.py|handle_read_event|446]
[/usr/lib/python2.7/asyncore.py|handle_connect_event|454])
http://172.24.74.145:3142/
The last line still returns the proper proxy URI so as far as I can
tell things are still working. The IP 10.1.2.3 is for an n2n VPN.
This is on trusty with version 0.8.6ubuntu1.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1505670/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1505670] Re: "uncaptured python exception"
** Also affects: python2.7 (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: squid-deb-proxy (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: python2.7 (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: squid-deb-proxy (Ubuntu Focal)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1505670
Title:
"uncaptured python exception"
Status in python2.7 package in Ubuntu:
New
Status in squid-deb-proxy package in Ubuntu:
Confirmed
Status in python2.7 source package in Bionic:
New
Status in squid-deb-proxy source package in Bionic:
New
Status in python2.7 source package in Focal:
New
Status in squid-deb-proxy source package in Focal:
New
Bug description:
I get the following error when running the discovery script on the
command line.
$ /usr/share/squid-deb-proxy-client/apt-avahi-discover
error: uncaptured python exception, closing channel
('10.1.2.3', 3142): 2147483647 (:[Errno 111] Connection
refused [/usr/lib/python2.7/asyncore.py|read|83]
[/usr/lib/python2.7/asyncore.py|handle_read_event|446]
[/usr/lib/python2.7/asyncore.py|handle_connect_event|454])
error: uncaptured python exception, closing channel
('10.0.3.1', 3142): 2147483647 (:[Errno 111] Connection
refused [/usr/lib/python2.7/asyncore.py|read|83]
[/usr/lib/python2.7/asyncore.py|handle_read_event|446]
[/usr/lib/python2.7/asyncore.py|handle_connect_event|454])
error: uncaptured python exception, closing channel
('172.24.74.129', 3142): 2147483647 (:[Errno 111]
Connection refused [/usr/lib/python2.7/asyncore.py|read|83]
[/usr/lib/python2.7/asyncore.py|handle_read_event|446]
[/usr/lib/python2.7/asyncore.py|handle_connect_event|454])
http://172.24.74.145:3142/
The last line still returns the proper proxy URI so as far as I can
tell things are still working. The IP 10.1.2.3 is for an n2n VPN.
This is on trusty with version 0.8.6ubuntu1.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1505670/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1939640] Re: libvpx FTBFS with LTO enabled
The debdiff to add libvpx to lto-disabled-list package looks good to me, +1. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libvpx in Ubuntu. https://bugs.launchpad.net/bugs/1939640 Title: libvpx FTBFS with LTO enabled Status in libvpx package in Ubuntu: Confirmed Status in lto-disabled-list package in Ubuntu: New Bug description: libvpx FTBFS with LTO enabled on GCC 11, as can be seen here: https://people.canonical.com/~doko/ftbfs-report/test- rebuild-20210805-impish-impish.html#ubuntu-server https://launchpadlibrarian.net/552670245/buildlog_ubuntu-impish- amd64.libvpx_1.9.0-1_BUILDING.txt.gz g++ -Wl,-Bsymbolic-functions -flto=auto -Wl,-z,relro -Wl,-z,now -m64 -o test_libvpx ivfenc.c.o md5_utils.c.o test/active_map_refresh_test.cc.o test/active_map_test.cc.o test/alt_ref_aq_segment_test.cc.o test/altref_test.cc.o test/aq_segment_test.cc.o test/bench.cc.o test/borders_test.cc.o test/byte_alignment_test.cc.o test/config_test.cc.o test/cpu_speed_test.cc.o test/cq_test.cc.o test/decode_api_test.cc.o test/decode_corrupted.cc.o test/decode_svc_test.cc.o test/decode_test_driver.cc.o test/encode_api_test.cc.o test/encode_test_driver.cc.o test/error_resilience_test.cc.o test/external_frame_buffer_test.cc.o test/frame_size_tests.cc.o test/invalid_file_test.cc.o test/keyframe_test.cc.o test/level_test.cc.o test/realtime_test.cc.o test/resize_test.cc.o test/svc_datarate_test.cc.o test/svc_end_to_end_test.cc.o test/svc_test.cc.o test/test_libvpx.cc.o test/test_vector_test.cc.o test/test_vectors.cc.o test/timestamp_test.cc.o test/user_priv_test.cc.o test/vp8_datarate_test.cc.o test/vp9_datarate_test.cc.o test/vp9_end_to_end_test.cc.o test/vp9_ethread_test.cc.o test/vp9_lossless_test.cc.o test/vp9_motion_vector_test.cc.o test/vp9_skip_loopfilter_test.cc.o test/y4m_test.cc.o third_party/libwebm/mkvparser/mkvparser.cc.o third_party/libwebm/mkvparser/mkvreader.cc.o webmdec.cc.o y4menc.c.o y4minput.c.o -L. -lvpx -lgtest -lpthread -lm -lpthread ln -sf libvpx.so.6.3.0 vpx-vp8-vp9-x86_64-linux-v1.9.0/lib/libvpx.so.6 /usr/bin/ld: /tmp/ccsyaUhJ.ltrans0.ltrans.o:(.debug_info+0x1586f): undefined reference to `gtest_all.cc.5c9bdf8f' /usr/bin/ld: /tmp/ccsyaUhJ.ltrans0.ltrans.o:(.debug_info+0x158a5): undefined reference to `gtest_all.cc.5c9bdf8f' /usr/bin/ld: /tmp/ccsyaUhJ.ltrans0.ltrans.o:(.debug_info+0x158b2): undefined reference to `gtest_all.cc.5c9bdf8f' /usr/bin/ld: /tmp/ccsyaUhJ.ltrans0.ltrans.o:(.debug_info+0x158b7): undefined reference to `gtest_all.cc.5c9bdf8f' /usr/bin/ld: /tmp/ccsyaUhJ.ltrans0.ltrans.o:(.debug_info+0x158dd): undefined reference to `gtest_all.cc.5c9bdf8f' /usr/bin/ld: /tmp/ccsyaUhJ.ltrans0.ltrans.o:(.debug_info+0x15903): more undefined references to `gtest_all.cc.5c9bdf8f' follow collect2: error: ld returned 1 exit status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvpx/+bug/1939640/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1900008] Re: Sessions of screen does not keep running in background
Thanks for checking Gustavo. Since you mentioned this is not reproducible in Ubuntu 20.04 I'll be marking this bug as Invalid. ** Changed in: screen (Ubuntu) Status: Incomplete => Invalid ** Changed in: systemd (Ubuntu) Status: Incomplete => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/198 Title: Sessions of screen does not keep running in background Status in screen package in Ubuntu: Invalid Status in systemd package in Ubuntu: Invalid Bug description: In a new fresh installed 20.04, when I use screen command and close the terminal (not closing screen sesion), then I can't recover it with screen -x, since does not exist. I can only recover screen sesion if the original terminal running screen is not being closed. For some reason, this is closing screen session of that user: Oct 15 13:32:45 pc-caja2 systemd[1]: session-66.scope: Succeeded. Oct 15 13:32:45 pc-caja2 systemd[1]: Stopped Session 66 of user usuario. This does not happen in an upgraded system from 18.04 to 20.04. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/screen/+bug/198/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1928604] Re: ubuntu-advantage-tools should not be auto-installed on supported Ubuntu releases
Thanks for taking the time to file this bug and trying to make Ubuntu better. ubuntu-advantage-tools does not provide only a way to enable ESM, it also provides a bunch of other services (from the project README): "The Ubuntu Advantage client provides users with a simple mechanism to view, enable, and disable offerings from Canonical on their system. The following entitlements are supported: Common Criteria EAL2 certification artifacts provisioning Canonical CIS Benchmark Audit Tool Ubuntu Extended Security Maintenance FIPS 140-2 Certified Modules FIPS 140-2 Non-Certified Module Updates Livepatch Service " Those other services might be useful in non-EOL releases. Due to that, the package is installed by default in all supported releases. ** Changed in: ubuntu-advantage-tools (Ubuntu) Status: Confirmed => Invalid ** Changed in: ubuntu-meta (Ubuntu) Status: Confirmed => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu. https://bugs.launchpad.net/bugs/1928604 Title: ubuntu-advantage-tools should not be auto-installed on supported Ubuntu releases Status in ubuntu-advantage-tools package in Ubuntu: Invalid Status in ubuntu-meta package in Ubuntu: Invalid Bug description: I understand that Canonical thinks about financial profit. It is business and it is good. But please do not install ubuntu-advantage-tools to supported releases like 18.04 LTS, 20.04 LTS and 21.04. It may confuse users. Users do not expect ESM existence on supported systems. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1928604/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
Sorry, I forgot to update the tags. Nothing is missing in the runc verification, we can release it. ** Tags removed: verification-needed verification-needed-groovy ** Tags added: verification-done verification-done-groovy -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Released Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released Status in systemd source package in Hirsute: Fix Released Status in systemd package in Debian: Fix Released Bug description: (SRU template for systemd) [impact] bash (and some other shells) builtin test command -x operation fails [test case] on any affected host system, start nspawn container, e.g.: $ sudo apt install systemd-container $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz $ mkdir h $ cd h $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz $ sudo systemd-nspawn Then from a bash shell, verify if test -x works: root@h:~# ls -l /usr/bin/gpg -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg root@h:~# test -x /usr/bin/gpg || echo "fail" fail [regression potential] any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls. [scope] this is needed for b/f this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x. [other info] this needs fixing in libseccomp as well [original description] glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine: root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail" Fail root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail" root@0df2ce5d7a46:/# root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail" root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail" Fail The -f flag works, as does /usr/bin/test: # bash -c "test -f /usr/bin/gpg || echo Fail" # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail" # [Original bug report] root@84b750e443f8:/# lsb_release -rd Description: Ubuntu Hirsute Hippo (development branch) Release: 21.04 root@84b750e443f8:/# dpkg -l gnupg apt Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-===--== ii apt2.1.20 amd64commandline package manager ii gnupg 2.2.20-1ubuntu2 all GNU privacy guard - a free PGP replacement Hi, for 3 days our CI pipelines to recreate Docker images fails for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
To verify runc I am launching a docker container and calling "test -x" like was done for systemd. Groovy == ubuntu@docker-groovy:~$ cat /etc/os-release NAME="Ubuntu" VERSION="20.10 (Groovy Gorilla)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.10" VERSION_ID="20.10" HOME_URL="https://www.ubuntu.com/; SUPPORT_URL="https://help.ubuntu.com/; BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/; PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy; VERSION_CODENAME=groovy UBUNTU_CODENAME=groovy ubuntu@docker-groovy:~$ dpkg -l | grep runc ii runc 1.0.0~rc93-0ubuntu1~20.10.1 amd64Open Container Project - runtime ubuntu@docker-groovy:~$ docker run -it ubuntu:focal /bin/bash Unable to find image 'ubuntu:focal' locally focal: Pulling from library/ubuntu a70d879fa598: Pull complete c4394a92d1f8: Pull complete 10e6159c56c0: Pull complete Digest: sha256:3c9c713e0979e9bd6061ed52ac1e9e1f246c9495aa063619d9d695fb8039aa1f Status: Downloaded newer image for ubuntu:focal root@7fa381c4877b:/# which ls /usr/bin/ls root@7fa381c4877b:/# ls -l /usr/bin/ls -rwxr-xr-x 1 root root 142144 Sep 5 2019 /usr/bin/ls root@7fa381c4877b:/# test -x /usr/bin/ls || echo "fail" root@7fa381c4877b:/# Focal = ubuntu@docker-focal:~$ cat /etc/os-release NAME="Ubuntu" VERSION="20.04.2 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.2 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/; SUPPORT_URL="https://help.ubuntu.com/; BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/; PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy; VERSION_CODENAME=focal UBUNTU_CODENAME=focal ubuntu@docker-focal:~$ dpkg -l | grep runc ii runc 1.0.0~rc93-0ubuntu1~20.04.1 amd64 Open Container Project - runtime ubuntu@docker-focal:~$ sudo docker run -it ubuntu:focal /bin/bash Unable to find image 'ubuntu:focal' locally focal: Pulling from library/ubuntu a70d879fa598: Pull complete c4394a92d1f8: Pull complete 10e6159c56c0: Pull complete Digest: sha256:3c9c713e0979e9bd6061ed52ac1e9e1f246c9495aa063619d9d695fb8039aa1f Status: Downloaded newer image for ubuntu:focal root@bf6b6e1534e5:/# which ls /usr/bin/ls root@bf6b6e1534e5:/# test -x /usr/bin/ls || echo "fail" root@bf6b6e1534e5:/# Bionic == ubuntu@docker-bionic:~$ cat /etc/os-release NAME="Ubuntu" VERSION="18.04.5 LTS (Bionic Beaver)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 18.04.5 LTS" VERSION_ID="18.04" HOME_URL="https://www.ubuntu.com/; SUPPORT_URL="https://help.ubuntu.com/; BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/; PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy; VERSION_CODENAME=bionic UBUNTU_CODENAME=bionic ubuntu@docker-bionic:~$ dpkg -l | grep runc ii runc 1.0.0~rc93-0ubuntu1~18.04.1 amd64Open Container Project - runtime ubuntu@docker-bionic:~$ sudo docker run -it ubuntu:focal /bin/bash Unable to find image 'ubuntu:focal' locally focal: Pulling from library/ubuntu a70d879fa598: Pull complete c4394a92d1f8: Pull complete 10e6159c56c0: Pull complete Digest: sha256:3c9c713e0979e9bd6061ed52ac1e9e1f246c9495aa063619d9d695fb8039aa1f Status: Downloaded newer image for ubuntu:focal root@1979a3f523dc:/# which ls /usr/bin/ls root@1979a3f523dc:/# test -x /usr/bin/ls || echo "fail" root@1979a3f523dc:/# -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1916485 Title: test -x fails inside shell scripts in containers Status in docker.io package in Ubuntu: New Status in glibc package in Ubuntu: Opinion Status in libseccomp package in Ubuntu: Fix Committed Status in runc package in Ubuntu: Fix Released Status in systemd package in Ubuntu: Fix Released Status in docker.io source package in Xenial: New Status in libseccomp source package in Xenial: New Status in runc source package in Xenial: New Status in systemd source package in Xenial: Invalid Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: New Status in runc source package in Bionic: Fix Committed Status in systemd source package in Bionic: Fix Committed Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: New Status in runc source package in Focal: Fix Committed Status in systemd source package in Focal: Fix Committed Status in docker.io source package in Groovy: New Status in libseccomp source package in Groovy: New Status in runc source package in Groovy: Fix Committed Status in systemd source package in Groovy: Fix Released Status in docker.io source package in Hirsute: New Status in libseccomp source package in Hirsute: Fix Committed Status in runc source package in Hirsute: Fix Released
[Touch-packages] [Bug 1917887] Re: Network Manager OpenVPN nested connections fail to setup routes correctly
Thank you for taking the time to file a bug report. >From what you described it seems that Network Manager is the one responsible for adding the unexpected routing rule, so this might not affect OpenVPN itself. I quickly tried to reproduce your setup but did not notice the bug there. Could you please share your config files to see if I missed something? Since there is not enough information in your report to begin triage or to differentiate between a local configuration problem and a bug in Ubuntu, I am marking this bug as "Incomplete". We would be grateful if you would: provide a more complete description of the problem, explain why you believe this is a bug in Ubuntu rather than a problem specific to your system, and then change the bug status back to "New". For local configuration issues, you can find assistance here: http://www.ubuntu.com/support/community ** Also affects: network-manager (Ubuntu) Importance: Undecided Status: New ** Changed in: network-manager (Ubuntu) Status: New => Incomplete ** Changed in: openvpn (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1917887 Title: Network Manager OpenVPN nested connections fail to setup routes correctly Status in network-manager package in Ubuntu: Incomplete Status in openvpn package in Ubuntu: Incomplete Bug description: Setup: Host lan: 192.168.0.238/24 Host Default gw: 192.168.0.1 ip route: default via 192.168.0.1 dev eno1 proto dhcp metric 100 169.254.0.0/16 dev eno1 scope link metric 1000 192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100 Primary OpenVPN (check "Use this connection only for resources on its network"): server ip: public a.b.c.d OpenVPN Tunnel: 192.168.1.0/24 routes pushed: 192.168.100.0/24 First VPN works OK: default via 192.168.0.1 dev eno1 proto dhcp metric 100 169.254.0.0/16 dev eno1 scope link metric 1000 192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100 192.168.0.1 dev eno1 proto static scope link metric 100 192.168.100.0/24 via 192.168.10.1 dev tun0 proto static metric 50 a.b.c.d via 192.168.0.1 dev eno1 proto static metric 100 Secondary OpenVPN (check "Use this connection only for resources on its network"): server ip: private 192.168.100.10 OpenVPN Tunnel: 192.168.20.0/24 routes pushed: 192.168.200.0/24 Second VPN Connect OK, routing table is wrong: default via 192.168.0.1 dev eno1 proto dhcp metric 100 192.168.200.0/24 via 192.168.20.1 dev tun1 192.168.20.0/24 dev tun1 proto kernel scope link src 192.168.20.59 169.254.0.0/16 dev eno1 scope link metric 1000 192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100 192.168.0.1 dev eno1 proto static scope link metric 100 192.168.100.0/24 via 192.168.10.1 dev tun0 proto static metric 50 a.b.c.d via 192.168.0.1 dev eno1 proto static metric 100 192.168.100.10 via 192.168.0.1 dev eno1 proto static metric 100 <- this is wrong, the openVPN#2 Gateway is not on the local lan Correct routing table using "sudo /usr/sbin/openvpn /path/to/config.openvpn" (same a Network Manager) default via 192.168.0.1 dev eno1 proto dhcp metric 100 192.168.200.0/24 via 192.168.20.1 dev tun1 192.168.20.0/24 dev tun1 proto kernel scope link src 192.168.20.59 169.254.0.0/16 dev eno1 scope link metric 1000 192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100 192.168.0.1 dev eno1 proto static scope link metric 100 192.168.100.0/24 via 192.168.10.1 dev tun0 proto static metric 50 a.b.c.d via 192.168.0.1 dev eno1 proto static metric 100 It seems that Network Manager add a wrong additional route not added by the openvpn bin: 192.168.100.10 via 192.168.0.1 dev eno1 proto static metric 100 ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: openvpn 2.4.7-1ubuntu2 ProcVersionSignature: Ubuntu 5.8.0-44.50~20.04.1-generic 5.8.18 Uname: Linux 5.8.0-44-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.16 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: ubuntu:GNOME Date: Fri Mar 5 12:44:39 2021 InstallationDate: Installed on 2021-02-19 (13 days ago) InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1) ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=it_IT.UTF-8 SHELL=/bin/bash SourcePackage: openvpn UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1917887/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help :
[Touch-packages] [Bug 1912950] Re: rsync halts with Permission denied (13) with a sticky dir and only recent kernels
Thank you for taking the time to report this bug and helping to make Ubuntu better. This sounds like an upstream bug to me. The best route to getting it fixed in Ubuntu in this case would be to file an bug with the upstream project. Have you tried to reproduce this bug using a newer rsync version? I was not able to find any upstream bug report about this, if you confirm this is affecting the latest version of rsync please report it here: https://github.com/WayneD/rsync/issues/new/choose Otherwise, if this is fixed in the newer versions we need to find out the appropriate fix to be backported. In this case, some detailed reproduction steps would be valuable. If you do end up filing an upstream bug, please link to it from here. Thanks! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsync in Ubuntu. https://bugs.launchpad.net/bugs/1912950 Title: rsync halts with Permission denied (13) with a sticky dir and only recent kernels Status in rsync package in Ubuntu: New Bug description: Looks like rsync should be adapted to a new policy of the Linux kernel. I found a report in the ZFS Github that looks a lot like my problem : https://github.com/openzfs/zfs/issues/10742 But on that page, the suggested solution using /proc/sys/fs/protected_regular doesn't seem to be ideal and instead rsync should be able to figure it out by itself so that users aren't encouraged to keep that security measure turned off (perhaps my idea is bad, but pros and cons have to be figured out). I'm regularly backing up a remote folder on a machine that has a different user list and that folder has sticky bit set, while being root on both sides. I had no error using Ubuntu 18.04 : it started failing just after upgrading to 20.04. If I try to rsync individual files of that folder, I get error 13 in most cases, but if I chmod -t on that folder, I can rsync them, but if I try rsyncing the folder again (by recursion), rsync does chmod +t on it before rsyncing individual files in the folder, and then it fails again. And of course, to work around the problem, rsync would probably have to catch error 13 and retry after doing chmod -t temporarily on the folder, then schedule a chmod +t after this folder is finished syncing, or at cleanup time (Ctrl+c or SIGTERM). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1912950/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1912256] Re: Missing channel binding prevents authentication to ActiveDirectory
Thanks for taking the time to file this bug and try to make Ubuntu better. I subscribed ubuntu-server and Sergio who has been working on this stack recently to investigate what you described. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1912256 Title: Missing channel binding prevents authentication to ActiveDirectory Status in openldap package in Ubuntu: New Bug description: > Are you uncertain if your issue is really a bug? Effect is an authentication error. Root case is a "missing feature" (see below) and requires updating dependencies, downporting. > If you are certain this is a bug please include the source package the bug is in. It's in the interaction between three libraries: openldap, cyrus-sasl, krb5 > 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu Broken in 18.04 and also in 20.10 (I guess it's also broken in anything inbetween) > 2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center libsasl2-modules-gssapi-mit: 2.1.27+dfsg-2ubuntu1 ldap-utils: 2.4.53+dfsg-1ubuntu1.2 libgssapi-krb5-2: 1.17-10ubuntu0.1 > 3) What you expected to happen # kinit $ export LDAPSASL_CBINDING=tls-endpoint $ ldapwhoami -O minssf=0,maxssf=0 -N -Y GSSAPI -H ldaps:// SASL/GSSAPI authentication started SASL username: SASL SSF: 0 u: > 4) What happened instead SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: 80090346: LdapErr: DSID-0C090597, comment: AcceptSecurityContext error, data 80090346, v4563 --- Microsoft ActiveDirectory has "LDAP Channel Binding" and recommends activating this as a required feature. See https://access.redhat.com/articles/4661861 Authentication to any AD DC which has mandatory channel binding fails. Channel binding requires at least an update to cyrus-sasl, which is not in any release as far as I can see: https://github.com/cyrusimap/cyrus- sasl/commit/975edbb69070eba6b035f08776de771a129cfb57 It also needs this commit in openldap: https://git.openldap.org/openldap/openldap/-/commit/3cd50fa8b32a21040a9892e2a8a7a9dfc7541ce6 Which as far as I can tell is v2.5 (branch OPENLDAP_REL_ENG_2_5). RH also mentions it needs up-to-date krb5 libraries, but I can't tell what minimum version this needs. I can build all libraries from source, current master (except for krb5 where I've used 1.18.3) and can confirm that channel binding works when using those libraries. I'm not sure if Samba is affected, but at least adcli, ldap-utils, and I would guess by extension also SSSD and realmd. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1912256/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1908818] Re: pure packaging of libnss3
Thanks for taking the time to report this bug and try to make Ubuntu
better.
I have checked and this is happening just in Groovy. I am subscribing
ubuntu-server for further investigation.
** Also affects: nss (Ubuntu Groovy)
Importance: Undecided
Status: New
** Changed in: nss (Ubuntu Groovy)
Status: New => Triaged
** Changed in: nss (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1908818
Title:
pure packaging of libnss3
Status in nss package in Ubuntu:
Fix Released
Status in nss source package in Groovy:
Triaged
Bug description:
dpkg -L libnss3
/.
/usr
/usr/lib
/usr/lib/${DEB_HOST_MULTIARCH}
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/libnss3.so
/usr/lib/x86_64-linux-gnu/libnssutil3.so
/usr/lib/x86_64-linux-gnu/libsmime3.so
/usr/lib/x86_64-linux-gnu/libssl3.so
/usr/lib/x86_64-linux-gnu/nss
/usr/lib/x86_64-linux-gnu/nss/libfreebl3.chk
/usr/lib/x86_64-linux-gnu/nss/libfreebl3.so
/usr/lib/x86_64-linux-gnu/nss/libfreeblpriv3.chk
/usr/lib/x86_64-linux-gnu/nss/libfreeblpriv3.so
/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.chk
/usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.chk
/usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
/usr/share
/usr/share/doc
/usr/share/doc/libnss3
/usr/share/doc/libnss3/changelog.Debian.gz
/usr/share/doc/libnss3/copyright
/usr/share/lintian
/usr/share/lintian/overrides
/usr/share/lintian/overrides/libnss3
/usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.chk
/usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.so
/usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.chk
as we can see soft links to libraries do nor resolve ${DEB_HOST_MULTIARCH} to
x86_64-linux-gnu
ProblemType: Bug
DistroRelease: Ubuntu 20.10
Package: libnss3 2:3.55-1ubuntu3
ProcVersionSignature: Ubuntu 5.8.0-33.36-generic 5.8.17
Uname: Linux 5.8.0-33-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu50.3
Architecture: amd64
CasperMD5CheckResult: skip
Date: Sun Dec 20 14:36:10 2020
SourcePackage: nss
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1908818/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1906364] Re: unattended-upgrade still restarts blacklisted daemons
** Description changed: + [Impact] + + Docker uses containerd under the hood. When containerd is upgraded it + stops and restarts its service; docker stops when containerd stops but + doesn’t restart. Particularly when doing unattended upgrades, an SRU + fix rolled out for containerd can result in unexpected and widespread + service outages for docker. + + [Test Case] + + $ sudo apt install docker.io + $ sudo systemctl start docker + $ systemctl status docker | grep Active + Active: active (running) since[...] + $ systemctl status containerd | grep Active + Active: active (running) since[...] + + $ docker pull ubuntu/redis:latest + $ docker run -e REDIS_PASSWORD=1234 --network host \ + --name test-redis -d ubuntu/redis:latest + $ telnet localhost 6379 + $ docker container logs test-redis + + $ sudo apt install --reinstall containerd + $ systemctl status containerd | grep Active + Active: active (running) since + $ systemctl status docker | grep Active + Active: inactive (dead) since [...]; 8s ago + $ docker container logs test-redis + + [Where Problems Could Occur] + + The challenge with this issue is addressing all important corner cases, + and as such the biggest risk is that we miss a corner case and fail to + keep the two services running when they should. Areas to watch will be + failures during start/stop/restart/upgrade type operations. Issues + during runtime are unlikely to relate to this change. + + [Original Report] + Hello, Today plenty of our systems running ubuntu 20.04 were restarting the docker daemon, even if i blacklisted the docker package. Since docker has an dependency on containerd thats the reason why it was restarted. IMO the blacklist should also check the full tree of dependencies... This should NOT happen! From the log you find: 2020-12-01 06:40:13,881 INFO Starting unattended upgrades script 2020-12-01 06:40:13,882 INFO Allowed origins are: o=Ubuntu,a=focal, o=Ubuntu,a=focal-security, o=UbuntuESMApps,a=focal-apps-security, o=UbuntuESM,a=focal-infra-security 2020-12-01 06:40:13,882 INFO Initial blacklist: docker docker.io 2020-12-01 06:40:13,882 INFO Initial whitelist (not strict): 2020-12-01 06:40:19,139 INFO Packages that will be upgraded: containerd qemu-block-extra qemu-kvm qemu-system-common qemu-system-data qemu-system-gui qemu-system-x86 qemu-utils 2020-12-01 06:40:19,140 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log 2020-12-01 06:40:46,996 INFO All upgrades installed 2020-12-01 06:40:50,732 INFO Starting unattended upgrades script 2020-12-01 06:40:50,732 INFO Allowed origins are: o=Ubuntu,a=focal, o=Ubuntu,a=focal-security, o=UbuntuESMApps,a=focal-apps-security, o=UbuntuESM,a=focal-infra-security 2020-12-01 06:40:50,733 INFO Initial blacklist: docker docker.io 2020-12-01 06:40:50,733 INFO Initial whitelist (not strict): Also this happened for us on plenty of our servers almost at the same (why the unattended updates are not spread over time?), which destroyed the second time an production environment. This is not how unattended-upgraded should be, sadly this package lost our trust and we disable it and schedule the 'unattended updates' now on our own. PS: Not to say that on some servers the docker daemon did not even restart.. ** Summary changed: - unattended-upgrade still restarts blacklisted daemons + [SRU] unattended-upgrade still restarts blacklisted daemons -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to unattended-upgrades in Ubuntu. https://bugs.launchpad.net/bugs/1906364 Title: [SRU] unattended-upgrade still restarts blacklisted daemons Status in docker.io package in Ubuntu: Fix Released Status in unattended-upgrades package in Ubuntu: Won't Fix Status in docker.io source package in Xenial: In Progress Status in unattended-upgrades source package in Xenial: Won't Fix Status in docker.io source package in Bionic: In Progress Status in unattended-upgrades source package in Bionic: Won't Fix Status in docker.io source package in Focal: In Progress Status in unattended-upgrades source package in Focal: Won't Fix Status in docker.io source package in Groovy: In Progress Status in unattended-upgrades source package in Groovy: Won't Fix Status in docker.io source package in Hirsute: Fix Released Status in unattended-upgrades source package in Hirsute: Won't Fix Bug description: [Impact] Docker uses containerd under the hood. When containerd is upgraded it stops and restarts its service; docker stops when containerd stops but doesn’t restart. Particularly when doing unattended upgrades, an SRU fix rolled out for containerd can result in unexpected and widespread service outages for docker. [Test Case] $ sudo apt install docker.io $ sudo systemctl start docker $ systemctl status docker | grep Active
[Touch-packages] [Bug 1903516] Re: aborted (core dumped) when using ConnectTimeout > 2147483
Thank you for taking the time to file a bug report. Could you please provide the core dump file to help us investigate your problem? Since there is not enough information in your report to begin triage or to differentiate between a local configuration problem and a bug in Ubuntu, I am marking this bug as "Incomplete". We would be grateful if you would: provide a more complete description of the problem, explain why you believe this is a bug in Ubuntu rather than a problem specific to your system, and then change the bug status back to "New". For local configuration issues, you can find assistance here: http://www.ubuntu.com/support/community ** Changed in: openssh (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1903516 Title: aborted (core dumped) when using ConnectTimeout > 2147483 Status in openssh package in Ubuntu: Incomplete Bug description: The ssh client fails with the message "Aborted (core dumped)" when setting the ConnectTimeout to 2147484 or higher. lsb_release: Linux Mint 20 (but also tested this on latest ubuntu:20.04 docker container) openssh-client version: 1:8.2p1-4ubuntu0.1 I expected that either the connect timeout would be used correctly, or that it would fail with a proper error message saying the connect timeout can't be higher than 2147483. What happened: $ ssh -o "ConnectTimeout=2147484" localhost Aborted (core dumped) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1903516/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1900396] Re: netstat man-page does not explain -t|--tcp, -u|--udp or -w|--raw
Thanks for taking the time and trying to make Ubuntu better. I am not sure if I understood your problem here. All the options you mentioned are in the netstat manpage, they are listed in the SYNOPSIS section and also OUTPUT section as "Active Internet connections (TCP, UDP, raw)". They are not regular options, they are used to specify the connection type. I do not consider this as an Ubuntu bug, if you think more explanation is required you should get in touch with upstream. I marking this bug as Invalid, if you do not agree or you have more info to provide please do it and put the status back to NEW. ** Changed in: net-tools (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to net-tools in Ubuntu. https://bugs.launchpad.net/bugs/1900396 Title: netstat man-page does not explain -t|--tcp, -u|--udp or -w|--raw Status in net-tools package in Ubuntu: Invalid Bug description: I tried looking up `netstat -tlnp` on https://explainshell.com, but there was no explanation for `-t`. It turns out that at least `-t|--tcp`, `-u|--udp` and `-w|--raw` aren't documented in the man- page (http://manpages.ubuntu.com/manpages/precise/en/man8/netstat.8.html). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-tools/+bug/1900396/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 483928] Re: ssh-keyscan(1) exits prematurely on some non-fatal errors
According to the upstream bug it was fixed in version 6.8, which Ubuntu release are you using? Ubuntu >= Xenial should be fixed. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/483928 Title: ssh-keyscan(1) exits prematurely on some non-fatal errors Status in portable OpenSSH: Confirmed Status in openssh package in Ubuntu: Confirmed Bug description: Binary package hint: openssh-client This concerns openssh-client 1:5.1p1-5ubuntu1 in Karmic. I am using ssh-keyscan(1) for its intended purpose: building an ssh_known_hosts file for a large network. Most of the hosts on this network are well-maintained systems, with properly-functioning SSH servers, and present no difficulty to the program. However, a handful of hosts are barely alive, with SSH servers that are not exactly in good working order. ssh-keyscan(1) currently will scan these systems, encounter some form of error, and then---right here is the problem---exit in the middle of the scan. The last bit of stderr output may look like # A.B.C.D SSH-2.0-OpenSSH_4.3 # A.B.C.E SSH-2.0-OpenSSH_4.3 # A.B.C.F SSH-1.99-OpenSSH_3.7p1 Connection closed by A.B.C.F or # A.B.C.D SSH-2.0-OpenSSH_4.1 # A.B.C.E SSH-2.0-OpenSSH_4.1 # A.B.C.F SSH-2.0-mpSSH_0.1.0 Received disconnect from A.B.C.F: 10: Protocol error or # A.B.C.D SSH-2.0-OpenSSH_4.4p1 # A.B.C.E SSH-2.0-OpenSSH_5.0p1 # A.B.C.F SSH-2.0-mpSSH_0.1.0 Received disconnect from A.B.C.F: 11: SSH Disabled (These are the different failure modes I've observed to date) ssh-keyscan(1) needs to be robust to these kinds of errors---simply make a note of them, and continue on with the scan. I don't want to have to find out which systems are misbehaving by running and re- running the scan (each run yields at most one bad host, obviously), nor manually edit out the few bad apples from the input list of hosts (especially considering that this particular subset can change over time). Neither is feasible when the number of hosts being scanned is very large. To manage notifications about this bug go to: https://bugs.launchpad.net/openssh/+bug/483928/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1894619] Re: [2.82 regression] router announcements have 'forever' lifetime by default
Thanks for filing this bug Iain. I am tagging it as server-next and it should be worked on by our team soon. As a source of information for the person who will work on it here is the patch submitted by Iain: http://lists.thekelleys.org.uk/pipermail/dnsmasq- discuss/2020q3/014345.html And in the reply of this message a flaw seems to be found and a new patch was proposed (asked for review): http://lists.thekelleys.org.uk/pipermail/dnsmasq- discuss/2020q3/014346.html ** Tags added: server-next -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/1894619 Title: [2.82 regression] router announcements have 'forever' lifetime by default Status in dnsmasq package in Ubuntu: Triaged Bug description: The default lifetime was changed to 1 day in 2.82 in the change corresponding to this changelog entry: Change default lease time for DHCPv6 to one day. Fine, but the same commit also did this: Alter calculation of preferred and valid times in router advertisements, so that these do not have a floor applied of the lease time in the dhcp-range if this is not explicitly specified and is merely the default. And that change is buggy and causes advertisements to have infinite lifetime, when you are using the default. See this thread http://lists.thekelleys.org.uk/pipermail/dnsmasq- discuss/2020q3/014341.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1894619/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
Hi Kartik, Are you still facing this issue? Which Ubuntu release are you using? Do you have the steps to reproduce the failure now? TIA! ** Changed in: openldap (Ubuntu) Assignee: Ryan Harper (raharper) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1472639 Title: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket Status in openldap package in Ubuntu: Incomplete Bug description: The slapd apparmor profile doesn't allow access to /run/.heim_org.h5l .kcm-socket which is used by kerberos: apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0 This is as of 2.4.40+dfsg-1ubuntu1. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1472639/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1615209] Re: ip crashes after a few times adding and removing network namespaces
I also tried to reproduce the mentioned failure in a clean Xenial container with no success. Since this is an old bug and no one replied to it for years I am removing the server-next tag. ** Tags removed: server-next -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iproute2 in Ubuntu. https://bugs.launchpad.net/bugs/1615209 Title: ip crashes after a few times adding and removing network namespaces Status in iproute2 package in Ubuntu: Expired Bug description: # which ip /sbin/ip # valgrind ip netns add black2 ==22804== Memcheck, a memory error detector ==22804== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==22804== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==22804== Command: ip netns add black2 ==22804== ==22804== Invalid write of size 1 ==22804==at 0x4031F43: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==22804==by 0x8059C83: ??? (in /bin/ip) ==22804==by 0x805AF9A: netns_map_init (in /bin/ip) ==22804==by 0x805B01F: do_netns (in /bin/ip) ==22804==by 0x804DF67: ??? (in /bin/ip) ==22804==by 0x804DA11: main (in /bin/ip) ==22804== Address 0x4227094 is 0 bytes after a block of size 28 alloc'd ==22804==at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==22804==by 0x8059C5E: ??? (in /bin/ip) ==22804==by 0x805AF9A: netns_map_init (in /bin/ip) ==22804==by 0x805B01F: do_netns (in /bin/ip) ==22804==by 0x804DF67: ??? (in /bin/ip) ==22804==by 0x804DA11: main (in /bin/ip) ==22804== Cannot create namespace file "/var/run/netns/black2": File exists ==22804== ==22804== HEAP SUMMARY: ==22804== in use at exit: 28 bytes in 1 blocks ==22804== total heap usage: 2 allocs, 1 frees, 32,824 bytes allocated ==22804== ==22804== LEAK SUMMARY: ==22804==definitely lost: 0 bytes in 0 blocks ==22804==indirectly lost: 0 bytes in 0 blocks ==22804== possibly lost: 0 bytes in 0 blocks ==22804==still reachable: 28 bytes in 1 blocks ==22804== suppressed: 0 bytes in 0 blocks ==22804== Rerun with --leak-check=full to see details of leaked memory ==22804== ==22804== For counts of detected and suppressed errors, rerun with: -v ==22804== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iproute2/+bug/1615209/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1887016] Re: Openssh default config has two PasswordAuthentication params
I launched a VM locally and I also was not able to find what you mentioned. Not sure what might have happened to make you get to this state. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1887016 Title: Openssh default config has two PasswordAuthentication params Status in openssh package in Ubuntu: Incomplete Bug description: In Ubuntu server 20.04 the /etc/ssh/sshd_config file has an additional `PasswordAuthentication yes` string in the end. It can lead to security problems, because there's already one string `# PasswordAuthentication yes` in the beginning of the file. It is supposed to be uncommented if it's needed to change the default value. But if the user uncomments this string and set in to "no", it will be overriden by the last line of config. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1887016/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1883495] Re: package openssh-server 1:7.2p2-4ubuntu2.8 [modified: usr/lib/tmpfiles.d/sshd.conf] failed to install/upgrade: Unterprozess installiertes post-installation-Skript gab
Thank you for taking the time to file a bug report. Checking the logs I noticed there is a bad configuration option: /etc/ssh/sshd_config: line 111: Bad configuration option: sudo Could you please share what you have changed in your sshd_config file? I set up a brand new Xenial conatainer with openssh installed and there is no occurrence of 'sudo' in /etc/ssh/sshd_config. Since it seems likely to me that this is a local configuration problem, rather than a bug in Ubuntu, I am marking this bug as 'Incomplete'. However, if you believe that this is really a bug in Ubuntu, then we would be grateful if you would provide a more complete description of the problem with steps to reproduce, explain why you believe this is a bug in Ubuntu rather than a problem specific to your system, and then change the bug status back to "New". For local configuration issues, you can find assistance here: http://www.ubuntu.com/support/community ** Changed in: openssh (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1883495 Title: package openssh-server 1:7.2p2-4ubuntu2.8 [modified: usr/lib/tmpfiles.d/sshd.conf] failed to install/upgrade: Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück Status in openssh package in Ubuntu: Incomplete Bug description: since months 0penssh can not be installed - not at all tried many times - tried to deinstall using terminal reinstall - no way - something totally broken ProblemType: Package DistroRelease: Ubuntu 16.04 Package: openssh-server 1:7.2p2-4ubuntu2.8 [modified: usr/lib/tmpfiles.d/sshd.conf] ProcVersionSignature: Ubuntu 4.4.0-179.209-generic 4.4.219 Uname: Linux 4.4.0-179-generic x86_64 ApportVersion: 2.20.1-0ubuntu2.23 AptOrdering: libwinpr-pool0.1: Install openssh-server: Configure libwinpr-pool0.1: Configure NULL: ConfigurePending Architecture: amd64 Date: Mon Jun 15 06:19:25 2020 ErrorMessage: Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück InstallationDate: Installed on 2016-10-13 (1340 days ago) InstallationMedia: Ubuntu-MATE 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) RelatedPackageVersions: dpkg 1.18.4ubuntu1.6 apt 1.2.32ubuntu0.1 SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 255: /etc/ssh/sshd_config: line 111: Bad configuration option: sudo /etc/ssh/sshd_config: terminating, 1 bad configuration options SourcePackage: openssh Title: package openssh-server 1:7.2p2-4ubuntu2.8 [modified: usr/lib/tmpfiles.d/sshd.conf] failed to install/upgrade: Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1883495/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1876320] Re: Port parameter sshd_config is 22 AND whatever you specify
** Changed in: openssh (Ubuntu) Status: Triaged => In Progress ** Changed in: openssh (Ubuntu Focal) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1876320 Title: Port parameter sshd_config is 22 AND whatever you specify Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: In Progress Status in openssh source package in Focal: In Progress Bug description: On my Ubuntu Server 20.04 LTS with OpenSSH 1:8.2p1-4, I have TWO sshd deamons. One (on port 22) is for internal use, accepts passwords etc. The second (on port 7722) does not allow PAM use and no passwords, allows only one user(name) and uses an alternative autorized_keys file (that only root can edit). Any parameter FIRST encountered in sshd_config is the one that is accepted; others do not override (like in many other config files). There is one exception: 'Port', which is accumulative. To make life easier, I set the more restrictive parameters for port 7722 first and next include the system-default /etc/ssh/sshd_config. The /etc/ssh/sshd_config file(s) in Ubuntu Server 20.04 DO NOT specify 'Port' anywhere - the default is 22. But: it is obviously still accumulative: Setting 'Port' to 7722 makes sshd listen on port 7722 AND 22. This is unwanted. Proposed solution: Remove the accumulative behavior for 'Port' and REQUIRE the 'Port' parameter like before (and maybe have second and later parameters override the earlier ones, like 'everyone else'). Regards, Adriaan PS Searching for solutions, I found that specifying 'ListenAddress 0.0.0.0:7722' stops sshd from listening to port 22. This, however, is not documented in 'man 5 sshd_config' and may be an unreliable side- effect. To manage notifications about this bug go to: https://bugs.launchpad.net/openssh/+bug/1876320/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1531184] Re: [SRU] dnsmasq doesn't start on boot because its interface isn't up yet
The Debian maintainer suggested to also add a WantedBy= entry in the Install section: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774970#32 ** Also affects: dnsmasq (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: dnsmasq (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: dnsmasq (Ubuntu Xenial) Importance: Undecided => Low ** Changed in: dnsmasq (Ubuntu Bionic) Importance: Undecided => Low ** Changed in: dnsmasq (Ubuntu Xenial) Status: New => Confirmed ** Changed in: dnsmasq (Ubuntu Bionic) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/1531184 Title: [SRU] dnsmasq doesn't start on boot because its interface isn't up yet Status in One Hundred Papercuts: Confirmed Status in dnsmasq package in Ubuntu: Confirmed Status in dnsmasq source package in Xenial: Confirmed Status in dnsmasq source package in Bionic: Confirmed Status in dnsmasq package in Debian: New Bug description: [Impact] dnsmasq will fail to respond on network devices that weren't up when its service started, thus not binding as expected. [Test Case] TBD [Regression Potential] The fix is just configuring the order of service startup, so is unlikely to create any regressions. Things to watch would be service related misbehaviors and general availability of the dnsmasq functionality. [Fix] Straightforward packaging fix to the service to make it delay startup until after the network is online. https://bugs.debian.org/cgi- bin/bugreport.cgi?att=1;bug=774970;filename=774970-network- online.debdiff;msg=22 [Discussion] [Original Report] My dnsmasq instance uses "interface=br-vz0" and the interface br-vz0 is managed manually in /etc/network/interfaces. During boot, dnsmasq is started before br-vz0 is created and this causes dnsmasq to exit: Jan 5 08:56:16 simon-laptop dnsmasq[1008]: dnsmasq: unknown interface br-vz0 Jan 5 08:56:16 simon-laptop dnsmasq[1008]: unknown interface br-vz0 Jan 5 08:56:16 simon-laptop dnsmasq[1008]: FAILED to start up Jan 5 08:56:17 simon-laptop NetworkManager[937]: NetworkManager (version 1.0.4) is starting... ... Jan 5 08:56:18 simon-laptop NetworkManager[937]: interface-parser: parsing file /etc/network/interfaces ... Jan 5 08:56:18 simon-laptop NetworkManager[937]: found bridge ports none for br-vz0 Jan 5 08:56:18 simon-laptop NetworkManager[937]: adding bridge port none to eni_ifaces Jan 5 08:56:18 simon-laptop NetworkManager[937]: management mode: unmanaged ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: dnsmasq 2.75-1 ProcVersionSignature: Ubuntu 4.3.0-5.16-generic 4.3.3 Uname: Linux 4.3.0-5-generic x86_64 ApportVersion: 2.19.3-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Tue Jan 5 09:53:30 2016 PackageArchitecture: all SourcePackage: dnsmasq UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/hundredpapercuts/+bug/1531184/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
** Also affects: docker.io (Ubuntu) Importance: Undecided Status: New ** Changed in: docker.io (Ubuntu Disco) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1868720 Title: backport time64 syscalls whitelist Status in docker.io package in Ubuntu: New Status in libseccomp package in Ubuntu: Fix Released Status in docker.io source package in Bionic: New Status in libseccomp source package in Bionic: Triaged Status in docker.io source package in Disco: Won't Fix Status in libseccomp source package in Disco: Won't Fix Status in docker.io source package in Eoan: New Status in libseccomp source package in Eoan: Triaged Status in docker.io source package in Focal: New Status in libseccomp source package in Focal: Fix Released Bug description: A number of new *time64 syscalls are introduced in newer kernel series (>=5.1.x): 403: clock_gettime64 404: clock_settime64 405: clock_adjtime64 406: clock_getres_time64 407: clock_nanosleep_time64 408: timer_gettime64 409: timer_settime64 410: timerfd_gettime64 411: timerfd_settime64 412: utimensat_time64 413: pselect6_time64 414: ppoll_time64 In particular utimensat_time64 is now used inside glibc>=2.31 In turn ubuntu with has trouble running docker images of newer distros. This problem affects libseccomp<2.4.2, ie bionic (lts), and eoan, but not focal. See a similar report at Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1770154 A solution could be to backport the related changes from 2.4.2 similarly to what happened for the statx whitelisting (https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1868720/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1876055] Re: SRU: Backport 2.4.3-1ubuntu2 from groovy to focal/eoan/bionic/xenial for newer syscalls for core20 base
** Changed in: libseccomp (Ubuntu Focal) Importance: Undecided => Medium ** Changed in: libseccomp (Ubuntu Eoan) Importance: Undecided => Medium ** Changed in: libseccomp (Ubuntu Bionic) Importance: Undecided => Medium ** Changed in: libseccomp (Ubuntu Xenial) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1876055 Title: SRU: Backport 2.4.3-1ubuntu2 from groovy to focal/eoan/bionic/xenial for newer syscalls for core20 base Status in libseccomp package in Ubuntu: New Status in libseccomp source package in Xenial: New Status in libseccomp source package in Bionic: New Status in libseccomp source package in Eoan: New Status in libseccomp source package in Focal: New Status in libseccomp source package in Groovy: New Bug description: [Impact] The combination of snap-confine and snap-seccomp from snapd uses libseccomp to filter various system calls for confinement. The current version in eoan/bionic/xenial (2.4.1) is missing knowledge of various system calls for various architectures. As such this causes strange issues like python snaps segfaulting (https://github.com/snapcore/core20/issues/48) or the inadvertent denial of system calls which should be permitted by the base policy (https://forum.snapcraft.io/t/getrlimit-blocked-by-seccomp-on-focal- arm64/17237). libseccomp in groovy is using the latest upstream base release (2.4.3) plus it includes a patch to add some missing aarch64 system calls (https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1877633). SRUing this version back to older stable releases allows libseccomp to operate correctly on all supported architectures. Included as part of this SRU are test-suite reliability improvements - currently the xenial libseccomp package overrides test-suite failures at build time to ignore failures. This masks the fact that on ppc64el and s390x there are currently test suite failures at build time for xenial - these failures occur since libseccomp now includes knowledge of system calls for these architectures but which the linux-libc-dev package for xenial does not actually define (since this is based of the 4.4 kernel in xenial whereas libseccomp 2.4.1 in xenial has knowledge of all system calls up to 5.4). In this SRU I have instead fixed the test suite failures for xenial by including a local (test-suite specific) set of architecture specific kernel headers from the linux-libc-dev in focal for all releases. These are just the headers which define the system call numbers for each architecture *and* these are added to tests/include/$ARCH in the source package (and tests/Makefile.am is then updated to include these new headers only). As such this ensures the actual build of libseccomp or any of the tools does not reference these headers. This allows the test suite in libseccomp to then be aware of theses system calls and so all unit tests for all architectures now pass. In any future updates for libseccomp to add new system calls, we can then similarly update these local headers to ensure the unit tests continue to work as expected. [Test Case] libseccomp includes a significant unit test suite that is run during the build and as part of autopkgtests. To verify the new aarch64 system calls are resolved as expected the scmp_sys_resolver command can be used as well: $ scmp_sys_resolver -a aarch64 getrlimit 163 (whereas in the current version in focal this returns -10180 as libseccomp was not aware of this system-call at compile-time). As part of this SRU, the test suite in libseccomp has been patched to include a local copy of the architecture-specific kernel headers from the 5.4 kernel in focal *for all releases*, so that all system calls which are defined for the 5.4 kernel are known about *for the libseccomp test suite*. This allows all unit tests to pass on older releases as well and defaults the build to fail on unit test failures (whereas currently in xenial this has been overridden to ignore failures). [Regression Potential] This has a low regression potential due to significant testing with many packages that depend on libseccomp (lxc, qemu, snapd, apt, man etc) and none have shown any regression using this new version. The re-enablement of build failure on test failure at build time also ensures that we can reliably detect FTBFS issues in the future. No symbols have been removed (or added) with this update in version so there is no chance of regression due to ABI change etc. In the past, the security team has performed more significant version upgrades for libseccomp (2.2, 2.3, 2.4) -> 2.4.1 without major incident. In the case of *this* SRU, we are only doing a micro-version upgrade from 2.4.1 to 2.4.3 so this
[Touch-packages] [Bug 1876320] Re: Port parameter sshd_config is 22 AND whatever you specify
** Also affects: openssh (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: openssh (Ubuntu Focal) Status: New => Triaged ** Changed in: openssh (Ubuntu Focal) Importance: Undecided => Low -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1876320 Title: Port parameter sshd_config is 22 AND whatever you specify Status in portable OpenSSH: Unknown Status in openssh package in Ubuntu: Triaged Status in openssh source package in Focal: Triaged Bug description: On my Ubuntu Server 20.04 LTS with OpenSSH 1:8.2p1-4, I have TWO sshd deamons. One (on port 22) is for internal use, accepts passwords etc. The second (on port 7722) does not allow PAM use and no passwords, allows only one user(name) and uses an alternative autorized_keys file (that only root can edit). Any parameter FIRST encountered in sshd_config is the one that is accepted; others do not override (like in many other config files). There is one exception: 'Port', which is accumulative. To make life easier, I set the more restrictive parameters for port 7722 first and next include the system-default /etc/ssh/sshd_config. The /etc/ssh/sshd_config file(s) in Ubuntu Server 20.04 DO NOT specify 'Port' anywhere - the default is 22. But: it is obviously still accumulative: Setting 'Port' to 7722 makes sshd listen on port 7722 AND 22. This is unwanted. Proposed solution: Remove the accumulative behavior for 'Port' and REQUIRE the 'Port' parameter like before (and maybe have second and later parameters override the earlier ones, like 'everyone else'). Regards, Adriaan PS Searching for solutions, I found that specifying 'ListenAddress 0.0.0.0:7722' stops sshd from listening to port 22. This, however, is not documented in 'man 5 sshd_config' and may be an unreliable side- effect. To manage notifications about this bug go to: https://bugs.launchpad.net/openssh/+bug/1876320/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1874257] Re: SSH fails with connection timed out - in VPN and hangs here "expecting SSH2_MSG_KEX_ECDH_REPLY" + Ubuntu 16.04.6 LTS
Thank you for taking the time to file a bug report. In order to reproduce the bug you faced, could you please share your config files? OpenSSH and OpenVPN ones. Otherwise we cannot do anything. Since there is not enough information in your report to begin triage or to differentiate between a local configuration problem and a bug in Ubuntu, I am marking this bug as "Incomplete". We would be grateful if you would: provide a more complete description of the problem, explain why you believe this is a bug in Ubuntu rather than a problem specific to your system, and then change the bug status back to "New". For local configuration issues, you can find assistance here: http://www.ubuntu.com/support/community ** Changed in: linux (Ubuntu) Status: Confirmed => Invalid ** Changed in: openssh (Ubuntu) Status: New => Incomplete ** Changed in: openvpn (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1874257 Title: SSH fails with connection timed out - in VPN and hangs here "expecting SSH2_MSG_KEX_ECDH_REPLY" + Ubuntu 16.04.6 LTS Status in linux package in Ubuntu: Invalid Status in openssh package in Ubuntu: Incomplete Status in openvpn package in Ubuntu: Incomplete Bug description: Hello Team, SSH timeout issue, once connect to VPN. Environment == Dell XPS 9570 Ubuntu 16.04.6 Xenial Xerus) kernel - 4.15.0-55-generic $dpkg -l | grep -i openssh ii openssh-client 1:7.2p2-4ubuntu2.8 --> ii openssh-server 1:7.2p2-4ubuntu2.8 ii openssh-sftp-server 1:7.2p2-4ubuntu2.8 VPN tunnel info vpn0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:IP P-t-P:xx Mask:255.255.252.0 inet6 addr: fe80::b8e2:bea4:2e62:fe08/64 Scope:Link UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1406 Metric:1 RX packets:962 errors:0 dropped:0 overruns:0 frame:0 TX packets:1029 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:87839 (87.8 KB) TX bytes:238740 (238.7 KB) Issue Unable to connect to any host via ssh or sftp after VPN connection Tried = Reinstalled the openssh-client package and still no luck. May I know why the default cipher is not taking/hanging? Please let me know . There were no recent changes. Workaround === Able to connect to ssh / sftp $ssh -c aes128-ctr user@IP Below is the debug ssh client logs === == $ssh -vvv user@ip OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g 1 Mar 2016 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug2: resolving "IP" port 22 debug2: ssh_connect_direct: needpriv 0 debug1: Connecting to IP [IP] port 22. debug1: Connection established. debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_rsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/user/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x0400 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to IP:22 as 'user' debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c debug2: host key algorithms:
[Touch-packages] [Bug 1874915] Re: krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
I agree with Sam and Andreas, we should not change the krb5kdc systemd unit file because of freeipa. I am assigning this bug back to freeipa. ** Package changed: krb5 (Ubuntu) => freeipa (Ubuntu) ** Changed in: freeipa (Ubuntu) Status: New => Triaged ** Changed in: freeipa (Ubuntu) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1874915 Title: krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system Status in freeipa package in Ubuntu: Triaged Bug description: Hopefully this can trivially be corrected. Seems the systemd service file for the kerberos portion of freeipa could use a minor tweak. When restarting the kerberos service, it (incorrectly) reports that the default configured log file (/var/log/krb5kdc.log) is sending to a "read only filesystem". This is a misleading error, since the /var/log directory by default -IS- writeable, but systemd is in fact preventing the daemon from writing. Why systemd can't inject itself inappropriately and report that it's causing the trouble is another conversation. ;) [not personally a systemd fan] File: = /lib/systemd/system/krb5-kdc.service Command: = service krb5-kdc restart Error: = krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system Please make the following adjustment to the default systemd file. = 13c13 < ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run --- > ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run /var/log Thank you for all the help and support. :) Cheers, -Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1874915/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1817077] Re: package linux-image-4.15.0-44-generic (not installed) failed to install/upgrade: run-parts: /etc/kernel/postrm.d/x-grub-legacy-ec2 exited with return code 128
@dbalde, send messages here in English please. I could translate you comment but your attachment make me think whether it is just a spam message. Anyway, you did not provide much more info, so I'll follow @cpaelzer and mark grub-legacy-ec2 as invalid again. If you have information to provide please do it and we can reconsider it. ** Changed in: grub-legacy-ec2 (Ubuntu) Status: Confirmed => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to debconf in Ubuntu. https://bugs.launchpad.net/bugs/1817077 Title: package linux-image-4.15.0-44-generic (not installed) failed to install/upgrade: run-parts: /etc/kernel/postrm.d/x-grub-legacy-ec2 exited with return code 128 Status in debconf package in Ubuntu: Confirmed Status in grub-legacy-ec2 package in Ubuntu: Invalid Bug description: I applied an system update and was presented with this error after the next login. ProblemType: Package DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-44-generic (not installed) ProcVersionSignature: Ubuntu 4.15.0-45.48-generic 4.15.18 Uname: Linux 4.15.0-45-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1: Date: Thu Feb 14 00:00:24 2019 ErrorMessage: run-parts: /etc/kernel/postrm.d/x-grub-legacy-ec2 exited with return code 128 IwConfig: eth0 no wireless extensions. lono wireless extensions. Lspci: Lsusb: Error: command ['lsusb'] failed with exit code 1: MachineType: Microsoft Corporation Virtual Machine ProcFB: 0 hyperv_fb ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-45-generic root=UUID=36f6b4c3-1f42-11e9-99c9-00155d195067 ro PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon. Python3Details: /usr/bin/python3.6, Python 3.6.7, python3-minimal, 3.6.7-1~18.04 PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1 RelatedPackageVersions: dpkg 1.19.0.5ubuntu2.1 apt 1.6.8 RfKill: SourcePackage: grub-legacy-ec2 Title: package linux-image-4.15.0-44-generic (not installed) failed to install/upgrade: run-parts: /etc/kernel/postrm.d/x-grub-legacy-ec2 exited with return code 128 UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 11/26/2012 dmi.bios.vendor: Microsoft Corporation dmi.bios.version: Hyper-V UEFI Release v1.0 dmi.board.asset.tag: None dmi.board.name: Virtual Machine dmi.board.vendor: Microsoft Corporation dmi.board.version: Hyper-V UEFI Release v1.0 dmi.chassis.asset.tag: 0298-0271-9062-6147-4258-1509-89 dmi.chassis.type: 3 dmi.chassis.vendor: Microsoft Corporation dmi.chassis.version: Hyper-V UEFI Release v1.0 dmi.modalias: dmi:bvnMicrosoftCorporation:bvrHyper-VUEFIReleasev1.0:bd11/26/2012:svnMicrosoftCorporation:pnVirtualMachine:pvrHyper-VUEFIReleasev1.0:rvnMicrosoftCorporation:rnVirtualMachine:rvrHyper-VUEFIReleasev1.0:cvnMicrosoftCorporation:ct3:cvrHyper-VUEFIReleasev1.0: dmi.product.family: Virtual Machine dmi.product.name: Virtual Machine dmi.product.version: Hyper-V UEFI Release v1.0 dmi.sys.vendor: Microsoft Corporation To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/1817077/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866210] Re: FTBFS against Ruby 2.7 on arm64
It seems this test is flaky on arm systems, after a re-try it built fine against Ruby 2.7. ** Changed in: vim (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to vim in Ubuntu. https://bugs.launchpad.net/bugs/1866210 Title: FTBFS against Ruby 2.7 on arm64 Status in vim package in Ubuntu: Invalid Bug description: During the Ruby 2.7 transition we got a FTBFS on arm64 [1]. [1] https://launchpadlibrarian.net/467387248/buildlog_ubuntu-focal- arm64.vim_2%3A8.1.2269-1ubuntu4_BUILDING.txt.gz To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/vim/+bug/1866210/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866210] [NEW] FTBFS against Ruby 2.7 on arm64
Public bug reported: During the Ruby 2.7 transition we got a FTBFS on arm64 [1]. [1] https://launchpadlibrarian.net/467387248/buildlog_ubuntu-focal- arm64.vim_2%3A8.1.2269-1ubuntu4_BUILDING.txt.gz ** Affects: vim (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to vim in Ubuntu. https://bugs.launchpad.net/bugs/1866210 Title: FTBFS against Ruby 2.7 on arm64 Status in vim package in Ubuntu: New Bug description: During the Ruby 2.7 transition we got a FTBFS on arm64 [1]. [1] https://launchpadlibrarian.net/467387248/buildlog_ubuntu-focal- arm64.vim_2%3A8.1.2269-1ubuntu4_BUILDING.txt.gz To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/vim/+bug/1866210/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1815101] Re: [master] Restarting systemd-networkd breaks keepalived clusters
** Also affects: heartbeat (Ubuntu)
Importance: Undecided
Status: New
** Changed in: heartbeat (Ubuntu Bionic)
Importance: Undecided => Medium
** Changed in: heartbeat (Ubuntu Bionic)
Status: New => Triaged
** Changed in: heartbeat (Ubuntu Disco)
Importance: Undecided => Medium
** Changed in: heartbeat (Ubuntu Disco)
Status: New => Triaged
** Changed in: heartbeat (Ubuntu Eoan)
Importance: Undecided => Low
** Changed in: heartbeat (Ubuntu Eoan)
Status: New => Triaged
** Changed in: heartbeat (Ubuntu Bionic)
Assignee: (unassigned) => Rafael David Tinoco (rafaeldtinoco)
** Changed in: heartbeat (Ubuntu Disco)
Assignee: (unassigned) => Rafael David Tinoco (rafaeldtinoco)
** Changed in: heartbeat (Ubuntu Eoan)
Assignee: (unassigned) => Rafael David Tinoco (rafaeldtinoco)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1815101
Title:
[master] Restarting systemd-networkd breaks keepalived clusters
Status in netplan:
Confirmed
Status in heartbeat package in Ubuntu:
Triaged
Status in keepalived package in Ubuntu:
In Progress
Status in systemd package in Ubuntu:
In Progress
Status in heartbeat source package in Bionic:
Triaged
Status in keepalived source package in Bionic:
Confirmed
Status in systemd source package in Bionic:
Confirmed
Status in heartbeat source package in Disco:
Triaged
Status in keepalived source package in Disco:
Confirmed
Status in systemd source package in Disco:
Confirmed
Status in heartbeat source package in Eoan:
Triaged
Status in keepalived source package in Eoan:
In Progress
Status in systemd source package in Eoan:
In Progress
Bug description:
Configure netplan for interfaces, for example (a working config with
IP addresses obfuscated)
network:
ethernets:
eth0:
addresses: [192.168.0.5/24]
dhcp4: false
nameservers:
search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com,
phone.blah.com]
addresses: [10.22.11.1]
eth2:
addresses:
- 12.13.14.18/29
- 12.13.14.19/29
gateway4: 12.13.14.17
dhcp4: false
nameservers:
search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com,
phone.blah.com]
addresses: [10.22.11.1]
eth3:
addresses: [10.22.11.6/24]
dhcp4: false
nameservers:
search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com,
phone.blah.com]
addresses: [10.22.11.1]
eth4:
addresses: [10.22.14.6/24]
dhcp4: false
nameservers:
search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com,
phone.blah.com]
addresses: [10.22.11.1]
eth7:
addresses: [9.5.17.34/29]
dhcp4: false
optional: true
nameservers:
search: [blah.com, other.blah.com, hq.blah.com, cust.blah.com,
phone.blah.com]
addresses: [10.22.11.1]
version: 2
Configure keepalived (again, a working config with IP addresses
obfuscated)
global_defs # Block id
{
notification_email {
sysadm...@blah.com
}
notification_email_from keepali...@system3.hq.blah.com
smtp_server 10.22.11.7 # IP
smtp_connect_timeout 30 # integer, seconds
router_id system3 # string identifying the machine,
# (doesn't have to be hostname).
vrrp_mcast_group4 224.0.0.18 # optional, default 224.0.0.18
vrrp_mcast_group6 ff02::12 # optional, default ff02::12
enable_traps # enable SNMP traps
}
vrrp_sync_group collection {
group {
wan
lan
phone
}
vrrp_instance wan {
state MASTER
interface eth2
virtual_router_id 77
priority 150
advert_int 1
smtp_alert
authentication {
auth_type PASS
auth_pass BlahBlah
}
virtual_ipaddress {
12.13.14.20
}
}
vrrp_instance lan {
state MASTER
interface eth3
virtual_router_id 78
priority 150
advert_int 1
smtp_alert
authentication {
auth_type PASS
auth_pass MoreBlah
}
virtual_ipaddress {
10.22.11.13/24
}
}
vrrp_instance phone {
state MASTER
interface eth4
virtual_router_id 79
priority 150
advert_int 1
smtp_alert
[Touch-packages] [Bug 1843394] Re: FTBFS in Eoan - Error: operand type mismatch for `push' - gcc 9.2.1 / binutils 2.32.51.20190905-0ubuntu1
** Changed in: ipxe (Ubuntu) Status: New => Triaged ** Changed in: ipxe (Ubuntu) Importance: Undecided => High ** Tags added: server-next ** Changed in: ipxe (Ubuntu) Assignee: (unassigned) => Christian Ehrhardt (paelzer) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to binutils in Ubuntu. https://bugs.launchpad.net/bugs/1843394 Title: FTBFS in Eoan - Error: operand type mismatch for `push' - gcc 9.2.1 / binutils 2.32.51.20190905-0ubuntu1 Status in binutils: Confirmed Status in binutils package in Ubuntu: New Status in ipxe package in Ubuntu: Triaged Bug description: This might be due to new gcc-9 being more strict, but the build that worked before now fails with: arch/x86_64/core/gdbidt.S: Assembler messages: arch/x86_64/core/gdbidt.S:109: Error: operand type mismatch for `push' arch/x86_64/core/gdbidt.S:110: Error: operand type mismatch for `push' arch/x86_64/core/gdbidt.S:161: Error: operand type mismatch for `pop' arch/x86_64/core/gdbidt.S:162: Error: operand type mismatch for `pop' make[2]: *** [Makefile.housekeeping:937: bin-x86_64-efi/gdbidt.o] Error 1 Full log at: https://launchpadlibrarian.net/441262285/buildlog_ubuntu- eoan-amd64.ipxe_1.0.0+git-20190109.133f4c4-0ubuntu2_BUILDING.txt.gz Now all of this is about push/pop of %fs and %gs. That needs to match the size of the registers which depend on the current running mode. In this particular case in ./src/arch/x86_64/core/gdbidt.S The failing file is in ".code64" mode. In that I'd expect %gs/%fs to be 64 bit. Usually we see push/pop "w" in .code16 (word), l in .code32 (long) but in that sense here q (quad word) seems right at first (should be what correctly matches the .code64). That matches what I see throughout the ipxe code but also throughout the archive https://codesearch.debian.net/search?q=pop%5Ba-z%5D.*%25fs=0=2 Maybe I misread the mode it is in, or it is actually a false positives. Or the sizes of FS/GS do not change - haven't touched them in a lng time. Was it that segment registers didn't change size? I'll need to do a few checks to first see what the compiler would expect there and from there need to understand this. The command used also points to AS being in 64 bit mode when this happens: gcc -E -DARCH=x86_64 -DPLATFORM=efi -DSECUREBOOT=0 -fstrength-reduce -fomit-frame-pointer -falign-jumps=1 -falign-loops=1 -falign-functions=1 -m64 -mno-mmx -mno-sse -fshort-wchar -Ui386 -Ulinux -DNVALGRIND -fpie -mno-red-zone -Iinclude -I. -Iarch/x86/include -Iarch/x86_64/include -Iarch/x86_64/include/efi -Os -g -ffreestanding -Wall -W -Wformat-nonliteral -fno-stack-protector -fno-dwarf2-cfi-asm -fno-exceptions -fno-unwind-tables -fno-asynchronous-unwind-tables -Wno-address -Wno-stringop-truncation -ffunction-sections -fdata-sections -include include/compiler.h -DASM_TCHAR='@' -DASM_TCHAR_OPS='@' -DASSEMBLY -DOBJECT=gdbidt arch/x86_64/core/gdbidt.S | as --64-o bin-x86_64-efi/gdbidt.o To manage notifications about this bug go to: https://bugs.launchpad.net/binutils/+bug/1843394/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
I installed the package available in bionic-proposed as you can see
below:
root@openldap-bionic-sru:~# apt policy slapd
slapd:
Installed: 2.4.45+dfsg-1ubuntu1.4
Candidate: 2.4.45+dfsg-1ubuntu1.4
Version table:
*** 2.4.45+dfsg-1ubuntu1.4 500
500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
100 /var/lib/dpkg/status
2.4.45+dfsg-1ubuntu1.3 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64
Packages
2.4.45+dfsg-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
And after executing the steps presented in the Test case section, the
slapd process did not die:
root@openldap-bionic-sru:~# ps aux | grep slapd
openldap 1029 0.0 4.5 2106104 730124 ? Ssl 18:51 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 1488 0.0 0.0 14852 840 ?S+ 18:52 0:00 grep
--color=auto slapd
root@openldap-bionic-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com
-LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-bionic-sru:~# ps aux | grep slapd
openldap 1029 0.0 4.5 2106104 730124 ? Ssl 18:51 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 1492 0.0 0.0 14852 804 ?S+ 18:52 0:00 grep
--color=auto slapd
The PID of the slapd process is the same. Moreover, there is no sign of
crash in the syslog output nor a crash file in /var/crash:
root@openldap-bionic-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-bionic-sru:~# ls /var/crash/ | grep slapd
** Tags removed: verification-needed-bionic
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Committed
Status in openldap source package in Bionic:
Fix Committed
Status in openldap source package in Disco:
Fix Committed
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As result, we
don't expect a slapd crash report in /var/crash directory.
[Regression Potential]
Since the fix
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
I installed the package available in disco-proposed as you can see
below:
root@openldap-disco-sru:~# apt policy slapd
slapd:
Installed: 2.4.47+dfsg-3ubuntu2.2
Candidate: 2.4.47+dfsg-3ubuntu2.2
Version table:
*** 2.4.47+dfsg-3ubuntu2.2 500
500 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 Packages
100 /var/lib/dpkg/status
2.4.47+dfsg-3ubuntu2.1 500
500 http://archive.ubuntu.com/ubuntu disco-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu disco-security/main amd64 Packages
2.4.47+dfsg-3ubuntu2 500
500 http://archive.ubuntu.com/ubuntu disco/main amd64 Packages
And after executing the steps presented in the Test case section, the
slapd process did not die:
root@openldap-disco-sru:~# ps aux | grep slapd
openldap 1994 0.0 4.5 2003840 728176 ? Ssl 19:05 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 2453 0.0 0.0 7980 1544 ?S+ 19:06 0:00 grep
--color=auto slapd
root@openldap-disco-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com -LLL
uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-disco-sru:~# ps aux | grep slapd
openldap 1994 0.0 4.5 2003840 728176 ? Ssl 19:05 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 2457 0.0 0.0 7980 684 ?S+ 19:06 0:00 grep
--color=auto slapd
The PID of the slapd process is the same. Moreover, there is no sign of
crash in the syslog output nor a crash file in /var/crash:
root@openldap-disco-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-disco-sru:~# ls /var/crash/ | grep slapd
** Tags removed: verification-needed-disco
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Committed
Status in openldap source package in Bionic:
Fix Committed
Status in openldap source package in Disco:
Fix Committed
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As result, we
don't expect a slapd crash report in /var/crash directory.
[Regression Potential]
Since the fix is a patch
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
I installed the package available in xenial-proposed as you can see
below:
root@openldap-xenial-sru:~# apt policy slapd
slapd:
Installed: 2.4.42+dfsg-2ubuntu3.7
Candidate: 2.4.42+dfsg-2ubuntu3.7
Version table:
*** 2.4.42+dfsg-2ubuntu3.7 500
500 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
100 /var/lib/dpkg/status
2.4.42+dfsg-2ubuntu3.6 500
500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64
Packages
2.4.42+dfsg-2ubuntu3 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
And after executing the steps presented in the Test case section, the slapd
process did not die:
root@openldap-xenial-sru:~# ps aux | grep slapd
openldap 2078 0.0 4.5 2094540 730664 ? Ssl 19:02 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 2147 0.0 0.0 14616 904 ?S+ 19:03 0:00 grep
--color=auto slapd
root@openldap-xenial-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com
-LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-xenial-sru:~# ps aux | grep slapd
openldap 2078 0.0 4.5 2094540 730576 ? Ssl 19:02 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d
root 2151 0.0 0.0 14616 860 ?S+ 19:03 0:00 grep
--color=auto slapd
The PID of the slapd process is the same. Moreover, there is no sign of crash in
the syslog output nor a crash file in /var/crash:
root@openldap-xenial-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-xenial-sru:~# ls /var/crash/ | grep slapd
** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done-bionic verification-done-disco
verification-done-xenial
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Committed
Status in openldap source package in Bionic:
Fix Committed
Status in openldap source package in Disco:
Fix Committed
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Changed in: openldap (Ubuntu Xenial)
Assignee: (unassigned) => Lucas Kanashiro (lucaskanashiro)
** Changed in: openldap (Ubuntu Bionic)
Assignee: (unassigned) => Lucas Kanashiro (lucaskanashiro)
** Changed in: openldap (Ubuntu Disco)
Assignee: (unassigned) => Lucas Kanashiro (lucaskanashiro)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Confirmed
Status in openldap source package in Bionic:
Confirmed
Status in openldap source package in Disco:
Confirmed
Status in openldap package in Debian:
Unknown
Bug description:
[Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
[Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention
that the 'ldapsearch' command should fail regardless the presence of
the bug in the package, the target here is the slapd crash. To
reproduce this bug one can follow the procedure below in Ubuntu
xenial, bionic or disco:
$ sudo apt-get update
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
slapd process will die, and /var/crash will have a crash file for
slapd. You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command
should fail but the 'slapd' process should not die. As result, we
don't expect a slapd crash report in /var/crash directory.
[Regression Potential]
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user
is not using rwm overlay and is facing any issue, it should be related
to other problems related to LDAP directory services.
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Description changed:
- Impact
- --
+ [Impact]
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
- Test Case
- -
+ [Test Case]
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention that
the 'ldapsearch' command should fail regardless the presence of the bug
in the package, the target here is the slapd crash. To reproduce this
bug one can follow the procedure below in Ubuntu xenial, bionic or
disco:
$ sudo apt-get update
-
Use debconf to pre-seed slapd questions before install it:
$ debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y
-
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
-
- slapd process will die, and /var/crash will have a crash file for slapd. You
can run the following command to confirm the error:
+ slapd process will die, and /var/crash will have a crash file for slapd.
+ You can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
-> Expected behavior
In this test case, as mentioned before, the 'ldapsearch' command should
fail but the 'slapd' process should not die. As result, we don't expect
a slapd crash report in /var/crash directory.
-
- Regression Potential
-
+ [Regression Potential]
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user is
not using rwm overlay and is facing any issue, it should be related to
other problems related to LDAP directory services.
-
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[7fc8d1868000+1c]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
buildd@lcy01-amd64-019
:/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd
Included static backends:
config
ldif
$ apt-cache
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Description changed:
Impact
--
Users willing to use the slapd rwm overlay will face a slapd
segmentation fault when trying to rewrite some rules. Backporting this
fix will allow users using stable releases to take advantage of this
feature without crashing slapd. This issue was fixed by upstream not
freeing the rwm overlay filter memory without prior checking.
Test Case
-
In this test case, the rwm overlay will be used and a rule will be
created to deny any search request for uid=root, then the 'ldapsearch'
will be invoked to trigger the failure. It is important to mention that
the 'ldapsearch' command should fail regardless the presence of the bug
in the package, the target here is the slapd crash. To reproduce this
bug one can follow the procedure below in Ubuntu xenial, bionic or
disco:
$ sudo apt-get update
+
+
+ Use debconf to pre-seed slapd questions before install it:
+
+ $ debconf-set-selections << EOF
+ slapd slapd/no_configuration boolean false
+ slapd slapd/domain string example.com
+ slapd shared/organization string example.com
+ slapd slapd/password1 password test
+ slapd slapd/password2 password test
+ slapd slapd/backend select MDB
+ slapd slapd/move_old_database boolean false
+ EOF
$ sudo apt-get install slapd ldap-utils -y
- Reconfigure the slapd package. When asked about a domain, use "example.com".
- Choose a password you want (or just leave it blank), and accept defaults for
- everything else:
-
- $ sudo dpkg-reconfigure slapd
Create a file called 'add-rwm.ldif' with the following content:
$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm
dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
With this file in place, run:
$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
Now, to trigger the crash:
$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
- slapd process will die, and /var/crash will have a crash file for slapd. You
- can run the following command to confirm the error:
+
+ slapd process will die, and /var/crash will have a crash file for slapd. You
can run the following command to confirm the error:
$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
+
+ -> Expected behavior
+
+ In this test case, as mentioned before, the 'ldapsearch' command should
+ fail but the 'slapd' process should not die. As result, we don't expect
+ a slapd crash report in /var/crash directory.
+
Regression Potential
Since the fix is a patch provided by upstream (reviewed by maintainers
and us) simple mistakes like typos are not expected. The patch impacts
only the rwm module which is not loaded by default. So any regression
would affect only the users that make use of this overlay. If an user is
not using rwm overlay and is facing any issue, it should be related to
other problems related to LDAP directory services.
+
[Original message]
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[7fc8d1868000+1c]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
[Touch-packages] [Bug 1838370] Re: slapd segfault on filter parse error
** Description changed:
+ Impact
+ --
+
+ Users willing to use the slapd rwm overlay will face a slapd segmentation
fault
+ when trying to rewrite some rules. Backporting this fix will allow users using
+ stable releases to take advantage of this feature without crashing slapd. This
+ issue was fixed by upstream not freeing the rwm overlay filter memory without
+ prior checking.
+
+ Test Case
+ -
+
+ In this test case, the rwm overlay will be used and a rule will be created to
+ deny any search request for uid=root, then the 'ldapsearch' will be invoked to
+ trigger the failure. It is important to mention that the 'ldapsearch' command
+ should fail regardless the presence of the bug in the package, the target here
+ is the slapd crash. To reproduce this bug one can follow the procedure below
in
+ Ubuntu xenial, bionic or disco:
+
+ $ sudo apt-get update
+ $ sudo apt-get install slapd ldap-utils -y
+
+ Reconfigure the slapd package. When asked about a domain, use "example.com".
+ Choose a password you want (or just leave it blank), and accept defaults for
+ everything else:
+
+ $ sudo dpkg-reconfigure slapd
+
+ Create a file called 'add-rwm.ldif' with the following content:
+
+ $ cat add-rwm.ldif
+ dn: cn=module{0},cn=config
+ changetype: modify
+ add: olcModuleLoad
+ olcModuleLoad: rwm
+
+ dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
+ changetype: add
+ objectClass: olcOverlayConfig
+ objectClass: olcRwmConfig
+ olcOverlay: rwm
+ olcRwmRewrite: {0} rwm-rewriteEngine "on"
+ olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
+ olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
+
+
+ With this file in place, run:
+
+ $ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
+
+ Now, to trigger the crash:
+
+ $ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
+ Server is unwilling to perform (53)
+ Additional information: searchFilter/searchFilterAttrDN massage error
+
+
+ slapd process will die, and /var/crash will have a crash file for slapd. You
+ can run the following command to confirm the error:
+
+ $ cat /var/log/syslog | grep filter_free
+ Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter
type=28530
+
+
+ Regression Potential
+
+
+ Since the fix is a patch provided by upstream (reviewed by maintainers and us)
+ simple mistakes like typos are not expected. The patch impacts only the rwm
+ module which is not loaded by default. So any regression would affect only the
+ users that make use of this overlay. If an user is not using rwm overlay and
is
+ facing any issue, it should be related to other problems related to LDAP
+ directory services.
+
+
+
+ [Original message]
+
Hello!
We have faced slapd crash, seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH
base="ou=test,dc=test,dc=com" scope=2 deref=0
filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp
shadowLastChange shadowMin shadow
Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublic
Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0
nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip
7fc8d18ec512 sp 7fc8889e2810 error 4 in libc-2.23.so
[7fc8d1868000+1c]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
buildd@lcy01-amd64-019
:/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd
Included static backends:
- config
- ldif
+ config
+ ldif
$ apt-cache policy slapd
slapd:
- Installed: 2.4.42+dfsg-2ubuntu3.3
- Candidate: 2.4.42+dfsg-2ubuntu3.5
- Version table:
- 2.4.42+dfsg-2ubuntu3.5 500
- 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64
+ Installed: 2.4.42+dfsg-2ubuntu3.3
+ Candidate: 2.4.42+dfsg-2ubuntu3.5
+ Version table:
+ 2.4.42+dfsg-2ubuntu3.5 500
+ 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64
Packages
- *** 2.4.42+dfsg-2ubuntu3.3 100
- 100 /var/lib/dpkg/status
- 2.4.42+dfsg-2ubuntu3.2 500
- 500
