[Touch-packages] [Bug 1974196] Re: Installing libudev1 on a new Jammy installation uninstalls many packages.

2022-07-28 Thread vishnunaini
We have tested the proposed patched version 2.4.7 against the current
release version 2.4.5 posted at the above launchpad link via bug
reproduction and general package installation process via standard cli
and via python bindings and have no adverse observations.

We have also tested against a package we built from the accepted source
and the upstream salsa.debian.org source.

Test environment:
root@test100:/home/sre# lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 22.04 LTS
Release:        22.04
Codename:       jammy

Test Cases for both versions 2.4.5 and 2.4.7:
1. Manual APT Bash CLI
2. SaltStack 3004.2 via APT Python bindings

Current release version 2.4.5:

root@test100:/home/user# apt --version
apt 2.4.5 (amd64)
root@test100:/home/user# dpkg -l | grep apt
ii  apt                   2.4.5           amd64  commandline package manager
ii  apt-utils             2.4.5           amd64  package management related utility programs
ii  libapt-pkg6.0:amd64   2.4.5           amd64  package management runtime library
ii  libpcap0.8:amd64      1.10.1-4build1  amd64  system interface for user-level packet capture
ii  python-apt-common     2.3.0ubuntu2    all    Python interface to libapt-pkg (locales)
ii  python3-apt           2.3.0ubuntu2    amd64  Python 3 interface to libapt-pkg

root@cor-uefitest100:/home/sre# apt install libudev1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  busybox-initramfs cryptsetup finalrd gir1.2-packagekitglib-1.0
  initramfs-tools-bin klibc-utils libappstream4 libdw1 libglib2.0-bin
  libgstreamer1.0-0 libisns0 libklibc libnetplan0 libopeniscsiusr
  libpackagekit-glib2-18 libplymouth5 libpolkit-agent-1-0
  libpolkit-gobject-1-0 libsgutils2-2 libstemmer0d liburcu8 libxmlb2
  python3-software-properties sg3-utils
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libnetplan0
The following packages will be REMOVED:
  cloud-init cloud-initramfs-copymods cloud-initramfs-dyn-netconf
  cryptsetup-initramfs dbus-user-session friendly-recovery initramfs-tools
  initramfs-tools-core kpartx libnss-systemd libpam-systemd mdadm
  multipath-tools netplan.io open-iscsi overlayroot packagekit
  packagekit-tools pkexec plymouth plymouth-theme-ubuntu-text policykit-1
  polkitd sg3-utils-udev software-properties-common ubuntu-minimal
  ubuntu-server ubuntu-standard udev
The following packages will be upgraded:
  libnetplan0 libudev1
2 upgraded, 0 newly installed, 29 to remove and 35 not upgraded.
Need to get 166 kB of archives.
After this operation, 22.4 MB disk space will be freed.
Do you want to continue? [Y/n]

Proposed release version 2.4.7:
root@test101:/home/user/apt# apt install ./apt_2.4.7_amd64.deb ./libapt-pkg6.0_2.4.7_amd64.deb ./apt-utils_2.4.7_amd64.deb

root@test101:/home/user/apt# apt --version
apt 2.4.7 (amd64)

root@test101:/home/user/apt# dpkg -l | grep apt
ii  apt                   2.4.7           amd64  commandline package manager
ii  apt-utils             2.4.7           amd64  package management related utility programs
ii  libapt-pkg6.0:amd64   2.4.7           amd64  package management runtime library
ii  libpcap0.8:amd64      1.10.1-4build1  amd64  system interface for user-level packet capture
ii  python-apt-common     2.3.0ubuntu2    all    Python interface to libapt-pkg (locales)
ii  python3-apt           2.3.0ubuntu2    amd64  Python 3 interface to libapt-pkg

root@test101:/home/user/apt# apt install libudev1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libnss-systemd libpam-systemd libsystemd0 systemd systemd-sysv udev
Suggested packages:
  systemd-container libtss2-esys-3.0.2-0 libtss2-mu0 libtss2-rc0
The following packages will be upgraded:
  libnss-systemd libpam-systemd libsystemd0 libudev1 systemd systemd-sysv udev
7 upgraded, 0 newly installed, 0 to remove and 44 not upgraded.
Need to get 6875 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libnss-systemd amd64 249.11-0ubuntu3.4 [133 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libsystemd0 
amd64 
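
A pre-flight guard for the regression reported above, as an added example that is not part of the original message or of apt: it reads the `Remv` lines of `apt-get -s` simulation output and refuses a transaction that would remove packages. The sample text is constructed, with placeholder versions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: block an automated install that would remove packages.
# `apt-get -s` prints one line per planned action: Inst, Conf or Remv.

# list_removals: read simulation output on stdin and print the name of
# every package scheduled for removal, one per line.
list_removals() {
    awk '$1 == "Remv" { print $2 }'
}

# removal_count: number of planned removals in simulation output on stdin.
removal_count() {
    list_removals | wc -l | tr -d ' '
}

# safe_to_install: succeed only when the simulated transaction removes
# nothing; otherwise name the packages on stderr and fail.
safe_to_install() {
    removed=$(list_removals)
    if [ -n "$removed" ]; then
        printf 'refusing: transaction would remove:\n%s\n' "$removed" >&2
        return 1
    fi
    return 0
}

# Constructed samples in the simulation format (not captured output).
# Package names come from the report above; versions are placeholders.
SAMPLE_BAD='Remv ubuntu-server [PLACEHOLDER]
Remv cloud-init [PLACEHOLDER]
Remv udev [PLACEHOLDER]
Inst libudev1 [PLACEHOLDER] (PLACEHOLDER Ubuntu:22.04/jammy-updates [amd64])
Conf libudev1 (PLACEHOLDER Ubuntu:22.04/jammy-updates [amd64])'

SAMPLE_GOOD='Inst libudev1 [PLACEHOLDER] (PLACEHOLDER Ubuntu:22.04/jammy-updates [amd64])
Inst udev [PLACEHOLDER] (PLACEHOLDER Ubuntu:22.04/jammy-updates [amd64])
Conf libudev1 (PLACEHOLDER Ubuntu:22.04/jammy-updates [amd64])
Conf udev (PLACEHOLDER Ubuntu:22.04/jammy-updates [amd64])'

# Real use on a host with apt:
#   apt-get -s install libudev1 | safe_to_install && apt-get -y install libudev1
```

`apt-get --no-remove install libudev1` makes apt itself abort when any package would be removed.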

[Touch-packages] [Bug 1638922] Re: [needs-packaging] tar : CVE-2016-6321 not patched in stable

2016-11-03 Thread vishnunaini
I removed the needs-packaging tag. Wasn't aware that it is only for new
packages.

** Tags removed: needs-packaging

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/1638922

Title:
  [needs-packaging] tar : CVE-2016-6321 not patched in stable

Status in tar package in Ubuntu:
  New

Bug description:
  CVE-2016-6321 path name extract bypass vulnerability is not patched in
  stable releases of yakkety, xenial and other supported releases.

  The maintainer appears to have only pushed the patch to zesty
  proposed.

  Please push the patch for the stable releases as this bug could have
  serious implications in certain environments.

  Upstream debian has already pushed the patch to stable.

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842339

  https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6321.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1638922/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1638922] [NEW] tar : CVE-2016-6321 not patched in stable

2016-11-03 Thread vishnunaini
Public bug reported:

CVE-2016-6321 path name extract bypass vulnerability is not patched in
stable releases of yakkety, xenial and other supported releases.

The maintainer appears to have only pushed the patch to zesty proposed.

Please push the patch for the stable releases as this bug could have
serious implications in certain environments.

Upstream debian has already pushed the patch to stable.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842339

https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6321.html

** Affects: tar (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: cve-2016-6321 needs-packaging patch-accepted-upstream

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6321
