[Bug 1964141] [NEW] Wrong certificate returned if multiple certs have same label but different ID

2022-03-08 Thread Graham Leggett
Public bug reported: Right now, when an attempt is made to store two certificates on a smartcard, where the ID of the certs are the same but the labels are not, or the labels are the same but IDs not, the wrong certificate is selected not matching the key. This typically happens when a

[Bug 1912964] Re: [Patch] Add support for digests detected from ECC certificates

2021-08-04 Thread Graham Leggett
I understand this was released in net-snmpd v5.9.1 in May 2021. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912964 Title: [Patch] Add support for digests detected from ECC certificates To

[Bug 1912390] Re: [Patch] TLS/DTLS: inconsistent allowed_uses behaviour when in debug mode / not in debug mode

2021-06-07 Thread Graham Leggett
Same bug at RHEL: https://bugzilla.redhat.com/show_bug.cgi?id=1914656 ** Bug watch added: Red Hat Bugzilla #1914656 https://bugzilla.redhat.com/show_bug.cgi?id=1914656

[Bug 1908995] Re: net-snmp SIGSEGV: not enough space or error in allocation for extenstion

2021-06-07 Thread Graham Leggett
This bug is a duplicate of: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1912389

[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes

2021-06-07 Thread Graham Leggett
Same bug at RHEL is here: https://bugzilla.redhat.com/show_bug.cgi?id=1908718 ** Bug watch added: Red Hat Bugzilla #1908718 https://bugzilla.redhat.com/show_bug.cgi?id=1908718

[Bug 1912390] Re: [Patch] TLS/DTLS: inconsistent allowed_uses behaviour when in debug mode / not in debug mode

2021-05-24 Thread Graham Leggett
Quick ping on this one - fixes for this issue released in https://github.com/net-snmp/net-snmp/releases/tag/v5.9.1.rc1.

[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes

2021-05-24 Thread Graham Leggett
Quick ping on this one. Latest net-snmp with this fixed is https://github.com/net-snmp/net-snmp/releases/tag/v5.9.1.rc1.

[Bug 1912964] Re: [Patch] Add support for digests detected from ECC certificates

2021-02-04 Thread Graham Leggett
Upstream have accepted and committed the following patch: https://github.com/net-snmp/net-snmp/commit/a1968db524e087a36a19a351b89bf6f1633819aa

[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes

2021-01-25 Thread Graham Leggett
In theory, any Let's Encrypt certificate should cause this crash. The serialised certificate transparency of the certificate at redwax.eu is 1577 bytes, three times higher than the 512 byte limit that triggers the crash. CT Precertificate SCTs: Signed Certificate

[Bug 1912964] [NEW] [Patch] Add support for digests detected from ECC certificates

2021-01-24 Thread Graham Leggett
Public bug reported: Previously, the digest could be detected on RSA certificates only. This patch adds detection for ECC certificates. https://github.com/net-snmp/net-snmp/issues/258 https://github.com/net-snmp/net-snmp/commit/a1968db524e087a36a19a351b89bf6f1633819aa ** Affects: net-snmp

[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes

2021-01-21 Thread Graham Leggett
diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c index e0e6615f0..dd202f440 100644 --- a/snmplib/snmp_openssl.c +++ b/snmplib/snmp_openssl.c @@ -499,6 +499,8 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert) extension_name = OBJ_nid2sn(nid); buf_len = sizeof(buf);
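Review bot: in netsnmp_openssl_cert_dump_extensions(), the context line "buf_len = sizeof(buf);" shows the extension text still goes into a fixed-size buffer, so the two lines this hunk adds (499,6 to 499,8) need to bound the write by buf_len and handle an extension that does not fit, for example by truncating or skipping it with a debug message. Raising the buffer size alone only moves the limit that the bug title puts at 512 bytes.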

[Bug 1912390] Re: [Patch] TLS/DTLS: inconsistent allowed_uses behaviour when in debug mode / not in debug mode

2021-01-20 Thread Graham Leggett
Another detail. localCert /etc/snmp/tls/certs/snmpd.crt The localCert parameter doesn’t accept a path, but rather a file prefix (or a fingerprint). It should look like this: LocalCert snmpd The above means “search for a file called ‘snmpd.*’ in my certificate store”. This too confused me

[Bug 1912390] Re: [Patch] TLS/DTLS: inconsistent allowed_uses behaviour when in debug mode / not in debug mode

2021-01-20 Thread Graham Leggett
Net-snmp has an index of certs, typically /var/lib/net-snmp/cert-indexes (from memory). Start with this directory empty - no files called 0, 1, 2, etc. On first run of either client or server, with no index, all the certs are loaded correctly, and the index is populated. The loading of certs

[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes

2021-01-20 Thread Graham Leggett
Launchpad always seems to get the package wrong, it's odd. To make net-snmp crash: - Turn debugging on (the crashing happens when dumping the certificate as part of debug logging). - Include a cert with an extension that, when printed, is longer than 512 bytes. - The cert I was using is an EV

[Bug 1912387] Re: [Patch] check_snmp: support SNMPv3 TSM security (client certificates)

2021-01-20 Thread Graham Leggett
Thanks for responding. The PR is a day old, upstream needs a bit of time to take a look first before implementing this. As long as this is in the queue - DTLS was added 11 years ago, but none of the users of the net-snmp library was updated.

[Bug 1912387] [NEW] [Patch] check_snmp: support SNMPv3 TSM security (client certificates)

2021-01-19 Thread Graham Leggett
Public bug reported: Add support for SNMPv3 TSM security. Patch here: https://github.com/monitoring-plugins/monitoring-plugins/pull/1657 ** Affects: nagios-plugins (Ubuntu) Importance: Undecided Status: New ** Tags: patch

[Bug 1912389] [NEW] [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes

2021-01-19 Thread Graham Leggett
Public bug reported: When net-snmp is given a certificate with an extension that is longer than 512 characters, snmp crashes on startup. Steps to Reproduce: 1. Configure net-snmp using an EV certificate from a CA (in this case Globalsign). 2. Start snmpd. 3. Actual results: [root@localhost

[Bug 1912390] [NEW] [Patch] TLS/DTLS: inconsistent allowed_uses behaviour when in debug mode / not in debug mode

2021-01-19 Thread Graham Leggett
Public bug reported: Certificate allowed_uses are not indexed by net-snmp. As a result, the trustCert option works the first time snmpd is started, but fails thereafter. In addition, there is no support for intermediate certificates (they are ignored) and as a result no possibility to use

[Bug 1908995] Re: net-snmp SIGSEGV: not enough space or error in allocation for extenstion

2020-12-22 Thread Graham Leggett
Same bug at RHEL: https://bugzilla.redhat.com/show_bug.cgi?id=1908718 ** Bug watch added: Red Hat Bugzilla #1908718 https://bugzilla.redhat.com/show_bug.cgi?id=1908718

[Bug 1908995] [NEW] net-snmp SIGSEGV: not enough space or error in allocation for extenstion

2020-12-22 Thread Graham Leggett
Public bug reported: When a certificate contains an extension that when printed becomes longer than 512 bytes (for example certificate transparency as used in modern certs) net-snmp crashes on startup with a SIGSEGV. The following patches fix the problem by: - Increasing the buffer size from

[Bug 1867673] Re: [SRU] awscli not kept up to date

2020-06-18 Thread Graham Leggett
Thank you for this, really appreciate it.

[Bug 1867688] Re: Vague error message: sss_ssh_authorizedkeys: Error looking up public keys

2020-05-05 Thread Graham Leggett
> Could you please provide more information on how to reproduce this bug? To make it clear, this error report is about the vague error message, it is not about whatever caused it, meaning that there is no need for you to reproduce my error. The way you analyse this is to start by searching the

[Bug 1867688] [NEW] Vague error message: sss_ssh_authorizedkeys: Error looking up public keys

2020-03-16 Thread Graham Leggett
Public bug reported: After deploying a replacement machine where all setup has been previously automatically orchestrated and is known to work, the following error is encountered and login is impossible: root@bastion01:~# /usr/bin/sss_ssh_authorizedkeys minfrin Error looking up public keys The

[Bug 1867673] [NEW] awscli not kept up to date

2020-03-16 Thread Graham Leggett
Public bug reported: awscli is not kept up to date, and so new AWS features are not available. The AWS pip installation method is unaudited and unsigned, and is not a production ready solution to the out-of-date problem. The awscli package needs to be kept up to date and available on all

[Bug 1847902] Re: pam_nologin should optionally exclude users of the "wheel" group from its access restrictions

2020-03-10 Thread Graham Leggett
Just locked out of an AWS machine again due to this bug. Any news on a fix?

[Bug 1668944] Re: The _apt user ignores group membership.

2020-02-25 Thread Graham Leggett
Dictating to people what their PKI policy should be is outside the scope of apt. Apt must behave properly as per standard unix behaviour, with a proper working user and a proper working group. Trying to dictate directory permissions to people breaks automation, breaks orchestration, and makes it

[Bug 815562] Re: Difficult to know why we can't find signing_key_fingerprint for a PPA

2020-01-14 Thread Graham Leggett
9 years later and this bug is still unfixed when building from Bionic. The error Error: signing key fingerprint does not exist Failed to add key. might be a statement of fact, but it doesn't tell me what I must do, or whether my system is broken or not, or what action I must take.

[Bug 1650634] Re: when installing systemd, it creates /run/nologin preventing all users from logging in.

2019-07-08 Thread Graham Leggett
Deploy Ubuntu Bionic machine from AWS, try and log in: "System is booting up. See pam_nologin(8)" Given it is impossible to log in, it's impossible to see what's wrong, or fix it.

[Bug 1776452] Re: Fail to set DNS server and search domain when customize Ubuntu18.04 to DHCP IP by cloud-init

2018-11-07 Thread Graham Leggett
Also tried the following: network: version: 1 config: - type: nameserver address: - 172.29.248.2 This version is picked up, but is broken for the same reason xenial is broken: 2018-11-07 14:33:06,581 - util.py[DEBUG]: Read 18 bytes from /sys/class/net/eth0/address

[Bug 1776452] Re: Fail to set DNS server and search domain when customize Ubuntu18.04 to DHCP IP by cloud-init

2018-11-07 Thread Graham Leggett
Trying to upgrade from Xenial to Bionic we think we've hit this bug. Previously in xenial we used resolvconf from bootcmd to override the DNS server. This no longer works in Bionic. We switched to using the "network" section in cloud init as below: network: version: 1 config: - type:

[Bug 1783248] Re: Update awscli to 1.15.15 from sid

2018-07-31 Thread Graham Leggett
We have the same problem. Lots of painful messing around to get access to bugfixes and new AWS services.

[Bug 1750356] Re: Apache2: BalancerMember worker hostname (65.character.host.name) too long

2018-07-11 Thread Graham Leggett
> I'm not very keen on this from an SRU perspective. RFC or not, it's really a feature addition This is a bug. RFC1035 describes how long a hostname must be, and httpd was not honouring the RFC. This doesn't implement "longer hostnames", this implements RFC compliant hostnames. The httpd project

[Bug 1750356] Re: Apache2: BalancerMember worker hostname (65.character.host.name) too long

2018-06-27 Thread Graham Leggett
The module magic number gives code that depends on the apache API an indication of whether a particular function or variable is available or not. I imagine Ubuntu already has a policy for the module magic number, and I suspect it's that the MMN doesn't change over the lifetime of a version of the

[Bug 1750356] Re: Apache2: BalancerMember worker hostname (65.character.host.name) too long

2018-06-27 Thread Graham Leggett
Any chance of a fix for xenial? This is where we hit the issue.

[Bug 1750356] Re: Apache2: BalancerMember worker hostname (65.character.host.name) too long

2018-04-16 Thread Graham Leggett
This breaks things for us: BalancerMember "https://xx-xx--x-x.xx--x.x-xxx.xxx.x.:443/;

[Bug 1762766] Re: apt-get update hangs when apt-transport-https is not installed

2018-04-11 Thread Graham Leggett
In our case it burned a number of days of dev time, so this is definitely causing pain. We've never seen this before because until docker, we have not encountered a system where apt-transport-https wasn't installed by default.

[Bug 1762766] Re: apt-get update hangs when apt-transport-https is not installed

2018-04-11 Thread Graham Leggett
Is it possible to backport this to trusty too? This bit us hard, and there are a lot of people out there posting this problem but with no solution.

[Bug 1762766] [NEW] apt-get update hangs when apt-transport-https is not installed

2018-04-10 Thread Graham Leggett
Public bug reported: When "apt-get update" is run on a docker container running Ubuntu v16.04 and containing an additional apt source repository hosted on an https webserver, the "apt-get update" command hangs. The hang happens after connections to http ubuntu hosts are complete, and apt-get

[Bug 893786] Re: mount option can`t set permissions

2018-03-08 Thread Graham Leggett
We just ran into this issue trying to get cloud-init to create a dedicated partition for /var/tmp. It creates the mount, but with the wrong permissions, and thus breaks the machine. We've had to hack our config to work around the problem, which is really ugly.

[Bug 1752300] [NEW] openjdk failure: Invalid -Xlog option / Invalid decorator 'utctime'

2018-02-28 Thread Graham Leggett
Public bug reported: When an attempt is made to deploy Elasticsearch debian package on an Ubuntu v16.04 xenial machine, elasticsearch refuses to start as follows: Feb 28 10:54:22 els elasticsearch[1426]: [0.000s][error][logging] Invalid decorator 'utctime'. Feb 28 10:54:22 els

[Bug 1750356] [NEW] Apache2: BalancerMember worker hostname (65.character.host.name) too long

2018-02-19 Thread Graham Leggett
Public bug reported: If the BalancerMember directive contains a URL with a hostname longer than X characters, we fail as follows: BalancerMember worker hostname (65.character.host.name) too long The size of the hostname needs to be raised so it is RFC1035 compliant. Bug fixed upstream at

[Bug 1535954] Re: elasticsearch $START_DAEMON setting in /etc/default/elasticsearch should be eliminated

2017-11-13 Thread Graham Leggett
Just tripped over this, as have these people: https://discuss.elastic.co/t/cant-start-elasticsearch-with-ubuntu-16-04/48730

[Bug 1612711] Re: TLS negation fails

2017-11-09 Thread Graham Leggett
More details. The ClientHello packet in this case is larger than 255 bytes, and is triggering the handshake failure in one of two ways. When psql linked to openssl v1.0.1f attempts to connect to postgresql linked to openssl v1.0.1f, the client side sends 8 bytes, then 1 byte, then 305 bytes in

[Bug 1305175] Re: openssl 1.0.1f 'ssl handshake failure' connection failure

2017-11-09 Thread Graham Leggett
I've also slammed headlong into this one. The clue is "SSL handshake has read 0 bytes and written 317 bytes" What the openssl v1.0.1f client side is doing is sending a clienthello packet larger than 255 bytes to a broken SSL implementation, which slams the phone down on you, thus "read 0 bytes".

[Bug 1731069] Re: Debug symbols missing: Unable to locate package ssldump-dbgsym

2017-11-09 Thread Graham Leggett
Alas the instructions to add the symbol archive don't work, as the key refuses to import on this machine: root@sql01:~# sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 428D7C01 C8CAB6595FDFF622 Executing: /tmp/tmp.DJnLBYKsvm/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys

[Bug 1612711] Re: TLS negation fails

2017-11-08 Thread Graham Leggett
Using openssl s_client on a MacOS Sierra machine connecting to the same postgresql server, the failure is identical. Looks like whatever is triggering this is caused by the server, but is being failed by the client.

[Bug 1612711] Re: TLS negation fails

2017-11-08 Thread Graham Leggett
Despite printing "no peer certificate available" below, the postgresql server serves three certificates (two intermediates and a leaf) as picked up by ssldump. In this case it is the client side that is triggering the handshake failure, not the server. The client side refuses to add the cause of

[Bug 1612711] Re: TLS negation fails

2017-11-08 Thread Graham Leggett
ssldump looks like the below. From ssldump, we can see that the server sent three separate certificates. Openssl s_client however claims that no certificates were detected. New TCP connection #42: 172.29.231.43(33116) <-> 172.29.228.240(5432) 42 1 0.0038 (0.0038) C>SV3.1(300) Handshake

[Bug 1612711] Re: TLS negation fails

2017-11-08 Thread Graham Leggett
I am seeing the exact same bug, only with the server being postgresql instead of openldap. The same setup and certificates works fine on Trusty, but have regressed on Xenial.

[Bug 1731069] Re: Debug symbols missing: Unable to locate package ssldump-dbgsym

2017-11-08 Thread Graham Leggett
This bug has nothing to do with the kernel, no idea why it's trying to get me to run apport-collect. ** Package changed: linux (Ubuntu) => ssldump (Ubuntu) ** Changed in: ssldump (Ubuntu) Status: Incomplete => Confirmed

[Bug 1731069] [NEW] Debug symbols missing: Unable to locate package ssldump-dbgsym

2017-11-08 Thread Graham Leggett
Public bug reported: When trying to debug a segmentation fault in ssldump, the debug symbols are missing. This renders debugging impossible. root@sql01:~# apt-get install ssldump-dbgsym Reading package lists... Done Building dependency tree Reading state information... Done E: Unable to

[Bug 1701751] Re: During routine apt-get update/upgrade: sudo: unknown uid 4000: who are you?

2017-06-30 Thread Graham Leggett
Machine is not full: minfrin@syslog01:~$ df -h Filesystem Size Used Avail Use% Mounted on udev 492M 12K 492M 1% /dev tmpfs 100M 360K 99M 1% /run /dev/xvda1 7.8G 3.1G 4.3G 42% / none 4.0K 0 4.0K 0% /sys/fs/cgroup none 5.0M

[Bug 1701751] [NEW] During routine apt-get update/upgrade: sudo: unknown uid 4000: who are you?

2017-06-30 Thread Graham Leggett
Public bug reported: During a routine "apt-get update; apt-get upgrade" of an Ubuntu Trusty machine, the update failed with the error "sudo: unknown uid 4000: who are you?". After this error has occurred the machine is sluggish, and all attempts to fork a process fail with "-bash: fork: Cannot

[Bug 1701751] Re: During routine apt-get update/upgrade: sudo: unknown uid 4000: who are you?

2017-06-30 Thread Graham Leggett
After waiting a while whatever is slamming the machine's memory stops, and I'm able to run commands. Running the update again fails immediately: minfrin@syslog01:~$ sudo apt-get update; sudo apt-get upgrade; sudo apt-get autoremove; sudo shutdown -r now sudo: unknown uid 4000: who are you?

[Bug 1695870] Re: [regression] sssd won't start if autofs is not installed

2017-06-07 Thread Graham Leggett
This bug just knocked out all of our development environments, how long before a fix will be downloadable as an update?

[Bug 1620744] Re: sssd/ntpd/postfix + overlayfs startup failure: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied]

2017-06-06 Thread Graham Leggett
Zooming in to the behaviour of sssd, it appears the permission denied error happens like so: - A working sssd installation is installed and the daemon started. Logfiles are created in /var/log/sssd, including /var/log/sssd/sssd.log, owned by and exclusively read/writable by root:

[Bug 1620744] Re: sssd/ntpd/postfix + overlayfs startup failure: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied]

2017-06-06 Thread Graham Leggett
I removed apparmor completely, and it made no difference - postfix+overlayfs is still broken without apparmor.

[Bug 1620744] Re: sssd/ntpd/postfix + overlayfs startup failure: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied]

2017-06-06 Thread Graham Leggett
Update the package to the linux kernel, as this bug affects multiple services. ** Package changed: sssd (Ubuntu) => linux (Ubuntu)

[Bug 1620744] Re: sssd/ntpd/postfix + overlayfs startup failure: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied]

2017-06-06 Thread Graham Leggett
If I remove the overlayfs, postfix starts up normally.

[Bug 1620744] Re: sssd/ntpd/postfix + overlayfs startup failure: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied]

2017-06-06 Thread Graham Leggett
Zooming in on postfix specifically when /var/spool/postfix is mounted on an overlayfs, postfix goes through the motions of starting but fails silently without logging anything, and /var/log/mail.log remains non-existent. An attempt to reload postfix complains that postfix isn't running:

[Bug 1620744] Re: sssd + overlay filesystem startup failure: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied]

2017-06-06 Thread Graham Leggett
After an attempt to switch out Trusty for Xenial, this problem now affects more applications. When /var/log has an overlayfs: Jun 6 10:34:07 syslog01 sssd: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied] Jun 6 10:34:15 syslog01 ntpd[1576]:

[Bug 1691126] Re: java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves

2017-05-18 Thread Graham Leggett
Looking at https://bugs.openjdk.java.net/browse/JDK-8148516, I'm not seeing a CVE number attached. In addition, this issue is marked as an "enhancement". Would it be possible to confirm how an enhancement ended up inside a security release?

[Bug 1691126] Re: java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves

2017-05-17 Thread Graham Leggett
Looking at the changelog for https://launchpad.net/ubuntu/+source/openjdk-7/7u131-2.6.9-0ubuntu0.14.04.1 I see we have a combination of security fixes and other changes rolled up in the same security patch. Do we know which change caused this regression?

[Bug 613022] Re: ssh daemon hangs after publickey packet sent

2017-05-07 Thread Graham Leggett
I am seeing this bug in Ubuntu v14.04. No obvious cause. When it's happened we've physically replaced the instances, as there is no console access at AWS.

[Bug 1675118] Re: Setting locale breaks sss_ssh_authorizedkeys: set_locale() failed (5): Input/output error

2017-04-19 Thread Graham Leggett
> We could try to regen-the locale by calling: > > $ sudo locale-gen en_US.UTF-8 > > Might that fix it for you? Not seen a change: ubuntu@bastion01:~$ sudo locale-gen en_US.UTF-8 Generating locales... en_US.UTF-8... done Generation complete. ubuntu@bastion01:~$ exit logout Connection to

[Bug 1675118] Re: Setting locale breaks sss_ssh_authorizedkeys: set_locale() failed (5): Input/output error

2017-03-27 Thread Graham Leggett
Followed instructions to add debug symbols. The following two packages clashed with one another: ubuntu@bastion01:~$ sudo apt-get install libc6-dbg libc6-dbgsym Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be

[Bug 1675118] Re: Setting locale breaks sss_ssh_authorizedkeys: set_locale() failed (5): Input/output error

2017-03-27 Thread Graham Leggett
Looking further into the manpage for setlocale(), it says the following: "For glibc, first (regardless of category), the environment variable LC_ALL is inspected, next the environment variable with the same name as the category (LC_COLLATE, LC_CTYPE, LC_MESSAGES, LC_MONETARY,

[Bug 1675118] Re: Setting locale breaks sss_ssh_authorizedkeys: set_locale() failed (5): Input/output error

2017-03-23 Thread Graham Leggett
I thought I set this as an sssd bug, sorry about that. I have many machines (in the tens to hundreds) across an estate all of whom have the same sssd configuration against LDAP. Machines that came up this morning worked with respect to LDAP, the machine that was brought up yesterday and

[Bug 1675118] [NEW] Setting locale breaks sss_ssh_authorizedkeys: set_locale() failed (5): Input/output error

2017-03-22 Thread Graham Leggett
Public bug reported: Configure an Ubuntu Trusty machine with sssd against an LDAP domain. This fails as follows: ubuntu@bastion01:~$ /usr/bin/sss_ssh_authorizedkeys [username] (Wed Mar 22 17:46:15:940434 2017) [/usr/bin/sss_ssh_authorizedkeys] [main] (0x0020): set_locale() failed (5):

[Bug 1620744] Re: sssd + overlay filesystem startup failure: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied]

2016-09-08 Thread Graham Leggett
I have no idea, all I know is I mounted an overlay disk and managed to completely DoS the machine. What seems odd is that both sssd and rsyslogd log to /var/log, and both sssd and rsyslogd have an apparmor profile. When /var/log becomes an overlayfs, sssd breaks with permission denied, while

[Bug 1620744] [NEW] sssd + overlay filesystem startup failure: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission denied]

2016-09-06 Thread Graham Leggett
Public bug reported: If an attempt is made to mount an overlay filesystem over the /var/log directory, this causes sssd to refuse to start up. The startup fails at the point where sssd attempts to write to its logfiles: sssd: Could not open file [/var/log/sssd/sssd.log]. Error: [13][Permission

[Bug 1585698] Re: sssd FTBFS on Trusty following samba update

2016-05-26 Thread Graham Leggett
I don't follow - in theory v14.04 is a long term support release, meaning that APIs are frozen and security fixes are backported. In this case it looks like an API/ABI was changed, causing build breakage, which is exactly the kind of thing we don't want in our production environment. Can you

[Bug 1585698] [NEW] Ubuntu provided sssd-common source doesn't compile on 14.04

2016-05-25 Thread Graham Leggett
Public bug reported: When attempting to rebuild the sssd package in order to patch a bug, sssd package itself breaks during compilation: sudo apt-get build-dep sssd apt-get source --compile sssd This fails to compile as follows: In file included from ../src/providers/ad/ad_srv.c:27:0:

[Bug 1578191] [NEW] sss_ssh_authorizedkeys: sss_ssh_format_pubkey() failed (22): Invalid argument

2016-05-04 Thread Graham Leggett
Public bug reported: When an SSH key in LDAP contains a trailing newline, any attempt to use this key fails with the following cryptic error message: (Wed May 4 12:23:45:316306 2016) [/usr/bin/sss_ssh_authorizedkeys] [main] (0x0040): sss_ssh_format_pubkey() failed (22): Invalid argument Bug

[Bug 1003620] Re: ssldump does not decrypt traffic

2016-04-21 Thread Graham Leggett
The -N option also seems to be blindly unsupported on Trusty, for the same reason (no link to openssl): -N Attempt to parse ASN.1 when it appears, such as in certificates and DNs. Ssldump without SSL support is pointless. This tool either needs to be fixed, or removed completely from

[Bug 1564179] Re: 389-ds-base linked to NSS and GnuTLS, replication fails

2016-04-09 Thread Graham Leggett
We are currently on a deadline and were forced to switch to CentOS7 to move our project forward, which worked fine out the box. Once our deadline is over I will run tests on the above packages to see what difference they make.

[Bug 1564179] [NEW] 389-ds-base linked to NSS and GnuTLS, replication fails

2016-03-30 Thread Graham Leggett
Public bug reported: The ns-slapd binary is currently linked to two separate SSL libraries, NSS for server connections, and gnutls for client connections via openldap: r...@ldap.example.com:~/src/openldap-2.4.31# ldd /usr/sbin/ns-slapd libnss3.so => /usr/lib/x86_64-linux-gnu/libnss3.so

[Bug 1558069] Re: Login complains "Your environment specifies an invalid locale", doesn't say which locale

2016-03-19 Thread Graham Leggett
Just to clarify, this bug report refers to the error message, not the underlying thing that triggers the error message.

[Bug 1558069] [NEW] Login complains "Your environment specifies an invalid locale", doesn't say which locale

2016-03-19 Thread Graham Leggett
Public bug reported: On login to a brand new trusty machine with all updates applied, the following message appears: _ WARNING! Your environment specifies an invalid locale. This can affect your user experience significantly,

[Bug 1558069] Re: Login complains "Your environment specifies an invalid locale", doesn't say which locale

2016-03-19 Thread Graham Leggett
Just to clarify, this bug report refers to the error message, not the underlying thing that triggers the error message. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to cloud-init in Ubuntu. https://bugs.launchpad.net/bugs/1558069

[Bug 1523921] Re: cloud-init disk_setup failure: 'list' object has no attribute 'splitlines'

2016-02-23 Thread Graham Leggett
Quick bump - any news on this? Cloud-init is rendered useless due to this bug. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1523921 Title: cloud-init disk_setup failure: 'list' object has no

[Bug 1523921] Re: cloud-init disk_setup failure: 'list' object has no attribute 'splitlines'

2016-02-23 Thread Graham Leggett
Quick bump - any news on this? Cloud-init is rendered useless due to this bug. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to cloud-init in Ubuntu. https://bugs.launchpad.net/bugs/1523921 Title: cloud-init disk_setup failure:

[Bug 1523921] Re: cloud-init disk_setup failure: 'list' object has no attribute 'splitlines'

2015-12-08 Thread Graham Leggett
This bug appears to be fixed in the dev branch of cloud-init: http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/view/head:/cloudinit/config/cc_disk_setup.py It doesn't appear to be fixed in the most recent Ubuntu supplied version of cloud-init. ** Description changed: When

[Bug 1523921] Re: cloud-init disk_setup failure: 'list' object has no attribute 'splitlines'

2015-12-08 Thread Graham Leggett
The upstream fix for this problem is as follows: http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/1084.2.2 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1523921 Title:

[Bug 1523921] [NEW] cloud-init disk_setup failure: 'list' object has no attribute 'splitlines'

2015-12-08 Thread Graham Leggett
Public bug reported: When cloud-init is used to partition a disk provided by AWS on Ubuntu v14.04, this fails. Cloud-init is configured like this: disk_setup:   /dev/xvdh: layout: true overwrite: false table_type: 'mbr' This causes cloud-init to fail as follows: Dec 8 13:23:33

[Bug 1523921] Re: cloud-init disk_setup failure: 'list' object has no attribute 'splitlines'

2015-12-08 Thread Graham Leggett
The upstream fix for this problem is as follows: http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/1084.2.2 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to cloud-init in Ubuntu.
