[Bug 1834315] Re: Revert x86/vdso linker changes from #1830890 as this causes glibc 2.29-0ubuntu3 FTBFS on eoan

2019-06-28 Thread Alex Murray
Seth - the reason this is targeted against xenial is that the launchpad builders are running the 4.4 xenial kernel - and so glibc *from eoan-proposed* FTBFS when building on launchpad - and it would appear to be as a result of this change. Oddly, I cannot reproduce the same failure locally using

[Bug 1834315] Re: Revert x86/vdso linker changes from #1830890 as this causes glibc 2.29-0ubuntu3 FTBFS on eoan

2019-06-27 Thread Alex Murray
** Tags removed: eoan -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1834315 Title: Revert x86/vdso linker changes from #1830890 as this causes glibc 2.29-0ubuntu3 FTBFS on eoan To manage

[Bug 1834315] Re: Revert x86/vdso linker changes from #1830890 as this causes glibc 2.29-0ubuntu3 FTBFS on eoan

2019-06-26 Thread Alex Murray
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1834315 Title: Revert x86/vdso linker changes from #1830890 as this causes glibc

[Bug 1834315] [NEW] Revert x86/vdso linker changes from #1830890 as this causes glibc 2.29-0ubuntu3 FTBFS on eoan

2019-06-26 Thread Alex Murray
Public bug reported: [Impact] As reported in #1833067 and https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1830890/comments/7 some glibc testcases are still regressing on i386 after applying both the following commits: commit 379d98ddf41344273d9718556f761420f4dc80b3 Author: Alistair

[Bug 1829016]

2019-06-25 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is

[Bug 1833067] Re: FTBFS on amd64 / i386 when compiled with new hardening defaults in eoan

2019-06-21 Thread Alex Murray
Using the hwe-edge kernel (5.0.0-17-generic) on a bionic host with an eoan schroot seems to work - not sure what this says about the copy_file_range test on the normal hwe kernel on bionic or for the builders on launchpad...? -- You received this bug notification because you are a member of

[Bug 1833067] Re: FTBFS on amd64 / i386 when compiled with new hardening defaults in eoan

2019-06-21 Thread Alex Murray
I am a bit stumped on this one - glibc_2.29-0ubuntu3 built fine in my PPA (https://launchpad.net/~alexmurray/+archive/ubuntu/gcc-stack-clash-protection2) but FTBFS on amd64/i386 for eoan-proposed - but I cannot reproduce the same failure locally either in an schroot or in an eoan VM - however, it

[Bug 1833180] [NEW] Fix test-suite failures due to -fcf-protection as default in eoan

2019-06-18 Thread Alex Murray
Public bug reported: The addition of -fcf-protection by default on amd64/i386/x32 on eoan causes a bunch of gcc-test-suite failures - these can be fixed by simply overriding the build options for these tests to specify -fcf-protection=none. ** Affects: gcc-9 (Ubuntu) Importance: Undecided

[Bug 1833067] [NEW] FTBFS on amd64 / i386 when compiled with new hardening defaults in eoan

2019-06-17 Thread Alex Murray
Public bug reported: In eoan we are activating new hardening defaults in gcc (-fstack-clash-protection on all non-32-bit ARM arches and -fcet-protection on i386/amd64/x32). As a result of -fcet-protection by default, glibc FTBFS since it has to be explicitly configured (./configure

[Bug 1832309] Re: netplan stores wifi-password world-readable

2019-06-11 Thread Alex Murray
** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1832309 Title: netplan stores wifi-password world-readable To manage notifications about

[Bug 1830629] Re: Errors when extracting ZIP files. It can not differentiate between files and directories

2019-05-30 Thread Alex Murray
Thanks for reporting this issue - this would appear to have potential security implications, however as it is already public I see no reason to keep this private - if a CVE were to be assigned then this could be fixed via a security update by the security team, otherwise this would be fixed via

[Bug 1830743] Re: Ubuntu 18 ,19 doesn't launch on new hardware

2019-05-28 Thread Alex Murray
*** This bug is a duplicate of bug 1829620 *** https://bugs.launchpad.net/bugs/1829620 ** This bug has been marked a duplicate of bug 1829620 intel-microcode on ASUS makes kernel stuck during loading initramfs on bionic-updates, bionic-security -- You received this bug notification

[Bug 1830812] Re: Whiskey Lake Intel CPU incompatible with microcode firmware upgrade

2019-05-28 Thread Alex Murray
*** This bug is a duplicate of bug 1829620 *** https://bugs.launchpad.net/bugs/1829620 ** Information type changed from Private Security to Public ** This bug has been marked a duplicate of bug 1829620 intel-microcode on ASUS makes kernel stuck during loading initramfs on bionic-updates,

[Bug 1829071] Re: Privilege escalation via LXD (local root exploit)

2019-05-21 Thread Alex Murray
Since this is already public via other sources I have no objections - I would like to see Chris' suggestions in comment:10 investigated by the LXD team to see if these would be suitable as future features to try and attenuate the authority which comes via lxd. ** Information type changed from

[Bug 1828116] Re: Password works uppercase and lowercase

2019-05-14 Thread Alex Murray
** Information type changed from Private Security to Public Security ** Changed in: gdm3 (Ubuntu) Status: Incomplete => New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1828116 Title:

[Bug 1828124] Re: org.gnome.evolution.dataserver.Source completely unveils account credentials in plain text while using dbus-monitor

2019-05-12 Thread Alex Murray
From a security PoV this is basic security by obscurity and effectively pointless - they are simply XORing each byte with a fixed value and then base64 encoding it - since the source code is public anyone can easily find this out and hence easily decode it - the only way to do this securely would

[Bug 1816548] Re: [MIR] usbguard

2019-05-10 Thread Alex Murray
I reviewed usbguard 0.7.4+ds-1 as checked into eoan. This shouldn't be considered a full audit but rather a quick gauge of maintainability. usbguard consists of a daemon which manages the authorization of new USB devices via udev events. It provides an IPC interface (which by default is only

[Bug 1828189] Re: latest debians for glibc for ubuntu 16.04

2019-05-10 Thread Alex Murray
Which fix are you referring to? There is nothing specifically mentioned in this bug report - as noted in comment#1 you can see the current status of security fix backports in the CVE tracker. As for a timeline for outstanding fixes - there are currently a reasonable number of outstanding CVEs for

[Bug 1828487] Re: The grub failed to install shim

2019-05-10 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1828190] Re: latest wget debian for ubuntu 16.04

2019-05-10 Thread Alex Murray
Which fix are you referring to? There is nothing specifically mentioned in this bug report - as noted in comment#2 you can see the current status of security fix backports in the CVE tracker. If you had looked you would have noticed there is currently no outstanding CVEs for wget therefore the

[Bug 1828191] Re: latest debian for urllib3 in ubuntu 16.04

2019-05-10 Thread Alex Murray
Which fix are you referring to? There is nothing specifically mentioned in this bug report - as noted in comment#1 you can see the current status of security fix backports in the CVE tracker. As for a timeline for outstanding fixes - hopefully within a week or so. -- You received this bug

[Bug 1025525] Re: DRM buffer permission model is inadequate

2019-05-09 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1025525 Title: DRM buffer permission model is inadequate To manage notifications

[Bug 1828474] Re: package sudo 1.8.3p1-1ubuntu3.7 failed to install/upgrade: subprocess installed pre-removal script returned error exit status 1

2019-05-09 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1827924] Re: Panic or segfault in Samba

2019-05-08 Thread Alex Murray
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1827924 Title: Panic or segfault in Samba To manage notifications about this bug go to:

[Bug 1828189] Re: latest debians for glibc for ubuntu 16.04

2019-05-08 Thread Alex Murray
As noted in the Ubuntu Security Team FAQ we do not upgrade versions for stable Ubuntu releases - however the Security Team does backport security fixes where possible https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions To determine any possible outstanding vulnerabilities for glibc please check the

[Bug 1828190] Re: latest wget debian for ubuntu 16.04

2019-05-08 Thread Alex Murray
As noted in the Ubuntu Security Team FAQ we do not upgrade versions for stable Ubuntu releases - however the Security Team does backport security fixes where possible https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions To determine any possible outstanding vulnerabilities for wget please check the

[Bug 1828190] Re: latest wget debian for ubuntu 16.04

2019-05-08 Thread Alex Murray
As noted in the Ubuntu Security Team FAQ we do not upgrade versions for stable Ubuntu releases - however the Security Team does backport security fixes where possible https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions To determine any possible outstanding vulnerabilities for glibc please check the

[Bug 1828191] Re: latest debian for urllib3 in ubuntu 16.04

2019-05-08 Thread Alex Murray
As noted in the Ubuntu Security Team FAQ we do not upgrade versions for stable Ubuntu releases - however the Security Team does backport security fixes where possible https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions To determine any possible outstanding vulnerabilities for python-urllib3 please

[Bug 1828324] Re: ERROR 2003 (HY000): Can't connect to MySQL server on '127.0.0.1' (111)

2019-05-08 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1828218] Re: boeug

2019-05-08 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1827985] Re: package acpid 1:2.0.28-1ubuntu1 failed to install/upgrade: el subproceso instalado el script post-installation devolvió el código de salida de error 1

2019-05-07 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1820225] Re: [MIR] robot-detection as dependency of mailman3

2019-05-07 Thread Alex Murray
** Changed in: robot-detection (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1820225 Title: [MIR] robot-detection as

[Bug 1820798] Re: hardening-check: add support for detecting stack clash protected binaries

2019-05-06 Thread Alex Murray
MR submitted in https://salsa.debian.org/debian/devscripts/merge_requests/121 Will still try and work on the tests for it in addition so expect a follow up MR later. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1827959]

2019-05-06 Thread Alex Murray
*** This bug is a duplicate of bug 1827727 *** https://bugs.launchpad.net/bugs/1827727 Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and is a duplicate of bug 1827727, so it is being marked as such. Please

[Bug 1827959] Re: All extensions disabled due to expiration of intermediate signing cert

2019-05-06 Thread Alex Murray
*** This bug is a duplicate of bug 1827727 *** https://bugs.launchpad.net/bugs/1827727 Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as

[Bug 1824635] Re: zmq

2019-05-05 Thread Alex Murray
** Changed in: zeromq (Ubuntu) Status: New => Fix Released ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1824635 Title:

[Bug 1826746] Bug is not a security issue

2019-05-05 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1826746]

2019-05-05 Thread Alex Murray
I noticed that some of the sentences in this bug report are not in English. If they were translated to English they would be accessible to more triagers. Could you please translate them? ** Information type changed from Private Security to Public -- You received this bug notification because

[Bug 1827183] Re: package phonon:amd64 4:4.8.3-0ubuntu3 failed to install/upgrade: package phonon:amd64 is not ready for configuration cannot configure (current status 'half-installed')

2019-05-05 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1827282] Re: package sgml-base 1.29 failed to install/upgrade: triggers looping, abandoned

2019-05-05 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1827309] Re: cant upgrade via terminal

2019-05-05 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1781699] Re: DHCPv6 server crashes regularly (bionic)

2019-05-03 Thread Alex Murray
This has been assigned CVE-2019-6470 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6470 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1781699 Title: DHCPv6 server crashes

[Bug 1781699] Re: DHCPv6 server crashes regularly (bionic)

2019-05-02 Thread Alex Murray
This looks like a possible use-after-free so likely has a security impact (at a minimum it is a denial of service due to the crash, especially if it can be triggered remotely) - I've reported it to ISC as such who will hopefully assign a CVE and then we can fix it as a security update. For future

[Bug 1820798] Re: hardening-check: add support for detecting stack clash protected binaries

2019-05-02 Thread Alex Murray
Sure I'll see what I can do - my understanding was the process was to get it into Ubuntu first and then submit it back to Debian but am happy to go the other way round. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1827202] Re: Apport hook may expose sensitive information

2019-05-01 Thread Alex Murray
** Also affects: byobu Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1827202 Title: Apport hook may expose sensitive information To manage notifications

[Bug 1827202] [NEW] Apport hook may expose sensitive information

2019-05-01 Thread Alex Murray
*** This bug is a security vulnerability *** Public security bug reported: OVERVIEW Author: Sander Bos Author's e-mail address: sbos _at_ sbosnet _dot_ nl Author's website: CVE identifier: requested Date: 2019-04-19 Report version: 2 SUMMARY --- The

[Bug 1827202] Re: Apport hook may expose sensitive information

2019-05-01 Thread Alex Murray
This has been assigned CVE-2019-7306 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1827202 Title: Apport hook may expose sensitive information To manage notifications about this bug go to:

[Bug 1825753] Re: fan speed not reported with Ubuntu 18.10 and 19.04

2019-04-28 Thread Alex Murray
Sounds like this is a kernel bug / change which has caused this - reassigning. ** Changed in: indicator-sensors Status: New => Invalid ** Also affects: linux (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu

[Bug 1820798] Re: hardening-check: add support for detecting stack clash protected binaries

2019-04-09 Thread Alex Murray
Relaxed some of the checks to find additional stack-clash-protected binaries due to more optimisation shenanigans ** Patch added: "devscripts_2.19.4ubuntu0.1.debdiff"

[Bug 1820798] Re: hardening-check: add support for detecting stack clash protected binaries

2019-04-09 Thread Alex Murray
The attached should be more robust to optimisation in gcc and is updated against the latest devscripts in disco ** Patch added: "devscripts_2.19.4ubuntu0.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/devscripts/+bug/1820798/+attachment/5254407/+files/devscripts_2.19.4ubuntu0.1.debdiff

[Bug 1822736] Re: Passwords longer than 255 characters break authentication

2019-04-02 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1822736 Title: Passwords longer than 255 characters break authentication To

[Bug 1822013] Re: extplorer package exposes /usr/ (and /etc/extplorer/) directory over HTTP

2019-04-01 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1822013 Title: extplorer package exposes /usr/ (and /etc/extplorer/) directory

[Bug 1820798] Re: hardening-check: add support for detecting stack clash protected binaries

2019-03-31 Thread Alex Murray
Will let the foundations team decide on the importance of this but the security team is keen for this to land in 19.10 / EE to support the toolchain hardening updates so I hope this is seen as a higher priority than Wishlist. ** Changed in: devscripts (Ubuntu) Importance: Wishlist => Undecided

[Bug 1822036] [NEW] Add devicetree overlay to support the SLB9670 TPM module for RPi

2019-03-28 Thread Alex Murray
Public bug reported: [Impact] * Currently it is not possible to use the SLB9670 TPM module with Ubuntu Core since we do not ship the required devicetree overlay to enable it https://github.com/raspberrypi/linux/commit/c28ac2dc08bd73963f953a757a3362c64b5524ed and there is no way for snaps to

[Bug 1742711] Re: MIR: vulkan-loader

2019-03-25 Thread Alex Murray
I reviewed vulkan-loader version 1.1.101.0-2_amd64 as checked into disco. This shouldn't be considered a full security audit but rather a quick check of maintainability. - No CVE history in our database - vulkan-loader provides support for loading the main vulkan library, handling layer and

[Bug 1621386] Re: [MIR] libsodium

2019-03-24 Thread Alex Murray
I reviewed libsodium version 1.0.8-5 as checked into xenial, looking for any deviations from Seth's original review since this is a different version. - No CVE history in our database - libsodium provides a programmer- and packager-friendly library around the NaCl family of cryptography APIs. -

[Bug 1821508] Re: there is a lagging while i am accessing the software or browing

2019-03-24 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1746772] Re: [MIR] pymacaroons, python-libnacl

2019-03-21 Thread Alex Murray
I reviewed pymacaroons 0.9.2-0ubuntu1 as checked in to Xenial. pymacaroons is a python implementation of the Macaroon concept - like cookies but with caveats, allowing delegation and attenuation of authority - so kind of like capabilities (the real ones, not POSIX / Linux ones). - No CVE history

[Bug 1820798] Re: hardening-check: add support for detecting stack clash protected binaries

2019-03-21 Thread Alex Murray
Update the debdiff again to fix a possible runtime failure in a highly unlikely corner case. ** Patch added: "devscripts_2.19.3ubuntu0.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/devscripts/+bug/1820798/+attachment/5248326/+files/devscripts_2.19.3ubuntu0.1.debdiff -- You received

[Bug 1817327] Re: [Mir] python-libnacl

2019-03-21 Thread Alex Murray
python-libnacl is a thin python wrapper over the libsodium C library, using ctypes to interact with libsodium. I reviewed python-libnacl 1.4.5-0ubuntu1 from xenial. This shouldn't be considered a full security audit but rather a quick check of maintainability. Furthermore this is not an audit of

[Bug 1746772] Re: [MIR] pymacaroons, python-libnacl

2019-03-20 Thread Alex Murray
** Changed in: pymacaroons (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1746772 Title: [MIR] pymacaroons,

[Bug 1820798] Re: hardening-check: add support for detecting stack clash protected binaries

2019-03-20 Thread Alex Murray
Updated debdiff with some minor improvements to the proposed changes to be a bit more efficient and add some more comments ** Patch added: "devscripts_2.19.3ubuntu0.1.debdiff"

[Bug 1772791] Re: Lock/login screen displays password in clear text occasionally

2019-03-20 Thread Alex Murray
https://gitlab.gnome.org/GNOME/gnome-shell/issues/460#note_331931 seems to offer a pretty compelling explanation of why this might be seen inadvertently. ** Bug watch added: gitlab.gnome.org/GNOME/gnome-shell/issues #460 https://gitlab.gnome.org/GNOME/gnome-shell/issues/460 -- You received

[Bug 1821003] Re: Screen locking issue

2019-03-20 Thread Alex Murray
*** This bug is a duplicate of bug 1772791 *** https://bugs.launchpad.net/bugs/1772791 ** This bug has been marked a duplicate of bug 1772791 Lock/login screen displays password in clear text occasionally ** Information type changed from Private Security to Public Security -- You

[Bug 1821030] Re: [To Be Filled By O.E.M., Realtek ALC662 rev1, Green Line Out, Rear] No sound at all

2019-03-20 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1820798] [NEW] hardening-check: add support for detecting stack clash protected binaries

2019-03-19 Thread Alex Murray
Public bug reported: The security team is in the process of making -fstack-clash-protection enabled by default in gcc-8/9 for 19.10 / 20.04. To support this it is useful to be able to detect binaries which include this new feature via hardening-check. Unlike previous features this can only be

[Bug 1811661] Re: Information leak (resource disk swap file created world-readable)

2019-03-18 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1811661 Title: Information leak (resource disk swap file created world-readable)

[Bug 1820369] Re: crash while installation

2019-03-17 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1820319] Re: [To Be Filled By O.E.M., Realtek ALC662 rev1, Blue Line In, Rear] No sound at all

2019-03-17 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1819240] Re: Many sites will not connect. Very slow. Some siezing.

2019-03-11 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1812527] Re: [bionic][regression] gnome-shell crashes with SIGSEGV in meta_window_actor_is_destroyed(self=NULL) called from _switchWorkspaceDone() [windowManager.js:1787]

2019-03-11 Thread Alex Murray
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1812527 Title: [bionic][regression] gnome-shell crashes with SIGSEGV in

[Bug 1819344] Re: I don't know this bug

2019-03-11 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1819366] Re: package libstdc++-8-dev 8.2.0-7ubuntu1 failed to install/upgrade: dpkg-deb --fsys-tarfile subprocess returned error exit status 2

2019-03-11 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1818584] Re: snaps applications can't open files on an USB key

2019-03-06 Thread Alex Murray
Can you try connecting the removable-media interface for these snaps? snap connect telegram-desktop:removable-media :removable-media -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1818584 Title:

[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module

2019-03-05 Thread Alex Murray
** Changed in: grub2 (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1787630 Title: [FFe] Include HTTP support in

[Bug 1818462] Re: exposed canonical server

2019-03-04 Thread Alex Murray
people.canonical.com is publicly accessible by design. There is no security issue here. ** Information type changed from Private Security to Public ** Changed in: ubuntu Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is

[Bug 1814997] Re: [MIR] libxmlb

2019-03-04 Thread Alex Murray
libxmlb is a recently developed and released library written in C to allow applications to perform fast XPath queries against an XML document without having to parse the entire document into memory. This is designed to only support a subset of XPath for the purposes for fwupd and other utilities.

[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module

2019-02-26 Thread Alex Murray
http.c generally looks okay - errors are usually checked and handled, care is taken to ensure buffers are not overrun etc, sizes are handled well etc. From what I can see it appears to also appropriately check input to ensure it doesn't blindly trust it as well. Also the upstream history of this

[Bug 1799009] Re: Failed upgrade from Ubuntu 18.04 to 18.10

2019-01-22 Thread Alex Murray
Please try running 'sudo apt-get dist-upgrade' instead -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1799009 Title: Failed upgrade from Ubuntu 18.04 to 18.10 To manage notifications about this bug

[Bug 1812545] Re: package libasprintf0v5:amd64 0.19.7-2ubuntu3.1 failed to install/upgrade: package libasprintf0v5:amd64 is already installed and configured

2019-01-22 Thread Alex Murray
*** This bug is a duplicate of bug 1812544 *** https://bugs.launchpad.net/bugs/1812544 Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as

[Bug 1812468] Re: package linux-firmware 1.173.3 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1

2019-01-22 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1812783] Re: package tex-common 6.09 failed to install/upgrade: installed tex-common package post-installation script subprocess returned error exit status 1

2019-01-21 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1812480] Re: [SRU] Update to bugfix release 3.0.6 in Bionic

2019-01-21 Thread Alex Murray
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1812480 Title: [SRU] Update to bugfix release 3.0.6 in Bionic To manage notifications

[Bug 1812544] Re: package libasprintf0v5:amd64 0.19.7-2ubuntu3.1 failed to install/upgrade: package libasprintf0v5:amd64 is already installed and configured

2019-01-21 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1812436] Re: Display locking leaves the Ubuntu dock available and functional

2019-01-21 Thread Alex Murray
*** This bug is a duplicate of bug 1769383 *** https://bugs.launchpad.net/bugs/1769383 Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and is a duplicate of bug 1769383, so it is being marked as such. Please

[Bug 1812554] Re: package udev 229-4ubuntu21.15 failed to install/upgrade: package udev is already installed and configured

2019-01-21 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1802305] Re: "setup-data.conf" is saved as plaintext

2018-12-12 Thread Alex Murray
Looks like upstream used to store the password as plaintext but changed this a while ago to instead store it in the keyring - https://github.com/GNOME/gnome-boxes/commit/ac552985647ebb6d7ee924cd77f0b93df44b4ff0 I suggest filing an issue directly upstream if you believe the current behaviour is

[Bug 1790855] Re: [MIR] gpsd

2018-12-02 Thread Alex Murray
@cyphermox - this is assigned to the security team for security review but is still marked Incomplete from your questions earlier - plus looks like you also NAK'd it above - is this now ACK'd from your side or is it still blocked - and hence should I un-assign it from the security team? -- You

[Bug 1770871] Re: [MIR] libcue

2018-11-28 Thread Alex Murray
I reviewed libcue (2.2.1-2) from disco. This is not a full security audit but rather a quick gauge of maintainability. libcue is a library to parse CUE sheets / files (metadata which describes how tracks of a CD or DVD are laid out). Stored as plain text and commonly have the .cue extension.

[Bug 1770877] Re: [MIR] tracker-miners

2018-11-28 Thread Alex Murray
, libgif-dev, libgxps-dev, libosinfo-1.0-dev, libtagc0-dev, libcue-dev, libseccomp-dev, dbus, dbus-x11, procps, shared-mime-info, Security team ACK to promote to main. ** Changed in: tracker-miners (Ubuntu) Assignee: Alex Murray (alexmurray) => (unassigned) -- You received this

[Bug 1770877] Re: [MIR] tracker-miners

2018-11-27 Thread Alex Murray
** Changed in: tracker-miners (Ubuntu) Assignee: (unassigned) => Alex Murray (alexmurray) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1770877 Title: [MIR] tracker-miners To man

[Bug 1770877] Re: [MIR] tracker-miners

2018-11-27 Thread Alex Murray
Whoops - just noticed the comment re which version to review - will take a look at the suggested version in https://salsa.debian.org/gnome-team/tracker-miners -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1770877] Re: [MIR] tracker-miners

2018-11-27 Thread Alex Murray
- ACK from security team to promote to main. ** Bug watch added: GNOME Bug Tracker #764786 https://bugzilla.gnome.org/show_bug.cgi?id=764786 ** Changed in: tracker-miners (Ubuntu) Assignee: Alex Murray (alexmurray) => (unassigned) -- You received this bug notification because you

[Bug 1805519] Re: G15 package website url invalid, leads to possible malware install

2018-11-27 Thread Alex Murray
*** This bug is a duplicate of bug 1468526 *** https://bugs.launchpad.net/bugs/1468526 ** Information type changed from Private Security to Public ** This bug has been marked a duplicate of bug 1468526 g15tools.com seems to be not anymore under control be g15tools -- You received this

[Bug 1770877] Re: [MIR] tracker-miners

2018-11-27 Thread Alex Murray
** Changed in: tracker-miners (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => Alex Murray (alexmurray) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1770877 Title: [MIR] trac

[Bug 1805316] Re: systemd 229-4ubuntu21.9 faulty - breaks the system!

2018-11-27 Thread Alex Murray
*** This bug is a duplicate of bug 1804847 *** https://bugs.launchpad.net/bugs/1804847 I've marked this as a duplicate of bug #1804847 - please add any further comments to that bug instead. ** This bug has been marked a duplicate of bug 1804847 systemd=229-4ubuntu21.8 use of fchownat

[Bug 1800715] Re: Prompt for credential when it shouldn't

2018-11-22 Thread Alex Murray
The security team consider the existing behaviour is fine - ie. automatically connect without authentication when an admin session is logged in and is an active seat (ie. the screen / session is not switched to some other users sessions / VT), and the screen is unlocked. If someone has direct

[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf

2018-11-21 Thread Alex Murray
Tested the new version in cosmic-proposed on an up-to-date cosmic VM by inserting a USB drive with the attached autorun.inf and it passes. Steps to test locally as follows: 1. Enabled cosmic-proposed 2. sudo apt-get dist-upgrade 3. sudo reboot On next boot with the autorun.inf on a local USB

[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf

2018-11-20 Thread Alex Murray
Tested the version from bionic-proposed in an up-to-date VM and it passed. Steps to test locally as follows: 1. Enabled bionic-proposed 2. sudo apt-get dist-upgrade 3. sudo reboot On next boot with the autorun.inf on a local USB drive: $ dmesg | grep gvfs $ apt-cache policy gvfs gvfs:

[Bug 1798725] Re: gvfs may crash when parsing non-valid UTF8 in autorun.inf

2018-11-20 Thread Alex Murray
Tested the version from cosmic-proposed in an up-to-date VM and it failed - looks like this is not actually applied during the build - see the build log https://launchpadlibrarian.net/398362236/buildlog_ubuntu-cosmic-amd64.gvfs_1.38.1-0ubuntu1_BUILDING.txt.gz and notice it is never listed during