from:"Joy"

Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731410

Title:
  package pcscd 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade:
  подпроцесс установлен сценарий post-installation возвратил код ошибки
  1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1731410/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1683378] Re: package libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration

Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1683378

Title:
  package libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1 failed to
  install/upgrade: package is in a very bad inconsistent state; you
  should  reinstall it before attempting configuration

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1683378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1690543] Re: package libpcsclite1 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: a tentar sobreescrever '/usr/share/doc/libpcsclite1/changelog.Debian.gz' partilhado, que é diferente de outras

Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1690543

Title:
  package libpcsclite1 1.8.14-1ubuntu1.16.04.1 failed to
  install/upgrade: a tentar sobreescrever
  '/usr/share/doc/libpcsclite1/changelog.Debian.gz' partilhado, que é
  diferente de outras instâncias do pacote libpcsclite1:amd64

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1690543/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1570359] Re: pcscd crashed with SIGSEGV in __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__()

Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1570359

Title:
  pcscd crashed with SIGSEGV in
  __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__()

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1570359/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1539999] Re: Omnikey Cardreader not working

Is this still an issue? Changing to incomplete.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/153

Title:
  Omnikey Cardreader not working

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/153/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1366152] Re: System crash when Vasco-card-reader is plugged in at powerup

This bugreport has had no activity and has eol. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1366152

Title:
  System crash when Vasco-card-reader is plugged in at powerup

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1366152/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1700104] Re: package pcscd 1.8.10-1ubuntu1.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

Fixed in subsequent release. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1700104

Title:
  package pcscd 1.8.10-1ubuntu1.1 failed to install/upgrade: subprocess
  installed post-installation script returned error exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1700104/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1161882] Re: ACR38U Does not work on 12.10

This bug was not applicable to pcsc-lite package. Closing since no
activity and eol.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1161882

Title:
  ACR38U Does not work on 12.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1161882/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1090238] Re: pcscd hangs after ejecting Rutoken ECP making some comunication with token

This was fixed in subsequent release. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1090238

Title:
  pcscd hangs after ejecting Rutoken ECP making some comunication with
  token

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1090238/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1061947] Re: pcscd (auto)starting and permission troubles

This is most likely fixed via pcscd starting from systemd in current
releases. Closing this since it has had no activity and has eol.

** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1061947

Title:
  pcscd (auto)starting and permission troubles

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1061947/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1004683] Re: pcscd fails to access Reiner SCT CyberJack card reader

This bugreport has had no activity and has eol. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1004683

Title:
  pcscd fails to access Reiner SCT CyberJack card reader

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1004683/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 796893] Re: Rutoken Magistra init fails in natty

This bugreport has had no activity and has eol. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/796893

Title:
  Rutoken Magistra init fails in natty

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/796893/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 795540] Re: package pcscd 1.7.0-2ubuntu2 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1

This bugreport has had no activity and has eol. Closing.


** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/795540

Title:
  package pcscd 1.7.0-2ubuntu2 failed to install/upgrade: ErrorMessage:
  subprocess installed post-installation script returned error exit
  status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/795540/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 790502] Re: If OS has started the pcscd service won'n start up

This bugreport has had no activity and has eol. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/790502

Title:
  If OS has started the pcscd service won'n start up

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/790502/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 776082] Re: pcscd spams syslog whenever mozilla is running and CAC card is not inserted/present

This bugreport has had no activity and has eol. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/776082

Title:
  pcscd spams syslog whenever mozilla is running and CAC card is not
  inserted/present

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/776082/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 336815] Re: Aladdin etoken pro not supported anymore with pcscd

This bug appears to have been fixed in an update. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/336815

Title:
  Aladdin etoken pro not supported anymore with pcscd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/336815/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5

2020-10-01 Thread Joy Latten

** Description changed:

- The fix for #1835135 was not included into the python2.7 update. This
- bug has been opened to include it.
+ The fix for #1835135 was included into a python2.7 ver when python2.7
+ was updated, the fix was not included. It needs to be put pack into the
+ latest version pf python2.7 to prevent FIPS issues when using fips
+ openssl with python's hashlib. This is only a problem in latest
+ python2.7 versions in xenial, bionic, focal, and groovy. python3
+ versions do not have this problem on the above releases.
+
+ The fix was a backport of
+
https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae

** Description changed:

- The fix for #1835135 was included into a python2.7 ver when python2.7
- was updated, the fix was not included. It needs to be put pack into the
- latest version pf python2.7 to prevent FIPS issues when using fips
- openssl with python's hashlib. This is only a problem in latest
- python2.7 versions in xenial, bionic, focal, and groovy. python3
- versions do not have this problem on the above releases.
+ LP #1835135 was fixed in python2.7. However, when python2.7 was updated
+ to current verion, the fix was not included. It needs to be included
+ again into current version of python2.7 to prevent FIPS issues when
+ using fips openssl with python's hashlib. This is only a problem in
+ latest python2.7 versions in xenial, bionic, focal, and groovy. python3
+ versions do not have this problem in these releases.

The fix was a backport of

https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1898078

Title:
FIPS OpenSSL crashes Python2.7 hashlib when using MD5

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1898078/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5

2020-10-01 Thread Joy Latten

** Also affects: python2.7 (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Also affects: python2.7 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: python2.7 (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: python2.7 (Ubuntu Focal)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1898078

Title:
  FIPS OpenSSL crashes Python2.7 hashlib when using MD5

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1898078/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1898078] [NEW] FIPS OpenSSL crashes Python2.7 hashlib when using MD5

2020-10-01 Thread Joy Latten

Public bug reported:

The fix for #1835135 was not included into the python2.7 update. This
bug has been opened to include it.

** Affects: python2.7 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1898078

Title:
  FIPS OpenSSL crashes Python2.7 hashlib when using MD5

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1898078/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

2020-09-11 Thread Joy Latten

pcsc-lite source package provides pcscd and libpcsclite1 and thus is
needed for smartcard deployment.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892559

Title:
  [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1892559/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

2020-09-11 Thread Joy Latten

pcscd is required. When removed, I am not able to get any info from the
driver about the reader or the smartcard. pcscd loads the smartcard
driver and coordinates communications.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892559

Title:
  [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1892559/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

2020-09-10 Thread Joy Latten

Hi Seth and Christian,

I did a smartcard setup and confirmed I did not have to use anything
from pcsc-tools. And pcsc-tools seem to depend on libpcsc-perl, so won't
need pcsc-perl either.

My "sudo apt install opensc" pulled in libccid, libpcslite1, opensc-
pkcs11 and pcscd binary packages. I only needed one additional install
of "libpam-pkcs11".


Next, I am looking into the pcscd requirement. Will comment shortly.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892559

Title:
  [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1892559/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1802533] Re: [MIR] pipewire

2020-08-17 Thread Joy Latten

Reassigning so that necessary work is done to get pipewire updated,
building and working in groovy.

** Changed in: pipewire (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1802533

Title:
  [MIR] pipewire

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1802533/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1802533] Re: [MIR] pipewire

2020-08-17 Thread Joy Latten

Hi, security team is wanting to do a MIR audit on pipewire for groovy.
Unfortunately, the current pipewire source downloaded from groovy does
not appear to have been updated nor does it build.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1802533

Title:
  [MIR] pipewire

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1802533/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1851682] Re: oscap is broken in ubuntu 19.10

2020-07-24 Thread Joy Latten

Verified this on both bionic and focal.

Testcase: (focal)
 
$ dpkg -l | grep libopenscap8
ii  libopenscap8 1.2.16-2ubuntu3.1 
amd64Set of libraries enabling integration of the SCAP line of standards

$ oscap oval eval --report cve-report.html com.ubuntu.focal.cve.oval.xml

The scan was successful and generated a report.

Testcase: (bionic)

$ dpkg -l | grep libopenscap8
ii  libopenscap8  1.2.15-1ubuntu0.2 
  amd64Set of libraries enabling integration of the SCAP line 
of standards

$oscap oval eval --report cve-report.html com.ubuntu.bionic.cve.oval.xml

The scan was successful and generate a report.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1851682

Title:
  oscap is broken in ubuntu 19.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1851682/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1851682] Re: oscap is broken in ubuntu 19.10

2020-07-24 Thread Joy Latten

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1851682

Title:
  oscap is broken in ubuntu 19.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1851682/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

2020-07-14 Thread Joy Latten

** Description changed:

  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to 
segfault.
  
  ntpq uses crypto hashes to authenticate its requests. By default it uses
  md5. However, when compiled with openssl it creates a lists of
  acceptable hashes from openssl that can be used.
+ 
+ This issue is only applicable in bionic when using fips-openssl.
  
  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
  if (FIPS_mode()) {
  if (!(type->flags & EVP_MD_FLAG_FIPS)
  && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
  EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
  return 0;
  }
  }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence
  
  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.
  
  [Regression Potential]
  
  I don't think this should regress ntpq + openssl from the Ubuntu
  archive.
  
  Current archive ntpq + openssl behaviour:
- openssl includes all message digests and hands ntpq a sorted digest-list. 
+ openssl includes all message digests and hands ntpq a sorted digest-list.
  ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is well 
and sticks all digests into its list regardless if it is working or not.
  
- i.e.  
+ i.e.
  ntpq> help keytype
  function: set key type to use for authenticated requests, one of:
- MD4, MD5, RIPEMD160, SHA1, SHAKE128
+ MD4, MD5, RIPEMD160, SHA1, SHAKE128
  
  If somehow openssl library is corrupted and sends back erroneous
  results, its possible the authentication will just not ever work.
  
  Newly fixed archive ntpq + oenssl beahviour:
  openssl includes all message digests and hands ntpq a sorted digest-list.
  ntpq checks each one and includes each working digest. With a non-corrupted 
openssl, everything works fine and ntpq includes each into its list. Ends up 
with a list identical to the one above.
-  
- If somehow opensll library is corrupted and sends back erroneous results, 
ntpq will hopefully catch it by checking return code and include only those 
algos that appear to be working. Its possible authentication will work for ntpq.
+ 
+ If somehow opensll library is corrupted and sends back erroneous
+ results, ntpq will hopefully catch it by checking return code and
+ include only those algos that appear to be working. Its possible
+ authentication will work for ntpq.
  
  The difference will be seen in ntpq + fips-openssl. ntpq will check
  return, and for fips-not-approved algos, return will indicate an error.
  So these algos will be skipped and ntpq will not include into its digest
  list. Resulting in a much shorter list of only fips-approved algos.
  
  i.e.
  ntpq> help keytype
  function: set key type to use for authenticated requests, one of:
- SHA1, SHAKE128
+ SHA1, SHAKE128
  
- Since md5 is ntpq's default auth algo, this will need to be changed to one of 
the above algos in the config files. 
+ Since md5 is ntpq's default auth algo, this will need to be changed to one of 
the above algos in the config files.
  But I think it is somewhat understood that MD5 is bad in a FIPS environment.

** Description changed:

  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to 
segfault.
  
  ntpq uses crypto hashes to authenticate its requests. By default it uses
  md5. However, when compiled with openssl it creates a lists of
  acceptable hashes from openssl that can be used.
  
- This issue is only applicable in bionic when using fips-openssl.
+ This issue is only applicable in bionic and when using fips-openssl.
  
  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually

[Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

2020-07-14 Thread Joy Latten

** Summary changed:

- [fips] Not fully initialized digest segfaulting some client applications
+ [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl
  library.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

** Changed in: openssl (Ubuntu)
 Assignee: (unassigned) => Joy Latten (j-latten)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

Additional testing for ntpq authentication to ensure MD5 still works for
ntpq in archive

NOTE: The shown testing is ntpq(with patch) + openssl from archive. To ensure 
all still works.
Testing with ntpq + fips-openssl was also done successfully.
 
VM-A (ntp server) 

1. Edit /etc/ntp.keys to include,

1 SHA1 austintexas
2 MD5 cedarpark

2. Edit /etc/ntp.conf to include.

keys /etc/ntp.keys   
trustedkey 2 
controlkey 2
requestkey 2

3. restart ntp
sudo service ntp restart

VM-B (ntp client)

$ dpkg -l | grep ntp
ii  ntp1:4.2.8p10+dfsg-5ubuntu7.1+ppa1  
   amd64Network Time Protocol daemon and utility programs

1. Edit /etc/ntp.keys to include,

1 SHA1 austintexas
2 MD5 cedarpark

2. Edit /etc/ntp.conf to include,
keys /etc/ntp.keys
server  key 2
trustedkey 2
controlkey 2
requestkey 2

3. I commented out all the "pool" entries in /etc/ntp.conf

4. restart ntp
sudo service ntp restart


On the client,

$ ntpq -c as

ind assid status  conf reach auth condition  last_event cnt
===
  1 46728  f014   yes   yes   ok reject   reachable  1

Notice that "auth" is ok.

$ ntpq
ntpq> keytype
keytype is MD5 with 16 octet digests
ntpq> keyid 2
ntpq> ifstats
MD5 Password: 
interface namesend
 #  address/broadcast drop flag ttl mc received sent failed peers   uptime
==
  0 v6wildcard   D   81   0  0  0  0  0 0   96
[::]:123
  1 v4wildcard   D   89   0  0  0  0  0 0   96
0.0.0.0:123
  2 lo   .5   0  0  2  1  0 0   96
127.0.0.1:123
  3 ens3 .   19   0  0  2  2  0 1   96
192.168.122.105:123
  4 lo   .5   0  0  0  0  0 0   96
[::1]:123
  5 ens3 .   11   0  0  0  0  0 0   96
[fe80::5054:ff:fefe:b092%2]:123
ntpq> 


Note: issuing "ifstats" requires authentication.

I also tested with SHA1 and it worked as well.


And last test on client, 
ntpq -p 

remote   refid  st t when poll reach   delay   offset  jitter
==
 192.168.122.106 204.11.201.123 u   56   6471.5412.723   0.826

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

Testing:

There are no autopkgtests for ntp pkg and we do not run "make check" in
the tests dir as part of the build. So, just in case it is applicable, I
ran make check on my local build to ensure everything passes.

** Attachment added: "Results of running make check in ../tests directory"
   
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5392383/+files/ntp-test-results

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

** Description changed:

  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to 
segfault.
  
- ntpq uses crypto hashes to authenticate its requests. By default it appears 
to use an internal md5 implementation. However, when compiled with openssl it 
creates a lists of acceptable hashes from openssl that can be used. 
-  
+ ntpq uses crypto hashes to authenticate its requests. By default it uses
+ md5. However, when compiled with openssl it creates a lists of
+ acceptable hashes from openssl that can be used.
+ 
  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
  if (FIPS_mode()) {
  if (!(type->flags & EVP_MD_FLAG_FIPS)
  && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
  EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
  return 0;
  }
  }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence
  
  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.
  
  [Regression Potential]
  
- I believe the resolution to check the return code and if unsuccessful, do not 
include the hash algorithm in the internal ntpq digest list, should not 
introduce any regression.
- It will simply not add md5 and md5_sha1 to its lists of digests when compiled 
with openssl. Instead it will add the others like sha1, sha2, and sha3.
+ I don't think this should regress ntpq + openssl from the Ubuntu
+ archive.
+ 
+ Current archive ntpq + openssl behaviour:
+ openssl includes all message digests and hands ntpq a sorted digest-list. 
+ ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is well 
and sticks all digests into its list regardless if it is working or not.
+ 
+ i.e.  
+ ntpq> help keytype
+ function: set key type to use for authenticated requests, one of:
+ MD4, MD5, RIPEMD160, SHA1, SHAKE128
+ 
+ If somehow openssl library is corrupted and sends back erroneous
+ results, its possible the authentication will just not ever work.
+ 
+ Newly fixed archive ntpq + oenssl beahviour:
+ openssl includes all message digests and hands ntpq a sorted digest-list.
+ ntpq checks each one and includes each working digest. With a non-corrupted 
openssl, everything works fine and ntpq includes each into its list. Ends up 
with a list identical to the one above.
+  
+ If somehow opensll library is corrupted and sends back erroneous results, 
ntpq will hopefully catch it by checking return code and include only those 
algos that appear to be working. Its possible authentication will work for ntpq.
+ 
+ The difference will be seen in ntpq + fips-openssl. ntpq will check
+ return, and for fips-not-approved algos, return will indicate an error.
+ So these algos will be skipped and ntpq will not include into its digest
+ list. Resulting in a much shorter list of only fips-approved algos.
+ 
+ i.e.
+ ntpq> help keytype
+ function: set key type to use for authenticated requests, one of:
+ SHA1, SHAKE128
+ 
+ Since md5 is ntpq's default auth algo, this will need to be changed to one of 
the above algos in the config files. 
+ But I think it is somewhat understood that MD5 is bad in a FIPS environment.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Joy Latten

** Description changed:

- In FIPS mode on Bionic MD5 is semi-disabled causing some applications to
- segfault.
+ [Impact]
+ In FIPS mode on Bionic MD5 is semi-disabled causing some applications to 
segfault.
  
+ ntpq uses crypto hashes to authenticate its requests. By default it appears 
to use an internal md5 implementation. However, when compiled with openssl it 
creates a lists of acceptable hashes from openssl that can be used. 
+  
+ [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
  if (FIPS_mode()) {
  if (!(type->flags & EVP_MD_FLAG_FIPS)
  && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
  EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
  return 0;
  }
  }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence
  
  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.
+ 
+ [Regression Potential]
+ 
+ I believe the resolution to check the return code and if unsuccessful, do not 
include the hash algorithm in the internal ntpq digest list, should not 
introduce any regression.
+ It will simply not add md5 and md5_sha1 to its lists of digests when compiled 
with openssl. Instead it will add the others like sha1, sha2, and sha3.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Joy Latten

Build log: 
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/19570468

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Joy Latten

debdiff for bionic


** Attachment added: "debdiff.bionic"
   
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5391374/+files/debdiff.bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-09 Thread Joy Latten

I added return checks to ntpq code and this appears to solve the
problem. Is it ok to make this an SRU?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-09 Thread Joy Latten

Also, this is only applicable in bionic. Neither xenial nor focal
experience this issue.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-09 Thread Joy Latten

It seems 2 things are happening to generate this issue

1.fips-openssl in bionic has md5 and md5_sha1 in fips digest list with
explicit purpose of accommodating PRF use only in fips mode. But you
must pass the flag, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW to successfully use
them.

2. ntpq does not check return codes from EVP_ calls. It has,
ctx = EVP_MD_CTX_new();
EVP_DigestInit(ctx, EVP_get_digestbyname(name));
EVP_DigestFinal(ctx, digest, _len);
EVP_MD_CTX_free(ctx);
if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t)))
return;

EVP_DigestInit() would have returned 0 in this case indicating a
failure.

Possible fixes:
1. in fips-libcrypto library remove md5 from fips digest list and keep md5_sha1 
for PRF and mark as fips-allowed. Can still use md5 with 
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag, but its just not in fips digest list.

Note: this fix can be put in fips-update ppa for availability. But, it
may be a while before it is re-certified.

2. ntpq should check its return codes and do appropriate thing on error.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-06-19 Thread Joy Latten

Investigating.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-17 Thread Joy Latten

** Tags added: verification-done-eoan

** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-17 Thread Joy Latten

Successful verification on amd64 for bionic

$ dpkg -l | grep util-linux
ii  util-linux2.31.1-0.4ubuntu3.6   
  amd64miscellaneous system utilities

$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"

type=USYS_CONFIG msg=audit(1584464596.658:106): pid=13437 uid=0
auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname
=bionic-fips addr=? terminal=pts/0 res=success'

type=USYS_CONFIG msg=audit(1584464615.494:117): pid=13441 uid=0
auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname
=bionic-fips addr=? terminal=pts/0 res=success'

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-17 Thread Joy Latten

Successful verification on amd64 for eaon

$ dpkg -l | grep util-linux
ii  util-linux   2.34-0.1ubuntu2.4  
amd64miscellaneous system utilities

Audit records found in /var/log/audit/audit.log,

type=USYS_CONFIG msg=audit(1584463433.533:68): pid=4263 uid=0 auid=1000
ses=1 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=eaon-
server addr=? terminal=pts/0 res=success'

type=USYS_CONFIG msg=audit(1584463480.497:81): pid=4268 uid=0 auid=1000
ses=1 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=eaon-
server addr=? terminal=pts/0 res=success'

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-13 Thread Joy Latten

Mauricio, 
Thank you so much for handling. Much appreciated. I took a quick look at the 
above #15 and #16 and perhaps a retry may be beneficial... there were some 
timeouts...

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-05 Thread Joy Latten

** Also affects: util-linux (Ubuntu Eoan)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-05 Thread Joy Latten

** Also affects: util-linux (Ubuntu Bionic)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-05 Thread Joy Latten

The debdiff for focal

** Attachment removed: "debdiff for focal"
   
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333544/+files/debdiff.focal

** Attachment added: "debdiff.focal"
   
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333895/+files/debdiff.focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-04 Thread Joy Latten

Build log 
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/18795481

** Bug watch added: Debian Bug tracker #953065
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953065

** Also affects: util-linux (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953065
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-04 Thread Joy Latten

** Attachment added: "debdiff for focal"
   
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333544/+files/debdiff.focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-02 Thread Joy Latten

** Description changed:

+ [IMPACT]
+ hwclock reports incrorect status in audit message
+ 
+ hwclock calls audit_log_user_message(3) to create an audit entry.
  audit_log_user_message(3) result 1 is "success" and 0 is
  "failed", hwclock use standard EXIT_{SUCCESS,FAILURE} macros with reverse
- status. Thus reports status incorrectly in audit message. This has been fixed 
upstream in 
https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a
+ status. Thus reports it's status incorrectly in audit message. 
+ 
+ It is a requirement for Common Criteria Certification that hwclock
+ reports correct status in audit message.
+ 
+ This has been fixed upstream in https://github.com/karelzak/util-
+ linux/commit/189edf1fe501ea39b35911337eab1740888fae7a
+ 
+ [TEST]
+ 
+ Steps to test:
+ 1. Install auditd
+ 2. Run following testcase,
+ 
+ # hwclock
+ 2020-03-02 15:03:03.280351+
+ # hwclock --set --date "1/1/2000 00:00:00"
+ # echo $?
+ 0
+ # hwclock
+ 2000-01-01 00:00:05.413924+
+ # hwclock --utc --systohc
+ # echo $?
+ 0
+ # hwclock
+ 2020-03-02 15:07:00.264331+
+ 
+ Following audit messages from /var/log/audit/audit.log,
+ 
+ type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 
ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips 
addr=? terminal=pts/0 res=failed'
+ type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 
ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips 
addr=? terminal=pts/0 res=failed'
+ 
+ Note that last entry in each audit record produced when hardware clock
+ was modified has, "res=failed". Although, testcase shows no failure
+ occurred.
+ 
+ [Regression Potential]
+ There should not be any regression to fix the status given to auditd.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865504] [NEW] hwclock reports incorrect status in audit message

2020-03-02 Thread Joy Latten

Public bug reported:

audit_log_user_message(3) result 1 is "success" and 0 is
"failed", hwclock use standard EXIT_{SUCCESS,FAILURE} macros with reverse
status. Thus reports status incorrectly in audit message. This has been fixed 
upstream in 
https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a

** Affects: util-linux (Ubuntu)
 Importance: High
 Assignee: Joy Latten (j-latten)
 Status: New

** Changed in: util-linux (Ubuntu)
   Importance: Undecided => Medium

** Changed in: util-linux (Ubuntu)
   Importance: Medium => High

** Changed in: util-linux (Ubuntu)
 Assignee: (unassigned) => Joy Latten (j-latten)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1853506] Re: [MIR] ndctl

2020-01-23 Thread Joy Latten

I reviewed ndctl as checked into focal.  This shouldn't be considered a
full audit but rather a quick gauge of maintainability.

ndctl is comprised of utilities and libraries for managing the libnvdimm
(non-volatile memory device) sub-system in the Linux kernel

- No CVEs readily found.
  Gleaned the git repository, https://github.com/pmem/ndctl. Appears to be 
actively maintained.
  Security-wise, noted fixes for a memory leak and non-null terminated strings.
- Build-Depends: debhelper-compat (= 12), pkg-config, libkmod-dev, libudev-dev, 
uuid-dev, 
  libjson-c-dev, bash-completion, systemd, libkeyutils-dev, asciidoctor
- No pre/post inst/rm scripts.
- There is an init script, debian/ndctl.init that is is installed as 
/etc/init.d/ndctl-monitor.
  All actions are circumvented to systemctl.
- There is a systemd unit file, ndctl-monitor.service, for the ndctl monitor 
daemon. The daemon
  catches smart events notify from firmware and outputs the notifications (in 
json format) to a
  logfile.
- No dbus services.
- No setuid binaries.
- 2 binaries, ndctl and daxctl in /usr/bin
- No sudo fragments.
- No udev rules.
- There are unit-tests and autopkgtests. The unit tests were skipped. There has 
been considerable
  discussion in this bugreport about providing regression testing.
- No cron jobs.
- Build reported following...
  - configure: WARNING: unrecognized options: --disable-maintainer-mode
  - quite a few alignment warnings for "address-of-packed-member",
i.e.,
nfit.c: In function ‘ndctl_bus_cmd_new_translate_spa’:
nfit.c:65:25: warning: taking address of packed member of ‘struct 
nd_cmd_translate_spa’ may result in an unaligned pointer value 
[-Waddress-of-packed-member]
   65 |  cmd->firmware_status = _spa->status;
  | ^~

  - following lintian warnings,
- malformed-deb-archive newer compressed control.tar.xz
- init.d-script-uses-usr-interpreter etc/init.d/ndctl-monitor /usr/bin/env
E: ndctl: init.d-script-does-not-implement-required-option 
etc/init.d/ndctl-monitor start
E: ndctl: init.d-script-does-not-implement-required-option 
etc/init.d/ndctl-monitor stop
E: ndctl: init.d-script-does-not-implement-required-option 
etc/init.d/ndctl-monitor restart
E: ndctl: init.d-script-does-not-implement-required-option 
etc/init.d/ndctl-monitor force-reload
W: ndctl: unusual-interpreter etc/init.d/ndctl-monitor #!/lib/init/init-d-script
W: ndctl: init.d-script-does-not-source-init-functions etc/init.d/ndctl-monitor

   - following dpkg warnings
dpkg-shlibdeps: warning: package could avoid a useless dependency if 
debian/daxctl/usr/bin/daxctl was not linked against libndctl.so.6 (it uses none 
of the library's symbols)
dpkg-shlibdeps: warning: package could avoid a useless dependency if 
debian/daxctl/usr/bin/daxctl was not linked against libuuid.so.1 (it uses none 
of the library's symbols)

- execlp() called without an absolute path to bring up help pages. A call to 
"kfmclient" and 
  once to call "man".
- Inspecting a random sampling of memory mgmt routines, the memory allocation 
looked good;
  memcpy() ok; none of the sprintf() nor asprintf() checked return value.
- File IO looked ok.
- Logging looked ok. We do not --enable-debug so limited debugging available.
  -daxctl_set_log_fn allows user to write custom function to override default!
-There are several environment vars. Could not readily find documentation on 
any of them.
   - log_env overrides log priority set in config file but uses secure_logenv 
so probably ok.
   - code does getenv("MANPATH"); then calls setenv("MANPATH") with gotten 
value. Seems bad idea.
- ioctls looked ok.
- Cryptography: looks ok.
  ndctl-setup|update|remove-passphrase uses the kernel keyring to enable
  a security passphrase for NVDIMM(s).
  binary blobs of the encrypted masterkey and NVDIMM passphrase(s) are
  stored in /etc/ndctl/keys directory and loaded into memory and
  compared (in a way validated) with kernel keyring with ndctl command.
- a single testcase uses hard-coded tmp file but this testcase is skipped.
- No WebKit.
- No PolicyKit.
- There were some cppcheck results, upon closer examination they seem ok.
[ndctl/check.c:1150]: (error) Signed integer overflow for expression 
'(549755813888)-4096'.
[ndctl/dimm.c:1216]: (error) Memory leak: actx.f_out
[util/json.c:871]: (error) Uninitialized variable: raw_uuid
[ndctl/lib/libndctl.c:5577]: (error) Uninitialized variable: uuid
[ndctl/lib/libndctl.c:5578]: (error) Uninitialized variable: uuid

- Quite a few scripts in test directory reported following warning,
"Double quote to prevent globbing and word splitting"

GENERAL COMMENTS

- There are other licenses besides GPL licences.

- Note: opened an issue upstream about the unaligned pointer warning
from compiler, https://github.com/pmem/ndctl/issues/131

Security team ACK only on condition that regression tests are available.


** Bug watch added: github.com/pmem/ndctl/issues #131

[Bug 1853506] Re: [MIR] ndctl

2020-01-23 Thread Joy Latten

** Changed in: ndctl (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1853506

Title:
  [MIR] ndctl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ndctl/+bug/1853506/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1802533] Re: [MIR] pipewire

2019-11-01 Thread Joy Latten

I reviewed pipewire 0.2.5-1 as checked into eoan.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

pipewire is a multimedia sharing and processing engine. It is comprised of a 
server and userspace API to handle multimedia pipelines. The pipewire package 
contains a library, utilities, a daemon and
several plugins.

pipewire seems to be relatively new and indications are that while
usable, it is still being developed
(https://github.com/PipeWire/pipewire/wiki/FAQ).

It is meant to overhaul audit/video processing by doing what pulseaudio
and Jack do and leveraging Wayland remote screen capabilities.

- No CVEs. Also examined git repository in github, 
https://github.com/PipeWire/pipewire. Seems to be a lot of active development 
and bugfixing.
- Build-Depends: debhelper (>= 11), libasound2-dev, libavcodec-dev, 
libavfilter-dev, libavformat-dev, libdbus-1-dev, libglib2.0-dev, 
libgstreamer1.0-dev, libgstreamer-plugins-base1.0-dev, libsbc-dev,
libsdl2-dev, libudev-dev, libva-dev, libv4l-dev, libx11-dev,  meson (>= 0.47), 
pkg-config (>= 0.22), systemd, xmltoman,  doxygen, graphviz
**Note: Uses meson build system
- There are no pre/post inst/rm scripts.
- No init scripts
- There are systemd unit files
  - There is pipewire.socket, a systemd socket unit for automatic socket 
activation. Appears to be a
AF_Unix socket
  - There is pipewire.service, a system unit file for the daemon. It requires 
the pipewire.socket to
be active first.
- dbus services are used
  - the rtkit (realtimekit) module uses dbus to talk to RealtimeKit to be 
allowed permission to take
on realtime property.
  - the flatpak module uses dbus in similar manner to acquire permission to 
record screen or audio.
  - the Simple plugin API provides dbus services via D-Bus low-level public API 
to plugins.
- No setuid binaries
- Several binaries installed in /usr/bin/ and /usr/lib/x86_64-linux-gnu/ dirs.
- No sudo fragments.
- No udev rules. However, the ALSA (advanced linux sound architecture) and V4l2 
(video) plugins
  do make udev calls to acquire device info.
- No autopkgtests. There are a few tests in spa/test dir but they do not seem 
to have run.
- No cron jobs.
- Build logs indicated a successful build. However there was a compile error 
and many compile  warnings pertaining to -Wdepracated-declarations and 
-Wunused-result. There also appeared to be many failures while generating docs.
- No processes spawned.
- Quite a bit of memory mgmt. Inspecting a random sampling of memory mgmt 
routines, the memcpy()  seem ok, the return value not checked for any of the 
asprintf() and a number of calloc()|realloc() did not check the return value 
for failure.
- No File IO issues readily found. Noticed v4l2 plugin open() the 
playback(video capture) device.  The default is /dev/video0.  The alsa plugin 
opens an audio device using snd_pcm_open. The default device is hw:0.
- Logging: both pipewire and spa (simple plugin api) define their own logging 
facilities. Use of vsnprintf seems ok. Noted that except for pw_log_trace, 
logging appears to go to stderr...  pw_log_trace writes to a lockfree 
ringbuffer which seems to be written out from main thread.
- There are environment variables. They appear to be ok.
- No File IO issues. The v4l2 plugin uses ioctl cnd xioctl calls on VIDIOC_*, 
the videocapture device. Look ok.
- pipewire uses a random number to generate a random cookie that identifies the 
instance of pipewire
- No temp file issues.
- Networking: pipewire seem to use "nodes" which are physical playback and 
recording points for audio. Nodes can be separate processes that use sockets 
and filedescriptors to communicate and pass around multimedia data. pipewire 
opens local sockets and pass around file descriptors to do this.
- Does not use WebKit.
- Does not use PolicyKit.
- cppcheck results:
  [spa/tests/test-props4.c:147]: (error) va_list 'args' was opened but not 
closed by va_end().
  [spa/tests/test-props4.c:427]: (error) va_list 'args' was opened but not 
closed by va_end().
- Coverity not run.

Misc Notes:
Entry from https://github.com/PipeWire/pipewire/wiki/FAQ,
"Is PipeWire ready yet?

No, it is under heavy development

It is currently reasonably safe to use the remote API to connect to a
PipeWire daemon and the stream API (stream.h) to send and retrieve data.
I do not expect this API to change in incompatible ways.

The protocol is not fixed yet; it is not safe to assume I will make
backward compatible changes in the future. This means that it is not
safe to assume that older versions of the library will be able to
communicate with newer versions of the daemon (or vice versa). This is
usually not a problem because both client and server share the same
version of the library. It can be a problem when dealing with sandboxes
that have their own (old) copy of PipeWire."

The security team will NAK this for now. The above FAQ entry indicates
pipewire is still under heavy development

[Bug 1802533] Re: [MIR] pipewire

2019-11-01 Thread Joy Latten

** Changed in: pipewire (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1802533

Title:
  [MIR] pipewire

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1802533/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

2019-07-11 Thread Joy Latten

The 2.7 and 3.5 python packages in the security proposed PPA have been
successfully tested in a fips and non-fips xenial environment.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835135

Title:
  FIPS OpenSSL crashes Python2 hashlib

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1802614] Re: [MIR] gnome-remote-desktop

2019-07-09 Thread Joy Latten

** Changed in: gnome-remote-desktop (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1802614

Title:
  [MIR] gnome-remote-desktop

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-remote-desktop/+bug/1802614/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1802614] Re: [MIR] gnome-remote-desktop

2019-07-09 Thread Joy Latten

I would like to add an additional condition to the security team ACK.
The pipewire MIR must also be ACK'd.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1802614

Title:
  [MIR] gnome-remote-desktop

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-remote-desktop/+bug/1802614/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1802614] Re: [MIR] gnome-remote-desktop

2019-07-09 Thread Joy Latten

I reviewed gnome-remote-desktop 0.1.7-1 as checked into eoan. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

gnome-remote-desktop is a remote desktop daemon for GNOME using VNC with
pipewire. It is suppose to work with both X and Wayland.

- No CVEs.
Also Examined the git histories at both
* https://gitlab.gnome.org/jadahl/gnome-remote-desktop
* https://salsa.debian.org/gnome-team/gnome-remote-desktop
- Build-Depends: debhelper (>= 11), gnome-pkg-tools, libglib2.0-dev,
libnotify-dev, libpipewire-0.2-dev, libsecret-1-dev, libvncserver-dev, meson
(>= 0.36.0)
**Note: Uses meson build system
- No Debian pre/post inst/rm scripts. However, there is a meson_post_install.py
script that appears to compile gsettings schemas.
- No init scripts.
- There is a systemd service unit file installed in /usr/lib/systemd/user
directory. It is used to start the daemon.
- Appears to use glib bindings for dbus. Uses introspection data format and is
used for both screen casting and remote desktop. The remote desktop uses dbus
to, create, start, and stop remote desktop sessions. Notifications for pointer
button motions and whether pressed. Notification if a key identified by a
keysym was pressed.
- Remote desktop driven screen casts are started and stopped by the remote
desktop session using
dbus. Also uses dbus to record a monitor during the screen cast.
- No setuid/setgid binaries nor in the code.
- Nothing added to PATH.
- No sudo fragments.
- No udev rules.
- No testcases. However, when I looked upstream, a few have been added.
https://gitlab.gnome.org/jadahl/gnome-remote-desktop/tree/master/tests
- No cron jobs.
- Build logs showed a successful build, but there were following warnings:
Binary packages built successfully but there was the following warning(s):
dpkg-gencontrol: warning: package gnome-remote-desktop: substitution
variable ${gnome:NextVersion} unused, but is defined
dpkg-gencontrol: warning: package gnome-remote-desktop: substitution
variable ${gnome:Version} unused, but is defined
dpkg-gencontrol: warning: package gnome-remote-desktop: substitution
variable ${gnome:NextVersion} unused, but is defined
dpkg-gencontrol: warning: package gnome-remote-desktop: substitution
variable ${gnome:Version} unused, but is defined

-Error during source build:
dh clean --with gnome --buildsystem=meson
dh: Sorry, but 10 is the highest compatibility level supported by this
debhelper.
debian/rules:7: recipe for target 'clean' failed
make: *** [clean] Error 25
dpkg-buildpackage: error: fakeroot debian/rules clean gave error exit status 2
debuild: fatal error at line 1376:
dpkg-buildpackage -rfakeroot -d -us -uc -S failed
FAIL

- No spawned processes.
- Memory management uses quite a bit of glib memory mgmt calls. They all seen
to be used ok.
- No File IO issues.
- Logging uses glib logging and looks ok.
- Environment variable usage looks ok and only one is used to enable debugging.
- No privileged functions.
- This app uses libsecret for password storage and lookup.
Calls into libsecret to get and store encrypted passwords.
Uses libvncserver to encrypt keys for storage. Uses 3DES encryption algo.
encrypts user password and then compares it with the stored one to validate.
- No temp files.
- For networking, uses libpipewire for data transfer when doing screen casting.
Using glib calls, vnc server listens on a socket|port for all interfaces.
It seems to handle only one session an on the listening socket. Could not get
it to work to test that out. The socket handling seems ok.
- Does not use WebKit
- Does not seem to use PolicyKit
- Clean cppcheck

MISC NOTES
Authentication seems to be permitted in 1 of 2 ways:
1. password authentication
2. prompting - that is user is alerted that someone wants to connect and
whether they will give permission or not.

The hardening-check tool reported,
Fortify Source functions: no, only unprotected functions found!

The old Free Software Foundation address is used in many of the source
files.

A lintian warning about debian/control
W: gnome-remote-desktop source: newer-standards-version 4.3.0 (current is 3.9.7)
(but googling reported latest version is 4.3.0.3)

The debian/control has following sentence in it,
"This feature will not work on Ubuntu until mutter is recompiled
with the remote desktop option enabled."

Security team ACK only on condition that it works, and help preparing updates
and testing.

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1802614

Title:
[MIR] gnome-remote-desktop

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-remote-desktop/+bug/1802614/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

2019-07-08 Thread Joy Latten

Upon looking at the source for both python2.7 and python3.5 in xenial,
neither checks the return value from EVP_DigestInit in
Modules/_hashopenssl.c file.

However, python3.6 (in bionic, cosmic and disco) does have the check.

So the check will need to be backported to python 2.7 and python 3.5 in
xenial.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835135

Title:
  FIPS OpenSSL crashes Python2 hashlib

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

2019-07-03 Thread Joy Latten

Like python3, python2 should check the return value of EVP_DigestInit.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835135

Title:
  FIPS OpenSSL crashes Python2 hashlib

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

2019-07-03 Thread Joy Latten

The assessment is accurate.

FIPS 140-2 does not allow MD5 except for use in PRF.

Thus the  OpenSSL_add_all_digests in fips openssl does not include MD5. 
However, SSL_library_init() does include MD5 but only for use in calculating 
the PRF. Notice in tls1_P_hash() in ssl/t1_enc.c
the flag, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, is set in the context to permit this 
use of MD5.
Apps wishing to calculate their own PRF can do the same.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835135

Title:
  FIPS OpenSSL crashes Python2 hashlib

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

2019-07-03 Thread Joy Latten

Investigating

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835135

Title:
  FIPS OpenSSL crashes Python2 hashlib

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

verification done on following:
xenial: openvpn-2.3.10-1ubuntu2.2
bionic: openvpn-2.4.4-2ubuntu1.2
cosmic: openvpn-2.4.6-1ubuntu2.1

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

Verified using same test data allowing for interoperability testing
between the various releases and with fips for xenial and bionic.

** Tags removed: verification-needed-bionic verification-needed-cosmic 
verification-needed-xenial
** Tags added: verification-done-bionic verification-done-cosmic 
verification-done-xenial

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

Successfully verified xenial, bionic, and cosmic.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

Testing in progress...

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

2019-01-10 Thread Joy Latten

This bug has been reported:
1.Upstream Bug: https://community.openvpn.net/openvpn/ticket/725
2.Suse Bug report:
https://build.opensuse.org/package/view_file/network:vpn/openvpn/openvpn-fips140-2.3.2.patch

** Description changed:

[IMPACT]
+ openvpn segfaults when using fips-mode openssl because of MD5.
+
+ xenial has version 2.3.x and subsequent releases have 2.4.x.
+ MD5 is used in 2 places in 2.3.x and one place in 2.4.x.
+
+ First place:
openvpn when estabishing a tls connection will segfault when used with
Ubuntu's FIPS 140-2 libcrypto.so (openssl).

openvpn tls connection does TLS PRF(pseudorandom function) to produce
securely generated pseudo random output that is used to generate keys.
MD5 is used as the hash in this computation.

FIPS 140-2 does not permit MD5 use except when used for pseudorandom
function (PRF). When openvpn requests MD5 operation to FIPS-mode
libcrypto.so, since it is not allowed in general, FIPS-mode libcrypto.so
goes into an error state.

- openvpn needs to set and pass a flag that FIPS-mode libcrypto.so
- recognizes and that indicates it is using MD5 for PRF, thereby FIPS-mode
- libcrypto.so will grant the request instead of entering an error state.
- In non-FIPS libcrypto.so the flag has no meaning.
+ The context flag value, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, is defined in
+ both FIPS and non-FIPS libcrypto.so. However, the MD5 check for it is
+ only in FIPS-mode libcrypto.so to permit MD5. In non-FIPS libcrypto.so
+ this check does not exist since it always permits MD5. openvpn should
+ use this flag when it makes its MD5 request.

- **NOTE: The openvpn 2.3 version in xenial has the above issue and an
- additional one. It also use MD5 internally for configuration status
- verification. It is not communicated externally. However, this
- particular use of MD5 is not allowed by FIPS and thus when openvpn tries
- to use FIPS-mode libcrypto.so to compute MD5, it results in openvpn
- segfaulting. This 2nd issue was fixed by upstream openvpn community in
- subsequent versions(2.4) to not use MD5 and use SHA(256) instead and
- thus why bionic and disco do not require any change for this 2nd issue.
+ Second place (only in 2.3.x):
+ **NOTE: The openvpn 2.3 version in xenial has the above issue and an
additional one. It also use MD5 internally for configuration status
verification. It is not communicated externally. However, this particular use
of MD5 is not allowed by FIPS and thus when openvpn tries to use FIPS-mode
libcrypto.so to compute MD5, it results in openvpn segfaulting. This 2nd issue
was fixed by upstream openvpn community in subsequent versions(2.4) to not use
MD5 and use SHA(256) instead and thus why bionic, cosmic, and disco do not
require any change for this 2nd issue.

[TEST]
Test data including commands and parameters are included below.

Testing comprised establishing a tls connection between an openvpn
client and server. Once the connection was successfully established, a
ping thru the established vpn tunnel was done from the client for
assurance.

Interoperability testing was done to ensure no regression. Test data
reflects testing was done between openvpn server and client with and
without the patch and between various releases (xenial, bionic, and
disco).

Test was also done with FIPS-enabled libcrypto.so to ensure everything
worked in FIPS mode.

[REGRESSION]
- The FIPS-mode libcrypto.so flag passed by openvpn has no meaning in non-FIPS
libcrypto.so. Thus nothing changes for openvpn behaviour in non-FIPS mode in
regards to this.
+ The context flag value, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, is defined in both
FIPS-mode openssl and non-FIPS openssl. However, the MD5-permit check against
this flag-value does not occur in non-FIPS libcrypto.so, so there should be no
change in behaviour. non-FIPS libcrypto.so should continue to service all MD5
requests.

- xenial has additional change of using SHA instead of MD5 for
- configuration status verification. This is an internal hash that is not
- communicated externally. Thus it should not regress interoperability or
- ability to establish connections.
+ xenial with version 2.3.x, has additional change of using SHA instead of
+ MD5 for configuration status verification. This is an internal hash that
+ is not communicated externally. Thus it should not regress
+ interoperability or ability to establish connections.

** Bug watch added: community.openvpn.net/openvpn/ #725
https://community.openvpn.net/openvpn/ticket/725

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1807439/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com

[Bug 1807439] Re: openvpn crashes when run with fips openssl

2019-01-10 Thread Joy Latten

Applied fixes for above comments. After some team discussion, decided to
use sha256 for internal hash rather than sha1 in xenial as well.
Internal hash is never communicated externally. Performed additional
interoperability testing successfully using same test parameters as
previously.

cosmic(with patch) <--> xenial (with patch)
cosmic(with patch) <--> xenial (with patch and in fips mode)
xenial(without patch) <--> xenial(with patch)
xenial(without patch) <--> xenial (with patch and fips mode)
xenial(with patch)  <--> xenial (with patch)
xenial (with patch) <--> xenial (with patch and fips mode)
xenial (with patch and fips mode) <--> xenial(with patch and fips mode)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

** Changed in: openvpn (Ubuntu Bionic)
   Status: Incomplete => New

** Changed in: openvpn (Ubuntu Xenial)
   Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

** Description changed:

  [IMPACT]
  openvpn when estabishing a tls connection will segfault when used with 
Ubuntu's FIPS 140-2 libcrypto.so (openssl).
  
- openvpn tls connection does TLS PRF(pseudorandom function) to produce 
securely generated pseudo random output that is used to generate keys. 
- MD5 is used as the hash in this computation.   
+ openvpn tls connection does TLS PRF(pseudorandom function) to produce 
securely generated pseudo random output that is used to generate keys.
+ MD5 is used as the hash in this computation.
  
  FIPS 140-2 does not permit MD5 use except when used for pseudorandom
  function (PRF). When openvpn requests MD5 operation to FIPS-mode
  libcrypto.so, since it is not allowed in general, FIPS-mode libcrypto.so
  goes into an error state.
  
  openvpn needs to set and pass a flag that FIPS-mode libcrypto.so
  recognizes and that indicates it is using MD5 for PRF, thereby FIPS-mode
  libcrypto.so will grant the request instead of entering an error state.
  In non-FIPS libcrypto.so the flag has no meaning.
  
+ **NOTE: The openvpn 2.3 version in xenial has the above issue and an
+ additional one. It also use MD5 internally for configuration status
+ verification. It is not communicated externally. However, this
+ particular use of MD5 is not allowed by FIPS and thus when openvpn tries
+ to use FIPS-mode libcrypto.so to compute MD5, it results in openvpn
+ segfaulting. This 2nd issue was fixed by upstream openvpn community in
+ subsequent versions(2.4) to not use MD5 and use SHA(256) instead and
+ thus why bionic and disco do not require any change for this 2nd issue.
+ 
  [TEST]
- Testing comprised establishing a tls connection between an openvpn client and 
server. Once the connection was successfully established, a ping thru the 
established vpn tunnel was done from the client for assurance.
-  
- Because this flag has no meaning in non-FIPS libcrypto.so, nothing changes 
for openvpn behaviour in disco. Interoperability testing was done to ensure no 
regression. Test data reflects testing was done between openvpn server and 
client with and without the patch and between various releases (xenial, bionic, 
and disco).  
+ Test data including commands and parameters are included below.
  
- Test Data will be attached below.
+ Testing comprised establishing a tls connection between an openvpn
+ client and server. Once the connection was successfully established, a
+ ping thru the established vpn tunnel was done from the client for
+ assurance.
  
- Note: a test was also done with a FIPS-enabled system to ensure
- everything worked and no regression.
+ Interoperability testing was done to ensure no regression. Test data
+ reflects testing was done between openvpn server and client with and
+ without the patch and between various releases (xenial, bionic, and
+ disco).
+ 
+ Test was also done with FIPS-enabled libcrypto.so to ensure everything
+ worked in FIPS mode.
+ 
+ [REGRESSION]
+ The FIPS-mode libcrypto.so flag passed by openvpn has no meaning in non-FIPS 
libcrypto.so. Thus nothing changes for openvpn behaviour in non-FIPS mode in 
regards to this.
+ 
+ xenial has additional change of using SHA instead of MD5 for
+ configuration status verification. This is an internal hash that is not
+ communicated externally. Thus it should not regress interoperability or
+ ability to establish connections.

** Changed in: openvpn (Ubuntu Disco)
   Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

2 testcases using same parameters for prior testcases, except that
installed FIPS-mode libcrypto.so to test and ensure FIPS-mode
libcrypto.so honors the flag to allow MD5 in PRF and does not cause
openvpn to segfault because MD5 is missing.

** Attachment added: "testcase-data-fips"
   
https://bugs.launchpad.net/ubuntu/xenial/+source/openvpn/+bug/1807439/+attachment/5222137/+files/testcase-data-fips

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

The xenial patch has additional code. In version 2.3.10, openvpn uses
MD5 for PRF and internally for configuration status verification. FIPS
140-2 permits MD5 for PRF, but not as a hash for internal verification.
Subsequent versions of openvpn (2.4) was changed upstream to not use
MD5, instead uses SHA256. The attached patch provided by atsec uses SHA1
instead of MD5.

** Attachment added: "debdiff.xenial"
   
https://bugs.launchpad.net/ubuntu/xenial/+source/openvpn/+bug/1807439/+attachment/5222055/+files/debdiff.xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

** Attachment added: "debdiff.bionic"
   
https://bugs.launchpad.net/ubuntu/xenial/+source/openvpn/+bug/1807439/+attachment/5222054/+files/debdiff.bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

build log for xenial:
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743720

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl

build log for bionic:
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743676

** Also affects: openvpn (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: openvpn (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: openvpn (Ubuntu Xenial)
   Status: New => Incomplete

** Changed in: openvpn (Ubuntu Bionic)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1807439/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1807439] Re: openvpn crashes when run with fips openssl