[Bug 1908375] Re: ceph-volume lvm list calls blkid numerous times for differrent devices

2021-04-16 Thread Dariusz Gadomski
** Description changed:

  [Impact]
  
   * Every ceph-volume list lvm  call invokes blkid for numerous 
PARTUUIDs. For some setups with many slower IO devices this can make this call 
to run for minutes without any actual justification for that.
  In fact, the upstream ceph approach changed in this matter and post-bionic 
releases already have ceph-volume that does not invoke blkid at all in this 
context making the call much faster.
  
  Please examine the attached ceph-volume.log fragment for a ceph-volume
  call, the accumulated blkid calls take around 1 min 7 s.
  
  [Test Case]
  
   * Setup a ceph-osd with numerous block devices with long access time for 
blkid. Preferably use automation tools like juju (with ceph charm) or ansible 
to make sure ceph-volume calls work well when automated.
   * Run
  time ceph-volume --log-path ceph-volume.log --log-level debug lvm list 

- on one of them and check the log to see that most of the execution time is 
consumed by blkid calls.
+ on one of them and check the log to see if the execution time is not wasted 
on numerous blkid calls.
  
  [Where problems could occur]
  
   * Although a potential fix does not introduce any changes to how ceph-
  volume is used any automation depending on ceph-volume log parsing may
  notice a change.
  
  [Other Info]
  
   * The fix to this is available for Focal and beyond.
   * Xenial is not affected due to lack of ceph-volume in its ceph release.
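
Review bot: the reworded check in [Test Case] ("check the log to see if the execution time is not wasted on numerous blkid calls") gives no pass criterion. Say what a fixed package should show in the debug log, for example no blkid invocations for PARTUUIDs, and give a timing to compare against, such as the roughly 1 min 7 s of accumulated blkid time quoted in [Impact].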

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1908375

Title:
  ceph-volume lvm list  calls blkid numerous times for
  differrent devices

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1908375/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1908375] Re: ceph-volume lvm list calls blkid numerous times for differrent devices

2021-04-15 Thread Dariusz Gadomski
** Description changed:

  [Impact]
  
-  * Every ceph-volume list lvm  call invokes blkid for numerous 
PARTUUIDs. For some setups with many slower IO devices this can make this call 
to run for minutes without any actual justification for that.
+  * Every ceph-volume list lvm  call invokes blkid for numerous 
PARTUUIDs. For some setups with many slower IO devices this can make this call 
to run for minutes without any actual justification for that.
  In fact, the upstream ceph approach changed in this matter and post-bionic 
releases already have ceph-volume that does not invoke blkid at all in this 
context making the call much faster.
  
  Please examine the attached ceph-volume.log fragment for a ceph-volume
  call, the accumulated blkid calls take around 1 min 7 s.
  
- 
  [Test Case]
  
-  * Setup a ceph-osd with numerous block devices with long access time for 
blkid.
-  * Run
+  * Setup a ceph-osd with numerous block devices with long access time for 
blkid. Preferably use automation tools like juju (with ceph charm) or ansible 
to make sure ceph-volume calls work well when automated.
+  * Run
  time ceph-volume --log-path ceph-volume.log --log-level debug lvm list 

  on one of them and check the log to see that most of the execution time is 
consumed by blkid calls.
  
  [Where problems could occur]
  
-  * Although a potential fix does not introduce any changes to how ceph-
+  * Although a potential fix does not introduce any changes to how ceph-
  volume is used any automation depending on ceph-volume log parsing may
  notice a change.
  
  [Other Info]
-  
-  * The fix to this is available for Focal and beyond.
-  * Xenial is not affected due to lack of ceph-volume in its ceph release.
+ 
+  * The fix to this is available for Focal and beyond.
+  * Xenial is not affected due to lack of ceph-volume in its ceph release.

[Bug 1923115] Re: Networkd vs udev nic renaming race condition

2021-04-09 Thread Dariusz Gadomski
** Description changed:

  [Impact]
  
  systemd-networkd renames nic just after udev renamed it
  
  e.g
  
  kernel: [ 2.827368] vmxnet3 :0b:00.0 ens192: renamed from eth0
  kernel: [ 7.562729] vmxnet3 :0b:00.0 eth0: renamed from ens192
  systemd-networkd[511]: ens192: Interface name change detected, ens192 has 
been renamed to eth0.
  
  This cause netplan or the other network management pkg can't find proper
  nic sometimes.
  
  This happens on Bionic
  
  Below commit seems to solve this issue.
  
https://github.com/systemd/systemd/pull/11881/commits/30de2b89d125a8692c22579ef805b03f2054b30b
  
  There are bunch of related commits but above one the customer tested it
  worked.
  
  [Test Plan]
  
  The customer has issue and they could help us to test this.
  Internally they already test this and it worked.
  
  Please refer to github issue's reproduction step as well.
  https://github.com/systemd/systemd/issues/7293#issue-272917058
- 
+ where the test plan is described as:
+ "Reboot a couple of times. Sometimes the interface is renamed correctly. 
Sometimes it is not."
  
  [Where problems could occur]
  
  systemd-networkd should be restarted for this patch. systemd-networkd
  nic renaming could have issue. renaming may not be happening
  unexpectedly. e.g doesn't rename it properly or rename it when it should
  do.
  
  [Others]
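
Review bot: the quoted test plan added under [Test Plan] ("Reboot a couple of times. Sometimes the interface is renamed correctly. Sometimes it is not.") describes an intermittent reproduction without saying what to look for or how many clean reboots count as a pass. Suggest naming the evidence already shown in [Impact], that is the second kernel "renamed from" line and the systemd-networkd "Interface name change detected" message, and a minimum number of reboots without them.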

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1923115

Title:
  Networkd vs udev nic renaming race condition

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1923115/+subscriptions

[Bug 1908375] Re: ceph-volume lvm list calls blkid numerous times for differrent devices

2021-04-02 Thread Dariusz Gadomski
ceph-volume.log from a node with 20 volumes.

** Attachment added: "charms-20-volumes-ceph-volume.log"
   
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1908375/+attachment/5483569/+files/charms-20-volumes-ceph-volume.log

[Bug 1908375] Re: ceph-volume lvm list calls blkid numerous times for differrent devices

2021-04-02 Thread Dariusz Gadomski
I have successfully tested the patched version with a 3-node ceph-osd
setup, each node with 10 or 20 OSDs. This setup has been deployed with
juju charms.

No problems were observed nor differences compared to a vanilla version.

Attaching ceph-volume.logs from an example node with 10 and 20 volumes.

** Attachment added: "charms-10-volumes-ceph-volume.log"
   
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1908375/+attachment/5483568/+files/charms-10-volumes-ceph-volume.log

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-17 Thread Dariusz Gadomski
# verification groovy

$ apt-cache policy libcrmcommon34 | grep Installed
  Installed: 2.0.4-2ubuntu3.1

# dlm_stonith -t 5 -n 1089
dlm_stonith: utils.c:48: common: Assertion `"implicit callsite section is 
observable, otherwise target's and/or libqb's build is at fault, preventing 
reliable logging" && work_s1 != NULL && work_s2 != NULL' failed.
Aborted (core dumped)


$ apt-cache policy libcrmcommon34 | grep Installed
  Installed: 2.0.4-2ubuntu3.2

# dlm_stonith -t 5 -n 1089
kick_helper error -107 nodeid 1089

** Tags removed: verification-needed-groovy
** Tags added: verification-done-groovy

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1915828

Title:
  pacemaker fails to release clustered filesystem dlm locks on failover

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1915828/+subscriptions

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-17 Thread Dariusz Gadomski
# verification focal

$ apt-cache policy libcrmcommon34 | grep Installed
  Installed: 2.0.3-3ubuntu4.1

# dlm_stonith -t 5 -n 1
dlm_stonith: utils.c:57: common: Assertion `"implicit callsite section is 
observable, otherwise target's and/or libqb's build is at fault, preventing 
reliable logging" && work_s1 != NULL && work_s2 != NULL' failed.
Aborted (core dumped)

$ apt-cache policy libcrmcommon34 | grep Installed
  Installed: 2.0.3-3ubuntu4.2

# dlm_stonith -t 5 -n 1
kick_helper error -79 nodeid 1

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

[Bug 1908375] Re: ceph-volume lvm list calls blkid numerous times for differrent devices

2021-03-16 Thread Dariusz Gadomski
I have also made an attempt to run tasks.ceph_deploy test suite with
vstart as this seems to be the only one that makes use of `ceph-volume`,
but I have failed due to Python2/Python3 syntax issues.

I have set up venv with Python2 (since qa/tasks/vstart_runner.py is not
Python3 compatible) with teuthology (pip install
git+https://github.com/ceph/teuthology@luminous#egg=teuthology[test]).

Test run result:
Traceback (most recent call last):
  File "../qa/tasks/vstart_runner.py", line 1086, in <module>
    exec_test()
  File "../qa/tasks/vstart_runner.py", line 893, in exec_test
    args=["ps", "-u"+str(os.getuid())]
  File "../qa/tasks/vstart_runner.py", line 296, in run
    proc.wait()
  File "../qa/tasks/vstart_runner.py", line 164, in wait
    self.stdout.write(out)
TypeError: unicode argument expected, got 'str'

I'm not sure how to successfully run the suite, but I'll keep trying.

[Bug 1908375] Re: ceph-volume lvm list calls blkid numerous times for differrent devices

2021-03-16 Thread Dariusz Gadomski
tox log for patched ceph-volume

** Attachment added: "ceph-volume-patched.tox.log"
   
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1908375/+attachment/5477101/+files/ceph-volume-patched.tox.log

[Bug 1908375] Re: ceph-volume lvm list calls blkid numerous times for differrent devices

2021-03-16 Thread Dariusz Gadomski
I have performed a basic set of sanity testing on the patched
ceph-volume - no issues noticed nor difference in the output format.

I have also run ceph-volume tests with tox (logs attached:
ceph-volume-vanilla.tox.log - the unpatched version,
ceph-volume-patched.tox.log - patched version). In both cases status is
identical:

grep -w passed *.tox.log
ceph-volume-patched.tox.log:= 1829 passed in 3.91 seconds ==
ceph-volume-patched.tox.log:=== 1828 passed, 1 skipped in 2.99s
ceph-volume-vanilla.tox.log:= 1829 passed in 4.04 seconds ==
ceph-volume-vanilla.tox.log:=== 1828 passed, 1 skipped in 2.97s

** Attachment added: "ceph-volume-vanilla.tox.log"
   
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1908375/+attachment/5477100/+files/ceph-volume-vanilla.tox.log

[Bug 1917288] Re: Missing to package ceph-kvstore-tool, ceph-monstore-tool, ceph-osdomap-tool in bionic-train UCA release

2021-03-11 Thread Dariusz Gadomski
** Changed in: ceph (Ubuntu)
   Importance: Undecided => Medium

** Changed in: ceph (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1917288

Title:
  Missing to package ceph-kvstore-tool, ceph-monstore-tool, ceph-
  osdomap-tool  in bionic-train UCA release

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1917288/+subscriptions

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-08 Thread Dariusz Gadomski
** Description changed:

  [impact]
  
  programs using libqb logging exit due to failed assertion on qb log init
  
  [test case]
  
  test program:
  
  #include 
  
  QB_LOG_INIT_DATA(test);
  
  int main(int argc, char* argv[])
  {
    return 0;
  }
  
  compile and run:
  
  $ gcc -flto -D_GNU_SOURCE -o test test.c -lqb -ldl
  /usr/bin/ld: warning: 
/usr/lib/gcc/x86_64-linux-gnu/9/../../../x86_64-linux-gnu/libqb.so contains 
output sections; did you forget -T?
  
  $ ./test
  test: test.c:4: test: Assertion `"implicit callsite section is observable, 
otherwise target's and/or libqb's build is at fault, preventing reliable 
logging" && work_s1 != NULL && work_s2 != NULL' failed.
  Aborted (core dumped)
  
  Note the error is slightly different when compiling without lto:
  
  $ gcc -D_GNU_SOURCE -o test test.c -lqb -ldl
  /usr/bin/ld: warning: 
/usr/lib/gcc/x86_64-linux-gnu/9/../../../x86_64-linux-gnu/libqb.so contains 
output sections; did you forget -T?
  
  $ ./test
  test: test.c:4: test: Assertion `"implicit callsite section is populated, 
otherwise target's build is at fault, preventing reliable logging" && 
QB_ATTR_SECTION_START != QB_ATTR_SECTION_STOP' failed.
  Aborted (core dumped)
  
  [regression potential]
  
  any regression would likely involve problems during logging using the
  libqb logging functions, which could include failure to log or even
  program exit and/or crash.
+ 
+ additionally, altering of build flags (namely
+ -DQB_KILL_ATTRIBUTE_SECTION) removes some symbols from pacemaker
+ libraries (please see the debdiffs for the full list of them). Those
+ seem to be previously defined by macros (resolved in the end to
+ QB_LOG_INIT_DATA) and used internally by libqb for logging purposes. If
+ there was anything using those symbols build time or runtime missing
+ symbols may be reported.
  
  [scope]
  
  this appears to be needed only for focal; the issue seems to be an
  interaction between the focal version of binutils and some linker
  "magic" that libqb used in the focal version.
  
  The upstream libqb removed/replaced that linker "magic" after the version in 
focal, so this should not affect groovy or later. However, the fix changes the 
ABI and thus isn't appropriate for SRUing.
  https://github.com/ClusterLabs/libqb/pull/322
  
  The libqb code in bionic does not include the linker "magic" and so does
  not have this problem.
  
  [other info]
  
  related debian binutils bug report:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923246
  
  related gcc bug report:
  https://sourceware.org/bugzilla/show_bug.cgi?id=24276
  
  however, those appear to only have changed binutils to ignore the issue
  to allow the build to stop failing.
  
  The libqb docs do contain two suggestions to possibly work around this
  bug, specifically using either -l:libqb.so.0 or
  -DQB_KILL_ATTRIBUTE_SECTION, or both. Either or both approaches do help
  with the simple test case, but more testing is needed that actually
  exercises the log functionality to make sure nothing else breaks.
  
  $ gcc -flto -D_GNU_SOURCE -o test test.c -lqb -ldl
  /usr/bin/ld: warning: 
/usr/lib/gcc/x86_64-linux-gnu/9/../../../x86_64-linux-gnu/libqb.so contains 
output sections; did you forget -T?
  $ ./test
  test: test.c:4: test: Assertion `"implicit callsite section is observable, 
otherwise target's and/or libqb's build is at fault, preventing reliable 
logging" && work_s1 != NULL && work_s2 != NULL' failed.
  Aborted (core dumped)
  
  $ gcc -flto -D_GNU_SOURCE -o test test.c -l:libqb.so.0 -ldl
  $ ./test
  
  $ gcc -flto -DQB_KILL_ATTRIBUTE_SECTION -D_GNU_SOURCE -o test test.c -lqb -ldl
  /usr/bin/ld: warning: 
/usr/lib/gcc/x86_64-linux-gnu/9/../../../x86_64-linux-gnu/libqb.so contains 
output sections; did you forget -T?
  $ ./test
  
  [original description]
  
  When a clustered node is detected as failed the remaining node tries to
  fence the resources. When using pacemaker with gfs2 on an lvm2 logical
  volume dlm_controld calls out to dlm_stonith to release any locks held.
  
  Due to a build issue with the version of libqb that pacemaker is
  compiled against, the call to QB_LOG_INIT_DATA which is #defined to
  CRM_TRACE_INIT_DATA, fails with an assertion. This prevents the lock
  manager from releasing any held locks on the failed node.
  
  At this point the gfs2 filesystem cannot be accessed and after any
  resource timeouts are met, the resource is marked as failed.
  
  Calling dlm_stonith by hand with the data that is passed to it by
  dlm_controld shows the assertion.
  
  root@u2004-1:~# /usr/sbin/dlm_stonith -n 2 -t 1612361398
  dlm_stonith: utils.c:57: common: Assertion `"implicit callsite section is 
observable, otherwise target's and/or libqb's build is at fault, preventing 
reliable logging" && work_s1 != NULL && work_s2 != NULL' failed.
  
  It would appear that the code in libqb is over aggressive on the sanity
  checking, or assumes that QB_LOG_INIT_DATA will only be called by the
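
Review bot: the paragraph added under [regression potential] defers the list of removed symbols to the debdiffs and ends with "If there was anything using those symbols build time or runtime missing symbols may be reported" without saying whether anything was checked. Suggest listing the symbols in the description itself and stating the result of a search for users of them, so the SRU reviewer can judge the risk from the bug report alone.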

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-08 Thread Dariusz Gadomski
SRU proposal for groovy

** Patch added: "groovy.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1915828/+attachment/5474408/+files/groovy.debdiff

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-08 Thread Dariusz Gadomski
SRU proposal for focal

** Patch removed: "focal.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1915828/+attachment/5473371/+files/focal.debdiff

** Patch added: "focal.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1915828/+attachment/5474407/+files/focal.debdiff

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-05 Thread Dariusz Gadomski
** Changed in: pacemaker (Ubuntu Groovy)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-05 Thread Dariusz Gadomski
** Patch added: "focal.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1915828/+attachment/5473371/+files/focal.debdiff

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-05 Thread Dariusz Gadomski
Initial Focal SRU proposal.

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-04 Thread Dariusz Gadomski
The symbols defined with CRM_TRACE_INIT_DATA don't seem to be used
anywhere inside pacemaker and it's less than likely those are used
anywhere outside of it.

The definitions seem to be strictly logging related without any other
functionality declared.

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-04 Thread Dariusz Gadomski
The list of missing symbols seems to be consistent with the ones defined with
the CRM_TRACE_INIT_DATA macro:
lib/lrmd/lrmd_client.c
46:CRM_TRACE_INIT_DATA(lrmd);

lib/pacemaker/pcmk_trans_unpack.c
20:CRM_TRACE_INIT_DATA(transitioner);

lib/fencing/st_client.c
37:CRM_TRACE_INIT_DATA(stonith);

lib/pacemaker/pcmk_sched_allocate.c
24:CRM_TRACE_INIT_DATA(pe_allocate);

lib/cluster/cluster.c
25:CRM_TRACE_INIT_DATA(cluster);

lib/common/utils.c
57:CRM_TRACE_INIT_DATA(common);

lib/pengine/unpack.c
28:CRM_TRACE_INIT_DATA(pe_status);

lib/pengine/rules.c
25:CRM_TRACE_INIT_DATA(pe_rules);

The macro itself is defined in the following way:
include/crm/common/logging.h
112: #define CRM_TRACE_INIT_DATA(name) QB_LOG_INIT_DATA(name)

On the other hand QB_LOG_INIT_DATA is defined in libqb as follows:
#if defined(QB_KILL_ATTRIBUTE_SECTION) || defined(S_SPLINT_S)
#undef QB_HAVE_ATTRIBUTE_SECTION
#endif  /* defined(QB_KILL_ATTRIBUTE_SECTION) || defined(S_SPLINT_S) */

#ifdef QB_HAVE_ATTRIBUTE_SECTION
// ...
#else
#define QB_LOG_INIT_DATA(name)
#endif  /* QB_HAVE_ATTRIBUTE_SECTION */

So in the end with the QB_KILL_ATTRIBUTE_SECTION defined the macro
QB_LOG_INIT_DATA is being left empty. Hence the missing symbols.

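The general technique behind the message above, as an added example (not libqb or pacemaker code): descriptors are collected in a named ELF section that the linker brackets with start/stop symbols, and a "kill" define turns the registration macro into nothing, which is why the per-name symbols disappear. Every demo_* / DEMO_* name and the section name are assumptions, and the start-up check here returns an error code instead of asserting.

```c
/* Added illustration, not libqb or pacemaker code; all demo_* / DEMO_* names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct demo_callsite {
    const char *name;   /* subsystem name passed to the macro */
    const char *file;
    int line;
};

/* Same shape as the libqb snippet quoted above: a "kill" define switches the section off. */
#if !defined(DEMO_KILL_ATTRIBUTE_SECTION) && defined(__GNUC__) && defined(__ELF__)
#define DEMO_HAVE_ATTRIBUTE_SECTION 1
#endif

#ifdef DEMO_HAVE_ATTRIBUTE_SECTION
#define DEMO_SECTION_ACTIVE 1
/* For a section whose name is a valid C identifier, the ELF linker provides
 * __start_<name> and __stop_<name> symbols bracketing its contents. */
extern const struct demo_callsite *__start_demo_callsites[];
extern const struct demo_callsite *__stop_demo_callsites[];

/* Defines one descriptor and places a pointer to it in the section. The pointer
 * is a global symbol (demo_trace_<name>) that exists only in this branch. */
#define DEMO_TRACE_INIT_DATA(name)                                      \
    static const struct demo_callsite demo_cs_##name =                  \
        { #name, __FILE__, __LINE__ };                                  \
    const struct demo_callsite *demo_trace_##name                       \
        __attribute__((section("demo_callsites"), used)) = &demo_cs_##name

size_t demo_callsite_count(void)
{
    return (size_t)(__stop_demo_callsites - __start_demo_callsites);
}

const struct demo_callsite *demo_find_callsite(const char *name)
{
    const struct demo_callsite **p;
    for (p = __start_demo_callsites; p < __stop_demo_callsites; p++)
        if (*p != NULL && strcmp((*p)->name, name) == 0)
            return *p;
    return NULL;
}
#else
#define DEMO_SECTION_ACTIVE 0
/* Kill switch (or non-ELF target): no object is emitted, so the demo_trace_<name>
 * symbols are absent from the binary. The forward declaration only absorbs the
 * trailing semicolon; the libqb macro quoted above expands to nothing at all. */
#define DEMO_TRACE_INIT_DATA(name) struct demo_unused_##name

size_t demo_callsite_count(void) { return 0; }
const struct demo_callsite *demo_find_callsite(const char *name)
{
    (void)name;
    return NULL;
}
#endif

/* Two registrations, named after entries in the grep output above. */
DEMO_TRACE_INIT_DATA(common);
DEMO_TRACE_INIT_DATA(stonith);

/* Start-up check that reports an unexpectedly empty section to the caller
 * rather than aborting the whole process. */
int demo_log_init_check(void)
{
    if (DEMO_SECTION_ACTIVE && demo_callsite_count() == 0)
        return -1;   /* section expected, but the linker left it empty */
    return 0;
}

int main(void)
{
    const struct demo_callsite *cs = demo_find_callsite("common");
    printf("section active: %d, callsites: %zu, init check: %d\n",
           DEMO_SECTION_ACTIVE, demo_callsite_count(), demo_log_init_check());
    if (cs != NULL)
        printf("common registered at %s:%d\n", cs->file, cs->line);
    return 0;
}
```

Building once as is and once with -DDEMO_KILL_ATTRIBUTE_SECTION, then comparing the two binaries' symbol tables, shows the demo_trace_* symbols present only in the first build.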

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-04 Thread Dariusz Gadomski
Adding -DQB_KILL_ATTRIBUTE_SECTION to CFLAGS seems to result in some symbols 
disappearing during the build:
https://paste.ubuntu.com/p/hmBpMXGjqy/

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-04 Thread Dariusz Gadomski
I have checked it again on Groovy and it looks like the change from
https://github.com/ClusterLabs/libqb/pull/322 did not make it to the Groovy
version of libqb. Also in a test the behavior was identical to Focal, so
I have targeted the bug to the series.

[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-03-04 Thread Dariusz Gadomski
** Also affects: pacemaker (Ubuntu Groovy)
   Importance: Undecided
   Status: New

[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-03-03 Thread Dariusz Gadomski
I have just repeated the testing procedure for golang-1.14 on Focal, Groovy and 
Hirsute.
The test results look correct and consistent with what is expected according to 
the test case.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1914372

Title:
  Ubuntu packages affected by CVE-2020-24553

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-1.14/+bug/1914372/+subscriptions

[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-03-03 Thread Dariusz Gadomski
Thank you Avital.

I have just tested golang-1.10 for Xenial and Bionic and the behavior is
exactly as expected for a fixed version.

[Bug 1917288] Re: Missing to package ceph-kvstore-tool, ceph-monstore-tool, ceph-osdomap-tool in bionic-train UCA release

2021-03-03 Thread Dariusz Gadomski
I have prepared and tested a build targeting this (available in
ppa:dgadomski/ceph-lp1917288).

During the tests I was mainly focusing on the following upgrade paths to make 
sure everything works as expected:
1. stein -> train - no issues, but old ceph-test was left installed leaving 
garbage under /usr/lib/ceph/bin
2. train -> ussuri
3. stein -> ussuri
4. stein -> ppa (train)
5. ppa (train) -> ussuri

When using the ppa version, upon installation of ceph-base, ceph-osd or
ceph-mon a removal of ceph-test was offered (despite no actual conflict
due to path differences, but we don't want to leave unnecessary
artifacts behind).

** Patch added: "bionic_train_ceph_14.2.11-0ubuntu0.19.10.1~cloud5.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1917288/+attachment/5472174/+files/bionic_train_ceph_14.2.11-0ubuntu0.19.10.1~cloud5.debdiff

[Bug 1917288] Re: Missing to package ceph-kvstore-tool, ceph-monstore-tool, ceph-osdomap-tool in bionic-train UCA release

2021-03-03 Thread Dariusz Gadomski
** Changed in: ceph (Ubuntu)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)


[Bug 1915828] Re: pacemaker fails to release clustered filesystem dlm locks on failover

2021-02-23 Thread Dariusz Gadomski
** Changed in: pacemaker (Ubuntu)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: pacemaker (Ubuntu)
   Importance: Undecided => Medium


[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-02-17 Thread Dariusz Gadomski
Bionic patch with corrected versioning (and matryoshka_test.go fixed)

** Patch added: "bionic_golang-1.10.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/golang-1.14/+bug/1914372/+attachment/5464431/+files/bionic_golang-1.10.debdiff


[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-02-17 Thread Dariusz Gadomski
Xenial patch (with matryoshka_test.go fixed).

** Patch added: "xenial_golang-1.10.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/golang-1.14/+bug/1914372/+attachment/5464430/+files/xenial_golang-1.10.debdiff


[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-02-17 Thread Dariusz Gadomski
Thanks for looking at it. I've checked matryoshka_test.go and it looks like
it was expecting the old default Content-Type: text/html, while after
applying the patch the new default is text/plain.

I've updated the debdiffs and will upload them shortly (for x and b).

** Patch removed: "xenial_golang-1.10.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/golang-1.14/+bug/1914372/+attachment/5459328/+files/xenial_golang-1.10.debdiff

** Patch removed: "bionic_golang-1.10.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/golang-1.14/+bug/1914372/+attachment/5459326/+files/bionic_golang-1.10.debdiff


[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-02-03 Thread Dariusz Gadomski
** Description changed:

  [Impact]
  
-  Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
+  Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
  is the default for CGI/FCGI handlers that lack a Content-Type header.
  
  [Test Case]
  
-  Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-
+  Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-
  sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-
  lead-to-cross-site-scripting:
  
-  1. Use the snippet of CGI go code provided and run it: go run poc.go
-  2. Run nginx with the config provided to forward the FastCGI calls to the go 
program.
-  3. curl -i -o - http://localhost:8000
-  4. Observe the output.
+  1. Use the snippet of CGI go code provided and run it: go run poc.go
+  2. Run nginx with the config provided to forward the FastCGI calls to the go 
program.
+  3. curl -i -o - http://localhost:8000
+  4. Observe the output.
  
- In a affected go build the output will say:
+ In an affected golang build the output will say:
  Content-Type: text/html (...)
  while in the fixed version it should recognize the content type correctly as:
  Content-Type: image/png
  
  [Where problems could occur]
  
-  * It may affect deployments where go apps are used as CGI scripts - if
+  * It may affect deployments where go apps are used as CGI scripts - if
  the setup was incorrectly relying on hard-coded content type it may
  require fixing it.
  
  [Other Info]
-  
-  * The fix is present in golang-1.15 for hirsute and groovy.
+ 
+  * The fix is present in golang-1.15 for hirsute and groovy.
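Review bot: the expected result in the [Test Case] lines ("Content-Type: text/html (...)" on an affected build, "Content-Type: image/png" on a fixed one) cannot be judged from the description alone, because steps 1 and 2 refer to "the snippet of CGI go code provided" and "the config provided" without saying that both come from the linked advisory or what response body the snippet sends. Suggest naming the advisory as the source of poc.go and the nginx config in step 1, and stating what the PoC returns, so a verifier knows why image/png is the correct outcome. The reworded line also switches to "golang build" while the remaining lines still say "go"; pick one.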


[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-02-03 Thread Dariusz Gadomski
Patch proposal for golang-1.10 on Xenial.

** Patch added: "xenial_golang-1.10.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+attachment/5459328/+files/xenial_golang-1.10.debdiff


[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-02-03 Thread Dariusz Gadomski
Patch proposal for golang-1.10 on Bionic.

** Patch added: "bionic_golang-1.10.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+attachment/5459326/+files/bionic_golang-1.10.debdiff


[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-02-03 Thread Dariusz Gadomski
Patch proposal for golang-1.14 on Focal.

** Patch added: "focal_golang-1.14.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+attachment/5459325/+files/focal_golang-1.14.debdiff


[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-02-03 Thread Dariusz Gadomski
Patch proposal for golang-1.14 on Groovy.

** Patch added: "groovy_golang-1.14.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+attachment/5459324/+files/groovy_golang-1.14.debdiff


[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-02-03 Thread Dariusz Gadomski
Patch proposal for golang-1.14 on Groovy.


[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553

2021-02-03 Thread Dariusz Gadomski
Patch proposal for golang-1.14 for Hirsute

** Patch added: "hirsute_golang-1.14.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+attachment/5459322/+files/hirsute_golang-1.14.debdiff


[Bug 1914372] [NEW] Ubuntu packages affected by CVE-2020-24553

2021-02-03 Thread Dariusz Gadomski
*** This bug is a security vulnerability ***

Public security bug reported:

[Impact]

 Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
is the default for CGI/FCGI handlers that lack a Content-Type header.

[Test Case]

 Described as POC at
https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting:

 1. Use the snippet of CGI go code provided and run it: go run poc.go
 2. Run nginx with the config provided to forward the FastCGI calls to the go 
program.
 3. curl -i -o - http://localhost:8000
 4. Observe the output.

In an affected go build the output will say:
Content-Type: text/html (...)
while in the fixed version it should recognize the content type correctly as:
Content-Type: image/png

[Where problems could occur]

 * It may affect deployments where go apps are used as CGI scripts - if
the setup was incorrectly relying on hard-coded content type it may
require fixing it.

[Other Info]
 
 * The fix is present in golang-1.15 for hirsute and groovy.

** Affects: golang-1.10 (Ubuntu)
 Importance: High
 Status: New

** Affects: golang-1.14 (Ubuntu)
 Importance: High
 Status: New

** Affects: golang-1.10 (Ubuntu Xenial)
 Importance: High
 Status: New

** Affects: golang-1.14 (Ubuntu Xenial)
 Importance: Undecided
 Status: Invalid

** Affects: golang-1.10 (Ubuntu Bionic)
 Importance: High
 Status: New

** Affects: golang-1.14 (Ubuntu Bionic)
 Importance: Undecided
 Status: Invalid

** Affects: golang-1.14 (Ubuntu Focal)
 Importance: High
 Status: New

** Affects: golang-1.14 (Ubuntu Groovy)
 Importance: High
 Status: New

** Affects: golang-1.14 (Ubuntu Hirsute)
 Importance: High
 Status: New


** Tags: sts

** Also affects: golang-1.14 (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Also affects: golang-1.14 (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: golang-1.14 (Ubuntu Hirsute)
   Importance: High
   Status: New

** Also affects: golang-1.10 (Ubuntu)
   Importance: Undecided
   Status: New

** No longer affects: golang-1.10 (Ubuntu Hirsute)

** No longer affects: golang-1.10 (Ubuntu Groovy)

** No longer affects: golang-1.10 (Ubuntu Focal)

** Also affects: golang-1.10 (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: golang-1.14 (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: golang-1.10 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: golang-1.14 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: golang-1.14 (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: golang-1.14 (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: golang-1.10 (Ubuntu)
   Importance: Undecided => High

** Changed in: golang-1.10 (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: golang-1.10 (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: golang-1.14 (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: golang-1.14 (Ubuntu Groovy)
   Importance: Undecided => High

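The default Content-Type behaviour described in the [Impact] and [Test Case] sections above, and the text/html to text/plain change noted in the matryoshka_test.go comment, modelled as an added Go example (not code from the bug report, the advisory or the Go source tree). It assumes the fixed build sniffs the first written bytes with http.DetectContentType; Audit, Report, auditWriter and the three sample handlers are hypothetical names, and the sample bodies are constructed.

```go
package main

import (
	"fmt"
	"net/http"
)

// Media type the report quotes for an affected build ("text/html (...)").
// The parameters are elided on the page, so only the media type is modelled.
const affectedDefault = "text/html"

// auditWriter is a minimal http.ResponseWriter that remembers whether the
// handler had set Content-Type when the headers were committed, and which
// bytes were written first (the input a sniffing default would see).
type auditWriter struct {
	header    http.Header
	committed bool
	explicit  bool
	first     []byte
}

func (w *auditWriter) Header() http.Header { return w.header }

func (w *auditWriter) WriteHeader(int) { w.commit(nil) }

func (w *auditWriter) Write(p []byte) (int, error) {
	w.commit(p)
	return len(p), nil
}

func (w *auditWriter) commit(p []byte) {
	if w.committed {
		return
	}
	w.committed = true
	w.explicit = w.header.Get("Content-Type") != ""
	w.first = append([]byte(nil), p...)
}

// Report says whether a handler relies on the transport's default and which
// Content-Type a client would then see under each behaviour.
type Report struct {
	Explicit bool   // handler set Content-Type itself
	Affected string // assumed result on an affected build
	Fixed    string // assumed result on a fixed build
}

// Audit runs a handler once against the test-case URL and reports on it.
func Audit(h http.Handler) Report {
	w := &auditWriter{header: http.Header{}}
	req, err := http.NewRequest(http.MethodGet, "http://localhost:8000/", nil)
	if err != nil {
		panic(err)
	}
	h.ServeHTTP(w, req)
	w.commit(nil) // handler wrote nothing: headers are committed on return
	if w.explicit {
		ct := w.header.Get("Content-Type")
		return Report{Explicit: true, Affected: ct, Fixed: ct}
	}
	return Report{Affected: affectedDefault, Fixed: http.DetectContentType(w.first)}
}

// Constructed sample body: the 8-byte PNG signature followed by filler text.
var pngLike = []byte("\x89PNG\r\n\x1a\nconstructed filler, not a real image")

// implicitPNG relies on the default, like the handler in the test case.
func implicitPNG(w http.ResponseWriter, _ *http.Request) { w.Write(pngLike) }

// implicitText relies on the default for a plain-text body.
func implicitText(w http.ResponseWriter, _ *http.Request) {
	w.Write([]byte("hello from a CGI child\n"))
}

// explicitPNG is the hardened form: it declares the type and disables sniffing.
func explicitPNG(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "image/png")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(pngLike)
}

func main() {
	cases := []struct {
		name string
		h    http.HandlerFunc
	}{
		{"implicitPNG", implicitPNG},
		{"implicitText", implicitText},
		{"explicitPNG", explicitPNG},
	}
	for _, c := range cases {
		fmt.Printf("%-12s %+v\n", c.name, Audit(c.h))
	}
}
```

Handlers reported with `Explicit: false` are the ones the [Where problems could occur] section refers to: their response type changes with the update, so they should set Content-Type themselves.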

[Bug 1908375] Re: ceph-volume lvm list calls blkid numerous times for differrent devices

2021-01-13 Thread Dariusz Gadomski
SRU proposal available as this branch:
https://code.launchpad.net/~dgadomski/ubuntu/+source/ceph/+git/ceph/+ref/lp1908375


[Bug 1908219] Re: [drm:qxl_enc_commit [qxl]] *ERROR* head number too large or missing monitors config:

2021-01-13 Thread Dariusz Gadomski
I have tested this in a VM with kernel 4.15.0-131.135 installed and I
can confirm the issue is gone.

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic


[Bug 1908219] Re: [drm:qxl_enc_commit [qxl]] *ERROR* head number too large or missing monitors config:

2020-12-16 Thread Dariusz Gadomski
Patches posted to the kernel-team list:
https://lists.ubuntu.com/archives/kernel-team/2020-December/115620.html


[Bug 1908375] Re: ceph-volume lvm list calls blkid numerous times for differrent devices

2020-12-16 Thread Dariusz Gadomski
** Attachment added: "ceph-volume.log snippet"
   
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1908375/+attachment/5444141/+files/ceph-volume.log

** Also affects: ceph (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: ceph (Ubuntu)
   Status: New => Fix Released

** Changed in: ceph (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: ceph (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: ceph (Ubuntu Bionic)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: ceph (Ubuntu)
 Assignee: Dariusz Gadomski (dgadomski) => (unassigned)


[Bug 1908375] [NEW] ceph-volume lvm list calls blkid numerous times for differrent devices

2020-12-16 Thread Dariusz Gadomski
Public bug reported:

[Impact]

 * Every ceph-volume list lvm  call invokes blkid for numerous
PARTUUIDs. For some setups with many slower IO devices this can make this call
run for minutes without any actual justification.
In fact, the upstream ceph approach changed in this matter and post-bionic
releases already have ceph-volume that does not invoke blkid at all in this
context, making the call much faster.

Please examine the attached ceph-volume.log fragment for a ceph-volume
call, the accumulated blkid calls take around 1 min 7 s.


[Test Case]

 * Set up a ceph-osd with numerous block devices with long access time for blkid.
 * Run
time ceph-volume --log-path ceph-volume.log --log-level debug lvm list 
on one of them and check the log to see that most of the execution time is 
consumed by blkid calls.

[Where problems could occur]

 * Although a potential fix does not introduce any changes to how ceph-
volume is used any automation depending on ceph-volume log parsing may
notice a change.

[Other Info]
 
 * The fix to this is available for Focal and beyond.
 * Xenial is not affected due to lack of ceph-volume in its ceph release.

** Affects: ceph (Ubuntu)
 Importance: Undecided
 Status: Fix Released

** Affects: ceph (Ubuntu Bionic)
 Importance: Medium
 Assignee: Dariusz Gadomski (dgadomski)
 Status: In Progress


** Tags: sts


[Bug 1908219] Re: [drm:qxl_enc_commit [qxl]] *ERROR* head number too large or missing monitors config:

2020-12-15 Thread Dariusz Gadomski
** Changed in: linux (Ubuntu Bionic)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)


[Bug 1908219] [NEW] [drm:qxl_enc_commit [qxl]] *ERROR* head number too large or missing monitors config:

2020-12-15 Thread Dariusz Gadomski
Public bug reported:

[Impact]

* Ubuntu 18.04 used as a guest in KVM with Spice/QXL in use may lead to a DRM 
error displayed during xorg launch:
[drm:qxl_enc_commit [qxl]] *ERROR* head number too large or missing monitors 
config: (ptrval), 0

[Fix]

* 00e5d217fa19bcbec13135898e1b9ca2c1c3e89b qxl: hook monitors_config
updates into crtc, not encoder.

[Test Case]

* Ubuntu 18.04 desktop guest with 4.15-series kernel with Spice/QXL.
* I used Ubuntu 20.04 as the host, but it was reported to me that the issue is
similar with CentOS 7.8 used as a host.

[Regression Potential]

* Fix is limited to the QXL driver, so any regressions will be related
to graphics (either potential drm errors or graphical artifacts).

[Other]

* This has been fixed in HWE kernels and in later Ubuntu releases. Only Bionic 
is affected.
* According to the description in drivers/gpu/drm/qxl/qxl_dev.h:
struct qxl_monitors_config {
(...)
uint16_t max_allowed; /* If it is 0 no fixed limit is given by the
 driver */
(...)
};

In the message this value is 0, which should be a completely correct situation
in that context. However, it is incorrectly compared against the current qxl_output.
This was fixed soon after the Bionic release, and in Bionic it is marked with:
/* TODO: ugly, do better */

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: Fix Released

** Affects: linux (Ubuntu Bionic)
 Importance: Medium
 Status: New

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu)
   Status: New => Fix Released

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => Medium


[Bug 1881976] Re: apport-gtk and apport-kde install xiterm+thai as dependency (x-terminal-emulator)

2020-08-12 Thread Dariusz Gadomski
I can verify that version 2.20.11-0ubuntu27.8 for focal fixes the issue.

Running on server install:
sudo apt install apport-gtk
apt offers gnome-terminal as dependency.

sudo apt install apport-kde
pulls in konsole as dependency.



** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal


[Bug 1881976] Re: apport-gtk and apport-kde install xiterm+thai as dependency (x-terminal-emulator)

2020-08-11 Thread Dariusz Gadomski
** Changed in: apport (Ubuntu Focal)
   Status: Fix Committed => In Progress


[Bug 1881976] Re: apport-gtk and apport-kde install xiterm+thai as dependency (x-terminal-emulator)

2020-08-10 Thread Dariusz Gadomski
The fix has been superseded by a security update. In the meantime a
concurrent update of pycodestyle broke the apport build. I have
backported fixes to the build issue from Groovy and uploaded the patch
yesterday. Once the update is reviewed it should be available via the
-proposed pocket.


[Bug 1889556] Re: grub-install failure does not fail package upgrade (and does not roll back to matching modules)

2020-07-31 Thread Dariusz Gadomski
I have run some additional tests on bionic and focal desktop VMs with
lvm (and lvm+luks) - no boot issues were observed with the -proposed
builds.


[Bug 1889556] Re: grub-install failure does not fail package upgrade (and does not roll back to matching modules)

2020-07-31 Thread Dariusz Gadomski
xenial verification:
Tested with 1.66.27+2.02_beta2-36ubuntu3.27 from -proposed.

Boots successfully in BIOS mode.
Timestamps updated in EFI mode.

** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

** Tags removed: verification-needed
** Tags added: verification-done


[Bug 1889556] Re: grub-install failure does not fail package upgrade (and does not roll back to matching modules)

2020-07-31 Thread Dariusz Gadomski
I have also attempted to verify xenial (using version
1.66.27+2.02_beta2-36ubuntu3.27), however
grub-efi-amd64-signed_1.66.27+2.02_beta2-36ubuntu3.27 still seems to be
unavailable in -proposed (http://archive.ubuntu.com).

I have manually downloaded it and tested from here [1], however I'll
postpone the verification until it's available.

[1] https://launchpad.net/ubuntu/+archive/primary/+files/grub-efi-amd64-signed_1.66.27+2.02~beta2-36ubuntu3.27_amd64.deb


[Bug 1889556] Re: grub-install failure does not fail package upgrade (and does not roll back to matching modules)

2020-07-31 Thread Dariusz Gadomski
focal verification:
Tested with version 1.142.4+2.04-1ubuntu26.2 from -proposed using the above 
test case.

Boots successfully in BIOS mode.
Timestamps updated in EFI mode.

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal


[Bug 1889556] Re: grub-install failure does not fail package upgrade (and does not roll back to matching modules)

2020-07-31 Thread Dariusz Gadomski
bionic-verification:
Tested with version 1.93.19+2.02-2ubuntu8.17 from -proposed using the test case 
in the description.

Boots successfully in BIOS mode.
Timestamps were updated in EFI mode.

** Tags removed: sts verification-needed-bionic
** Tags added: verification-done-bionic


[Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

2020-07-29 Thread Dariusz Gadomski
I have verified it for Bionic using ntp 1:4.2.8p10+dfsg-5ubuntu7.2.

No segfault observed:
sudo ntpq -p
 remote refid st t when poll reach delay offset jitter
==
 0.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.000
 1.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.000
 2.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.000
 3.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.000
 ntp.ubuntu.com .POOL. 16 p - 64 0 0.000 0.000 0.000
+tel50.oa.uj.edu 149.156.70.75 2 u 6 64 1 14.404 0.782 0.386
*SunSITE.icm.edu 210.100.177.101 2 u 5 64 1 12.239 0.138 0.645
(...)


[Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

2020-07-29 Thread Dariusz Gadomski
I have verified it for Bionic using ntp 1:4.2.8p10+dfsg-5ubuntu7.2.

No segfault observed:
sudo ntpq -p
 remote          refid           st t when poll reach    delay   offset  jitter
==
 0.ubuntu.pool.n .POOL.          16 p    -   64     0    0.000    0.000   0.000
 1.ubuntu.pool.n .POOL.          16 p    -   64     0    0.000    0.000   0.000
 2.ubuntu.pool.n .POOL.          16 p    -   64     0    0.000    0.000   0.000
 3.ubuntu.pool.n .POOL.          16 p    -   64     0    0.000    0.000   0.000
 ntp.ubuntu.com  .POOL.          16 p    -   64     0    0.000    0.000   0.000
+tel50.oa.uj.edu 149.156.70.75    2 u    6   64     1   14.404    0.782   0.386
*SunSITE.icm.edu 210.100.177.101  2 u    5   64     1   12.239    0.138   0.645
+46.175.224.7.ma 178.252.19.225   3 u    5   64     1   35.607    0.018   0.661
+news-archive.ic 229.30.220.210   2 u    3   64     1    9.942    0.135   0.761
-afrodyta.comple 210.100.177.101  2 u    1   64     1   14.696    1.299   0.648
 ntp11.kashra-se 192.168.100.15   2 u    1   64     1   35.386   -3.146   0.297
-time.taken.pl   80.50.231.226    2 u    1   64     1    9.133    1.390   0.282
-ntp.tktelekom.p 80.50.231.226    2 u    1   64     1    8.839    0.079   0.569
-ntp.wide-net.pl 194.146.251.101  2 u    4   64     1   16.739    0.559   0.324
-icemen.pl       17.253.52.253    2 u    4   64     1   34.257   -0.985   0.550
 96-7.cpe.smnt.p 5.226.98.186     2 u    -   64     1   14.709   -0.850   0.860
-ntp.ifj.edu.pl  213.222.200.99   2 u    2   64     1   30.463    9.168   0.457
 pugot.canonical 17.253.34.125    2 u   13   64     1   41.787   -3.423   0.000
 ntp2.tktelekom. 212.160.106.226  2 u    -   64     1    9.211    0.220   0.907
 alphyn.canonica 132.163.97.1     2 u   12   64     1  113.404   -3.408   0.000
 time.cloudflare 10.71.10.44      3 u    -   64     1   23.523   -1.134   0.748
 golem.canonical 140.203.204.77   2 u   11   64     1   41.912   -2.097    0.00

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-27 Thread Dariusz Gadomski
** Tags added: sts-sponsor-dgadomski


[Bug 1881976] Re: apport-gtk and apport-kde install xiterm+thai as dependency (x-terminal-emulator)

2020-07-27 Thread Dariusz Gadomski
** Tags added: sts-sponsor-dgadomski


[Bug 1861177] Re: seccomp_rule_add is very slow

2020-07-27 Thread Dariusz Gadomski
Marking Eoan as Won't fix due to EOL.

** Changed in: libseccomp (Ubuntu Eoan)
   Status: Fix Committed => Won't Fix


[Bug 1881976] Re: apport-gtk and apport-kde install xiterm+thai as dependency (x-terminal-emulator)

2020-07-23 Thread Dariusz Gadomski
SRU proposal for focal.

** Patch added: "focal.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1881976/+attachment/5395298/+files/focal.debdiff


[Bug 1881976] Re: apport-gtk and apport-kde install xiterm+thai as dependency (x-terminal-emulator)

2020-07-23 Thread Dariusz Gadomski
SRU proposal for groovy

** Patch removed: "groovy.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1881976/+attachment/5395109/+files/groovy.debdiff

** Patch removed: "focal.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1881976/+attachment/5395110/+files/focal.debdiff

** Patch added: "groovy.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1881976/+attachment/5395297/+files/groovy.debdiff


[Bug 1881976] Re: xiterm+thai installed by default in Ubuntu 20.04 (Australian Locale)

2020-07-23 Thread Dariusz Gadomski
** Also affects: apport (Ubuntu)
   Importance: Undecided
   Status: New

** No longer affects: xiterm+thai (Ubuntu)

** No longer affects: xiterm+thai (Ubuntu Focal)

** Changed in: apport (Ubuntu)
   Status: New => In Progress

** Changed in: apport (Ubuntu Focal)
   Status: New => In Progress

** Changed in: apport (Ubuntu)
   Importance: Undecided => Medium

** Changed in: apport (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: apport (Ubuntu)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: apport (Ubuntu Focal)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Summary changed:

- xiterm+thai installed by default in Ubuntu 20.04 (Australian Locale)
+ apport-gtk and apport-kde install xiterm+thai as dependency 
(x-terminal-emulator)

** Description changed:

  [Impact]
  
   * When installing apport-gtk (or apport-kde) on a non-GUI installation 
(cloud image, server image) as a dependency providing x-terminal-emulator 
xiterm+thai package is pulled in, which is not appropriate for most locales.
  My understanding is it was selected due to lowest number of unsatisfied 
dependencies.
  
  [Test Case]
  
   * lxc launch ubuntu:20.04 test
   * lxc shell test
   * apt update
   * apt install apport-gtk
-  * Examine the packages listed to be installed: xiterm+thai should be among 
them.
+  * Examine the packages listed to be installed: xiterm+thai is one of them.
  
  [Regression Potential]
  
   * In dedicated archive mirrors with limited number of packages changing
  that may cause errors due to packages missing in the archive. However,
  that's unlikely.
  
  [Other Info]
  
-  * It is not affecting bionic, since x-terminal-emulator is listed as 
'Suggests' not 'Depends' there.
+  * It is not affecting bionic, since x-terminal-emulator is listed as 
'Suggests' not 'Depends' there.
   * Original bug description:
  
  Vanilla install of Ubuntu 20.04 set to an Australian locale includes the 
"Thai X Terminal" package.
  This package should not be included.
  
  I noticed that it is also reported against Xubuntu and Lubuntu:
  https://bugs.launchpad.net/lubuntu-next/+bug/1747341


[Bug 1881976] Re: xiterm+thai installed by default in Ubuntu 20.04 (Australian Locale)

2020-07-23 Thread Dariusz Gadomski
** Changed in: xiterm+thai (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: xiterm+thai (Ubuntu)
   Importance: Undecided => Medium

** Changed in: xiterm+thai (Ubuntu)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: xiterm+thai (Ubuntu Focal)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: xiterm+thai (Ubuntu)
   Status: New => In Progress

** Changed in: xiterm+thai (Ubuntu Focal)
   Status: New => In Progress


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-23 Thread Dariusz Gadomski
I tested libnss3 2:3.49.1-1ubuntu1.3 on focal, however this was not done
in FIPS-mode (as there are no FIPS packages for focal available).

I did not find a way to trigger the signature verification outside FIPS
mode, but in the normal use case (FIPS disabled) everything works as
expected, no regressions noted.

** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-23 Thread Dariusz Gadomski
Tested with 2:3.35-2ubuntu2.10 on 18.04:

sudo chronyd -d
2020-07-23T08:40:19Z chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -DEBUG)
2020-07-23T08:40:19Z Frequency -1.068 +/- 0.045 ppm read from /var/lib/chrony/chrony.drift

(no failed assertions, no crashes)


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-23 Thread Dariusz Gadomski
** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic


[Bug 1881976] Re: xiterm+thai installed by default in Ubuntu 20.04 (Australian Locale)

2020-07-23 Thread Dariusz Gadomski
SRU proposal for groovy.

** Description changed:

+ [Impact]
+ 
+  * When installing apport-gtk (or apport-kde) on a non-GUI installation 
(cloud image, server image) as a dependency providing x-terminal-emulator 
xiterm+thai package is pulled in, which is not appropriate for most locales.
+ My understanding is it was selected due to lowest number of unsatisfied 
dependencies.
+ 
+ [Test Case]
+ 
+  * lxc launch ubuntu:20.04 test
+  * lxc shell test
+  * apt update
+  * apt install apport-gtk
+  * Examine the packages listed to be installed: xiterm+thai should be among 
them.
+ 
+ [Regression Potential]
+ 
+  * In dedicated archive mirrors with limited number of packages changing
+ that may cause errors due to packages missing in the archive. However,
+ that's unlikely.
+ 
+ [Other Info]
+  
+  * Original bug description:
+ 
  Vanilla install of Ubuntu 20.04 set to an Australian locale includes the 
"Thai X Terminal" package.
  This package should not be included.
  
  I noticed that it is also reported against Xubuntu and Lubuntu:
  https://bugs.launchpad.net/lubuntu-next/+bug/1747341
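Review bot: the added [Test Case] only reproduces the problem; its last step says xiterm+thai should be among the packages to be installed, and nothing states what a fixed apport-gtk is expected to pull in. Add the expected post-fix result (xiterm+thai absent from the install list) so the same steps serve for SRU verification, and cover apport-kde in the steps as well, since [Impact] names it as affected too.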

** Tags added: sts

** Also affects: xiterm+thai (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Also affects: xiterm+thai (Ubuntu Focal)
   Importance: Undecided
   Status: New

** No longer affects: xiterm+thai (Ubuntu Eoan)

** Patch added: "groovy.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/xiterm+thai/+bug/1881976/+attachment/5395109/+files/groovy.debdiff


[Bug 1881976] Re: xiterm+thai installed by default in Ubuntu 20.04 (Australian Locale)

2020-07-23 Thread Dariusz Gadomski
SRU proposal for focal

** Patch added: "focal.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/xiterm+thai/+bug/1881976/+attachment/5395110/+files/focal.debdiff

** Description changed:

  [Impact]
  
-  * When installing apport-gtk (or apport-kde) on a non-GUI installation 
(cloud image, server image) as a dependency providing x-terminal-emulator 
xiterm+thai package is pulled in, which is not appropriate for most locales.
+  * When installing apport-gtk (or apport-kde) on a non-GUI installation 
(cloud image, server image) as a dependency providing x-terminal-emulator 
xiterm+thai package is pulled in, which is not appropriate for most locales.
  My understanding is it was selected due to lowest number of unsatisfied 
dependencies.
  
  [Test Case]
  
-  * lxc launch ubuntu:20.04 test
-  * lxc shell test
-  * apt update
-  * apt install apport-gtk
-  * Examine the packages listed to be installed: xiterm+thai should be among 
them.
+  * lxc launch ubuntu:20.04 test
+  * lxc shell test
+  * apt update
+  * apt install apport-gtk
+  * Examine the packages listed to be installed: xiterm+thai should be among 
them.
  
  [Regression Potential]
  
-  * In dedicated archive mirrors with limited number of packages changing
+  * In dedicated archive mirrors with limited number of packages changing
  that may cause errors due to packages missing in the archive. However,
  that's unlikely.
  
  [Other Info]
-  
-  * Original bug description:
+ 
+  * It is not affecting bionic, since x-terminal-emulator is listed as 
'Suggests' not 'Depends' there.
+  * Original bug description:
  
  Vanilla install of Ubuntu 20.04 set to an Australian locale includes the 
"Thai X Terminal" package.
  This package should not be included.
  
  I noticed that it is also reported against Xubuntu and Lubuntu:
  https://bugs.launchpad.net/lubuntu-next/+bug/1747341


[Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

2020-07-22 Thread Dariusz Gadomski
** Also affects: ntp (Ubuntu)
   Importance: Undecided
   Status: New


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-17 Thread Dariusz Gadomski
** Description changed:

+ [Impact]
+ 
+  * Prevents using some parts of nss in FIPS mode - e.g.
+ libfreeblpriv3.so (failed asserts). The library during initialization
+ tries to verify it's own binaries against signatures in chk files
+ shipped along with it (created at build time). They are installed at
+ /usr/lib/$(DEB_HOST_MULTIARCH)/nss while it tries to look for them at
+ /usr/lib/$(DEB_HOST_MULTIARCH).
+ 
+ [Test Case]
+ 
+  * Setup Ubuntu 18.04 in FIPS mode.
+  * sudo apt install chrony
+  * sudo chronyd -d
+  * chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
+ 
+ [Regression Potential]
+ 
+  * Fix introduces 2 new artifacts to the filesystem (symlinks to the chk
+ files). It may cause alerts in e.g. CI systems.
+ 
+ [Other Info]
+ Original bug description:
+ 
  In FIPS mode there are some additional checks performed.
  
  They lead to verifying binaries signatures. Those signatures are shipped
  in the libnss3 package as *.chk files installed in
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
  libraries themselves (libfreebl3.so  libfreeblpriv3.so  libnssckbi.so
  libnssdbm3.so  libsoftokn3.so).
  
  Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 
/usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
  
  The client binaries are linked against the symlinks, so when the verification 
happens (lib/freebl/shvfy.c) the mkCheckFileName function takes path to the 
symlink to the shlib and replaces the .so extension with .chk.
  Then it tries to open that file. Obviosly it fails, because the actual file 
is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
  
  [Test case]
  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
  
  Potential solutions:
  Solution A:
  Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures 
and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
  
  Solution B:
  Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like it is 
done for *.so).
  
  Solution C:
  Implement and upstream NSS feature of resolving symlinks and looking for 
*.chk where the symlinks lead to.


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-15 Thread Dariusz Gadomski
As discussed with Richard outside LP: we agreed that adding symlinks is
an acceptable solution to this problem.

Debdiffs linked.


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-15 Thread Dariusz Gadomski
** Changed in: nss (Ubuntu)
 Assignee: Richard Maciel Costa (richardmaciel) => Dariusz Gadomski (dgadomski)

** Changed in: nss (Ubuntu Bionic)
 Assignee: Richard Maciel Costa (richardmaciel) => Dariusz Gadomski (dgadomski)


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Dariusz Gadomski
Oh, I have found it: ppa:j-latten/joydevppa

Works perfectly. Thanks!


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Dariusz Gadomski
Sure. Sounds good. Do you have it available in a ppa anywhere to give it
a try?


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-08 Thread Dariusz Gadomski
@richardmaciel please let me know if I can help you with anything with
regard to this bug.


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-08 Thread Dariusz Gadomski
@j-latten: please let me know if I can provide any help with this.


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
The patches I've uploaded implement Solution B from the description.

It actually applies only to Bionic, but I believe it's worth having it
in Focal if it gets FIPS certification, and for Groovy, to keep it for
future releases.


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
Bionic debdiff reupload

** Patch added: "bionic.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388756/+files/bionic.debdiff


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
groovy fix

** Patch added: "groovy.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388751/+files/groovy.debdiff


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
SRU proposal for Focal

May be useful if it gets FIPS-certified.

** Patch added: "focal.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388752/+files/focal.debdiff


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
Focal debdiff reupload

** Patch added: "focal.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388755/+files/focal.debdiff


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
Groovy debdiff re-upload

** Patch added: "groovy.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388754/+files/groovy.debdiff


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
SRU proposal for bionic

** Patch removed: "focal.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388752/+files/focal.debdiff

** Patch removed: "groovy.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388751/+files/groovy.debdiff


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
** Description changed:

  In FIPS mode there are some additional checks performed.
  
  They lead to verifying binaries signatures. Those signatures are shipped
  in the libnss3 package as *.chk files installed in
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
  libraries themselves (libfreebl3.so  libfreeblpriv3.so  libnssckbi.so
  libnssdbm3.so  libsoftokn3.so).
  
  Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 
/usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
  
  The client binaries are linked against the symlinks, so when the verification 
happens (lib/freebl/shvfy.c) the mkCheckFileName function takes path to the 
symlink to the shlib and replaces the .so extension with .chk.
  Then it tries to open that file. Obviosly it fails, because the actual file 
is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
  
  [Test case]
  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
  
  Potential solutions:
  Solution A:
  Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures 
and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
  
  Solution B:
+ Create symlinks to *.chk files in /usr/lib/$(DEB_HOST_MULTIARCH) (like it is 
done for *.so).
+ 
+ Solution C:
  Implement and upstream NSS feature of resolving symlinks and looking for 
*.chk where the symlinks lead to.


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-06-30 Thread Dariusz Gadomski
I have briefly analyzed nss code - it uses the nspr library for, inter
alia, file access abstraction. From what I saw in the docs it does not
offer any form of symlink resolution, so it may be nontrivial to safely
implement it in nss code.


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-06-29 Thread Dariusz Gadomski
** Description changed:

- When in FIPS mode there some additional checks performed.
+ In FIPS mode there are some additional checks performed.
  
  They lead to verifying binaries signatures. Those signatures are shipped
  in the libnss3 package as *.chk files installed in
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
  libraries themselves (libfreebl3.so  libfreeblpriv3.so  libnssckbi.so
  libnssdbm3.so  libsoftokn3.so).
  
  Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 
/usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
  
  The client binaries are linked against the symlinks, so when the verification 
happens (lib/freebl/shvfy.c) the mkCheckFileName function takes path to the 
symlink to the shlib and replaces the .so extension with .chk.
  Then it tries to open that file. Obviosly it fails, because the actual file 
is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
  
  [Test case]
  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
  
  Potential solutions:
  Solution A:
  Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures 
and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
  
  Solution B:
  Implement and upstream NSS feature of resolving symlinks and looking for 
*.chk where the symlinks lead to.

** Changed in: nss (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: nss (Ubuntu)
   Importance: Undecided => Medium

[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-06-29 Thread Dariusz Gadomski
** Summary changed:

- freebl_fipsSoftwareIntegrityTest fails in FIPS mode
+ [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

** Tags added: sts

[Bug 1885562] [NEW] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-06-29 Thread Dariusz Gadomski
*** This bug is a security vulnerability ***

Public security bug reported:

When in FIPS mode there are some additional checks performed.

They lead to verifying binaries' signatures. Those signatures are shipped
in the libnss3 package as *.chk files installed in
/usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
libraries themselves (libfreebl3.so  libfreeblpriv3.so  libnssckbi.so
libnssdbm3.so  libsoftokn3.so).

Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
lrwxrwxrwx 1 root root 21 Jun 10 18:54 /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so

The client binaries are linked against the symlinks, so when the verification
happens (lib/freebl/shvfy.c) the mkCheckFileName function takes the path to the
symlink to the shlib and replaces the .so extension with .chk.
Then it tries to open that file. Obviously it fails, because the actual file is
in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.

[Test case]
sudo apt install chrony
sudo chronyd -d
chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.

Potential solutions:
Solution A:
Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures 
and libs in /usr/lib/$(DEB_HOST_MULTIARCH).

Solution B:
Implement and upstream NSS feature of resolving symlinks and looking for *.chk 
where the symlinks lead to.

** Affects: nss (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: nss (Ubuntu Bionic)
 Importance: Undecided
 Status: New

** Also affects: nss (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: nss (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** No longer affects: nss (Ubuntu Xenial)

** Description changed:

  When in FIPS mode there some additional checks performed.
  
  They lead to verifying binaries signatures. Those signatures are shipped
  in the libnss3 package as *.chk files installed in
  /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the
  libraries themselves (libfreebl3.so  libfreeblpriv3.so  libnssckbi.so
  libnssdbm3.so  libsoftokn3.so).
  
  Those libraries are symlinked to be present in /usr/lib/$(DEB_HOST_MULTIARCH):
  ls -l /usr/lib/x86_64-linux-gnu/libfreeblpriv3.so
  lrwxrwxrwx 1 root root 21 Jun 10 18:54 
/usr/lib/x86_64-linux-gnu/libfreeblpriv3.so -> nss/libfreeblpriv3.so
  
- The binaries are linked against the symlinks, so when the verification 
happens (lib/freebl/shvfy.c) the mkCheckFileName function takes path to the 
symlink to the shlib and replaces the .so extension with .chk.
+ The client binaries are linked against the symlinks, so when the verification 
happens (lib/freebl/shvfy.c) the mkCheckFileName function takes path to the 
symlink to the shlib and replaces the .so extension with .chk.
  Then it tries to open that file. Obviosly it fails, because the actual file 
is in /usr/lib/$(DEB_HOST_MULTIARCH)/nss.
  
  [Test case]
  sudo apt install chrony
  sudo chronyd -d
  chronyd: util.c:373 UTI_IPToRefid: Assertion `MD5_hash >= 0' failed.
  
  Potential solutions:
  Solution A:
  Drop the /usr/lib/$(DEB_HOST_MULTIARCH)/nss directory and put all signatures 
and libs in /usr/lib/$(DEB_HOST_MULTIARCH).
  
  Solution B:
  Implement and upstream NSS feature of resolving symlinks and looking for 
*.chk where the symlinks lead to.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1885562

Title:
  freebl_fipsSoftwareIntegrityTest fails in FIPS mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+subscriptions

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-06-24 Thread Dariusz Gadomski
** Description changed:

  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to
  segfault.
  
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
- First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point:
+ First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
- if (FIPS_mode()) {
- if (!(type->flags & EVP_MD_FLAG_FIPS)
- && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
- EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
- return 0;
- }
- }
+ if (FIPS_mode()) {
+ if (!(type->flags & EVP_MD_FLAG_FIPS)
+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+ }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence
  
  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions
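
The control flow described in this report, as an added self-contained C model (not OpenSSL or ntp code and not part of the original thread), contrasting a caller that ignores the init result with one that checks it. The model_* names, the registry entries other than MD5's zero flags, and the -1 that stands in for the NULL dereference are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MD_FLAG_FIPS 0x1u
#define N_DIGESTS (sizeof registry / sizeof registry[0])

struct model_md  { const char *name; unsigned flags; int md_size; };
struct model_ctx { const struct model_md *digest; };

/* Constructed registry: MD5 is registered but carries no FIPS flag,
 * which is the state the report describes for Bionic in FIPS mode. */
static const struct model_md registry[] = {
    { "MD5",    0,                  16 },
    { "SHA1",   MODEL_MD_FLAG_FIPS, 20 },
    { "SHA256", MODEL_MD_FLAG_FIPS, 32 },
};

int model_fips_mode = 1;

/* Mirrors the quoted EVP_DigestInit_ex check: on refusal it returns 0
 * and leaves ctx->digest unset. */
int model_digest_init(struct model_ctx *ctx, const struct model_md *type)
{
    if (type == NULL)
        return 0;
    if (model_fips_mode && !(type->flags & MODEL_MD_FLAG_FIPS))
        return 0;                     /* EVP_R_DISABLED_FOR_FIPS */
    ctx->digest = type;
    return 1;
}

/* The real EVP_DigestFinal_ex reads ctx->digest->md_size unconditionally.
 * The model returns -1 where that read would dereference NULL. */
int model_digest_final(const struct model_ctx *ctx)
{
    if (ctx->digest == NULL)
        return -1;
    return ctx->digest->md_size;
}

/* Caller pattern from the report: init result ignored. Returns how many
 * registered digests would reach final with ctx->digest == NULL. */
int list_unchecked(void)
{
    int null_derefs = 0;

    for (size_t i = 0; i < N_DIGESTS; i++) {
        struct model_ctx ctx = { NULL };
        model_digest_init(&ctx, &registry[i]);   /* result ignored */
        if (model_digest_final(&ctx) < 0)
            null_derefs++;
    }
    return null_derefs;
}

/* Hardened caller: a digest whose init fails is skipped, so final is
 * never reached with an unset digest. Returns the number of names stored. */
int list_checked(const char **names, int max)
{
    int n = 0;

    for (size_t i = 0; i < N_DIGESTS; i++) {
        struct model_ctx ctx = { NULL };
        if (!model_digest_init(&ctx, &registry[i]))
            continue;
        if (model_digest_final(&ctx) > 0 && n < max)
            names[n++] = registry[i].name;
    }
    return n;
}

int main(void)
{
    const char *names[4];
    int n = list_checked(names, 4);

    printf("unchecked caller: %d NULL dereference(s)\n", list_unchecked());
    for (int i = 0; i < n; i++)
        printf("usable digest: %s\n", names[i]);
    return 0;
}
```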

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-06-19 Thread Dariusz Gadomski
Changelog in bug #1553309 mentions
"- debian/patches/openssl-1.0.2g-fips-md5-allow.patch: [PATCH 3/6] Allow md5 in fips mode."

I am however unaware of the context of this change (e.g. MD5 is not
included here: [1])

[1]
https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-06-19 Thread Dariusz Gadomski
** Changed in: openssl (Ubuntu Bionic)
   Importance: Undecided => Medium

** Information type changed from Public to Public Security

[Bug 1884265] [NEW] [fips] Not fully initialized digest segfaulting some client applications

2020-06-19 Thread Dariusz Gadomski
*** This bug is a security vulnerability ***

Public security bug reported:

In FIPS mode on Bionic MD5 is semi-disabled causing some applications to
segfault.

Test case:
sudo apt install ntp
ntpq -p
Segmentation fault (core dumped)

What happens there is ntpq wants to iterate all available digests
(list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
task.

EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
For FIPS mode it adds:
EVP_add_digest(EVP_md5());

What happens later in ntpq is (list_md_fn function inside ntpq.c):
ctx = EVP_MD_CTX_new();
EVP_DigestInit(ctx, EVP_get_digestbyname(name));
EVP_DigestFinal(ctx, digest, &digest_len);

First digest it gets is MD5, but while running EVP_DigestInit for it, it gets
to this point:
#ifdef OPENSSL_FIPS
    if (FIPS_mode()) {
        if (!(type->flags & EVP_MD_FLAG_FIPS)
            && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
            EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
            return 0;
        }
    }
#endif

Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
After getting back to ntpq.c:
ctx->engine and ctx->digest are not set (due to the mentioned error), hence

inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
causes a segfault (ctx->digest is NULL).

So either MD5 shouldn't be added in FIPS mode or it should have the
EVP_MD_FLAG_FIPS to be properly initialized.

** Affects: openssl (Ubuntu)
 Importance: Medium
 Status: New

** Affects: openssl (Ubuntu Bionic)
 Importance: Medium
 Status: New


** Tags: sts

** Also affects: openssl (Ubuntu Bionic)
   Importance: Undecided
   Status: New

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-06-19 Thread Dariusz Gadomski
FTR: EVP_add_digest(EVP_md5()); is not present in the Xenial build,
hence there's no crash there.

** Tags added: sts

[Bug 1878155] Re: Thunderbird fails to connect to server in FIPS mode

2020-05-15 Thread Dariusz Gadomski
With latest builds from ppa:ubuntu-mozilla-security/ppa:

Xenial - 1:68.8.0+build2-0ubuntu0.16.04.2
Bionic - 1:68.8.0+build2-0ubuntu0.18.04.2

this issue is gone.

Thank you!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1878155

Title:
  Thunderbird fails to connect to server in FIPS mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1878155/+subscriptions

[Bug 1871214] Re: [SRU] nfsd doesn't start if exports depend on mount

2020-05-14 Thread Dariusz Gadomski
Debian merge request of the fix:
https://salsa.debian.org/kernel-team/nfs-utils/-/merge_requests/2

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1871214

Title:
  [SRU] nfsd doesn't start if exports depend on mount

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1871214/+subscriptions

[Bug 1871214] Re: [SRU] nfsd doesn't start if exports depend on mount

2020-05-13 Thread Dariusz Gadomski
Rodrigo, I have tried to make it work using --with-systemd flag passed
in d/rules, but every time I make a fix something else backfires. I
doubt it has ever been used before.

As a sidenote: we are lagging a lot behind upstream (they're at 2.4.4
already, we're at 1.3.4 and so is Debian). But we can't fix this for f
anymore.

I discussed this with ddstreet and we need to get Debian's opinion on this. What
could be tried is one of the following (for example):
1) debian/nfs-kernel-server.install should install from
debian/tmp/lib/system/systemd-generators, and systemd/Makefile.am should pull
genexec_PROGRAMS out of INSTALL_SYSTEMD and also change
/usr/lib/systemd/systemd-generators to /lib/...
or
2) use the build location to install from in nfs-kernel-server.install, and
update systemd/Makefile.am to only build (not install) the generator, like:

 if INSTALL_SYSTEMD
+genexec_PROGRAMS = nfs-server-generator
 install-data-hook: $(unit_files)
mkdir -p $(DESTDIR)/$(unitdir)
cp $(unit_files) $(DESTDIR)/$(unitdir)
+else
+noinst_PROGRAMS = nfs-server-generator
 endif
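
Review bot: inside `if INSTALL_SYSTEMD`, `genexec_PROGRAMS = nfs-server-generator` still installs the generator into genexecdir, so the "only build (not install)" behaviour described for option 2 holds only in the `else` branch. When the package is configured with --with-systemd, the binary still lands in the /usr/lib/systemd/... location that option 1 says has to move to /lib/..., and nfs-kernel-server.install would then see it both in the build location and under debian/tmp. Either make it `noinst_PROGRAMS = nfs-server-generator` unconditionally and let the .install file pick it up from the build directory, or adjust genexecdir in the same change. The `mkdir -p` and `cp` recipe lines under install-data-hook also appear here without their leading tab, which make requires; confirm the tabs are intact in the actual patch.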

I'm going to offer a MR to Debian and see what they say about it.

[Bug 1878155] Re: Thunderbird fails to connect to server in FIPS mode

2020-05-12 Thread Dariusz Gadomski
Sure, thanks Olivier. Can you give me an estimate on when this can be
fixed for Xenial and Bionic? For users using FIPS mode currently
Thunderbird is currently unusable.

** Changed in: thunderbird (Ubuntu Xenial)
 Assignee: Dariusz Gadomski (dgadomski) => (unassigned)

** Changed in: thunderbird (Ubuntu Bionic)
 Assignee: Dariusz Gadomski (dgadomski) => (unassigned)

** Changed in: thunderbird (Ubuntu Eoan)
 Assignee: Dariusz Gadomski (dgadomski) => (unassigned)

** Changed in: thunderbird (Ubuntu Groovy)
 Assignee: Dariusz Gadomski (dgadomski) => (unassigned)

** Changed in: thunderbird (Ubuntu Focal)
     Assignee: Dariusz Gadomski (dgadomski) => (unassigned)

[Bug 1878155] Re: Thunderbird fails to connect to server in FIPS mode

2020-05-12 Thread Dariusz Gadomski
Groovy fix.

** Patch added: "groovy.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1878155/+attachment/5370320/+files/groovy.debdiff

[Bug 1878155] Re: Thunderbird fails to connect to server in FIPS mode

2020-05-12 Thread Dariusz Gadomski
Importance for Xenial and Bionic marked as high as this prevents
Thunderbird from being used in FIPS mode on those releases.

** Changed in: thunderbird (Ubuntu Groovy)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: thunderbird (Ubuntu Focal)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: thunderbird (Ubuntu Eoan)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: thunderbird (Ubuntu Bionic)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: thunderbird (Ubuntu Xenial)
 Assignee: (unassigned) => Dariusz Gadomski (dgadomski)

** Changed in: thunderbird (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: thunderbird (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: thunderbird (Ubuntu Eoan)
   Importance: Undecided => Medium

** Changed in: thunderbird (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: thunderbird (Ubuntu Groovy)
   Importance: Undecided => Medium

** Changed in: thunderbird (Ubuntu Xenial)
   Importance: Medium => High

** Changed in: thunderbird (Ubuntu Bionic)
   Importance: Medium => High

** Tags added: sts

[Bug 1878155] Re: Thunderbird fails to connect to server in FIPS mode

2020-05-12 Thread Dariusz Gadomski
It is already included upstream starting from release 75.0b1.

** Also affects: thunderbird (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Also affects: thunderbird (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Also affects: thunderbird (Ubuntu Focal)
   Importance: Undecided
   Status: New

[Bug 1878155] [NEW] Thunderbird fails to connect to server in FIPS mode

2020-05-12 Thread Dariusz Gadomski
Public bug reported:

[Impact]

 * Thunderbird may become useless after booting into FIPS mode - it
refuses to connect to server displaying the following message:

Unexpected response from the server

This document cannot be displayed unless you install the Personal
Security Manager (PSM). Download and install PSM and try again, or
contact your system administrator.

This seems to be a result of the fact that despite Thunderbird for
Ubuntu being with FIPS support disabled there's a piece of code that
ignores the build flag and checks for `/proc/sys/crypto/fips_enabled`
status anyway.

Looks like upstream fix [1] needs to be applied to Thunderbird source
under security/nss.

[Test Case]

 * Configure an email account in Thunderbird. I was able to reproduce it with a
   Gmail account.
 * Install FIPS modules as described in [2].
 * Boot into FIPS mode.
 * Open Thunderbird.

[Regression Potential]

 * I can't identify regression potential - this is clearly a bug fixed
upstream by a simple fix.

[Other Info]
 
 * Related Firefox bug: https://bugs.launchpad.net/bugs/1843044
 * I was able to backport this fix and test it - the problem was gone. Xenial
   build is available in ppa:dgadomski/thunderbird.

[1] https://hg.mozilla.org/projects/nss/raw-rev/55ba54adfcaea2f984a999a511eec5047462eb57
[2] https://docs.ubuntu.com/security-certs/en/fips

** Affects: thunderbird (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: thunderbird (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: thunderbird (Ubuntu Bionic)
 Importance: Undecided
 Status: New

** Also affects: thunderbird (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: thunderbird (Ubuntu Bionic)
   Importance: Undecided
   Status: New
