[Bug 1927409] Re: Race between two functions

2021-05-11 Thread Steve Beattie
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1927409 Title: Race between two functions To manage notifications about this bug

[Bug 1879339] Re: test_310_config_security_perf_events_restrict / test_400_refcount_config in ubuntu_qrt_kernel_security failed on F-OEM-5.6

2021-05-10 Thread Steve Beattie
Sorry for the lag on this issue. Timo, while the added hooks are useful, they don't for the time being obviate the need for the larger hammer of the sysctl, so we'd still like to keep the referred to patch available, until we are forced to make a choice if and when upstream drops the sysctl

[Bug 1879341] Re: test_350_retpolined_modules from ubuntu_qrt_kernel_security failed on F-OEM-5.6

2021-05-10 Thread Steve Beattie
Hi, this looks like a legit issue with the linux-oem-5.6 da903x-regulator module, which appears to have been addressed in f16861b12fa0 ("regulator: rename da903x to da903x-regulator") (v5.8-rc6), which points out that kmod gets confused before that commit. You can verify this with e.g.: $

[Bug 1927078] Re: Don't allow useradd to use fully numeric names

2021-05-10 Thread Steve Beattie
The Ubuntu Security team is +1 on disallowing purely numeric usernames, as they are too easily confused with UIDs. I think our preference would be to disallow leading numeric digits entirely so that for example, 0x0 and 0o0 would be blocked as well, to try to prevent both user and programmatic

[Bug 1755310] Re: MIR libzstd

2021-04-22 Thread Steve Beattie
Ack from the Ubuntu Security team for moving libzstd into main in xenial. (There is a third CVE believed to be affecting libzstd/xenial as well, CVE-2019-11922) ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11922 -- You received this bug notification because you are a

[Bug 1925411] [NEW] apparmor adt test failure blocking tcpdump migration

2021-04-21 Thread Steve Beattie
Public bug reported: tcpdump has a sync from debian 4.99.0-2 that is currently blocked in hirsute-proposed due to a regression in the apparmor adt tests. The reason for this failure is that 'compile-policy' testcase is failing; this test ensures that various apparmor policies included in packages

[Bug 1909937] Re: Physical Ethernet interfaces leak MAC addresses on link up

2021-04-20 Thread Steve Beattie
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1909937 Title: Physical Ethernet interfaces leak MAC addresses on link up To

[Bug 1913976] Re: light-locker fails to lock screen

2021-04-20 Thread Steve Beattie
Hi, looking at your package dependencies, there are a bunch of "oibaf" originating packages in the display stack. Can you confirm that you see the same behavior on a system with packages solely originating from the Ubuntu archive? Thanks. ** Changed in: light-locker (Ubuntu) Status: New

[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders

2021-04-20 Thread Steve Beattie
** Changed in: shibboleth-sp (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1919419 Title: Phishing vulnerability: Template generation allows external

[Bug 1921585] Re: Screen contents visible when switching between logged in users using CTrl + Alt + Fx

2021-04-20 Thread Steve Beattie
** Changed in: gdm3 (Ubuntu) Status: New => Incomplete ** Changed in: gnome-shell (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1921585 Title:

[Bug 1923320] Re: lot's of teminal command run every time i turn on the system

2021-04-20 Thread Steve Beattie
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1923320 Title: lot's of teminal command run every time i turn on the system To manage

[Bug 1923538] Re: jhead heap-buffer-overflow of exif.c in function Get16u

2021-04-20 Thread Steve Beattie
** Changed in: jhead (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1923538 Title: jhead heap-buffer-overflow of exif.c in function Get16u To manage

[Bug 1895839] Re: CVE-2020-24977

2021-04-12 Thread Steve Beattie
Please note that upstream has indicated that this issue only affects the xmllint binary, and not the shared library. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1895839 Title: CVE-2020-24977 To

Re: [Bug 1923432] Re: apparmor-utils: missing CAP_CHECKPOINT_RESTORE in /etc/apparmor/severity.db

2021-04-12 Thread Steve Beattie
es can be dropped that much easier. Thanks. -- Steve Beattie -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1923432 Title: apparmor-utils: missing CAP_CHECKPOINT_RESTORE in /etc/apparmor/severity.db To

Re: [Bug 1923432] [NEW] apparmor-utils: missing CAP_CHECKPOINT_RESTORE in /etc/apparmor/severity.db

2021-04-12 Thread Steve Beattie
://gitlab.com/apparmor/apparmor/-/commit/80efc15e18a6bb0d0abd2821cb03bf6be51cc517 This should be safe to cherrypick for hirsute. (Similar cherrypicks occurred for prior AppArmor branches.) -- Steve Beattie -- You received this bug notification because you are a member of Ubuntu Bugs, which

[Bug 1918482] Re: Update for CVE-2021-21381

2021-04-07 Thread Steve Beattie
** Summary changed: - Update for GHSA-xgh4-387p-hqpp + Update for CVE-2021-21381 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1918482 Title: Update for CVE-2021-21381 To manage notifications

[Bug 1912060] Re: [SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause security issue for cinnamon

2021-04-07 Thread Steve Beattie
Hi Fabio and Joshua, thanks for preparing these updates. I have reviewed them, adjusted the changelogs slightly, and have uploaded packages to the ubuntu-security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages to make them available for testing. Any

[Bug 1918482] Re: Update for GHSA-xgh4-387p-hqpp

2021-04-07 Thread Steve Beattie
. Any feedback on them would be greatly appreciated. Thanks ** Changed in: flatpak (Ubuntu Bionic) Assignee: Andrew Hayzen (ahayzen) => Steve Beattie (sbeattie) ** Changed in: flatpak (Ubuntu Focal) Assignee: Andrew Hayzen (ahayzen) => Steve Beattie (sbeattie) ** Changed in: f

[Bug 1912060] Re: [SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause security issue for cinnamon

2021-04-07 Thread Steve Beattie
Thanks, I'm taking a look at these. I've adjusted the versions to include per-release versions, since focal and groovy had the same version of caribou. ** Changed in: caribou (Ubuntu Focal) Assignee: Joshua Peisach (itzswirlz) => Steve Beattie (sbeattie) ** Changed in: caribou (Ubu

[Bug 1922596] Re: linux ADT test failure with linux/4.4.0-208.240

2021-04-06 Thread Steve Beattie
This was merged into q-r-t in https://git.launchpad.net/qa-regression-testing/commit/?id=c1af010b49291e5526ccac85cd1fd334fa3bd0c5 . Until this actually makes into a kernel in updates/security, the test will fail for those kernels. Worth keeping in mind if we have to do any respins. Thanks! **

[Bug 1921134] Re: SBAT shim 15.4 release

2021-04-02 Thread Steve Beattie
** Changed in: shim (Ubuntu) Status: New => Confirmed ** Changed in: shim-signed (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1921134 Title: SBAT

[Bug 1918312] Re: group changes don't show up in kerberizedd mounts

2021-04-02 Thread Steve Beattie
(Bah, didn't realize the original link contained the full thread as well.) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1918312 Title: group changes don't show up in kerberizedd mounts To manage

[Bug 1918312] Re: group changes don't show up in kerberizedd mounts

2021-04-02 Thread Steve Beattie
Hey Charles, Apologies for the lack of response earlier. I see that you have gone ahead and reported this issue to upstream at https://lore.kernel.org/linux-nfs/cc0f1034-8572-4556-8351-284999032...@rutgers.edu/ This response explains why things take a long time or don't show up at all:

[Bug 1922160] Re: installstion

2021-04-02 Thread Steve Beattie
It seems like the EFI partition does not have enough free space? Apr 1 01:40:20 ubuntu grub-installer: info: Identified partition label for /dev/sdb2: msdos Apr 1 01:40:20 ubuntu grub-installer: info: Installing grub on '/dev/sdb' Apr 1 01:40:20 ubuntu grub-installer: info: grub-install does

[Bug 1922160] Re: installstion

2021-04-02 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1922223] Re: package kerneloops 0.12+git20140509-6ubuntu2 failed to install/upgrade: installed kerneloops package post-installation script subprocess returned error exit status 1

2021-04-02 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1922225] Re: error

2021-04-02 Thread Steve Beattie
It seems like the EFI partition might have run out of space? Apr 1 10:45:21 ubuntu grub-installer: info: Identified partition label for /dev/sda6: msdos Apr 1 10:45:21 ubuntu grub-installer: info: Installing grub on '/dev/sda5' Apr 1 10:45:21 ubuntu grub-installer: info: grub-install does not

[Bug 1922225] Re: error

2021-04-02 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1918892] Re: near the end of installation the installer displayed the message "Executing 'grub-install/dev/sda' failed. This is a fatal error."

2021-03-31 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1918960] Re: kernel does not honor mokx revocations, allowing kexec lockdown bypass

2021-03-31 Thread Steve Beattie
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1918960 Title: kernel does not honor mokx revocations, allowing kexec lockdown

[Bug 1918639] Re: blueman-manager crashed with blueman.bluez.errors.DBusNotReadyError in callback(): Resource Not Ready

2021-03-31 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1915118] Re: "No bluetooth found"

2021-03-31 Thread Steve Beattie
** Package changed: linux-signed-hwe-5.8 (Ubuntu) => linux-hwe-5.8 (Ubuntu) ** Information type changed from Public Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1915118 Title:

[Bug 1918960] Re: kernel does not honor mokx revocations, allowing kexec lockdown bypass

2021-03-31 Thread Steve Beattie
https://lore.kernel.org/lkml/1884195.1615482...@warthog.procyon.org.uk/ is still not upstream. https://lore.kernel.org/lkml/20210312171232.2681989-1-...@digikod.net/ may also be worth watching. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to

[Bug 1918960] Re: kernel does not honor mokx revocations, allowing kexec lockdown bypass

2021-03-31 Thread Steve Beattie
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26541 ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1918960

[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders

2021-03-31 Thread Steve Beattie
I have pushed the focal update to the security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages ; any testing that anyone could give once it is done building would be appreciated. Thanks! -- You received this bug notification because you are a

[Bug 1919419] Re: Phishing vulnerability: Template generation allows external parameters to override placeholders

2021-03-30 Thread Steve Beattie
Hey Etienne, Thanks for submitting the debdiff. I'm taking a look in more detail, but on first glance it looks good to me. If all goes well, I'll push it up to our security-proposed in a bit. ** Changed in: shibboleth-sp (Ubuntu) Assignee: (unassigned) => Steve Beattie (sbeattie) --

[Bug 1920643] Re: Notification popup before login -> app started w/o login

2021-03-30 Thread Steve Beattie
Thanks for the report. Making this public to get the Desktop team to take a look at this. ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1920685] Re: Shity ubujntu 20.04 upgrade

2021-03-30 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1921545] Re: While installing Lubuntu 18.04.5-desktop-amd64 , the grub failed to install therefore causing installation to crash.

2021-03-30 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1921485] Re: Bosch CERT Advisory: OpenSSL Multiple Vulnerabilities

2021-03-30 Thread Steve Beattie
This was addressed in https://ubuntu.com/security/notices/USN-4891-1 . ** Information type changed from Private Security to Public Security ** Changed in: openssl (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is

[Bug 1921578] Re: package phpmyadmin 4:4.9.5+dfsg1-2 failed to install/upgrade: el subproceso instalado paquete phpmyadmin script post-installation devolvió el código de salida de error 1

2021-03-30 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1921585] Re: Screen contents visible when switching between logged in users using CTrl + Alt + Fx

2021-03-30 Thread Steve Beattie
Hey Milfred, sorry you are hitting this issue. What Ubuntu release is this? And can you confirm that the desktop environment you're using is the Ubuntu desktop, and not something else? Thanks. ** Package changed: ubuntu => gdm3 (Ubuntu) ** Information type changed from Private Security to

[Bug 1799386] Re: Screen not locked when coming out of suspend/hibernate

2021-03-30 Thread Steve Beattie
*** This bug is a duplicate of bug 1532508 *** https://bugs.launchpad.net/bugs/1532508 ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1921617] Re: installation crashed in the middle

2021-03-30 Thread Steve Beattie
Relevant bits from UbiquitySyslog Mar 28 10:33:20 ubuntu grub-installer: info: Installing grub on '/dev/sdb' Mar 28 10:33:20 ubuntu grub-installer: info: grub-install does not support --no-floppy Mar 28 10:33:20 ubuntu grub-installer: info: Running chroot /target grub-install --force

[Bug 1921617] Re: installation crashed in the middle

2021-03-30 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1921690] Re: I dont know

2021-03-30 Thread Steve Beattie
Thank you for using Ubuntu and taking the time to report a bug. Your report should contain, at a minimum, the following information so we can better find the source of the bug and work to resolve it. Submitting the bug about the proper source package is essential. For help see

[Bug 1921941] Re: samba install flushes iptables and sets all chains to policy accept

2021-03-30 Thread Steve Beattie
Hello, sorry you are having this issue. Unfortunately I am unable to reproduce this, with samba 2:4.11.6+dfsg-0ubuntu1.6 from focal, either by applying iptables rules manually or enabling firewall rules with ufw: $ sudo iptables -D INPUT -i lo -j LOG $ sudo iptables -L INPUT -n Chain

[Bug 1921941] Re: samba install flushes iptables and sets all chains to policy accept

2021-03-30 Thread Steve Beattie
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1921941 Title: samba install flushes iptables and sets all chains to policy accept

[Bug 388605] Re: [MIR] rsyslog

2021-03-30 Thread Steve Beattie
Ack by the Ubuntu Security team to move rsyslog-gnutls to main, both for hirsute, and for bionic, focal, and groovy. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/388605 Title: [MIR]

[Bug 1919285] Re: Nvidia

2021-03-16 Thread Steve Beattie
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1919285 Title: Nvidia To manage notifications about this bug go to:

[Bug 1912708] Re: CONFIG_RANDOMIZE_BASE on ppc64el

2021-03-11 Thread Steve Beattie
Thanks for pointing that out, Krzysztof. Seth, the reason that I limited the bug report to ppc64 is that Ubuntu 16.04 LTS with its 4.4 based kernel was the last release we supported 32bit powerpc platforms. -- You received this bug notification because you are a member of Ubuntu Bugs, which is

[Bug 1915009] Re: [MIR] libmd (dependency of libbsd)

2021-03-09 Thread Steve Beattie
I reviewed libmd 1.0.3-3build1 as checked into hirsute. This shouldn't be considered a full audit but rather a quick gauge of maintainability. libmd is a small library of message digest aka hash functions. - No CVE history. - No non-essential build-depends. - No pre/post inst/rm scripts, only a

[Bug 1867198] Re: MIR: bin:libnginx-mod-http-geoip2 from src:nginx

2021-03-06 Thread Steve Beattie
I reviewed libnginx-mod-http-geoip2/nginx 1.18.0-6ubuntu4 (aka http-geoip2 3.3 upstream) as checked into hirsute. This shouldn't be considered a full audit but rather a quick gauge of maintainability. libnginx-mod-http-geoip2 is an nginx module that registers variables on the connection based on the

[Bug 1917509] Re: Call for testing: grub2 security updates

2021-03-06 Thread Steve Beattie
I have successfully tested these grub2 updates on groovy, focal, bionic, and xenial bare metal machines with efi + secure boot, as well as a bionic efi system with secure boot disabled. All worked and things like grub menus continued to work. On trusty/esm with the grub packages from

[Bug 1917529] Re: grub2-efi-amd64-signed 1.164+2.04-1ubuntu42 fails to display boot menu on 14.04 ESM

2021-03-02 Thread Steve Beattie
Attaching the generated /boot/grub/grub.cfg ** Attachment added: "trusty-ESM-grub.cfg" https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1917529/+attachment/5472023/+files/trusty-ESM-grub.cfg -- You received this bug notification because you are a member of Ubuntu Bugs, which is

[Bug 1917529] Re: grub2-efi-amd64-signed 1.164+2.04-1ubuntu42 fails to display boot menu on 14.04 ESM

2021-03-02 Thread Steve Beattie
(same grub.cfg is generated with either sets of grub packages installed) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1917529 Title: grub2-efi-amd64-signed 1.164+2.04-1ubuntu42 fails to display

[Bug 1917529] [NEW] grub2-efi-amd64-signed 1.164+2.04-1ubuntu42 fails to display boot menu on 14.04 ESM

2021-03-02 Thread Steve Beattie
Public bug reported: Attempting to boot under secure boot/uefi on trusty ESM with the following packages installed: $ dpkg -l 'grub*' | grep ^ii ii grub-common 2.02~beta2-9ubuntu1.22 amd64 GRand Unified Bootloader (common files) ii grub-efi-amd64 2.04-1ubuntu42

[Bug 1917509] [NEW] Call for testing: grub2 security updates

2021-03-02 Thread Steve Beattie
Public bug reported: Several security issues were announced on 2021-03-02, see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021 for details. As part of this update, a large number of changes were incorporated, both in grub2 and how it is packaged. Updates will

[Bug 1916893] Re: Regression - upate python2.7 for cover CVE-2021-3177 modifying unicode parts cause serious regressions

2021-02-25 Thread Steve Beattie
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1916893 Title: Regression - upate python2.7 for cover CVE-2021-3177 modifying

[Bug 1899573] Re: CVE-2020-4788: Speculation on incompletely validated data on IBM Power9

2021-02-22 Thread Steve Beattie
Oh, this was fixed in https://usn.ubuntu.com/usn/usn-4657-1, https://usn.ubuntu.com/usn/usn-4658-1, https://usn.ubuntu.com/usn/usn-4659-1, and https://usn.ubuntu.com/usn/usn-4660-1 . Marking fix released. Thanks. ** Information type changed from Private Security to Public Security ** Changed

[Bug 1908502] Re: [MIR] libdeflate

2021-02-22 Thread Steve Beattie
I reviewed libdeflate 1.7-1 as checked into hirsute. This shouldn't be considered a full audit but rather a quick gauge of maintainability. libdeflate is a compression/decompression library for the Deflate compression algorithm, along with associated command line tools. It is written in C and

[Bug 1226911] Re: [feature] update microcode to 20130906 version

2021-02-11 Thread Steve Beattie
Precise has intel-microcode 0.20140624-p-1ubuntu1, closing that task. ** Changed in: intel-microcode (Ubuntu Precise) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1901240] Re: Ubuntu GNOME Path Traversal

2021-02-09 Thread Steve Beattie
Upstream issue: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7 and associated fix https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429 Given that this is public upstream, I'm going to open this issue up as well. ** Bug watch added:

[Bug 1904615] Re: cpio symlink traversal

2021-02-09 Thread Steve Beattie
Hello Yiğit, Sorry for the delay in responding to this issue. This issue was originally identified as CVE-2015-1197 and fixed around the same time frame. It was addressed in upstream cpio commit https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca in a

[Bug 1910518] Re: Mozilla Firefox / Firefox ESR Arbitrary Code Execution Vulnerability; ThreatCon 5

2021-02-09 Thread Steve Beattie
** Changed in: firefox (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1910518 Title: Mozilla Firefox / Firefox ESR Arbitrary Code Execution Vulnerability;

[Bug 1863299] Re: linux-aws fails to late load microcode, works with generic

2021-02-09 Thread Steve Beattie
Hello Dimitri, The source of this is that the linux-aws (and some other cloud-specific) kernels do not have CONFIG_MICROCODE_OLD_INTERFACE enabled, while they are enabled in the generic kernel configs. For consideration, this is the kernel config documentation for this option: config

[Bug 1915205] Re: CVE-2020-9366

2021-02-09 Thread Steve Beattie
Hello Steve, Thanks for reporting this issue. In this case, it is believed that the vulnerability was introduced in screen 4.7.0 (via https://git.savannah.gnu.org/cgit/screen.git/commit/?id=c5db181b6e017cfccb8d7842ce140e59294d9f62 ), and then fixed in 4.8.0. Ubuntu 18.04 and older versions of

[Bug 1915205] Re: CVE-2020-9366

2021-02-09 Thread Steve Beattie
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-9366 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1915205 Title: CVE-2020-9366 To manage notifications about this bug go to:

[Bug 1904471] Re: Ubuntu-5.4.0-48.52 introduces a regression by cherry picking partial fixes from set of commits

2021-02-09 Thread Steve Beattie
Hi Shoily, Coming back around to this issue, it looks like b431ef837e3374da0db8ff6683170359aaa0859c landed in focal in 5.4.0-49.53 and bionic in 4.15.0-119.120. I'm making this public as well as marking it as fix released. Thanks again for the report! ** Information type changed from Private

[Bug 1909608] Re: networkmanager sets DNS server configuration without proper dns-search/dns-priority causing DNS requests leak to ISP (openconnect+split-tunnel+non-split DNS)

2021-02-09 Thread Steve Beattie
Hi Adam, Marking public given the public bug reports elsewhere. It looks like upstream addressed this in network-manager 1.28, which has not made it into Ubuntu yet. ** Information type changed from Private Security to Public Security ** Changed in: network-manager (Ubuntu) Status: New

[Bug 1909596] Re: Error on trying to change password

2021-02-09 Thread Steve Beattie
Hi, it seems that for some reason cracklib has failed to generate /var/cache/cracklib/cracklib_dict.pwd (or /var/cache/cracklib/cracklib_dict.pwd.gz). There is a daily cronjob that is supposed to regenerate /var/cache/cracklib/cracklib_dict.pwd if the dictionaries it used as input are newer. I'm

[Bug 1910220] Re: Characters from dead keys shown in plan view in password field on login screen

2021-02-09 Thread Steve Beattie
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1910220 Title: Characters from dead keys shown in plan view in password field on

[Bug 1910518] Re: Mozilla Firefox / Firefox ESR Arbitrary Code Execution Vulnerability; ThreatCon 5

2021-02-09 Thread Steve Beattie
Hello, Thanks for the report. This issue was addressed in https://ubuntu.com/security/notices/USN-4687-1 . ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-16044 ** Information type changed from Private Security to Public Security -- You received this bug notification because

[Bug 1910608] Re: openvswitch embedded code copy of lldpd is vulnerable to CVE-2015-8011

2021-02-09 Thread Steve Beattie
This issue was addressed in https://ubuntu.com/security/notices/USN-4691-1 . ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-27827 ** Changed in: openvswitch (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu

[Bug 1910878] Re: Ubuntu 21.04 QA Testing Install entire disk with lvm & encryption

2021-02-09 Thread Steve Beattie
** Package changed: ubuntu => subiquity (Ubuntu) ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1910878 Title: Ubuntu 21.04 QA Testing

[Bug 1912091] Re: Memory Leak GNU Tar 1.33

2021-02-09 Thread Steve Beattie
** Changed in: tar (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912091 Title: Memory Leak GNU Tar 1.33 To manage notifications about this bug go to:

[Bug 1912371] Re: [MIR] flashrom

2021-02-09 Thread Steve Beattie
** Information type changed from Public Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912371 Title: [MIR] flashrom To manage notifications about this bug go to:

[Bug 1913976] Re: light-locker fails to lock screen

2021-02-09 Thread Steve Beattie
** Summary changed: - so broken is practically useless + light-locker fails to lock screen -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1913976 Title: light-locker fails to lock screen

[Bug 1914228] Re: the indicator light of the shift key works correctly but the change from upper case to lower case is not done correctly so I have to display my password to see if it is upper case or

2021-02-09 Thread Steve Beattie
** Information type changed from Public Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1914228 Title: the indicator light of the shift key works correctly but the change

[Bug 1914279] Re: linux from security may force reboots without complete dkms modules

2021-02-09 Thread Steve Beattie
Hi Dimitri, I don't know that all dkms SRUs need to go to the security pockets, but ones that fix build issues surely do, given the problems that a dkms build failure causes in package installs. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to

[Bug 1914839] Re: package upgrade should replace /etc/ssl/certs/ca-certificates.crt atomically

2021-02-09 Thread Steve Beattie
Ah yes, /usr/sbin/update-ca-certificates is deleting the ca-certificates.crt shortly before atomically moving the new version into place. It looks like a fix was committed in debian for this a couple of weeks ago:

[Bug 1914863] Re: package linux-headers-4.4.0-145-generic 4.4.0-145.171 failed to install/upgrade: package linux-headers-4.4.0-145-generic is not ready for configuration cannot configure (current stat

2021-02-09 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1915079] Re: stava copiando i dati

2021-02-09 Thread Steve Beattie
Hi, possibly you are facing a corrupted image or a hardware problem, given: Feb 8 21:46:53 ubuntu kernel: [ 687.895337] SQUASHFS error: zlib decompression failed, data probably corrupt Feb 8 21:46:53 ubuntu kernel: [ 687.895345] SQUASHFS error: squashfs_read_data failed to read block

[Bug 1915127] Re: package linux-modules-extra-5.8.0-43-generic 5.8.0-43.49~20.04.1 failed to install/upgrade: unable to create new file '/var/lib/dpkg/info/linux-modules-extra-5.8.0-43-generic.list-ne

2021-02-09 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1915129] Re: Mozilla Firefox / Firefox ESR Buffer Overflow Vulnerability

2021-02-09 Thread Steve Beattie
Thanks for the report. From the advisory, this particular issue only affected Firefox on Windows, so this should be a non-issue on Ubuntu: "Note: This issue only affected Windows operating systems. Other operating systems are unaffected." ** Information type changed from Private Security to

[Bug 1914481] Re: use the size of the data when determing the server response

2021-02-04 Thread Steve Beattie
For fixing this via an SRU for focal and groovy, the Ubuntu Security team is okay with the result of this going to the security pocket, assuming the update is built in a ppa where only security updates are enabled. Thanks!

[Bug 1913482] Re: Update tzdata to version 2021a

2021-01-31 Thread Steve Beattie
Hi Brian, thanks for preparing the debdiffs. I built, tested, and published the updated tzdata packages to the trusty/esm and precise/esm archives.

[Bug 1913188] Re: linux-hwe 4.15.0-133.137~16.04.1 ADT test failure with linux-hwe ubuntu_qrt_kernel_panic

2021-01-28 Thread Steve Beattie
Hi, The particular test that is timing out actually is supposed to emit periodic output to stdout; it basically is running the test program from kernel commit b4a1b4f5047e4f54e194681125c74c0aa64d637d 10 times and attempts to emit a count every 1000 iterations, writing to and flushing stdout.

[Bug 1913392] Re: Security Repository Doesn't Contain USN-4689-4 Fixed Kernel Version

2021-01-28 Thread Steve Beattie
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1913392 Title: Security Repository Doesn't Contain USN-4689-4 Fixed Kernel Version

[Bug 1912708] Re: CONFIG_RANDOMIZE_BASE on powerpc / ppc64el

2021-01-21 Thread Steve Beattie
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed ** Summary changed: - CONFIG_RANDOMIZE_BASE on powerpc / ppc64el + CONFIG_RANDOMIZE_BASE on ppc64el

[Bug 1904082] Re: apport's log collecting leaks MAC addresses maybe helping WiFi attacks?

2021-01-21 Thread Steve Beattie
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904082 Title: apport's log collecting leaks MAC addresses maybe helping WiFi

[Bug 1909486] Re: tiocspgrp()" Privilege Escalation Vulnerability

2021-01-20 Thread Steve Beattie
** Information type changed from Private Security to Public Security ** Changed in: linux (Ubuntu) Status: New => Confirmed ** Changed in: linux (Ubuntu) Importance: Undecided => Medium

[Bug 1911211] Re: Please upgrade to openssl 1.1.1g or later for 20.04

2021-01-20 Thread Steve Beattie
** Changed in: openssl (Ubuntu) Status: New => Invalid ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1911211 Title:

[Bug 1912230] Re: package mariadb-client-10.3 (not installed) failed to install/upgrade: trying to overwrite '/usr/bin/mysqldump', which is also in package mysql-community-client-core 8.0.22-1ubuntu20

2021-01-20 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1911869] Re: package virtualbox 6.1.10-dfsg-1~ubuntu1.20.04.1 failed to install/upgrade: проблемы зависимостей — оставляем не настроенным

2021-01-20 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1912252] Re: Kubuntu 21.04 QA TEST Overwrite empty disk space missing

2021-01-20 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions

2021-01-18 Thread Steve Beattie
Oh, I was expecting that it would also be desirable to SRU this back to focal, as I expected CONFIG_SECURITY_DMESG_RESTRICT to come back with the HWE kernels, but looking at the config for linux-hwe-5.8, it appears that the old behavior was kept.

[Bug 1884887] Re: rsyslogd dmesg unit leaves /var/log/dmesg* world readable

2021-01-18 Thread Steve Beattie
*** This bug is a duplicate of bug 1912122 *** https://bugs.launchpad.net/bugs/1912122 ** This bug has been marked a duplicate of bug 1912122 /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions

[Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions

2021-01-18 Thread Steve Beattie
The Ubuntu Security team would like to see this fixed, though it probably would be worth adding the following change to the service file so that on log rotation the permissions are corrected as well: -ExecStartPre=-/usr/bin/savelog -q -p -n -c 5 /var/log/dmesg +ExecStartPre=-/usr/bin/savelog

[Bug 1910608] Re: openvswitch embedded code copy of lldpd is vulnerable to CVE-2015-8011

2021-01-15 Thread Steve Beattie
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1910608 Title: openvswitch embedded code copy of lldpd is vulnerable to
