[Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions

2021-01-18 Thread Steve Beattie
Oh, I was expecting that it would also be desirable to SRU this back to
focal, as I expected CONFIG_SECURITY_DMESG_RESTRICT to come back with
the HWE kernels, but looking at the config for linux-hwe-5.8, it appears
that the old behavior was kept.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1912122

Title:
  /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT
  restrictions

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884887] Re: rsyslogd dmesg unit leaves /var/log/dmesg* world readable

2021-01-18 Thread Steve Beattie
*** This bug is a duplicate of bug 1912122 ***
https://bugs.launchpad.net/bugs/1912122

** This bug has been marked a duplicate of bug 1912122
   /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT 
restrictions

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884887

Title:
  rsyslogd dmesg unit leaves /var/log/dmesg* world readable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+subscriptions

[Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions

2021-01-18 Thread Steve Beattie
The Ubuntu Security team would like to see this fixed, though it
probably would be worth adding the following change to the service file
so that on log rotation the permissions are corrected as well:

-ExecStartPre=-/usr/bin/savelog -q -p -n -c 5 /var/log/dmesg
+ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg
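
Review bot: on the `+` line, `-m640` is added while `-p` is kept, and savelog's `-p` asks it to preserve the owner, group and mode of the existing log, so it is worth confirming on a system where /var/log/dmesg is already 0644 that both the rotated copy and the fresh file end up 0640. Note also that 0640 only narrows access if the file's group is a restricted one, which this line does not set, and that older rotated copies are only covered if the rotation rewrites them.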

Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1912122

Title:
  /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT
  restrictions

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions
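
The mismatch this bug is about (the kernel restricting dmesg while the saved copies under /var/log stay world-readable) can be checked with a short audit script. This is an added example, not part of the bug report or the rsyslog package; the function names, the parameterised paths and the sample files are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names and the
# parameterised paths are assumptions made for illustration.

# Echo the kernel.dmesg_restrict value (1 = restricted), or 0 if unreadable.
# $1: sysctl file; defaults to the real procfs path.
dmesg_restrict_value() {
    f=${1:-/proc/sys/kernel/dmesg_restrict}
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo 0; fi
}

# Print "MODE PATH" for each saved kernel log in $1 (dmesg, dmesg.0,
# dmesg.1.gz, ...) whose mode grants read access to "other".
world_readable_dmesg_logs() {
    for f in "$1"/dmesg "$1"/dmesg.*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")      # GNU stat: octal mode, e.g. 644
        other=${mode#"${mode%?}"}      # last octal digit holds the "other" bits
        if [ $(( other & 4 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$f"
        fi
    done
    return 0
}

# Return 0 when the saved logs are consistent with the kernel setting,
# 1 when dmesg is restricted but a saved copy is still world-readable.
# $1: log directory (default /var/log), $2: sysctl file (optional).
audit_dmesg_logs() {
    dir=${1:-/var/log}
    restrict=$(dmesg_restrict_value "${2:-}")
    exposed=$(world_readable_dmesg_logs "$dir")
    if [ -z "$exposed" ]; then
        echo "OK: no world-readable dmesg logs in $dir"
        return 0
    fi
    printf '%s\n' "$exposed"
    if [ "$restrict" = 1 ]; then
        echo "MISMATCH: dmesg_restrict=1 but the files above are world-readable"
        return 1
    fi
    echo "NOTE: dmesg_restrict=$restrict, so dmesg(1) is not restricted either"
    return 0
}

# Build a constructed sample tree that mimics a system before the fix:
# current log and one rotated copy at 0644, another rotated copy at 0640.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/dmesg";      chmod 644 "$d/dmesg"
    : > "$d/dmesg.0";    chmod 640 "$d/dmesg.0"
    : > "$d/dmesg.1.gz"; chmod 644 "$d/dmesg.1.gz"
    echo 1 > "$d/restrict"   # stands in for /proc/sys/kernel/dmesg_restrict
    echo "$d"
}

# Stand-alone use: ./audit.sh LOG_DIR [RESTRICT_FILE]
if [ "$#" -gt 0 ]; then audit_dmesg_logs "$@"; fi
```

Running it against /var/log after a rotation shows whether the rotated copies picked up the tighter mode as well as the current file.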

[Bug 1910608] Re: openvswitch embedded code copy of lldpd is vulnerable to CVE-2015-8011

2021-01-15 Thread Steve Beattie
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1910608

Title:
  openvswitch embedded code copy of lldpd is vulnerable to CVE-2015-8011

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvswitch/+bug/1910608/+subscriptions

[Bug 1909698] Re: new upstream release 2020f

2021-01-11 Thread Steve Beattie
Hi Brian,

Thanks for the trusty and precise debdiffs. I have gone ahead and
published the updates to trusty-esm and precise-esm, after verifying the
fixes.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1909698

Title:
  new upstream release 2020f

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/1909698/+subscriptions

[Bug 1889248] Re: [MIR] mdevctl, jq, libonig

2021-01-04 Thread Steve Beattie
I reviewed jq 1.6-2.1 as checked into hirsute.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

jq is a flexible command-line JSON processor. It ends up implementing
its own language for querying and manipulating JSON structures. As such,
there are times where it is used to parse and process untrusted input.

- The jq package has had a couple of CVEs, one for a one-byte heap
  overflow, and one for unbounded stack usage in some situations.
  Upstream has been reasonably responsive in addressing the issues in a
  timely manner.
- No build depends of concern. It does use bison/flex for its
  manipulation language parser and ruby for generating docs.
- No pre/post inst/rm scripts.
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- The only binary provided is jq.
- No sudo fragments.
- No polkit files.
- No udev rules.
- No autopkgtests. jq provides a bunch of functional tests that are run
  during the build, while wrapped by valgrind to find memory errors.
- No cron jobs.
- Lintian clean. The build produces some warnings, mostly around
  the casting performed for the builtin language functions, as well
  as some implicit case/switch fall-through that look to be "clever"
  programming. (The generated lexer also had one signedness comparison
  warning)

- Does not spawn processes.
- Memory management is okay. In most cases, allocation wrappers are used
  that check for failures directly, and reference counting is used for
  higher level JSON objects.
- As a general purpose command line tool, files are either read from
  stdin or passed on the command line. It tries to be defensive in
  its handling of JSON input. It also supports module loading, but this
  is again specified via command line arguments.
- Error logging is handled through wrapper functions and avoids format
  string issues.
- jq uses environment variables for module loading paths and for
  specifying colorized output.
- No use of privileged functions.
- Does not appear to use cryptography / random number sources etc.
- Does not appear to use temp files.
- Does not use networking.
- No use of WebKit.
- No use of PolicyKit.

- Most issues coverity and cppcheck highlighted are either false
  positives or non-issues that come about from "clever" programming.
- Only shellcheck issues are in build scripts and tests.

Generally, jq is implemented with thought and care. It attempts to 
be cautious in its handling of input. The only concern that I have
about supporting jq is that it is dense and complex code, and for
future issues, backporting fixes may be difficult where significant
code changes have occurred. The extensive test suite helps mitigate 
this somewhat.

Security team ACK for promoting jq to main.

** Changed in: jq (Ubuntu)
   Status: New => In Progress

** Changed in: jq (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889248

Title:
  [MIR] mdevctl, jq, libonig

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jq/+bug/1889248/+subscriptions

[Bug 1895298] Re: After tnstall the Ubuntu, I must disable the "Secure Boot " & " Fast Boot " in my sys motherboard. Why ?

2020-12-21 Thread Steve Beattie
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1895298

Title:
  After tnstall the Ubuntu, I must disable the "Secure Boot " & " Fast
  Boot " in my sys motherboard. Why ?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub-installer/+bug/1895298/+subscriptions

[Bug 1872036] Re: grub-customizer assert failure: grub-customizer: ../../src/xcb_io.c:260: poll_for_event: Předpoklad „!xcb_xlib_threads_sequence_lost“ nesplněn.

2020-11-24 Thread Steve Beattie
** Information type changed from Private to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1872036

Title:
  grub-customizer assert failure: grub-customizer:
  ../../src/xcb_io.c:260: poll_for_event: Předpoklad
  „!xcb_xlib_threads_sequence_lost“ nesplněn.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub-customizer/+bug/1872036/+subscriptions

[Bug 1872831] Re: grub-customizer crashed with SIGSEGV in SettingsController::updateTimeoutSettingAction()

2020-11-24 Thread Steve Beattie
** Information type changed from Private to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1872831

Title:
  grub-customizer crashed with SIGSEGV in
  SettingsController::updateTimeoutSettingAction()

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub-customizer/+bug/1872831/+subscriptions

[Bug 1905401] Re: package grub-pc 2.04-1ubuntu26.7 failed to install/upgrade: installed grub-pc package post-installation script subprocess returned error exit status 127

2020-11-24 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1905401

Title:
  package grub-pc 2.04-1ubuntu26.7 failed to install/upgrade: installed
  grub-pc package post-installation script subprocess returned error
  exit status 127

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1905401/+subscriptions

[Bug 1894980] Re: CVE-2020-16120: unprivileged overlayfs permission checking

2020-11-17 Thread Steve Beattie
** Changed in: linux (Ubuntu)
   Status: Confirmed => Fix Released

** Information type changed from Private Security to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-16120

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1894980

Title:
  CVE-2020-16120: unprivileged overlayfs permission checking

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1894980/+subscriptions

[Bug 1901020] Re: new upstream release 2020d

2020-10-29 Thread Steve Beattie
After confirming the behavior around SystemV timezones and changed
timezones, tzdata 2020d-0ubuntu0.12.04 and tzdata
2020d-0ubuntu0.14.04+esm1 are now published in their respective ESM releases.

Thanks for preparing the updates, Brian!

** Changed in: tzdata (Ubuntu Precise)
   Status: In Progress => Fix Released

** Changed in: tzdata (Ubuntu Trusty)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1901020

Title:
  new upstream release 2020d

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/1901020/+subscriptions

[Bug 1881447] Re: package ca-certificates 20180409 failed to install/upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 1

2020-10-28 Thread Steve Beattie
Hey Vern,

Sorry you were having difficulties. 'sudo apt install -f' should cause
apt to attempt to finish installing packages that had problems during
the post install phase, where the error that is tripped over (like the
dangling symlink in /etc/ssl/certs) has been resolved.

** Changed in: ca-certificates (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1881447

Title:
  package ca-certificates 20180409 failed to install/upgrade: installed
  ca-certificates package post-installation script subprocess returned
  error exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1881447/+subscriptions

[Bug 1901020] Re: new upstream release 2020d

2020-10-27 Thread Steve Beattie
Thanks Brian, these look good, will take these into Trusty and Precise
ESM.

(For the record, I noticed that the 2020d dropped the US/Pacific-New
timezone, which was a symlink to the US/Pacific timezone. Testing
demonstrated that a system with a configured Pacific-New timezone
functioned correctly post package upgrade. See debian bug 815200 for
details on why it was dropped.)

Also, Ubuntu Security Team ack on publishing the xenial, bionic, focal,
and groovy versions to the respective -security pockets for those
releases, despite building in -proposed; there are no binaries or
dependencies that should cause an issue.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1901020

Title:
  new upstream release 2020d

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/1901020/+subscriptions

[Bug 1901020] Re: new upstream release 2020d

2020-10-27 Thread Steve Beattie
** Changed in: tzdata (Ubuntu Precise)
   Status: New => In Progress

** Changed in: tzdata (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: tzdata (Ubuntu Precise)
 Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: tzdata (Ubuntu Trusty)
 Assignee: (unassigned) => Steve Beattie (sbeattie)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1901020

Title:
  new upstream release 2020d

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/1901020/+subscriptions

[Bug 856489] Re: Improper verification of updated key via apt-key net-update

2020-10-24 Thread Steve Beattie
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3374

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/856489

Title:
  Improper verification of updated key via apt-key net-update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/856489/+subscriptions

[Bug 1864666] Re: [MIR] python-octavia-lib, ovn-octavia-provider

2020-10-20 Thread Steve Beattie
I reviewed python-octavia-lib 2.2.0-0ubuntu1 as checked into groovy.  This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

python-octavia-lib is a python3 library for developers writing Octavia
load balancer provider drivers.

- No CVE history.
- No concerning build or runtime depends.
- Only autogenerated maintainer scripts for removing python compiled
  bytecode.
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- No binaries in PATH.
- No sudo fragments.
- No polkit files.
- No udev rules.
- Some unit tests, run at build time. No autopkgtests.
- No cron jobs.
- Build log is okay, no lintian warnings or errors.

- No apparent processes spawned.
- Limited file IO. Uses AF_UNIX sockets to communicate with driver
  agents.
- No apparent logging.
- No apparent environment variable usage.
- No use of privileged functions.
- Cryptography: allows use of SSLv3 for pools and listeners.
- No apparent use of temp files.
- No use of WebKit.
- No use of PolicyKit.

- No Coverity findings.
- No significant bandit results.

Security team ACK for promoting python-octavia-lib to main.


** Tags added: security-review-done

** Changed in: python-octavia-lib (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1864666

Title:
  [MIR] python-octavia-lib, ovn-octavia-provider

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ovn-octavia-provider/+bug/1864666/+subscriptions

[Bug 1889688] Re: [MIR] nvme-cli

2020-10-19 Thread Steve Beattie
I reviewed nvme-cli 1.12-1ubuntu1 as checked into groovy.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

nvme-cli is a set of command line tools for managing NVMe devices.

- No history of CVEs.
- No init scripts
- Four systemd units, that are used to trigger nvme discovery
- No dbus services.
- No setuid binaries.
- Only binary is /usr/sbin/nvme
- No sudo fragments.
- No polkit files.
- Two udev files, for supporting nvme over fiber channel.
- Unit tests are not run at build time, due to needing an nvme
  device. No autopkgtests.
- No cron jobs.
- No build errors or warnings.

- Processes spawned?
  The micron and wdc plugins unfortunately both use system(), when
  collecting log information, but are likely okay as the nvme tool is
  not setuid.
- Memory management in the core looks reasonable, with lots of uses of
  asprintf(); the plugins tend to do more strcpy() and sprintf()
  operations.
- For file I/O, most of the file operations are performed on the nvme
  devices, and some abstraction is provided for that.
- Most logging is done through stderr, via perror or using strerror(),
  and looks okay.
- Only one use of environment variables, ok.
- Only privileged function used is ioctl(), and given the purpose of the
  software, expected.
- No apparent use of cryptography.
- No apparent use of tmpfiles.
- Use of networking is for fabric discovery, looks ok.
- No use of WebKit
- No use of PolicyKit

Coverity did find several issues, including some resource leaks
(file descriptors and unfreed memory in some situations); however,
a number of issues that Coverity raised were false positives due to
its lack of understanding of asprintf(3) semantics, and really, seeing
widespread use of asprintf() I consider a positive indicator of quality.

Security team ACK for promoting nvme-cli to main.


** Tags added: security-review-done

** Changed in: nvme-cli (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889688

Title:
  [MIR] nvme-cli

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nvme-cli/+bug/1889688/+subscriptions

[Bug 1899046] Re: /usr/bin/aa-notify:ModuleNotFoundError:/usr/bin/aa-notify@39

2020-10-08 Thread Steve Beattie
That is correct (apparmor-notify package needs an added dependency on
python3-psutil). We have an upload in progress to address it.

Thanks!

** Changed in: apparmor (Ubuntu)
   Status: New => In Progress

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1899046

Title:
  /usr/bin/aa-notify:ModuleNotFoundError:/usr/bin/aa-notify@39

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1899046/+subscriptions

[Bug 1898742] Re: Linux Kernel "ppp_cp_parse_cr()" Denial of Service Vulnerability

2020-10-06 Thread Steve Beattie
** Changed in: linux (Ubuntu)
   Status: Incomplete => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1898742

Title:
  Linux Kernel "ppp_cp_parse_cr()" Denial of Service Vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1898742/+subscriptions

[Bug 1896246] Re: Vendor golang-* build dependencies

2020-10-01 Thread Steve Beattie
For the record, the Ubuntu Security team signs off on the plan to vendor
the golang dependencies for the google-guest-agent and
google-oslogin-agent packages as they go through the MIR process, for the
reasons given above.

Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1896246

Title:
  Vendor golang-* build dependencies

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/google-guest-agent/+bug/1896246/+subscriptions

[Bug 1887577] Re: DEP8: Invalid capability setuid

2020-09-21 Thread Steve Beattie
The fix for this is included in the apparmor 3.0.0~beta1-0ubuntu5 upload
into groovy-proposed, which is waiting to migrate to groovy.

** Changed in: apparmor (Ubuntu)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1887577

Title:
  DEP8: Invalid capability setuid

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1887577/+subscriptions

[Bug 1385013] Re: proper fix for apparmor mediation of lower (encrypted) filesystem

2020-08-25 Thread Steve Beattie
** Changed in: apparmor (Ubuntu)
   Status: Fix Released => Confirmed

** Changed in: ecryptfs-utils (Ubuntu)
   Status: Fix Released => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1385013

Title:
  proper fix for apparmor mediation of lower (encrypted) filesystem

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1385013/+subscriptions

[Bug 1882093] Re: CVE-2020-{5963|5967} NVIDIA

2020-08-18 Thread Steve Beattie
Publication to focal-updates for nvidia-driver-440-server
440.95.01-0ubuntu0.20.04.1 and for groovy happened as well, closing
tasks.

** Changed in: nvidia-graphics-drivers-440-server (Ubuntu Focal)
   Status: Fix Committed => Fix Released

** Changed in: nvidia-graphics-drivers-440-server (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1882093

Title:
  CVE-2020-{5963|5967} NVIDIA

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-390/+bug/1882093/+subscriptions

[Bug 1883793] Re: systemd-resolved leaks mDNS queries to DNS

2020-08-18 Thread Steve Beattie
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1883793

Title:
  systemd-resolved leaks mDNS queries to DNS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1883793/+subscriptions

[Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

2020-08-18 Thread Steve Beattie
Closing ntp task for groovy.

** Changed in: ntp (Ubuntu)
   Status: New => Invalid

** Changed in: openssl (Ubuntu Bionic)
   Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl
  library.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1884265/+subscriptions

[Bug 1891361] Re: sshfs crashes entire Ubuntu 20.04.1 LTS system

2020-08-18 Thread Steve Beattie
** Information type changed from Public Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1891361

Title:
  sshfs crashes entire Ubuntu 20.04.1 LTS system

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sshfs-fuse/+bug/1891361/+subscriptions

[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.

2020-08-17 Thread Steve Beattie
This was addressed in bionic in
https://launchpad.net/ubuntu/+source/ark/4:17.12.3-0ubuntu1.1 and focal
in https://launchpad.net/ubuntu/+source/ark/4:19.12.3-0ubuntu1.1, and
covered in USN 4461-1.

Thanks for preparing the updates and helping to protect users,
vishnunaini!

** Changed in: ark (Ubuntu Bionic)
   Status: New => Fix Released

** Changed in: ark (Ubuntu Focal)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889672

Title:
  KDE Project Security Advisory: Ark: maliciously crafted archive can
  install files outside the extraction directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1889672/+subscriptions

[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.

2020-08-17 Thread Steve Beattie
** Also affects: ark (Ubuntu Bionic)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889672

Title:
  KDE Project Security Advisory: Ark: maliciously crafted archive can
  install files outside the extraction directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1889672/+subscriptions

[Bug 1890066] Re: package grub-pc-bin 2.04-1ubuntu26.2 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration

2020-08-11 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1890066

Title:
  package grub-pc-bin 2.04-1ubuntu26.2 failed to install/upgrade:
  package is in a very bad inconsistent state; you should  reinstall it
  before attempting configuration

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1890066/+subscriptions

[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.

2020-08-06 Thread Steve Beattie
vishnunaini, thanks for testing and the pointer to the reproducer.

I also went ahead and carried back the patch to bionic's ark as well,
and have uploaded it to the same ppa.

For xenial, the patch fails to apply because the passed archive entry
type is different, and it was not clear to me whether the older version
of the type contained an equivalent way to get access to the result of
the fullPath() method call.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889672

Title:
  KDE Project Security Advisory: Ark: maliciously crafted archive can
  install files outside the extraction directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1889672/+subscriptions

[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.

2020-08-06 Thread Steve Beattie
Thanks for preparing the debdiff and adding the ubuntu-security-sponsors
account; I'll be taking a look at this.

I've pushed the focal version to the ubuntu security proposed ppa
(https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa)
after adjusting the version to match the versioning scheme described at
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging
and tweaking the changelog message.

I don't suppose upstream added any tests to verify correct behavior?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1889672

Title:
  KDE Project Security Advisory: Ark: maliciously crafted archive can
  install files outside the extraction directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1889672/+subscriptions


[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.

2020-08-06 Thread Steve Beattie
** Changed in: ark (Ubuntu Focal)
 Assignee: (unassigned) => Steve Beattie (sbeattie)

-- 
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to ark in Ubuntu.
https://bugs.launchpad.net/bugs/1889672

Title:
  KDE Project Security Advisory: Ark: maliciously crafted archive can
  install files outside the extraction directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1889672/+subscriptions

-- 
kubuntu-bugs mailing list
kubuntu-b...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs


[Bug 1887577] Re: DEP8: Invalid capability setuid

2020-07-27 Thread Steve Beattie
This is due to a change in behavior in make 4.3. It was addressed in the
upstream merge request
https://gitlab.com/apparmor/apparmor/-/merge_requests/461 and was
cherrypicked into the apparmor 2.13 branch via merge request
https://gitlab.com/apparmor/apparmor/-/merge_requests/465.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1887577

Title:
  DEP8: Invalid capability setuid

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1887577/+subscriptions


[Bug 1888890] [NEW] openscap: xenial version is lower than version published in trusty/esm

2020-07-24 Thread Steve Beattie
Public bug reported:

openscap 1.2.8 was backported to the trusty ESM product to support some
of the improvements we are making to our generated OVAL data and
consumption on that platform.

Unfortunately, the version used in the trusty esm update is
1.2.8-1ubuntu02+esm1 which is greater than the 1.2.8-1ubuntu0.2 version
in xenial-security. This means that users upgrading from trusty ESM to
xenial will not get the version of openscap in xenial, built with the
xenial toolchain, which can lead to problems.

The only way to resolve this is for an update to the xenial package to a
version greater than the version in trusty ESM.

** Affects: openscap (Ubuntu)
 Importance: Undecided
 Status: Invalid

** Affects: openscap (Ubuntu Xenial)
 Importance: Undecided
 Status: Confirmed

** Also affects: openscap (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: openscap (Ubuntu)
   Status: New => Invalid

** Changed in: openscap (Ubuntu Xenial)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1888890

Title:
  openscap: xenial version is lower than version published in trusty/esm

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1888890/+subscriptions


[Bug 1871538] Re: dbus timeout-ed during an upgrade, taking services down including gdm

2020-07-19 Thread Steve Beattie
I also hit this again in focal on 2020-06-25, with an update to systemd
245.4-4ubuntu3.1; I had previously updated dbus to 1.12.16-2ubuntu2.1 on
2020-06-17 without event. It's still an issue at least with updates to
systemd in focal.

Similar messages end up in the journal:

Jun 25 13:04:55 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:04:55 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:04:55 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:04:55 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:09 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:09 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:09 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:09 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:09 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:09 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:09 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:09 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:09 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:09 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:10 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:10 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:10 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:10 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:10 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:10 kryten systemd[1]: Reloading.
Jun 25 13:05:11 kryten systemd[1]: /lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
Jun 25 13:05:11 kryten systemd[1]: /lib/systemd/system/fancontrol.service:11: PIDFile= references a path below legacy directory /var/run/, updating /var/run/fancontrol.pid → /run/fancontrol.pid; please update the unit file accordingly.
Jun 25 13:05:36 kryten systemd[1]: We couldn't coldplug machine-qemu\x2d1\x2dkeybase\x2dbionic\x2damd64.scope, proceeding anyway: Connection timed out
Jun 25 13:05:36 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=rtkit-daemon comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=switcheroo-control comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=polkit comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=colord comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten systemd[1]: NetworkManager.service: Unexpected error response from GetNameOwner(): Connection terminated
Jun 25 13:05:36 kryten ModemManager[1689]:   Caught signal, shutting down...
Jun 25 13:05:36 kryten thermald[1605]: [WARN]Terminating ...
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=upower comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten audit[1541]: USER_AVC pid=1541 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_signal"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="CheckPermissions" name=":1.9" mask="receive" pid=4082 label="bitlbee" pe>
 exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=accounts-daemon comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten systemd[1]: udisks2.service: Unexpected error response from GetNameOwner(): Connection terminated
Jun 25 13:05:36 kryten bluetoothd[1536]: Terminating
Jun 25 13:05:36 kryten systemd[1]: switcheroo-control.service: Unexpected error response from GetNameOwner(): Connection terminated
Jun 25 13:05:36 kryten avahi-daemon[1535]: Got SIGTERM, quitting.
Jun 25 13:05:36 kryten systemd[1]: 

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-14 Thread Steve Beattie
** Changed in: openssl (Ubuntu Bionic)
   Status: New => Confirmed

** Changed in: openssl (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl
  library.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-14 Thread Steve Beattie
** Changed in: nss (Ubuntu)
   Status: New => In Progress

** Changed in: nss (Ubuntu Bionic)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1885562

Title:
  [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+subscriptions


[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2020-07-14 Thread Steve Beattie
** Changed in: linux-flo (Ubuntu Xenial)
   Status: New => Won't Fix

** Changed in: linux-mako (Ubuntu Xenial)
   Status: New => Won't Fix

** Changed in: linux-flo (Ubuntu)
   Status: New => Won't Fix

** Changed in: linux-goldfish (Ubuntu)
   Status: New => Won't Fix

** Changed in: linux-mako (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions


[Bug 1452115] Re: Python interpreter binary is not compiled as PIE

2020-07-14 Thread Steve Beattie
** Changed in: python3.7 (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1452115

Title:
  Python interpreter binary is not compiled as PIE

To manage notifications about this bug go to:
https://bugs.launchpad.net/python/+bug/1452115/+subscriptions


[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2020-07-14 Thread Steve Beattie
** Changed in: linux-goldfish (Ubuntu Xenial)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions


[Bug 1705359] Re: The default PAM configuration for kerberos authentication allows unauthenticated SSH access

2020-07-14 Thread Steve Beattie
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1705359

Title:
  The default PAM configuration for kerberos authentication allows
  unauthenticated SSH access

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/auth-client-config/+bug/1705359/+subscriptions


[Bug 1886668] Re: linux 4.15.0-109-generic network DoS regression vs -108

2020-07-08 Thread Steve Beattie
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1886668

Title:
  linux 4.15.0-109-generic network DoS regression vs -108

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1886668/+subscriptions


[Bug 1882093] Re: CVE-2020-{5963|5967} NVIDIA

2020-07-02 Thread Steve Beattie
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1882093

Title:
  CVE-2020-{5963|5967} NVIDIA

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-390/+bug/1882093/+subscriptions


[Bug 1884887] Re: rsyslogd dmesg unit leaves /var/log/dmesg* world readable

2020-06-30 Thread Steve Beattie
Updated groovy debdiff against the merge from debian currently in
groovy-proposed.

** Patch added: "rsyslog_8.2006.0-2ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5388559/+files/rsyslog_8.2006.0-2ubuntu2.debdiff

** Patch removed: "rsyslog_8.2001.0-1ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5386928/+files/rsyslog_8.2001.0-1ubuntu2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884887

Title:
  rsyslogd dmesg unit leaves /var/log/dmesg* world readable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+subscriptions


[Bug 1877027] Re: SNMP stopped running all of sudden (snmpd 5.8+dfsg-2)

2020-06-25 Thread Steve Beattie
FYI, this was assigned CVE-2019-20892.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-20892

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1877027

Title:
   SNMP stopped running all of sudden (snmpd 5.8+dfsg-2)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027/+subscriptions


[Bug 1884887] Re: rsyslogd dmesg unit leaves /var/log/dmesg* world readable

2020-06-24 Thread Steve Beattie
Fixed debdiff to add the bug reference for groovy.

** Patch removed: "rsyslog_8.2001.0-1ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5386642/+files/rsyslog_8.2001.0-1ubuntu2.debdiff

** Patch added: "rsyslog_8.2001.0-1ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5386928/+files/rsyslog_8.2001.0-1ubuntu2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884887

Title:
  rsyslogd dmesg unit leaves /var/log/dmesg* world readable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+subscriptions


[Bug 1884887] Re: rsyslogd dmesg unit leaves /var/log/dmesg* world readable

2020-06-24 Thread Steve Beattie
Focal version.

** Patch added: "rsyslog_8.2001.0-1ubuntu1.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5386929/+files/rsyslog_8.2001.0-1ubuntu1.1.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884887

Title:
  rsyslogd dmesg unit leaves /var/log/dmesg* world readable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+subscriptions


[Bug 1877027] Re: SNMP stopped running all of sudden (snmpd 5.8+dfsg-2)

2020-06-24 Thread Steve Beattie
Andreas, agreed, I think (speaking from the Ubuntu Security Team's
perspective), this should go to focal-security.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1877027

Title:
   SNMP stopped running all of sudden (snmpd 5.8+dfsg-2)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027/+subscriptions


[Bug 1884887] Re: rsyslogd dmesg unit leaves /var/log/dmesg* world readable

2020-06-24 Thread Steve Beattie
Debdiff for groovy attached:

  - adds a second ExecStartPost entry to chmod /var/log/dmesg
  - adjusts the savelog(8) call in ExecStartPre to set the permission mode to
    640 explicitly when rotating dmesg logs

** Patch added: "rsyslog_8.2001.0-1ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5386642/+files/rsyslog_8.2001.0-1ubuntu2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884887

Title:
  rsyslogd dmesg unit leaves /var/log/dmesg* world readable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+subscriptions


[Bug 1884887] [NEW] rsyslogd dmesg unit leaves /var/log/dmesg* world readable

2020-06-24 Thread Steve Beattie
Public bug reported:

[Impact]

The rsyslog dmesg systemd unit /lib/systemd/system/dmesg.service in
eoan, focal, and groovy creates /var/log/dmesg* with the following
permissions:

  -rw-r--r-- 1 root adm 45146 Jun 16 12:32 /var/log/dmesg

Most other system logs in /var/log/ are only readable by root and group
adm.

While it's true that the kernel dmesg buffer by default can be read by
anyone using the dmesg(1) command, this can be disabled by setting the
sysctl kernel.dmesg_restrict to 1, but doing so as a hardening measure
is thwarted by the world readable nature of /var/log/dmesg.

The reason dmesg output is sensitive is that it sometimes contains
kernel addresses for diagnosing kernel problems, but attackers looking
to attack a kernel are also interested in kernel addresses and other
information that shows up there.

[Test Case]

To reproduce:

 $ ls -l /var/log/dmesg*

should show only root and group adm access like so:

 -rw-r----- 1 root adm 50178 Jun 23 12:55 /var/log/dmesg
 -rw-r----- 1 root adm 50217 Jun 23 12:55 /var/log/dmesg.0
 -rw-r----- 1 root adm 13941 Jun 23 12:47 /var/log/dmesg.1.gz

and not world readable:

 -rw-r--r-- 1 root adm 45146 Jun 16 12:32 /var/log/dmesg

[Regression Potential]

It's possible tools like apport and others might expect /var/log/dmesg
to be world-readable.

** Affects: rsyslog (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884887

Title:
  rsyslogd dmesg unit leaves /var/log/dmesg* world readable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
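
The check from the test case in the report above, as an added shell example (not part of the original bug report or of the rsyslog package): it lists dmesg* log copies that grant any access to "other" and relates the result to kernel.dmesg_restrict. The function names, return codes and the optional directory and sysctl-file arguments are assumptions, chosen so the check can also be pointed at a test directory.

```shell
#!/bin/sh
# Added example: audit saved dmesg logs against kernel.dmesg_restrict.
# Function names, arguments and return codes are assumptions of this example.

# Print every regular file named dmesg* directly under directory $1
# (default /var/log) that grants read, write or execute to "other".
world_accessible_dmesg() {
    dir=${1:-/var/log}
    find "$dir" -maxdepth 1 -type f -name 'dmesg*' \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print | sort
}

# Print the value stored in sysctl file $1 (default: the live /proc entry),
# or "unknown" when the file cannot be read.
dmesg_restrict_value() {
    f=${1:-/proc/sys/kernel/dmesg_restrict}
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo unknown
    fi
}

# Return 0 when no dmesg* copy is accessible to "other".
# Return 1 when kernel.dmesg_restrict=1 but such a copy exists, i.e. the
#          hardening is bypassed by reading the file instead of the buffer.
# Return 2 when such a copy exists and the sysctl is not set to 1.
audit_dmesg_logs() {
    dir=${1:-/var/log}
    sysctl_file=${2:-/proc/sys/kernel/dmesg_restrict}
    leaks=$(world_accessible_dmesg "$dir")
    restrict=$(dmesg_restrict_value "$sysctl_file")

    if [ -z "$leaks" ]; then
        echo "OK: no dmesg* file in $dir is accessible to other users"
        return 0
    fi

    echo "kernel.dmesg_restrict=$restrict, accessible to other users:"
    echo "$leaks" | while IFS= read -r f; do
        ls -l "$f"
    done

    if [ "$restrict" = "1" ]; then
        echo "FAIL: dmesg_restrict is set, but the saved copies expose the same data"
        return 1
    fi
    echo "WARN: saved dmesg logs are more permissive than mode 0640"
    return 2
}

# Run against the real system only when asked to: sh audit.sh --run [dir]
if [ "${1:-}" = "--run" ]; then
    audit_dmesg_logs "${2:-/var/log}"
fi
```
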

[Bug 1811861] Re: incorrect permissions on /var/log after debootstrap

2020-06-23 Thread Steve Beattie
Thanks for clarifying, closing.

** Changed in: rsyslog (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1811861

Title:
  incorrect permissions on /var/log after debootstrap

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1811861/+subscriptions


[Bug 1881942] Re: default configuration forwards sshd failures to port 7070

2020-06-23 Thread Steve Beattie
Hi John,

I'm not sure what's happened here, but the default
/etc/rsyslog.d/50-default.conf contains no such snippet (a pristine copy
is also stored in /usr/share/rsyslog/50-default.conf) and is managed via
ucf. The contents of a pristine version are attached.

Either another package you have installed has modified this config file
(and looking at the fail2ban package and postinstall script, I don't see
anything there that would add anything like that).

Doing a limited google search on the comment string "# Transform and
forward data" turned up this recipe:
https://devconnected.com/geolocating-ssh-hackers-in-real-time/ ; is it
possible that this was added as part of a recipe you were following?

Thanks.

** Attachment added: "50-default.conf"
   
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1881942/+attachment/5386636/+files/50-default.conf

** Changed in: rsyslog (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1881942

Title:
  default configuration forwards sshd failures to port 7070

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1881942/+subscriptions


[Bug 1880663] Re: Dell Latitude 7300, sig=0x806eb/20200609, sometimes stuck at purple screen after grub and fails to boot up

2020-06-17 Thread Steve Beattie
Acelan, did this system also fail with the 20191115 microcode, revision
0x00ca?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1880663

Title:
  Dell Latitude 7300, sig=0x806eb/20200609, sometimes stuck at purple
  screen after grub and fails to boot up

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1880663/+subscriptions


[Bug 1883002] Re: Dell Latitude 7300, i7-8665U, sig=0x806ec/20200609: hangs on Whiskey Lake

2020-06-16 Thread Steve Beattie
Andrea, thanks again for the report and the testing you've done, and
again, sorry you are having this issue. I have filed
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
specifically for this issue with sig=0x806ea revision=0xd6.

** Bug watch added: 
github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues #35
   https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35

** Bug watch removed: 
github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues #24
   https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1883002

Title:
  Dell Latitude 7300, i7-8665U, sig=0x806ec/20200609: hangs on Whiskey
  Lake

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1883002/+subscriptions


[Bug 1742903] Re: Microcode updates require a reboot to apply, but package postinst doesn't touch /run/reboot-required

2020-06-16 Thread Steve Beattie
The needrestart package has some sophisticated logic to detect whether
the system needs to be booted to get an updated microcode applied
(needrestart -w is how it can be invoked directly to report on microcode
status). The needrestart package is a bit much to be included as a
dependency or even a recommends for the intel-microcode package, but
re-using some of the logic might be appropriate.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1742903

Title:
  Microcode updates require a reboot to apply, but package postinst
  doesn't touch /run/reboot-required

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1742903/+subscriptions


[Bug 1608933] Re: intel-microcode updates fail to install when running from live (read-only /boot) media

2020-06-16 Thread Steve Beattie
** Summary changed:

- package intel-microcode 3.20151106.1 failed to install/upgrade: subprocess 
installed post-removal script returned error exit status 1
+ intel-microcode updates fail to install when running from live (read-only 
/boot) media

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1608933

Title:
  intel-microcode updates fail to install when running from live
  (read-only /boot) media

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1608933/+subscriptions


[Bug 1854764] Re: Dell 5280 (id=0x00050654/06-55-04) hangs on warm reboot after upgrading intel-microcode package

2020-06-16 Thread Steve Beattie
** Summary changed:

- Dell 5280 hangs on warm reboot after upgrading intel-microcode package
+ Dell 5280 (id=0x00050654/06-55-04) hangs on warm reboot after upgrading 
intel-microcode package

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854764

Title:
  Dell 5280 (id=0x00050654/06-55-04) hangs on warm reboot after
  upgrading intel-microcode package

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1854764/+subscriptions


[Bug 1883598] Re: efi: Restrict efivar_ssdt_load when the kernel is locked down

2020-06-16 Thread Steve Beattie
** Changed in: linux (Ubuntu)
   Status: Incomplete => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1883598

Title:
  efi: Restrict efivar_ssdt_load when the kernel is locked down

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1883598/+subscriptions


[Bug 1883595] Re: fwupd-signed needs to be updated in sync with fwupd security update

2020-06-16 Thread Steve Beattie
** Changed in: fwupd-signed (Ubuntu Bionic)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1883595

Title:
  fwupd-signed needs to be updated in sync with fwupd security update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd-signed/+bug/1883595/+subscriptions


[Bug 1883598] Re: efi: Restrict efivar_ssdt_load when the kernel is locked down

2020-06-15 Thread Steve Beattie
** Description changed:

  Upstream git commit 1957a85b0032 needs to be backported to older
  releases:
  
    efi: Restrict efivar_ssdt_load when the kernel is locked down
  
    efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an
    EFI variable, which gives arbitrary code execution in ring 0. Prevent
    that when the kernel is locked down.
+ 
+ Code introduced in 475fb4e8b2fd1d7b406ff3a7d21bc89a1e6f
+ 
+ break-fix: 475fb4e8b2fd1d7b406ff3a7d21bc89a1e6f
+ 1957a85b0032a81e6482ca4aab883643b8dae06e

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1883598

Title:
  efi: Restrict efivar_ssdt_load when the kernel is locked down

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1883598/+subscriptions


[Bug 1883598] [NEW] efi: Restrict efivar_ssdt_load when the kernel is locked down

2020-06-15 Thread Steve Beattie
*** This bug is a security vulnerability ***

Public security bug reported:

Upstream git commit 1957a85b0032 needs to be backported to older
releases:

  efi: Restrict efivar_ssdt_load when the kernel is locked down

  efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an
  EFI variable, which gives arbitrary code execution in ring 0. Prevent
  that when the kernel is locked down.

Code introduced in 475fb4e8b2fd1d7b406ff3a7d21bc89a1e6f

break-fix: 475fb4e8b2fd1d7b406ff3a7d21bc89a1e6f
1957a85b0032a81e6482ca4aab883643b8dae06e

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

  Upstream git commit 1957a85b0032 needs to be backported to older
  releases:
  
- efi: Restrict efivar_ssdt_load when the kernel is locked down
+   efi: Restrict efivar_ssdt_load when the kernel is locked down
  
- efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an
- EFI variable, which gives arbitrary code execution in ring 0. Prevent
- that when the kernel is locked down.
+   efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an
+   EFI variable, which gives arbitrary code execution in ring 0. Prevent
+   that when the kernel is locked down.

https://bugs.launchpad.net/bugs/1883598

[Bug 1883595] [NEW] fwupd-signed needs to be updated in sync with fwupd security update

2020-06-15 Thread Steve Beattie
Public bug reported:

A security update was issued for fwupd (https://usn.ubuntu.com/4395-1/)
in bionic, eoan, and focal; however fwupd-signed needs to be updated at
the same time.

** Affects: fwupd-signed (Ubuntu)
 Importance: Undecided
 Status: Invalid

** Affects: fwupd-signed (Ubuntu Bionic)
 Importance: Undecided
 Status: New

** Affects: fwupd-signed (Ubuntu Eoan)
 Importance: Undecided
 Status: New

** Affects: fwupd-signed (Ubuntu Focal)
 Importance: Undecided
 Status: New

** Also affects: fwupd-signed (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: fwupd-signed (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: fwupd-signed (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Changed in: fwupd-signed (Ubuntu)
   Status: New => Invalid

** Description changed:

- A security update was issued for fwupd (https://usn.ubuntu.com/4395-1/);
- however fwupd-signed needs to be updated at the same time.
+ A security update was issued for fwupd (https://usn.ubuntu.com/4395-1/)
+ in bionic, eoan, and focal; however fwupd-signed needs to be updated at
+ the same time.

https://bugs.launchpad.net/bugs/1883595

[Bug 1880663] Re: Dell Latitude 7300 ( cpu id 0x806eb) sometimes stuck at purple screen after grub and fails to boot up

2020-06-12 Thread Steve Beattie
** Summary changed:

- Dell Latitude 7300 sometimes stuck at purple screen after grub and fails to 
boot up
+ Dell Latitude 7300 ( cpu id 0x806eb) sometimes stuck at purple screen after 
grub and fails to boot up

https://bugs.launchpad.net/bugs/1880663

[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake

2020-06-11 Thread Steve Beattie
Thanks for testing! The issue you are seeing looks very similar to
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
except that in that report, version 0xca was also problematic.


** Bug watch added: github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues #24
   https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24

https://bugs.launchpad.net/bugs/1883002

[Bug 1862751] Re: Hard lockups using microcode releases 20191115 on Intel Whiskey Lake

2020-06-11 Thread Steve Beattie
Hi You-Sheng Yang, are you still seeing this issue after the release of
the 20200609 microcode update? Particularly after a warm reboot?

Bug 1883002 looks to be the same processor id and reports similar
instability with the 20200609 microcode, particularly after a warm
reboot.

Thanks.

https://bugs.launchpad.net/bugs/1862751

[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake

2020-06-11 Thread Steve Beattie
** Changed in: intel-microcode (Ubuntu)
   Status: Fix Released => Confirmed

https://bugs.launchpad.net/bugs/1883002

[Bug 1882943] Re: Boot freezes silently after 'intel-microcode' upgrade

2020-06-11 Thread Steve Beattie
Thanks for testing and sorry you're experiencing this. Can you confirm
that the output of 'iucode-tool -Sv' contains:

  iucode-tool: system has processor(s) with signature 0x000906ed

Output of lscpu would be useful too, along with ensuring you have the
latest BIOS installed from Dell.

Raising the issue at
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/
will get the problem you are having more of a chance to get on Intel's
radar.

Thanks again.

https://bugs.launchpad.net/bugs/1882943

[Bug 1862938] Re: Enable late loading of microcode by default

2020-06-11 Thread Steve Beattie
The version in eoan was superseded by the 20200609 release. In focal and
groovy, this change was reverted in 3.20200609.0ubuntu0.20.04.2 because
the tmpfiles.d approach, in addition to attempting to late load early in
the boot process, also caused late loading to trigger during package
installation.

Enabling late loading by default also makes it more difficult to recover
from a problematic microcode update; attempting to boot an earlier
kernel/initramfs with a known-good microcode to recover will be thwarted
by the late loaded problematic microcode.

https://bugs.launchpad.net/bugs/1862938

[Bug 1883016] Re: revert tmpfiles.d loading of microcode

2020-06-11 Thread Steve Beattie
This was fixed in 3.20200609.0ubuntu0.20.04.2 in focal and groovy
(thanks for the forward copy!). The eoan patch to add tmpfiles.d late
loading never made it out of eoan-proposed.

Closing all tasks. Thanks!

** Changed in: intel-microcode (Ubuntu Focal)
   Status: In Progress => Fix Released

** Changed in: intel-microcode (Ubuntu Groovy)
   Status: In Progress => Fix Released

** Changed in: intel-microcode (Ubuntu Eoan)
   Status: In Progress => Invalid

https://bugs.launchpad.net/bugs/1883016

[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake

2020-06-10 Thread Steve Beattie
** Changed in: intel-microcode (Ubuntu)
   Status: Fix Released => Incomplete

https://bugs.launchpad.net/bugs/1883002

[Bug 1882943] Re: Boot freezes silently after 'intel-microcode' upgrade

2020-06-10 Thread Steve Beattie
This is on Ubuntu 20.04 LTS/focal, correct?

If so, this is either exacerbated or triggered entirely because focal's
intel-microcode package enabled late loading of microcode (known to be
risky) that would get triggered while updating the intel-microcode
package itself; see LP: #1883002. Even worse, it would get triggered
even if you booted with an earlier

A regression update for focal's intel-microcode package
(3.20200609.0ubuntu0.20.04.2) has been published,
https://usn.ubuntu.com/4385-2. Can you test with that version to see if
your processor still has problems with the updated
3.20200609.0ubuntu0.20.04.2 version?

https://bugs.launchpad.net/bugs/1882943

[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake

2020-06-10 Thread Steve Beattie
Henrique, I didn't realize until today that the systemd tmpfiles.d would
also get triggered as part of the intel-microcode postinst in addition
to very early in the boot process. I have reverted it for focal (and
eventually groovy) because of the increased risk of instability and the
greater difficulty that it adds to recovery from a bad microcode update;
booting an earlier kernel/initramfs combination with an older microcode
embedded would still get the new bad microcode loaded via the tmpfiles.d
snippet.

I used this bug report as a reference for the upload, but re-opened the
issue as it's not clear whether an early-loaded microcode is a problem
for the reporter.

https://bugs.launchpad.net/bugs/1883002

[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake

2020-06-10 Thread Steve Beattie
** Changed in: intel-microcode (Ubuntu)
   Status: Fix Released => Incomplete

https://bugs.launchpad.net/bugs/1883002

[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake

2020-06-10 Thread Steve Beattie
For others hitting this issue, add the 'dis_ucode_ldr' kernel boot
option in grub before booting to disable microcode loading.

https://bugs.launchpad.net/bugs/1883002

[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake

2020-06-10 Thread Steve Beattie
Henrique, I think that's a consequence of the change in focal's
intel-microcode to add a tmpfiles.d snippet to do late loading of
microcode (LP: #1862938); the intel-microcode postinst generated ends up
calling 'systemd-tmpfiles --create' on the added microcode conf file,
causing it to be triggered immediately.

https://bugs.launchpad.net/bugs/1883002
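
The messages above describe a tmpfiles.d snippet that late loads microcode and is also run by 'systemd-tmpfiles --create' from the postinst. The following is an added example, not code from the intel-microcode package: a scan for tmpfiles.d write entries aimed at the kernel's microcode reload trigger. It assumes the snippet is a `w` line for /sys/devices/system/cpu/microcode/reload; the configuration file names and contents are constructed.

```shell
#!/bin/sh
# Find tmpfiles.d entries that write to the kernel's microcode late-load
# trigger. The sample configuration files below are constructed for the demo.

RELOAD_PATH=/sys/devices/system/cpu/microcode/reload

# For each *.conf in the given directories, print "file:line:scope" for every
# "w" (write) entry whose path is the reload trigger. Scope is "boot-only" when
# the type carries the "!" modifier, which systemd-tmpfiles honours only with
# --boot, and "any-run" otherwise (also applied by a plain --create, such as
# the one a package postinst runs).
find_late_load_entries() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue
            awk -v target="$RELOAD_PATH" -v file="$conf" '
                /^[ \t]*#/ || NF < 2 { next }   # comments, blank or short lines
                $1 ~ /^w/ && $2 == target {
                    scope = ($1 ~ /!/) ? "boot-only" : "any-run"
                    printf "%s:%d:%s\n", file, FNR, scope
                }' "$conf"
        done
    done
}

# Build a constructed tmpfiles.d tree in a temporary directory and scan it.
demo_late_load_scan() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/lib/tmpfiles.d" "$tmp/etc/tmpfiles.d"
    cat > "$tmp/usr/lib/tmpfiles.d/example-microcode.conf" <<EOF
# constructed example: late-load trigger applied on every run
w $RELOAD_PATH - - - - 1
EOF
    cat > "$tmp/etc/tmpfiles.d/example-boot.conf" <<EOF
# constructed example: same write, restricted to --boot runs
w! $RELOAD_PATH - - - - 1
d /run/example 0755 root root -
EOF
    (cd "$tmp" && find_late_load_entries usr/lib/tmpfiles.d etc/tmpfiles.d)
    rm -rf "$tmp"
}

demo_late_load_scan
```

On a real system the directories to pass are /usr/lib/tmpfiles.d, /run/tmpfiles.d and /etc/tmpfiles.d.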

[Bug 1882890] Re: intel-ucode/06-4e-03 from release 20200609 hangs system in early boot

2020-06-10 Thread Steve Beattie
** Also affects: intel-microcode (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: intel-microcode (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: intel-microcode (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: intel-microcode (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Changed in: intel-microcode (Ubuntu Bionic)
   Status: New => Confirmed

** Changed in: intel-microcode (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: intel-microcode (Ubuntu Eoan)
   Status: New => Confirmed

** Changed in: intel-microcode (Ubuntu Focal)
   Status: New => Confirmed

https://bugs.launchpad.net/bugs/1882890

[Bug 1882914] Re: Thinkpad T460S won't boot with latest intel-microcode update

2020-06-10 Thread Steve Beattie
*** This bug is a duplicate of bug 1882890 ***
https://bugs.launchpad.net/bugs/1882890

Great, thank you, appreciated. And yes, I'll mark this as a duplicate of
the other.

** This bug has been marked a duplicate of bug 1882890
   intel-ucode/06-4e-03 from release 20200609 hangs system in early boot

https://bugs.launchpad.net/bugs/1882914

[Bug 1882914] Re: Thinkpad T460S won't boot with latest intel-microcode update

2020-06-10 Thread Steve Beattie
Thanks!

I have packages that revert the problematic microcode back to the
version included in the microcode updates from 20191115 available for
testing in https://launchpad.net/~sbeattie/+archive/ubuntu/lp1882890/ ;
can you confirm that after installing them from that ppa, that you can
successfully reboot your system?

https://bugs.launchpad.net/bugs/1882914

[Bug 1882890] Re: intel-ucode/06-4e-03 from release 20200609 hangs system in early boot

2020-06-10 Thread Steve Beattie
Rodman: no, that's an older issue affecting a different processor
family.

This issue is specifically affecting processors with id 0x406e3; if the
output of dmesg | grep microcode does not contain "sig=0x406e3" then you
have a different issue, and should open a new bug report.

I am working on reverting the 0xdc version of the microcode for the
0x406e3 family back to the 0xd6 version included in 20191115 microcode
update. Test packages should show up soon in
https://launchpad.net/~sbeattie/+archive/ubuntu/lp1882890/ ; I would
appreciate confirmation that those packages do allow affected systems to
boot successfully.

Thanks, and sorry for the problems people are having.

https://bugs.launchpad.net/bugs/1882890
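
The check requested in the message above ('dmesg | grep microcode' containing "sig=0x406e3", with revision 0xdc being reverted to 0xd6), written out as an added example that is not part of the original thread. It assumes the kernel's "microcode: sig=..., pf=..., revision=..." line format; the sample log lines are constructed.

```shell
#!/bin/sh
# Triage `dmesg | grep microcode` output against the signature and revisions
# named in the report. All sample log lines here are constructed.

AFFECTED_SIG=0x406e3   # processor id the report says is affected
BAD_REV=0xdc           # revision being reverted
GOOD_REV=0xd6          # revision from the 20191115 update

# Extract a hex field (sig or revision) from the kernel's
# "microcode: sig=0x..., pf=0x..., revision=0x..." line (assumed format).
# Prints nothing when the field is absent.
ucode_field() {  # $1 = log text, $2 = field name
    printf '%s\n' "$1" |
        sed -n "s/.*microcode:.*[ ,]$2=\(0x[0-9a-fA-F]\{1,\}\).*/\1/p" |
        head -n 1
}

# Values are compared numerically, so zero-padded or upper-case hex
# (0x000406E3) matches the same signature.
ucode_classify() {  # $1 = log text
    sig=$(ucode_field "$1" sig)
    rev=$(ucode_field "$1" revision)
    if [ -z "$sig" ]; then
        echo "no-signature-line"
    elif [ $(($sig)) -ne $(($AFFECTED_SIG)) ]; then
        echo "different-issue"          # the report asks for a new bug here
    elif [ -z "$rev" ]; then
        echo "affected-signature-unknown-revision"
    elif [ $(($rev)) -eq $(($BAD_REV)) ]; then
        echo "affected"
    elif [ $(($rev)) -eq $(($GOOD_REV)) ]; then
        echo "reverted"
    else
        echo "affected-signature-other-revision"
    fi
}

# Constructed samples (timestamps and dates are made up).
SAMPLE_BAD='[    0.000000] microcode: microcode updated early to revision 0xdc, date = 2020-04-27
[    1.052514] microcode: sig=0x406e3, pf=0x80, revision=0xdc'
SAMPLE_REVERTED='[    1.052514] microcode: sig=0x406e3, pf=0x80, revision=0xd6'
SAMPLE_OTHER='[    1.052514] microcode: sig=0x806eb, pf=0x80, revision=0xd6'
SAMPLE_PADDED='microcode: sig=0x000406E3, pf=0x80, revision=0xDC'

for sample in "$SAMPLE_BAD" "$SAMPLE_REVERTED" "$SAMPLE_OTHER" "$SAMPLE_PADDED"; do
    ucode_classify "$sample"
done
```

On a live system, pass the real output: `ucode_classify "$(dmesg | grep microcode)"`.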

[Bug 1882890] Re: intel-ucode/06-4e-03 from release 20200609 hangs system in early boot

2020-06-10 Thread Steve Beattie
Philipp Classen: indeed, a full /boot/ will cause problems on upgrade
that can result in failure to boot, unrelated to microcode issues. With
that corrected, are you still having an issue?

And again, can you confirm that

  dmesg | grep microcode

contains "sig=0x406e3"?

** Changed in: intel-microcode (Ubuntu)
 Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: intel-microcode (Ubuntu)
   Importance: Undecided => Critical

https://bugs.launchpad.net/bugs/1882890

[Bug 1882914] Re: Thinkpad T460S won't boot with latest intel-microcode update

2020-06-10 Thread Steve Beattie
Sorry, second line would contain the 'sig=' entry that identifies the
processor family.

https://bugs.launchpad.net/bugs/1882914

[Bug 1882914] Re: Thinkpad T460S won't boot with latest intel-microcode update

2020-06-10 Thread Steve Beattie
Hi, can you please include the output of

  dmesg | grep microcode

and confirm that the first line contains "sig=0x406e3"?

If so, this is likely a duplicate of bug 1882890.

https://bugs.launchpad.net/bugs/1882914

[Bug 1882943] Re: Boot freezes silently after 'intel-microcode' upgrade

2020-06-10 Thread Steve Beattie
Can you please post the output of:

  dmesg | grep microcode

thanks

https://bugs.launchpad.net/bugs/1882943

[Bug 1879340] Re: test_072_strict_devmem from ubuntu_qrt_kernel_security failed to build on F-OEM-5.6

2020-06-08 Thread Steve Beattie
This issue ultimately has the same root cause as LP: #1880659, namely
that in the 5.6 development cycle, the proc_fs infrastructure was
modified to not use the generic file_operations struct and instead use a
simplified procfs_ops struct (see d56c0d45f0e27 'proc: decouple proc
from VFS with "struct proc_ops"'), which is why this test is failing.

This has been fixed in the qa-regression-testing tree in
https://git.launchpad.net/qa-regression-testing/commit/?id=f815e50b3ffd0cacdca98dee62d324ff1488bcb3

Thanks.

** Changed in: qa-regression-testing
   Status: New => Fix Released

** Changed in: linux-oem-5.6 (Ubuntu)
   Status: New => Invalid

https://bugs.launchpad.net/bugs/1879340

[Bug 1880659] Re: test_120_smep_works from ubuntu_qrt_kernel_security fail on F-OEM-5.6

2020-06-08 Thread Steve Beattie
In the 5.6 development cycle, the proc_fs infrastructure was modified to
not use the generic file_operations struct and instead use a simplified
procfs_ops struct (see d56c0d45f0e27 'proc: decouple proc from VFS with
"struct proc_ops"'), which is why this test is failing.

I've fixed this in QRT with some compatibility definitions in
https://git.launchpad.net/qa-regression-testing/commit/?id=f815e50b3ffd0cacdca98dee62d324ff1488bcb3


** Changed in: qa-regression-testing
   Status: New => Fix Released

** Changed in: linux-signed-oem-5.6 (Ubuntu)
   Status: New => Invalid

** Package changed: linux-signed-oem-5.6 (Ubuntu) => linux-oem-5.6 (Ubuntu)

https://bugs.launchpad.net/bugs/1880659

[Bug 1851682] Re: oscap is broken in ubuntu 19.10

2020-06-05 Thread Steve Beattie
** Also affects: openscap (Ubuntu Groovy)
   Importance: Low
   Status: Confirmed

https://bugs.launchpad.net/bugs/1851682

[Bug 1880360] Re: package linux-modules-extra-5.4.0-31-generic 5.4.0-31.35 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting a removal

2020-06-02 Thread Steve Beattie
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1880360

[Bug 1878654] Re: Remove automatically added groups from os-login

2020-05-27 Thread Steve Beattie
Thanks, David, for the feedback, marking all versions as
verification-done.

** Tags added: verification-done-bionic verification-done-eoan
verification-done-focal verification-done-xenial

https://bugs.launchpad.net/bugs/1878654

[Bug 1878499] Re: MY_MIRROR env could be better documented

2020-05-26 Thread Steve Beattie
How is one supposed to know about this environment variable?

  $ man ubuntu-security-status
  No manual entry for ubuntu-security-status
  $ ubuntu-security-status --help
  usage: ubuntu-security-status [-h] [--thirdparty] [--unavailable]

  Return information about security support for packages

  optional arguments:
    -h, --help     show this help message and exit
    --thirdparty
    --unavailable

Furthermore, the prior tool, ubuntu-support-status, did not need this
magic under-documented environment variable to work:

  $ lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 18.04.4 LTS
  Release:        18.04
  Codename:       bionic
  $ ubuntu-support-status
  Support status summary of 'HOSTNAME':

  You have 544 packages (14.4%) supported until April 2021 (Community - 3y)
  You have 2274 packages (60.3%) supported until April 2023 (Canonical - 5y)
  You have 3 packages (0.1%) supported until April 2021 (Canonical - 3y)

  You have 72 packages (1.9%) that can not/no-longer be downloaded
  You have 876 packages (23.2%) that are unsupported

  Your Hardware Enablement Stack (HWE) is supported until April 2023.

  Run with --show-unsupported, --show-supported or --show-all to see
  more details

Why can't ubuntu-security-status work out which Packages files have a
hash chain of trust that goes back to the ubuntu archive signing key,
and then determine security support status based on that?

https://bugs.launchpad.net/bugs/1878499

[Bug 1878654] Re: Remove automatically added groups from os-login

2020-05-21 Thread Steve Beattie
Because these packages may end up getting copied to the security
pockets, these have been built in the ubuntu-security-proposed ppa:

  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/

Direct links to the packages are

focal:
  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+sourcepub/11292227/+listing-archive-extra

eoan:
  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+sourcepub/11292236/+listing-archive-extra

bionic:
  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+sourcepub/11292244/+listing-archive-extra

xenial:
  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+sourcepub/11292249/+listing-archive-extra

https://bugs.launchpad.net/bugs/1878654

[Bug 1879339] Re: test_310_config_security_perf_events_restrict / test_400_refcount_config in ubuntu_qrt_kernel_security failed on F-OEM-5.6

2020-05-21 Thread Steve Beattie
** Changed in: qa-regression-testing
   Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1879339

[Bug 1879339] Re: test_310_config_security_perf_events_restrict / test_400_refcount_config in ubuntu_qrt_kernel_security failed on F-OEM-5.6

2020-05-21 Thread Steve Beattie
The test_400_refcount_config failure has been addressed in 
qa-regression-testing commit
https://git.launchpad.net/qa-regression-testing/commit/?id=480aaab47c0e7e11ab5bad5b56f61742ac8fdf9e

Thanks.

https://bugs.launchpad.net/bugs/1879339

[Bug 1878108] Re: new upstream release 2020a

2020-05-20 Thread Steve Beattie
Ubuntu Security team ack for binary copying these into the security
pockets as well.

Thanks!

https://bugs.launchpad.net/bugs/1878108

[Bug 1879339] Re: test_310_config_security_perf_events_restrict / test_400_refcount_config in ubuntu_qrt_kernel_security failed on F-OEM-5.6

2020-05-20 Thread Steve Beattie
For the test_310_config_security_perf_events_restrict -- missing
SECURITY_PERF_EVENTS_RESTRICT option; it appears the linux-oem-5.6
kernel is missing the following Ubuntu SAUCE patch:

  commit 4e6246de75c468397327fa741b380c926020c81f
  Author: Ben Hutchings 
  Date:   Tue Aug 16 10:27:00 2016 -0600

      UBUNTU: SAUCE: security,perf: Allow further restriction of perf_event_open

For the test_400_refcount_config test, the ARCH_HAS_REFCOUNT and
REFCOUNT_FULL config options were removed upstream in the 5.5 kernel
cycle. I'm working on a patch to qrt to address this.

Thanks.

** Changed in: qa-regression-testing
   Status: New => Confirmed

** Changed in: linux-oem-5.6 (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879339

Title:
  test_310_config_security_perf_events_restrict /
  test_400_refcount_config in ubuntu_qrt_kernel_security failed on
  F-OEM-5.6

To manage notifications about this bug go to:
https://bugs.launchpad.net/qa-regression-testing/+bug/1879339/+subscriptions
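
The version-dependent expectation described in the message above, as an added example that is not part of the original message or of qa-regression-testing: the option names and the 5.5 cut-off come from the message, while the function names, the "at least one refcount option" rule, the release strings and the sample configs are assumptions constructed here.

```python
import re

# Option names come from the message above; how they are combined is an assumption.
REQUIRED = ["CONFIG_SECURITY_PERF_EVENTS_RESTRICT"]
REFCOUNT_OPTS = ["CONFIG_ARCH_HAS_REFCOUNT", "CONFIG_REFCOUNT_FULL"]
REFCOUNT_REMOVED_IN = (5, 5)  # "removed upstream in the 5.5 kernel cycle"

def parse_config(text):
    """Return {option: value}; '# CONFIG_X is not set' maps to None."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        unset = re.fullmatch(r"# (CONFIG_\w+) is not set", line)
        assigned = re.fullmatch(r"(CONFIG_\w+)=(.*)", line)
        if unset:
            opts[unset.group(1)] = None
        elif assigned:
            opts[assigned.group(1)] = assigned.group(2)
    return opts

def kernel_version(release):
    """'5.6.0-1010-oem' -> (5, 6); raises ValueError on anything else."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))

def check_config(release, config_text):
    """List the hardening options this kernel should have enabled but does not."""
    opts = parse_config(config_text)
    problems = [f"{name} not enabled" for name in REQUIRED if opts.get(name) != "y"]
    # Only kernels older than the removal point can be expected to carry a
    # refcount hardening option; newer ones have nothing left to check.
    if kernel_version(release) < REFCOUNT_REMOVED_IN:
        if not any(opts.get(name) == "y" for name in REFCOUNT_OPTS):
            problems.append("no refcount hardening option enabled")
    return problems

# Constructed sample configs (not taken from any real kernel package).
OEM_5_6 = "CONFIG_SECURITY=y\nCONFIG_PERF_EVENTS=y\n"
GENERIC_5_4 = ("CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y\n"
               "CONFIG_ARCH_HAS_REFCOUNT=y\n"
               "# CONFIG_REFCOUNT_FULL is not set\n")

if __name__ == "__main__":
    print(check_config("5.6.0-1010-oem", OEM_5_6))
    print(check_config("5.4.0-31-generic", GENERIC_5_4))
```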


[Bug 1878654] Re: Remove automatically added groups from os-login

2020-05-19 Thread Steve Beattie
** Description changed:

- Incorporate upstream commits:
+ [Impact]
  
-   https://github.com/GoogleCloudPlatform/guest-
+ The google_oslogin_control script included in the google-compute-engine-
+ oslogin binary package adds every new user to several
+ unnecessary/unexpected groups. Upstream recommends disabling this
+ behavior.
+ 
+ [Test Case]
+ 
+ Examine the /usr/bin/google_oslogin_control and ensure that the variable
+ assignment for
+ 
+   group_conf_entry
+   
+ in the modify_group_conf() function does not contain any of the following 
groups: 
+ 
+   dip, plugdev, adm, docker, lxd
+ 
+ [Regression Potential]
+ 
+ Implemented incorrectly, this could break group setup for users on new
+ gce instances. Users may also have to alter configuration management
+ tools that expect users to already have access to e.g. the docker or lxd
+ group by default.
+ 
+ [References]
+ 
+ Upstream commits:
+ 
+   https://github.com/GoogleCloudPlatform/guest-
  oslogin/commit/50b0fb7b5804c22ef9581e7dc91875801dfa5469
  
-   https://github.com/GoogleCloudPlatform/guest-
+   https://github.com/GoogleCloudPlatform/guest-
  oslogin/commit/88f1ba85e20b3b3a07bfad2eeb723a6b06e41fc8
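
Review bot: The added [Test Case] (the "+ Examine the /usr/bin/google_oslogin_control" lines) is a manual read of the script with no exact command or expected output, so two verifiers could reach different pass/fail results; consider stating the concrete check to run against the group_conf_entry assignment in modify_group_conf(). The [Regression Potential] text covers new gce instances and configuration management tools, but does not say what happens to users who were already added to dip, plugdev, adm, docker or lxd before the update; it would help to state whether those memberships are left in place.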

** Also affects: gce-compute-image-packages (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: gce-compute-image-packages (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: gce-compute-image-packages (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Also affects: gce-compute-image-packages (Ubuntu Groovy)
   Importance: Undecided
 Assignee: Steve Beattie (sbeattie)
   Status: New

** Also affects: gce-compute-image-packages (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Changed in: gce-compute-image-packages (Ubuntu Xenial)
 Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: gce-compute-image-packages (Ubuntu Bionic)
 Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: gce-compute-image-packages (Ubuntu Eoan)
 Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: gce-compute-image-packages (Ubuntu Focal)
 Assignee: (unassigned) => Steve Beattie (sbeattie)

** Description changed:

  [Impact]
  
  The google_oslogin_control script included in the google-compute-engine-
  oslogin binary package adds every new user to several
  unnecessary/unexpected groups. Upstream recommends disabling this
  behavior.
  
  [Test Case]
  
  Examine the /usr/bin/google_oslogin_control and ensure that the variable
  assignment for
  
-   group_conf_entry
-   
- in the modify_group_conf() function does not contain any of the following 
groups: 
+   group_conf_entry
  
-   dip, plugdev, adm, docker, lxd
+ in the modify_group_conf() function does not contain any of the
+ following groups:
+ 
+   dip, plugdev, adm, docker, lxd
  
  [Regression Potential]
  
  Implemented incorrectly, this could break group setup for users on new
  gce instances. Users may also have to alter configuration management
  tools that expect users to already have access to e.g. the docker or lxd
  group by default.
  
  [References]
  
- Upstream commits:
+ Upstream PR and commits:
+ 
+   https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
  
    https://github.com/GoogleCloudPlatform/guest-
  oslogin/commit/50b0fb7b5804c22ef9581e7dc91875801dfa5469
  
    https://github.com/GoogleCloudPlatform/guest-
  oslogin/commit/88f1ba85e20b3b3a07bfad2eeb723a6b06e41fc8

** Description changed:

  [Impact]
  
  The google_oslogin_control script included in the google-compute-engine-
  oslogin binary package adds every new user to several
  unnecessary/unexpected groups. Upstream recommends disabling this
  behavior.
  
  [Test Case]
  
  Examine the /usr/bin/google_oslogin_control and ensure that the variable
  assignment for
  
    group_conf_entry
  
  in the modify_group_conf() function does not contain any of the
  following groups:
  
    dip, plugdev, adm, docker, lxd
  
  [Regression Potential]
  
  Implemented incorrectly, this could break group setup for users on new
  gce instances. Users may also have to alter configuration management
  tools that expect users to already have access to e.g. the docker or lxd
  group by default.
  
  [References]
  
  Upstream PR and commits:
  
-   https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
+   https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
  
    https://github.com/GoogleCloudPlatform/guest-
  oslogin/commit/50b0fb7b5804c22ef9581e7dc91875801dfa5469
  
+   https://github.com/GoogleCloudPlatform/guest-oslogin/pull/30
+ 
    https://github.com/GoogleCloudPlatform/guest-
  oslogin/commit/88f1ba85e20b3b3a07bfad2eeb723a6b06e41fc8

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1878654

Title:
  Remove automatically added groups from os-login


[Bug 1878654] [NEW] Remove automatically added groups from os-login

2020-05-14 Thread Steve Beattie
Public bug reported:

Incorporate upstream commits:

  https://github.com/GoogleCloudPlatform/guest-
oslogin/commit/50b0fb7b5804c22ef9581e7dc91875801dfa5469

  https://github.com/GoogleCloudPlatform/guest-
oslogin/commit/88f1ba85e20b3b3a07bfad2eeb723a6b06e41fc8

** Affects: gce-compute-image-packages (Ubuntu)
 Importance: Undecided
 Assignee: Steve Beattie (sbeattie)
 Status: New

** Changed in: gce-compute-image-packages (Ubuntu)
 Assignee: (unassigned) => Steve Beattie (sbeattie)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1878654

Title:
  Remove automatically added groups from os-login

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gce-compute-image-packages/+bug/1878654/+subscriptions


[Bug 1876697] Re: test_regression_testsuite from ubuntu_qrt_apparmor failed on Focal zVM

2020-05-05 Thread Steve Beattie
All that about CONFIG_RT_GROUP_SCHED seems sensible, but then I am
confused as to why it is only showing up in s390x environments?

The test is trying to exercise CAP_SYS_NICE, and doing so by calling

  setpriority(PRIO_PROCESS, 0, -5)

Does the test need to be put into a cgroup with rt allocations if
CONFIG_RT_GROUP_SCHED is set?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1876697

Title:
  test_regression_testsuite from ubuntu_qrt_apparmor failed on Focal zVM

To manage notifications about this bug go to:
https://bugs.launchpad.net/qa-regression-testing/+bug/1876697/+subscriptions
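
The setpriority(PRIO_PROCESS, 0, -5) call quoted in the message above, reproduced as an added example that is not part of the original message or of the test suite: it runs the call in a child process and reports the errno, alongside whether CAP_SYS_NICE is in the effective capability set. The function names are assumptions made here, and diagnose() assumes a Linux /proc.

```python
import errno
import os

CAP_SYS_NICE = 23  # capability bit number from <linux/capability.h>

def has_cap(cap_eff_hex, cap=CAP_SYS_NICE):
    """True if the capability bit is set in a CapEff hex mask."""
    return bool((int(cap_eff_hex, 16) >> cap) & 1)

def effective_caps(status_text):
    """Extract the CapEff mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line found")

def probe_setpriority(nice=-5):
    """Run setpriority(PRIO_PROCESS, 0, nice) in a child; return 'ok' or an errno name."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the priority change never touches the caller
        os.close(read_fd)
        try:
            os.setpriority(os.PRIO_PROCESS, 0, nice)
            result = "ok"
        except OSError as exc:
            # EACCES here means the kernel refused to lower the nice value.
            result = errno.errorcode.get(exc.errno, str(exc.errno))
        os.write(write_fd, result.encode())
        os._exit(0)
    os.close(write_fd)
    with os.fdopen(read_fd) as pipe:
        result = pipe.read()
    os.waitpid(pid, 0)
    return result

def diagnose():
    """Pair the capability state with the syscall outcome for a bug report."""
    with open("/proc/self/status") as fh:
        held = has_cap(effective_caps(fh.read()))
    return {"cap_sys_nice": held, "setpriority": probe_setpriority()}

if __name__ == "__main__":
    print(diagnose())
```

A result of `cap_sys_nice: True` together with a failing `setpriority` points away from the capability check itself and toward the environment the process runs in.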


[Bug 1876697] Re: test_regression_testsuite from ubuntu_qrt_apparmor failed on Focal zVM

2020-05-04 Thread Steve Beattie
I have seen a similar failure with that specific test when running the
tests under virtualbox on x86, though I have not tried it in several
years.

If this is the expected behavior going forward on s390s, we can address
it in qa-regression-testing.

Thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1876697

Title:
  test_regression_testsuite from ubuntu_qrt_apparmor failed on Focal zVM

To manage notifications about this bug go to:
https://bugs.launchpad.net/qa-regression-testing/+bug/1876697/+subscriptions


[Bug 1865519] Re: apparmor depends on python3

2020-04-29 Thread Steve Beattie
An initial port of aa-status to C landed in
https://gitlab.com/apparmor/apparmor/-/commit/8f9046b1b179190d0003ae1beacf460ee93c5090
and will be in the upcoming AppArmor 3 release. There is a follow-up
improvement in https://gitlab.com/apparmor/apparmor/-/merge_requests/487
that should also land.

** Also affects: apparmor
   Importance: Undecided
   Status: New

** Changed in: apparmor (Ubuntu)
   Status: New => Fix Committed

** Changed in: apparmor (Ubuntu)
   Status: Fix Committed => Confirmed

** Changed in: apparmor
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865519

Title:
  apparmor depends on python3

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1865519/+subscriptions

