[Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
Oh, I was expecting that it would also be desirable to SRU this back to focal, as I expected CONFIG_SECURITY_DMESG_RESTRICT to come back with the HWE kernels, but looking at the config for linux-hwe-5.8, it appears that the old behavior was kept. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912122 Title: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1912122/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1884887] Re: rsyslogd dmesg unit leaves /var/log/dmesg* world readable
*** This bug is a duplicate of bug 1912122 *** https://bugs.launchpad.net/bugs/1912122 ** This bug has been marked a duplicate of bug 1912122 /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
[Bug 1912122] Re: /var/log/dmesg is 0644, should be 0640 to match new DMESG_RESTRICT restrictions
The Ubuntu Security team would like to see this fixed, though it probably would be worth adding the following change to the service file so that on log rotation the permissions are corrected as well: -ExecStartPre=-/usr/bin/savelog -q -p -n -c 5 /var/log/dmesg +ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg Thanks!
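Review bot: the new ExecStartPre line passes -m640 while keeping the existing -p, and per savelog(8) -p preserves the owner, group and mode of the log file whereas -m sets the mode, so it is worth confirming which option wins when the current /var/log/dmesg is still 0644. If the preserved mode is applied, the rotated copies stay world-readable; an explicit chmod step for /var/log/dmesg and its rotated copies would make the result unambiguous. The leading "-" on the command also means a savelog failure is ignored, so the permission change would be skipped silently in that case.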
[Bug 1910608] Re: openvswitch embedded code copy of lldpd is vulnerable to CVE-2015-8011
** Information type changed from Private Security to Public Security
[Bug 1909698] Re: new upstream release 2020f
Hi Brian, Thanks for the trusty and precise debdiffs. I have gone ahead and published the updates to trusty-esm and precise-esm, after verifying the fixes.
[Bug 1889248] Re: [MIR] mdevctl, jq, libonig
I reviewed jq 1.6-2.1 as checked into hirsute. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

jq is a flexible command-line JSON processor. It ends up implementing its own language for querying and manipulating JSON structures. As such, there are times where it is used to parse and process untrusted input.

- The jq package has had a couple of CVEs, one for a one-byte heap overflow, and one for unbounded stack usage in some situations. Upstream has been reasonably responsive in addressing the issues in a timely manner.
- No build depends of concern. It does use bison/flex for its manipulation language parser and ruby for generating docs.
- No pre/post inst/rm scripts.
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- The only binary provided is jq.
- No sudo fragments.
- No polkit files.
- No udev rules.
- No autopkgtests. jq provides a bunch of functional tests that are run during the build, while wrapped by valgrind to find memory errors.
- No cron jobs.
- Lintian clean. The build produces some warnings, mostly around the casting performed for the builtin language functions, as well as some implicit case/switch fall-through that look to be "clever" programming. (The generated lexer also had one signedness comparison warning)
- Does not spawn processes.
- Memory management is okay. In most cases, allocation wrappers are used that check for failures directly, and reference counting is used for higher level JSON objects.
- As a general purpose command line tool, files are either read from stdin or passed on the command line. It tries to be defensive in its handling of JSON input. It also supports module loading, but this is again specified via command line arguments.
- Error logging is handled through wrapper functions and avoids format string issues.
- jq uses environment variables for module loading paths and for specifying colorized output.
- No use of privileged functions.
- Does not appear to use cryptography / random number sources etc.
- Does not appear to use temp files.
- Does not use networking.
- No use of WebKit.
- No use of PolicyKit.
- Most issues coverity and cppcheck highlighted are either false positives or non-issues that come about from "clever" programming.
- Only shellcheck issues are in build scripts and tests.

Generally, jq is implemented with thought and care. It attempts to be cautious in its handling of input. The only concern that I have about supporting jq is that it is dense and complex code, and for future issues, backporting fixes may be difficult where significant code changes have occurred. The extensive test suite helps mitigate this somewhat.

Security team ACK for promoting jq to main.

** Changed in: jq (Ubuntu) Status: New => In Progress
** Changed in: jq (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1895298] Re: After tnstall the Ubuntu, I must disable the "Secure Boot " & " Fast Boot " in my sys motherboard. Why ?
** Information type changed from Private Security to Public Security
[Bug 1872036] Re: grub-customizer assert failure: grub-customizer: ../../src/xcb_io.c:260: poll_for_event: Předpoklad „!xcb_xlib_threads_sequence_lost“ nesplněn.
** Information type changed from Private to Public
[Bug 1872831] Re: grub-customizer crashed with SIGSEGV in SettingsController::updateTimeoutSettingAction()
** Information type changed from Private to Public
[Bug 1905401] Re: package grub-pc 2.04-1ubuntu26.7 failed to install/upgrade: installed grub-pc package post-installation script subprocess returned error exit status 127
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public
[Bug 1894980] Re: CVE-2020-16120: unprivileged overlayfs permission checking
** Changed in: linux (Ubuntu) Status: Confirmed => Fix Released ** Information type changed from Private Security to Public Security ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-16120
[Bug 1901020] Re: new upstream release 2020d
After confirming the behavior around SystemV timezones and changed timezones, tzdata 2020d-0ubuntu0.12.04 and tzdata 2020d-0ubuntu0.14.04+esm1 are now published in their respective ESM releases. Thanks for preparing the updates, Brian! ** Changed in: tzdata (Ubuntu Precise) Status: In Progress => Fix Released ** Changed in: tzdata (Ubuntu Trusty) Status: In Progress => Fix Released
[Bug 1881447] Re: package ca-certificates 20180409 failed to install/upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 1
Hey Vern, Sorry you were having difficulties. 'sudo apt install -f' should cause apt to attempt to finish installing packages that had problems during the post install phase, where the error that is tripped over (like the dangling symlink in /etc/ssl/certs) has been resolved. ** Changed in: ca-certificates (Ubuntu) Status: New => Incomplete
[Bug 1901020] Re: new upstream release 2020d
Thanks Brian, these look good, will take these into Trusty and Precise ESM. (For the record, I noticed that the 2020d dropped the US/Pacific-New timezone, which was a symlink to the US/Pacific timezone. Testing demonstrated that a system with a configured Pacific-New timezone functioned correctly post package upgrade. See debian bug 815200 for details on why it was dropped.) Also, Ubuntu Security Team ack on publishing the xenial, bionic, focal, and groovy versions to the respective -security pockets for those releases, despite building in -proposed; there are no binaries or dependencies that should cause an issue.
[Bug 1901020] Re: new upstream release 2020d
** Changed in: tzdata (Ubuntu Precise) Status: New => In Progress ** Changed in: tzdata (Ubuntu Trusty) Status: New => In Progress ** Changed in: tzdata (Ubuntu Precise) Assignee: (unassigned) => Steve Beattie (sbeattie) ** Changed in: tzdata (Ubuntu Trusty) Assignee: (unassigned) => Steve Beattie (sbeattie)
[Bug 856489] Re: Improper verification of updated key via apt-key net-update
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3374
[Bug 1864666] Re: [MIR] python-octavia-lib, ovn-octavia-provider
I reviewed python-octavia-lib 2.2.0-0ubuntu1 as checked into groovy. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

python-octavia-lib is a python3 library for developers writing Octavia load balancer provider drivers.

- No CVE history.
- No concerning build or runtime depends.
- Only autogenerated maintainer scripts for removing python compiled bytecode.
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- No binaries in PATH.
- No sudo fragments.
- No polkit files.
- No udev rules.
- Some unit tests, run at build time. No autopkgtests.
- No cron jobs.
- Build log is okay, no lintian warnings or errors.
- No apparent processes spawned.
- Limited file IO. Uses AF_UNIX sockets to communicate with driver agents.
- No apparent logging.
- No apparent environment variable usage.
- No use of privileged functions.
- Cryptography: allows use of SSLv3 for pools and listeners.
- No apparent use of temp files.
- No use of WebKit.
- No use of PolicyKit.
- No Coverity findings.
- No significant bandit results.

Security team ACK for promoting python-octavia-lib to main.

** Tags added: security-review-done
** Changed in: python-octavia-lib (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1889688] Re: [MIR] nvme-cli
I reviewed nvme-cli 1.12-1ubuntu1 as checked into groovy. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

nvme-cli is a set of command line tools for managing NVMe devices.

- No history of CVEs.
- No init scripts
- Four systemd units, that are used to trigger nvme discovery
- No dbus services.
- No setuid binaries.
- Only binary is /usr/sbin/nvme
- No sudo fragments.
- No polkit files.
- Two udev files, for supporting nvme over fiber channel.
- Unit tests are not run at build time, due to needing an nvme device. No autopkgtests.
- No cron jobs.
- No build errors or warnings.
- Processes spawned? The micron and wdc plugins unfortunately both use system(), when collecting log information, but are likely okay as the nvme tool is not setuid.
- Memory management in the core looks reasonable, with lots of uses of asprintf(); the plugins tend to do more strcpy() and sprintf() operations.
- For file I/O, most of the file operations are performed on the nvme devices, and some abstraction is provided for that.
- Most logging is done through stderr, via perror or using strerror(), and looks okay.
- Only one use of environment variables, ok.
- Only privileged function used is ioctl(), and given the purpose of the software, expected.
- No apparent use of cryptography.
- No apparent use of tmpfiles.
- Use of networking is for fabric discovery, looks ok.
- No use of WebKit
- No use of PolicyKit

Coverity did find several issues, including some resource leaks (file descriptors and unfreed memory in some situations); however, a number of issues that Coverity raised were false positives due to its lack of understanding of asprintf(3) semantics, and really, seeing widespread use of asprintf() I consider a positive indicator of quality.

Security team ACK for promoting nvme-cli to main.

** Tags added: security-review-done
** Changed in: nvme-cli (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1899046] Re: /usr/bin/aa-notify:ModuleNotFoundError:/usr/bin/aa-notify@39
That is correct (apparmor-notify package needs an added dependency on python3-psutil). We have an upload in progress to address it. Thanks! ** Changed in: apparmor (Ubuntu) Status: New => In Progress ** Changed in: apparmor (Ubuntu) Importance: Undecided => High
[Bug 1898742] Re: Linux Kernel "ppp_cp_parse_cr()" Denial of Service Vulnerability
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed
[Bug 1896246] Re: Vendor golang-* build dependencies
For the record, the Ubuntu Security team signs off on the plan to vendor the golang dependencies for the google-guest-agent and google-oslogin-agent packages as they go through the MIR process, for the reasons given above. Thanks!
[Bug 1887577] Re: DEP8: Invalid capability setuid
The fix for this is included in the apparmor 3.0.0~beta1-0ubuntu5 upload into groovy-proposed, which is waiting to migrate to groovy. ** Changed in: apparmor (Ubuntu) Status: In Progress => Fix Committed
[Bug 1385013] Re: proper fix for apparmor mediation of lower (encrypted) filesystem
** Changed in: apparmor (Ubuntu) Status: Fix Released => Confirmed ** Changed in: ecryptfs-utils (Ubuntu) Status: Fix Released => Confirmed
[Bug 1882093] Re: CVE-2020-{5963|5967} NVIDIA
Publication to focal-updates for nvidia-driver-440-server 440.95.01-0ubuntu0.20.04.1 and for groovy happened as well, closing tasks. ** Changed in: nvidia-graphics-drivers-440-server (Ubuntu Focal) Status: Fix Committed => Fix Released ** Changed in: nvidia-graphics-drivers-440-server (Ubuntu) Status: New => Fix Released
[Bug 1883793] Re: systemd-resolved leaks mDNS queries to DNS
** Information type changed from Private Security to Public Security
[Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.
Closing ntp task for groovy. ** Changed in: ntp (Ubuntu) Status: New => Invalid ** Changed in: openssl (Ubuntu Bionic) Status: In Progress => Invalid
[Bug 1891361] Re: sshfs crashes entire Ubuntu 20.04.1 LTS system
** Information type changed from Public Security to Public
[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
This was addressed in bionic in https://launchpad.net/ubuntu/+source/ark/4:17.12.3-0ubuntu1.1 and focal in https://launchpad.net/ubuntu/+source/ark/4:19.12.3-0ubuntu1.1, and covered in USN 4461-1. Thanks for preparing the updates and helping to protect users, vishnunaini! ** Changed in: ark (Ubuntu Bionic) Status: New => Fix Released ** Changed in: ark (Ubuntu Focal) Status: Confirmed => Fix Released
[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
** Also affects: ark (Ubuntu Bionic) Importance: Undecided Status: New
[Bug 1890066] Re: package grub-pc-bin 2.04-1ubuntu26.2 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public
[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
vishnunaini, thanks for testing and the pointer to the reproducer. I also went ahead and carried back the patch to bionic's ark as well, and have uploaded it to the same ppa. For xenial, the patch fails to apply because the passed archive entry type is different, and it was not clear to me whether the older version of the type contained an equivalent way to get access to the result of the fullPath() method call.
[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
Thanks for preparing the debdiff and adding the ubuntu-security-sponsors account; I'll be taking a look at this. I've pushed the focal version to the ubuntu security proposed ppa (https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa) after adjusting the version to match the versioning scheme described at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging and tweaking the changelog message. I don't suppose upstream added any tests to verify correct behavior?
[Bug 1889672] Re: KDE Project Security Advisory: Ark: maliciously crafted archive can install files outside the extraction directory.
** Changed in: ark (Ubuntu Focal) Assignee: (unassigned) => Steve Beattie (sbeattie)
[Bug 1887577] Re: DEP8: Invalid capability setuid
This is due to a change in behavior in make 4.3. It was addressed in the upstream merge request https://gitlab.com/apparmor/apparmor/-/merge_requests/461 and was cherrypicked into the apparmor 2.13 branch via merge request https://gitlab.com/apparmor/apparmor/-/merge_requests/465.
[Bug 1888890] [NEW] openscap: xenial version is lower than version published in trusty/esm
Public bug reported:

openscap 1.2.8 was backported to the trusty ESM product to support some of the improvements we are making to our generated OVAL data and consumption on that platform. Unfortunately, the version used in the trusty esm update is 1.2.8-1ubuntu02+esm1 which is greater than the 1.2.8-1ubuntu0.2 version in xenial-security. This means that users upgrading from trusty ESM to xenial will not get the version of openscap in xenial, built with the xenial toolchain, which can lead to problems.

The only way to resolve this is for an update to the xenial package to a version greater than the version in trusty ESM.

** Affects: openscap (Ubuntu) Importance: Undecided Status: Invalid
** Affects: openscap (Ubuntu Xenial) Importance: Undecided Status: Confirmed
** Also affects: openscap (Ubuntu Xenial) Importance: Undecided Status: New
** Changed in: openscap (Ubuntu) Status: New => Invalid
** Changed in: openscap (Ubuntu Xenial) Status: New => Confirmed
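Why the trusty ESM version sorts above the xenial one, as an added example (not code from the bug report or from dpkg): a small Python re-implementation of Debian's version ordering applied to the two versions quoted above. The candidate versions 1.2.8-1ubuntu0.3 and 1.2.8-1ubuntu3 are constructed for illustration and are not taken from the report.

```python
import re


def _order(ch):
    """Character weight used by dpkg: '~' sorts lowest, letters before other symbols."""
    if ch == "~":
        return -1
    if ch.isascii() and ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _compare_fragment(a, b):
    """Compare an upstream or revision string, alternating text and numeric runs."""
    while a or b:
        # 1) leading non-digit run, compared character by character
        na = re.match(r"\D*", a).group()
        nb = re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            wa = _order(na[i]) if i < len(na) else 0  # end of run weighs 0
            wb = _order(nb[i]) if i < len(nb) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        # 2) leading digit run, compared as integers ("02" is 2, not "0" then "2")
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def split_version(version):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch, rest = "0", version
    if ":" in version:
        epoch, rest = version.split(":", 1)
    upstream, revision = rest, ""
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    return int(epoch), upstream, revision


def compare_versions(left, right):
    """Return -1, 0 or 1 as left sorts before, equal to, or after right."""
    le, lu, lr = split_version(left)
    re_, ru, rr = split_version(right)
    if le != re_:
        return -1 if le < re_ else 1
    return _compare_fragment(lu, ru) or _compare_fragment(lr, rr)


if __name__ == "__main__":
    trusty_esm = "1.2.8-1ubuntu02+esm1"   # from the bug report
    xenial = "1.2.8-1ubuntu0.2"           # from the bug report
    print(trusty_esm, "vs", xenial, "->", compare_versions(trusty_esm, xenial))
    # Constructed candidates: the first is still lower, because "02" parses as 2.
    for candidate in ("1.2.8-1ubuntu0.3", "1.2.8-1ubuntu3"):
        print(candidate, "vs", trusty_esm, "->", compare_versions(candidate, trusty_esm))
```

The revision strings diverge at the digit run after "ubuntu": "02" is read as the integer 2 and beats "0", so bumping only the trailing ".2" in the xenial version cannot overtake the ESM package.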
[Bug 1871538] Re: dbus timeout-ed during an upgrade, taking services down including gdm
I also hit this again in focal on 2020-06-25, with an update to systemd 245.4-4ubuntu3.1; I had previously updated dbus to 1.12.16-2ubuntu2.1 on 2020-06-17 without event. It's still an issue at least with updates to systemd in focal.

Similar messages end up in the journal:

Jun 25 13:04:55 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:04:55 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:04:55 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:04:55 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:09 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:09 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:09 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:09 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:09 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:09 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:09 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:09 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:09 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:09 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:10 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:10 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:10 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:10 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:10 kryten dbus-daemon[1541]: Unknown group "power" in message bus configuration file
Jun 25 13:05:10 kryten systemd[1]: Reloading.
Jun 25 13:05:11 kryten systemd[1]: /lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
Jun 25 13:05:11 kryten systemd[1]: /lib/systemd/system/fancontrol.service:11: PIDFile= references a path below legacy directory /var/run/, updating /var/run/fancontrol.pid → /run/fancontrol.pid; please update the unit file accordingly.
Jun 25 13:05:36 kryten systemd[1]: We couldn't coldplug machine-qemu\x2d1\x2dkeybase\x2dbionic\x2damd64.scope, proceeding anyway: Connection timed out
Jun 25 13:05:36 kryten dbus-daemon[1541]: [system] Reloaded configuration
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=rtkit-daemon comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=switcheroo-control comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=polkit comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=colord comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten systemd[1]: NetworkManager.service: Unexpected error response from GetNameOwner(): Connection terminated
Jun 25 13:05:36 kryten ModemManager[1689]: Caught signal, shutting down...
Jun 25 13:05:36 kryten thermald[1605]: [WARN]Terminating ...
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=upower comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten audit[1541]: USER_AVC pid=1541 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_signal" bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="CheckPermissions" name=":1.9" mask="receive" pid=4082 label="bitlbee" pe> exe="/usr/bin/dbus-daemon" sauid=105 hostname=? addr=? terminal=?'
Jun 25 13:05:36 kryten audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=accounts-daemon comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 25 13:05:36 kryten systemd[1]: udisks2.service: Unexpected error response from GetNameOwner(): Connection terminated
Jun 25 13:05:36 kryten bluetoothd[1536]: Terminating
Jun 25 13:05:36 kryten systemd[1]: switcheroo-control.service: Unexpected error response from GetNameOwner(): Connection terminated
Jun 25 13:05:36 kryten avahi-daemon[1535]: Got SIGTERM, quitting.
Jun 25 13:05:36 kryten systemd[1]:
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
** Changed in: openssl (Ubuntu Bionic) Status: New => Confirmed ** Changed in: openssl (Ubuntu) Status: New => In Progress
[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode
** Changed in: nss (Ubuntu) Status: New => In Progress ** Changed in: nss (Ubuntu Bionic) Status: New => In Progress
[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-flo (Ubuntu Xenial) Status: New => Won't Fix ** Changed in: linux-mako (Ubuntu Xenial) Status: New => Won't Fix ** Changed in: linux-flo (Ubuntu) Status: New => Won't Fix ** Changed in: linux-goldfish (Ubuntu) Status: New => Won't Fix ** Changed in: linux-mako (Ubuntu) Status: New => Won't Fix
[Bug 1452115] Re: Python interpreter binary is not compiled as PIE
** Changed in: python3.7 (Ubuntu) Status: New => Confirmed
[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-goldfish (Ubuntu Xenial) Status: New => Won't Fix
[Bug 1705359] Re: The default PAM configuration for kerberos authentication allows unauthenticated SSH access
** Information type changed from Private Security to Public Security
[Bug 1886668] Re: linux 4.15.0-109-generic network DoS regression vs -108
** Information type changed from Private Security to Public Security
[Bug 1882093] Re: CVE-2020-{5963|5967} NVIDIA
** Information type changed from Private Security to Public Security
[Bug 1884887] Re: rsyslogd dmesg unit leaves /var/log/dmesg* world readable
Updated groovy debdiff against the merge from debian currently in groovy-proposed. ** Patch added: "rsyslog_8.2006.0-2ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5388559/+files/rsyslog_8.2006.0-2ubuntu2.debdiff ** Patch removed: "rsyslog_8.2001.0-1ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5386928/+files/rsyslog_8.2001.0-1ubuntu2.debdiff
[Bug 1877027] Re: SNMP stopped running all of sudden (snmpd 5.8+dfsg-2)
FYI, this was assigned CVE-2019-20892. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-20892
[Bug 1884887] Re: rsyslogd dmesg unit leaves /var/log/dmesg* world readable
Fixed debdiff to add the bug reference for groovy. ** Patch removed: "rsyslog_8.2001.0-1ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5386642/+files/rsyslog_8.2001.0-1ubuntu2.debdiff ** Patch added: "rsyslog_8.2001.0-1ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5386928/+files/rsyslog_8.2001.0-1ubuntu2.debdiff
[Bug 1884887] Re: rsyslogd dmesg unit leaves /var/log/dmesg* world readable
Focal version. ** Patch added: "rsyslog_8.2001.0-1ubuntu1.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5386929/+files/rsyslog_8.2001.0-1ubuntu1.1.debdiff
[Bug 1877027] Re: SNMP stopped running all of sudden (snmpd 5.8+dfsg-2)
Andreas, agreed, I think (speaking from the Ubuntu Security Team's perspective), this should go to focal-security.
[Bug 1884887] Re: rsyslogd dmesg unit leaves /var/log/dmesg* world readable
Debdiff for groovy attached:

- adds a second ExecStartPost entry to chmod /var/log/dmesg
- adjusts the savelog(8) call in ExecStartPre to set the permission mode to 640 explicitly when rotating dmesg logs

** Patch added: "rsyslog_8.2001.0-1ubuntu2.debdiff" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1884887/+attachment/5386642/+files/rsyslog_8.2001.0-1ubuntu2.debdiff
[Bug 1884887] [NEW] rsyslogd dmesg unit leaves /var/log/dmesg* world readable
Public bug reported:

[Impact]

The rsyslog dmesg systemd unit /lib/systemd/system/dmesg.service in eoan, focal, and groovy creates /var/log/dmesg* with the following permissions:

-rw-r--r-- 1 root adm 45146 Jun 16 12:32 /var/log/dmesg

Most other system logs in /var/log/ are only readable by root and group adm. While it's true that the kernel dmesg buffer by default can be read by anyone using the dmesg(1) command, this can be disabled by setting the sysctl kernel.dmesg_restrict to 1, but doing so as a hardening measure is thwarted by the world readable nature of /var/log/dmesg.

The reason dmesg output is sensitive is that it sometimes contains kernel addresses for diagnosing kernel problems, but attackers looking to attack a kernel are also interested in kernel addresses and other information that shows up there.

[Test Case]

To reproduce:

$ ls -l /var/log/dmesg*

should show only root and group adm access like so:

-rw-r----- 1 root adm 50178 Jun 23 12:55 /var/log/dmesg
-rw-r----- 1 root adm 50217 Jun 23 12:55 /var/log/dmesg.0
-rw-r----- 1 root adm 13941 Jun 23 12:47 /var/log/dmesg.1.gz

and not world readable:

-rw-r--r-- 1 root adm 45146 Jun 16 12:32 /var/log/dmesg

[Regression Potential]

It's possible tools like apport and others might expect /var/log/dmesg to be world-readable.

** Affects: rsyslog (Ubuntu) Importance: Undecided Status: New
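The [Test Case] above as a repeatable check, added here as an example (not part of the bug report or of the rsyslog package): it flags any dmesg* file carrying permission bits outside 0640 and relates the result to kernel.dmesg_restrict. The function names, the verdict strings and the sample directory are constructed for illustration.

```python
import os
import stat
import sys
import tempfile

ALLOWED_BITS = 0o640  # mode the report expects: rw for root, r for group adm


def audit_dmesg_logs(log_dir="/var/log", prefix="dmesg"):
    """Return [(path, mode)] for dmesg* files carrying bits outside 0640."""
    findings = []
    for name in sorted(os.listdir(log_dir)):
        if not name.startswith(prefix):
            continue
        path = os.path.join(log_dir, name)
        st = os.lstat(path)  # lstat: judge the entry itself, not a symlink target
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~ALLOWED_BITS:
            findings.append((path, mode))
    return findings


def dmesg_restrict(sysctl_file="/proc/sys/kernel/dmesg_restrict"):
    """Return True/False for kernel.dmesg_restrict, or None if it cannot be read."""
    try:
        with open(sysctl_file) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def assess(findings, restricted):
    """Constructed verdicts: 'ok', 'bypass' (sysctl set, file still readable), 'exposed'."""
    if not findings:
        return "ok"
    return "bypass" if restricted else "exposed"


def make_constructed_log_dir(base):
    """Populate base with a constructed /var/log look-alike for offline runs."""
    layout = {"dmesg": 0o644, "dmesg.0": 0o640, "dmesg.1.gz": 0o640, "syslog": 0o640}
    for name, mode in layout.items():
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    return base


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = audit_dmesg_logs(sys.argv[1])
        verdict = assess(found, dmesg_restrict())
    else:
        with tempfile.TemporaryDirectory() as tmp:
            found = audit_dmesg_logs(make_constructed_log_dir(tmp))
            verdict = assess(found, True)
    for path, mode in found:
        print(f"{path}: mode {mode:04o} exceeds 0640")
    print("verdict:", verdict)
```

Run it with `/var/log` as the argument after a reboot and again after a log rotation, since the rotated copies are created by savelog rather than by the chmod in the unit.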
[Bug 1811861] Re: incorrect permissions on /var/log after debootstrap
Thanks for clarifying, closing. ** Changed in: rsyslog (Ubuntu) Status: New => Invalid
[Bug 1881942] Re: default configuration forwards sshd failures to port 7070
Hi John, I'm not sure what's happened here, but the default /etc/rsyslog.d/50-default.conf contains no such snippet (a pristine copy is also stored in /usr/share/rsyslog/50-default.conf) and is managed via ucf. The contents of a pristine version are attached. Either another package you have installed has modified this config file (and looking at the failban package and postinstall script, I don't see anything there that would add anything like that). Doing a limited Google search on the comment string "# Transform and forward data" turned up this recipe: https://devconnected.com/geolocating-ssh-hackers-in-real-time/ ; is it possible that this was added as part of a recipe you were following? Thanks. ** Attachment added: "50-default.conf" https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1881942/+attachment/5386636/+files/50-default.conf ** Changed in: rsyslog (Ubuntu) Status: New => Incomplete
[Bug 1880663] Re: Dell Latitude 7300, sig=0x806eb/20200609, sometimes stuck at purple screen after grub and fails to boot up
Acelan, did this system also fail with the 20191115 microcode, revision 0x00ca?
[Bug 1883002] Re: Dell Latitude 7300, i7-8665U, sig=0x806ec/20200609: hangs on Whiskey Lake
Andrea, thanks again for the report and the testing you've done, and again, sorry you are having this issue. I have filed https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35 specifically for this issue with sig=0x806ea revision=0xd6. ** Bug watch added: github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues #35 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35 ** Bug watch removed: github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues #24 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
[Bug 1742903] Re: Microcode updates require a reboot to apply, but package postinst doesn't touch /run/reboot-required
The needrestart package has some sophisticated logic to detect whether the system needs to be booted to get an updated microcode applied (needrestart -w is how it can be invoked directly to report on microcode status). The needrestart package is a bit much to be included as a dependency or even a recommends for the intel-microcode package, but re-using some of the logic might be appropriate.
[Bug 1608933] Re: intel-microcode updates fail to install when running from live (read-only /boot) media
** Summary changed: - package intel-microcode 3.20151106.1 failed to install/upgrade: subprocess installed post-removal script returned error exit status 1 + intel-microcode updates fail to install when running from live (read-only /boot) media
[Bug 1854764] Re: Dell 5280 (id=0x00050654/06-55-04) hangs on warm reboot after upgrading intel-microcode package
** Summary changed: - Dell 5280 hangs on warm reboot after upgrading intel-microcode package + Dell 5280 (id=0x00050654/06-55-04) hangs on warm reboot after upgrading intel-microcode package
[Bug 1883598] Re: efi: Restrict efivar_ssdt_load when the kernel is locked down
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed
[Bug 1883595] Re: fwupd-signed needs to be updated in sync with fwupd security update
** Changed in: fwupd-signed (Ubuntu Bionic) Status: Confirmed => Fix Released
[Bug 1883598] Re: efi: Restrict efivar_ssdt_load when the kernel is locked down
** Description changed: Upstream git commit 1957a85b0032 needs to be backported to older releases: efi: Restrict efivar_ssdt_load when the kernel is locked down efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down. + + Code introduced in 475fb4e8b2fd1d7b406ff3a7d21bc89a1e6f + + break-fix: 475fb4e8b2fd1d7b406ff3a7d21bc89a1e6f + 1957a85b0032a81e6482ca4aab883643b8dae06e
[Bug 1883598] [NEW] efi: Restrict efivar_ssdt_load when the kernel is locked down
*** This bug is a security vulnerability *** Public security bug reported: Upstream git commit 1957a85b0032 needs to be backported to older releases: efi: Restrict efivar_ssdt_load when the kernel is locked down efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down. Code introduced in 475fb4e8b2fd1d7b406ff3a7d21bc89a1e6f break-fix: 475fb4e8b2fd1d7b406ff3a7d21bc89a1e6f 1957a85b0032a81e6482ca4aab883643b8dae06e ** Affects: linux (Ubuntu) Importance: Undecided Status: New ** Description changed: Upstream git commit 1957a85b0032 needs to be backported to older releases: - efi: Restrict efivar_ssdt_load when the kernel is locked down + efi: Restrict efivar_ssdt_load when the kernel is locked down - efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an - EFI variable, which gives arbitrary code execution in ring 0. Prevent - that when the kernel is locked down. + efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an + EFI variable, which gives arbitrary code execution in ring 0. Prevent + that when the kernel is locked down.
[Bug 1883595] [NEW] fwupd-signed needs to be updated in sync with fwupd security update
Public bug reported: A security update was issued for fwupd (https://usn.ubuntu.com/4395-1/) in bionic, eoan, and focal; however fwupd-signed needs to be updated at the same time. ** Affects: fwupd-signed (Ubuntu) Importance: Undecided Status: Invalid ** Affects: fwupd-signed (Ubuntu Bionic) Importance: Undecided Status: New ** Affects: fwupd-signed (Ubuntu Eoan) Importance: Undecided Status: New ** Affects: fwupd-signed (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: fwupd-signed (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: fwupd-signed (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: fwupd-signed (Ubuntu Eoan) Importance: Undecided Status: New ** Changed in: fwupd-signed (Ubuntu) Status: New => Invalid ** Description changed: - A security update was issued for fwupd (https://usn.ubuntu.com/4395-1/); - however fwupd-signed needs to be updated at the same time. + A security update was issued for fwupd (https://usn.ubuntu.com/4395-1/) + in bionic, eoan, and focal; however fwupd-signed needs to be updated at + the same time.
[Bug 1880663] Re: Dell Latitude 7300 ( cpu id 0x806eb) sometimes stuck at purple screen after grub and fails to boot up
** Summary changed: - Dell Latitude 7300 sometimes stuck at purple screen after grub and fails to boot up + Dell Latitude 7300 ( cpu id 0x806eb) sometimes stuck at purple screen after grub and fails to boot up
[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake
Thanks for testing! The issue you are seeing looks very similar to https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24 except that in that report, version 0xca was also problematic. ** Bug watch added: github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues #24 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
[Bug 1862751] Re: Hard lockups using microcode releases 20191115 on Intel Whiskey Lake
Hi You-Sheng Yang, are you still seeing this issue after the release of the 20200609 microcode update? Particularly after a warm reboot? Bug 1883002 looks to be the same processor id and reports similar instability with the 20200609 microcode, particularly after a warm reboot. Thanks.
[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake
** Changed in: intel-microcode (Ubuntu) Status: Fix Released => Confirmed
[Bug 1882943] Re: Boot freezes silently after 'intel-microcode' upgrade
Thanks for testing and sorry you're experiencing this. Can you confirm that the output of 'iucode-tool -Sv' contains:

  iucode-tool: system has processor(s) with signature 0x000906ed

Output of lscpu would be useful too, along with ensuring you have the latest BIOS installed from Dell. Raising the issue at https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/ will get the problem you are having more of a chance to get on Intel's radar. Thanks again.
[Bug 1862938] Re: Enable late loading of microcode by default
The version in eoan was superseded by the 20200609 release. In focal and groovy, this change was reverted in 3.20200609.0ubuntu0.20.04.2 because the tmpfiles.d approach, in addition to attempting to late load early in the boot process, also caused late loading to trigger during package installation. Enabling late loading by default also makes it more difficult to recover from a problematic microcode update; attempting to boot an earlier kernel/initramfs with a known-good microcode to recover will be thwarted by the late loaded problematic microcode.
[Bug 1883016] Re: revert tmpfiles.d loading of microcode
This was fixed in 3.20200609.0ubuntu0.20.04.2 in focal and groovy (thanks for the forward copy!). The eoan patch to add tmpfiles.d late loading never made it out of eoan-proposed. Closing all tasks. Thanks! ** Changed in: intel-microcode (Ubuntu Focal) Status: In Progress => Fix Released ** Changed in: intel-microcode (Ubuntu Groovy) Status: In Progress => Fix Released ** Changed in: intel-microcode (Ubuntu Eoan) Status: In Progress => Invalid
[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake
** Changed in: intel-microcode (Ubuntu) Status: Fix Released => Incomplete
[Bug 1882943] Re: Boot freezes silently after 'intel-microcode' upgrade
This is on Ubuntu 20.04 LTS/focal, correct? If so, this is either exacerbated or triggered entirely because focal's intel-microcode package enabled late loading of microcode (known to be risky) that would get triggered while updating the intel-microcode package itself; see LP: #1883002. Even worse, it would get triggered even if you booted with an earlier

A regression update for focal's intel-microcode package (3.20200609.0ubuntu0.20.04.2) has been published, https://usn.ubuntu.com/4385-2. Can you test with that version to see if your processor still has problems with the updated 3.20200609.0ubuntu0.20.04.2 version?
[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake
Henrique, I didn't realize until today that the systemd tmpfiles.d would also get triggered as part of the intel-microcode postinst in addition to very early in the boot process. I have reverted it for focal (and eventually groovy) because of the increased risk of instability and the greater difficulty that it adds to recovery from a bad microcode update; booting an earlier kernel/initramfs combination with an older microcode embedded would still get the new bad microcode loaded via the tmpfiles.d snippet. I used this bug report as a reference for the upload, but re-opened the issue as it's not clear whether an early-loaded microcode is a problem for the reporter.
[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake
For others hitting this issue, add the 'dis_ucode_ldr' kernel boot option in grub before booting to disable microcode loading.
[Bug 1883002] Re: intel-ucode 20200609: hangs on Whiskey Lake
Henrique, I think that's a consequence of the change in focal's intel-microcode to add a tmpfiles.d snippet to do late loading of microcode (LP: #1862938); the intel-microcode postinst generated ends up calling 'systemd-tmpfiles --create' on the added microcode conf file, causing it to be triggered immediately.
[Bug 1882890] Re: intel-ucode/06-4e-03 from release 20200609 hangs system in early boot
** Also affects: intel-microcode (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: intel-microcode (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: intel-microcode (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: intel-microcode (Ubuntu Eoan) Importance: Undecided Status: New ** Changed in: intel-microcode (Ubuntu Bionic) Status: New => Confirmed ** Changed in: intel-microcode (Ubuntu Xenial) Status: New => Confirmed ** Changed in: intel-microcode (Ubuntu Eoan) Status: New => Confirmed ** Changed in: intel-microcode (Ubuntu Focal) Status: New => Confirmed
[Bug 1882914] Re: Thinkpad T460S won't boot with latest intel-microcode update
*** This bug is a duplicate of bug 1882890 *** https://bugs.launchpad.net/bugs/1882890 Great, thank you, appreciated. And yes, I'll mark this as a duplicate of the other. ** This bug has been marked a duplicate of bug 1882890 intel-ucode/06-4e-03 from release 20200609 hangs system in early boot
[Bug 1882914] Re: Thinkpad T460S won't boot with latest intel-microcode update
Thanks! I have packages that revert the problematic microcode back to the version included in the microcode updates from 20191115 available for testing in https://launchpad.net/~sbeattie/+archive/ubuntu/lp1882890/ ; can you confirm that, after installing them from that ppa, you can successfully reboot your system?
[Bug 1882890] Re: intel-ucode/06-4e-03 from release 20200609 hangs system in early boot
Rodman: no, that's an older issue affecting a different processor family. This issue is specifically affecting processors with id 0x406e3; if the output of dmesg | grep microcode does not contain "sig=0x406e3" then you have a different issue, and should open a new bug report. I am working on reverting the 0xdc version of the microcode for the 0x406e3 family back to the 0xd6 version included in the 20191115 microcode update. Test packages should show up soon in https://launchpad.net/~sbeattie/+archive/ubuntu/lp1882890/ ; I would appreciate confirmation that those packages do allow affected systems to boot successfully. Thanks, and sorry for the problems people are having.
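The `dmesg | grep microcode` check requested in the message above, scripted as an added example that is not part of the original thread. The function names, verdict strings and sample log lines are constructed for illustration; the signature and revision values are the ones quoted in the thread.

```shell
#!/bin/sh
# Values taken from the bug thread: the affected processor signature, the
# microcode revision being reverted, and the revision it is reverted to.
AFFECTED_SIG=0x406e3
BAD_REV=0xdc
GOOD_REV=0xd6

# Read kernel log text on stdin and print "<sig> <revision>" taken from the
# first "microcode: ... sig=..., pf=..., revision=..." line. Older kernels
# print one such line per CPU ("CPU0 sig=..."); the first one is enough.
ucode_sig_rev() {
    sed -n 's/.*microcode:.*sig=\(0x[0-9a-fA-F][0-9a-fA-F]*\),.*revision=\(0x[0-9a-fA-F][0-9a-fA-F]*\).*/\1 \2/p' |
        head -n 1
}

# Read kernel log text on stdin and print one verdict word:
#   affected         sig 0x406e3 running the 0xdc revision
#   reverted         sig 0x406e3 running the 0xd6 revision
#   affected-family  sig 0x406e3 running some other revision
#   different-issue  another signature: not this bug, file a new report
#   no-sig-line      no "sig=" line in the input at all
ucode_triage() {
    pair=$(ucode_sig_rev)
    if [ -z "$pair" ]; then
        echo "no-sig-line"
        return 0
    fi
    sig=${pair% *}
    rev=${pair#* }
    # Compare as numbers so that 0x000406E3 and 0x406e3 are treated alike.
    if [ $(($sig)) -ne $(($AFFECTED_SIG)) ]; then
        echo "different-issue"
    elif [ $(($rev)) -eq $(($BAD_REV)) ]; then
        echo "affected"
    elif [ $(($rev)) -eq $(($GOOD_REV)) ]; then
        echo "reverted"
    else
        echo "affected-family"
    fi
}

# Constructed sample input (timestamps and date are made up).
SAMPLE_DMESG='[    0.000000] microcode: microcode updated early to revision 0xdc, date = 2020-04-27
[    1.034211] microcode: sig=0x406e3, pf=0x80, revision=0xdc
[    1.034305] microcode: Microcode Update Driver: v2.2.'

printf '%s\n' "$SAMPLE_DMESG" | ucode_triage
```

On a live system the input would be `dmesg | grep microcode | ucode_triage`, run as a user who is allowed to read the kernel log.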
[Bug 1882890] Re: intel-ucode/06-4e-03 from release 20200609 hangs system in early boot
Philipp Classen: indeed, a full /boot/ will cause problems on upgrade that can result in failure to boot, unrelated to microcode issues. With that corrected, are you still having an issue? And again, can you confirm that dmesg | grep microcode contains "sig=0x406e3"? ** Changed in: intel-microcode (Ubuntu) Assignee: (unassigned) => Steve Beattie (sbeattie) ** Changed in: intel-microcode (Ubuntu) Importance: Undecided => Critical
[Bug 1882914] Re: Thinkpad T460S won't boot with latest intel-microcode update
Sorry, second line would contain the 'sig=' entry that identifies the processor family.
[Bug 1882914] Re: Thinkpad T460S won't boot with latest intel-microcode update
Hi, can you please include the output of dmesg | grep microcode and confirm that the first line contains "sig=0x406e3"? If so, this is likely a duplicate of bug 1882890.
[Bug 1882943] Re: Boot freezes silently after 'intel-microcode' upgrade
Can you please post the output of: dmesg | grep microcode thanks
[Bug 1879340] Re: test_072_strict_devmem from ubuntu_qrt_kernel_security failed to build on F-OEM-5.6
This issue ultimately has the same root cause as LP: #1880659, namely that in the 5.6 development cycle, the proc_fs infrastructure was modified to not use the generic file_operations struct and instead use a simplified procfs_ops struct (see d56c0d45f0e27 'proc: decouple proc from VFS with "struct proc_ops"'), which is why this test is failing. This has been fixed in the qa-regression-testing tree in https://git.launchpad.net/qa-regression-testing/commit/?id=f815e50b3ffd0cacdca98dee62d324ff1488bcb3 Thanks. ** Changed in: qa-regression-testing Status: New => Fix Released ** Changed in: linux-oem-5.6 (Ubuntu) Status: New => Invalid
[Bug 1880659] Re: test_120_smep_works from ubuntu_qrt_kernel_security fail on F-OEM-5.6
In the 5.6 development cycle, the proc_fs infrastructure was modified to not use the generic file_operations struct and instead use a simplified procfs_ops struct (see d56c0d45f0e27 'proc: decouple proc from VFS with "struct proc_ops"'), which is why this test is failing. I've fixed this in QRT with some compatibility definitions in https://git.launchpad.net/qa-regression-testing/commit/?id=f815e50b3ffd0cacdca98dee62d324ff1488bcb3 ** Changed in: qa-regression-testing Status: New => Fix Released ** Changed in: linux-signed-oem-5.6 (Ubuntu) Status: New => Invalid ** Package changed: linux-signed-oem-5.6 (Ubuntu) => linux-oem-5.6 (Ubuntu)
[Bug 1851682] Re: oscap is broken in ubuntu 19.10
** Also affects: openscap (Ubuntu Groovy) Importance: Low Status: Confirmed
[Bug 1880360] Re: package linux-modules-extra-5.4.0-31-generic 5.4.0-31.35 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting a removal
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public
[Bug 1878654] Re: Remove automatically added groups from os-login
Thanks, David, for the feedback, marking all versions as verification-done. ** Tags added: verification-done-bionic verification-done-eoan verification-done-focal verification-done-xenial
[Bug 1878499] Re: MY_MIRROR env could be better documented
How is one supposed to know about this environment variable?

  $ man ubuntu-security-status
  No manual entry for ubuntu-security-status
  $ ubuntu-security-status --help
  usage: ubuntu-security-status [-h] [--thirdparty] [--unavailable]

  Return information about security support for packages

  optional arguments:
    -h, --help     show this help message and exit
    --thirdparty
    --unavailable

Furthermore, the prior tool, ubuntu-support-status, did not need this magic under-documented environment variable to work:

  $ lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 18.04.4 LTS
  Release:        18.04
  Codename:       bionic
  $ ubuntu-support-status
  Support status summary of 'HOSTNAME':

  You have 544 packages (14.4%) supported until April 2021 (Community - 3y)
  You have 2274 packages (60.3%) supported until April 2023 (Canonical - 5y)
  You have 3 packages (0.1%) supported until April 2021 (Canonical - 3y)

  You have 72 packages (1.9%) that can not/no-longer be downloaded
  You have 876 packages (23.2%) that are unsupported

  Your Hardware Enablement Stack (HWE) is supported until April 2023.

  Run with --show-unsupported, --show-supported or --show-all to see more details

Why can't ubuntu-security-status work out which Packages files have a hash chain of trust that goes back to the ubuntu archive signing key, and then determine security support status based on that?
[Bug 1878654] Re: Remove automatically added groups from os-login
Because these packages may end up getting copied to the security pockets, these have been built in the ubuntu-security-proposed ppa: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/

Direct links to the packages are

  focal: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+sourcepub/11292227/+listing-archive-extra
  eoan: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+sourcepub/11292236/+listing-archive-extra
  bionic: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+sourcepub/11292244/+listing-archive-extra
  xenial: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+sourcepub/11292249/+listing-archive-extra
[Bug 1879339] Re: test_310_config_security_perf_events_restrict / test_400_refcount_config in ubuntu_qrt_kernel_security failed on F-OEM-5.6
** Changed in: qa-regression-testing Status: Confirmed => Fix Released
[Bug 1879339] Re: test_310_config_security_perf_events_restrict / test_400_refcount_config in ubuntu_qrt_kernel_security failed on F-OEM-5.6
The test_400_refcount_config failure has been addressed in qa-regression-testing commit https://git.launchpad.net/qa-regression-testing/commit/?id=480aaab47c0e7e11ab5bad5b56f61742ac8fdf9e Thanks.
[Bug 1878108] Re: new upstream release 2020a
Ubuntu Security team ack for binary copying these into the security pockets as well. Thanks!
[Bug 1879339] Re: test_310_config_security_perf_events_restrict / test_400_refcount_config in ubuntu_qrt_kernel_security failed on F-OEM-5.6
For the test_310_config_security_perf_events_restrict -- missing SECURITY_PERF_EVENTS_RESTRICT option; it appears the linux-oem-5.6 kernel is missing the following Ubuntu SAUCE patch:

  commit 4e6246de75c468397327fa741b380c926020c81f
  Author: Ben Hutchings
  Date: Tue Aug 16 10:27:00 2016 -0600

  UBUNTU: SAUCE: security,perf: Allow further restriction of perf_event_open

For the test_400_refcount_config test, the ARCH_HAS_REFCOUNT and REFCOUNT_FULL config options were removed upstream in the 5.5 kernel cycle. I'm working on a patch to qrt to address this. Thanks. ** Changed in: qa-regression-testing Status: New => Confirmed ** Changed in: linux-oem-5.6 (Ubuntu) Status: New => Confirmed
[Bug 1878654] Re: Remove automatically added groups from os-login
** Description changed: - Incorporate upstream commits: + [Impact] - https://github.com/GoogleCloudPlatform/guest- + The google_oslogin_control script included in the google-compute-engine- + oslogin binary package adds every new user to several + unnecessary/unexpected groups. Upstream recommends disabling this + behavior. + + [Test Case] + + Examine the /usr/bin/google_oslogin_control and ensure that the variable + assignment for + + group_conf_entry + + in the modify_group_conf() function does not contain any of the following groups: + + dip, plugdev, adm, docker, lxd + + [Regression Potential] + + Implemented incorrectly, this could break group setup for users on new + gce instances. Users may also have to alter configuration management + tools that expect users to already have access to e.g. the docker or lxd + group by default. + + [References] + + Upstream commits: + + https://github.com/GoogleCloudPlatform/guest- oslogin/commit/50b0fb7b5804c22ef9581e7dc91875801dfa5469 - https://github.com/GoogleCloudPlatform/guest- + https://github.com/GoogleCloudPlatform/guest- oslogin/commit/88f1ba85e20b3b3a07bfad2eeb723a6b06e41fc8 ** Also affects: gce-compute-image-packages (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: gce-compute-image-packages (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: gce-compute-image-packages (Ubuntu Eoan) Importance: Undecided Status: New ** Also affects: gce-compute-image-packages (Ubuntu Groovy) Importance: Undecided Assignee: Steve Beattie (sbeattie) Status: New ** Also affects: gce-compute-image-packages (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: gce-compute-image-packages (Ubuntu Xenial) Assignee: (unassigned) => Steve Beattie (sbeattie) ** Changed in: gce-compute-image-packages (Ubuntu Bionic) Assignee: (unassigned) => Steve Beattie (sbeattie) ** Changed in: gce-compute-image-packages (Ubuntu Eoan) Assignee: (unassigned) => Steve Beattie (sbeattie) ** Changed in: 
gce-compute-image-packages (Ubuntu Focal) Assignee: (unassigned) => Steve Beattie (sbeattie) ** Description changed: [Impact] The google_oslogin_control script included in the google-compute-engine- oslogin binary package adds every new user to several unnecessary/unexpected groups. Upstream recommends disabling this behavior. [Test Case] Examine the /usr/bin/google_oslogin_control and ensure that the variable assignment for - group_conf_entry - - in the modify_group_conf() function does not contain any of the following groups: + group_conf_entry - dip, plugdev, adm, docker, lxd + in the modify_group_conf() function does not contain any of the + following groups: + + dip, plugdev, adm, docker, lxd [Regression Potential] Implemented incorrectly, this could break group setup for users on new gce instances. Users may also have to alter configuration management tools that expect users to already have access to e.g. the docker or lxd group by default. [References] - Upstream commits: + Upstream PR and commits: + + https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 https://github.com/GoogleCloudPlatform/guest- oslogin/commit/50b0fb7b5804c22ef9581e7dc91875801dfa5469 https://github.com/GoogleCloudPlatform/guest- oslogin/commit/88f1ba85e20b3b3a07bfad2eeb723a6b06e41fc8 ** Description changed: [Impact] The google_oslogin_control script included in the google-compute-engine- oslogin binary package adds every new user to several unnecessary/unexpected groups. Upstream recommends disabling this behavior. [Test Case] Examine the /usr/bin/google_oslogin_control and ensure that the variable assignment for group_conf_entry in the modify_group_conf() function does not contain any of the following groups: dip, plugdev, adm, docker, lxd [Regression Potential] Implemented incorrectly, this could break group setup for users on new gce instances. Users may also have to alter configuration management tools that expect users to already have access to e.g. 
the docker or lxd group by default. [References] Upstream PR and commits: - https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 + https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 https://github.com/GoogleCloudPlatform/guest- oslogin/commit/50b0fb7b5804c22ef9581e7dc91875801dfa5469 + https://github.com/GoogleCloudPlatform/guest-oslogin/pull/30 + https://github.com/GoogleCloudPlatform/guest- oslogin/commit/88f1ba85e20b3b3a07bfad2eeb723a6b06e41fc8
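A scripted form of the [Test Case] in the description above, as an added example that is not part of the bug report or of google_oslogin_control itself. The function names are hypothetical, and the scripts written by make_sample are constructed stand-ins whose `sshd;*;*;Al0000-2400;...` entry layout is an assumption.

```shell
#!/bin/sh
# Groups the bug's [Test Case] says must not appear in group_conf_entry.
FORBIDDEN_GROUPS="dip plugdev adm docker lxd"

# Print the first group_conf_entry assignment found inside the body of
# modify_group_conf() in the script given as $1 (nothing if there is none).
oslogin_group_entry() {
    sed -n '/modify_group_conf[ ]*()/,/^}/p' "$1" |
        grep 'group_conf_entry=' | head -n 1
}

# Print the forbidden groups present in that assignment, in the order of
# FORBIDDEN_GROUPS. Exit status: 0 = none present (test case passes),
# 1 = at least one present, 2 = no assignment found.
oslogin_extra_groups() {
    entry=$(oslogin_group_entry "$1")
    if [ -z "$entry" ]; then
        echo "no-entry"
        return 2
    fi
    # Split the assigned value into one token per line on every separator
    # (quotes, ';', ',', '*', spaces) so that each group name is matched
    # as a whole word and "admins" is not mistaken for "adm".
    tokens=$(printf '%s\n' "${entry#*=}" | tr -cs 'A-Za-z0-9_-' '\n')
    found=""
    for g in $FORBIDDEN_GROUPS; do
        if printf '%s\n' "$tokens" | grep -qx "$g"; then
            found="${found:+$found }$g"
        fi
    done
    printf '%s\n' "$found"
    [ -z "$found" ]
}

# Write a constructed stand-in for /usr/bin/google_oslogin_control to $1,
# using $2 as the comma-separated group list (assumed layout, see lead-in).
make_sample() {
    cat > "$1" <<EOF
#!/bin/bash
# Constructed sample, not the real google_oslogin_control.
modify_group_conf() {
  # docker is mentioned in this comment only and must not be counted
  local group_conf_entry="sshd;*;*;Al0000-2400;$2"
  printf '%s\n' "\$group_conf_entry"
}
EOF
}

# Demo on two constructed samples: the old group list and the trimmed one.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/before" "adm,dip,docker,lxd,plugdev,video"
make_sample "$demo_dir/after" "video"
echo "before: $(oslogin_extra_groups "$demo_dir/before" || true)"
echo "after:  $(oslogin_extra_groups "$demo_dir/after" || true)"
rm -rf "$demo_dir"
```

On an installed system the check is `oslogin_extra_groups /usr/bin/google_oslogin_control`; empty output and exit status 0 mean the test case passes.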
[Bug 1878654] [NEW] Remove automatically added groups from os-login
Public bug reported:
Incorporate upstream commits:
https://github.com/GoogleCloudPlatform/guest-oslogin/commit/50b0fb7b5804c22ef9581e7dc91875801dfa5469
https://github.com/GoogleCloudPlatform/guest-oslogin/commit/88f1ba85e20b3b3a07bfad2eeb723a6b06e41fc8
** Affects: gce-compute-image-packages (Ubuntu)
   Importance: Undecided
   Assignee: Steve Beattie (sbeattie)
   Status: New
** Changed in: gce-compute-image-packages (Ubuntu)
   Assignee: (unassigned) => Steve Beattie (sbeattie)
[Bug 1876697] Re: test_regression_testsuite from ubuntu_qrt_apparmor failed on Focal zVM
All that about CONFIG_RT_GROUP_SCHED seems sensible, but then I am confused as to why it is only showing up in s390x environments. The test is trying to exercise CAP_SYS_NICE, and doing so by calling setpriority(PRIO_PROCESS, 0, -5). Does the test need to be put into a cgroup with rt allocations if CONFIG_RT_GROUP_SCHED is set?
[Bug 1876697] Re: test_regression_testsuite from ubuntu_qrt_apparmor failed on Focal zVM
I have seen a similar failure with that specific test when running the tests under virtualbox on x86, though I have not tried it in several years. If this is the expected behavior going forward on s390s, we can address it in qa-regression-testing. Thanks.
[Bug 1865519] Re: apparmor depends on python3
An initial port of aa-status to C landed in https://gitlab.com/apparmor/apparmor/-/commit/8f9046b1b179190d0003ae1beacf460ee93c5090 and will be in the upcoming AppArmor 3 release. There is a follow up improvement in https://gitlab.com/apparmor/apparmor/-/merge_requests/487 that should also land.
** Also affects: apparmor
   Importance: Undecided
   Status: New
** Changed in: apparmor (Ubuntu)
   Status: New => Fix Committed
** Changed in: apparmor (Ubuntu)
   Status: Fix Committed => Confirmed
** Changed in: apparmor
   Status: New => Fix Committed