Re: [integer-Ticket #81335] Log4J security vulnerability

2021-12-18 Thread Jeffrey Walton
On Sat, Dec 18, 2021 at 3:50 PM Christian Ehrhardt <
christian.ehrha...@canonical.com> wrote:

>
> On Tue, Dec 14, 2021 at 10:17 PM integer GmbH 
> wrote:
>
>> Hello Ubuntu-Team,
>> can you please tell me if the following software is affected by the Log4J
>> exploit?
>>
>
> *disclaimer: I'm not from the security team and this is not a definitive
> or formal answer*
>
> In general for CVEs you'd want to check the https://ubuntu.com/security
> entry for it.
> It will mention its status, affected packages and link to further
> resources one should know about.
> In this case the links to USN and the wiki page are very helpful as well.
>
> In this case that is at: https://ubuntu.com/security/CVE-2021-44228
>

Related, it looks like CVE-2021-45046 against log4j2 v2.15 applies as well.
It can result in a Remote Code Execution (RCE) under certain circumstances.
Also see https://www.openwall.com/lists/oss-security/2021/12/18/1.

Jeff
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Ubuntu 21.10 gdal python3

2021-12-18 Thread Terrance McMinn

Hello

I seem to have an underlying issue with libgdal28:

I have installed gdal-bin gdal-data python3-gdal.

In a bash terminal:

python3 /usr/share/doc/python3-gdal/examples/assemblepoly.py
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/osgeo/__init__.py", line 18, in swig_import_helper
    return importlib.import_module(mname)
  File "/usr/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "", line 1030, in _gcd_import
  File "", line 1007, in _find_and_load
  File "", line 986, in _find_and_load_unlocked
  File "", line 666, in _load_unlocked
  File "", line 565, in module_from_spec
  File "", line 1173, in create_module
  File "", line 228, in _call_with_frames_removed
ImportError: /lib/libgdal.so.28: undefined symbol: TIFFGetStrileByteCount, version LIBTIFF_4.0

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/doc/python3-gdal/examples/assemblepoly.py", line 33, in
    from osgeo import ogr
  File "/usr/lib/python3/dist-packages/osgeo/__init__.py", line 32, in
    _gdal = swig_import_helper()
  File "/usr/lib/python3/dist-packages/osgeo/__init__.py", line 31, in swig_import_helper
    return importlib.import_module('_gdal')
  File "/usr/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
ModuleNotFoundError: No module named '_gdal'

This same error prevents me from installing qgis, as qgis-providers requires
libqgis28


ls -lai /usr/lib/libgdal*
7999020 lrwxrwxrwx 1 root root   17 Sep  9 19:03 /usr/lib/libgdal.so.28 -> libgdal.so.28.0.2
7999019 -rw-r--r-- 1 root root 21914864 Sep  9 19:03 /usr/lib/libgdal.so.28.0.2


Any suggestions on fixes?

--
Kind Regards
*Terrance McMinn*


Re: [integer-Ticket #81335] Log4J security vulnerability

2021-12-18 Thread Christian Ehrhardt
On Tue, Dec 14, 2021 at 10:17 PM integer GmbH  wrote:

> Hello Ubuntu-Team,
> can you please tell me if the following software is affected by the Log4J
> exploit?
>

*disclaimer: I'm not from the security team and this is not a definitive or
formal answer*

Hi,
In general for CVEs you'd want to check the https://ubuntu.com/security
entry for it.
It will mention its status, affected packages and link to further
resources one should know about.
In this case the links to USN and the wiki page are very helpful as well.

In this case that is at: https://ubuntu.com/security/CVE-2021-44228

The TL;DR could be, you do not list the affected package "apache-log4j1.2",
so not affected.
But TBH your customer's website clearly runs apache2 + php which isn't
listed here.
Might there also be some java or any other solution (like an appliance
which sometimes aren't transparent what they use internally) that uses
log4j2, no one here would know.

> python3.8
> python3.8-minimal
> python3-appdirs
> python3-apt
> python3-certifi
> python3-chardet
> python3-crypto
> python3-dbus
> python3-distlib
> python3-distro
> python3-distro-info
> python3-distupgrade
> python3-distutils
> python3-dnspython
> python3-filelock
> python3-gi
> python3-gpg
> python3-idna
> python3-importlib-metadata
> python3-ldb
> python3-lib2to3
> python3-markdown
> python3-minimal
> python3-more-itertools
> python3-netifaces
> python3-packaging
> python3-pkg-resources
> python3-pygments
> python3-pyparsing
> python3-requests
> python3-samba
> python3-six
> python3-talloc
> python3-tdb
> python3-update-manager
> python3-urllib3
> python3-virtualenv
> python3-yaml
> python3-zipp
> python3.6-minimal
> readline-common
> rename
> resolvconf
> rsync
> rsyslog
> samba
> samba-common
> samba-common-bin
> samba-dsdb-modules
> samba-libs
> samba-vfs-modules
> sed
> sensible-utils
> shared-mime-info
> socat
> squid
> squid-common
> squid-langpack
> ssl-cert
> sudo
> systemd
> systemd-sysv
> systemd-timesyncd
> sysvinit-utils
> tar
> tcpd
> tdb-tools
> thermald
> tzdata
> ubuntu-advantage-tools
> ubuntu-minimal
> ubuntu-release-upgrader-core
> ucf
> udev
> update-inetd
> update-manager-core
> usb.ids
> usbutils
> util-linux
> vim-common
> vim-tiny
> virtualenv
> wget
> whiptail
> winbind
> xauth
> xdg-user-dirs
> xkb-data
> xxd
> xz-utils
> zerofree
> zlib1g
> tasksel
> tasksel-data
>
> Our client Hopfenveredlung St. Johann is using this software and we want
> to make sure they are not affected by the Log4J exploit.
>
> Best Regards
> Jonas Böck
>
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
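
The two checks the reply above points at, as an added example that is not part of the original message or of any Ubuntu tooling: matching a package list against log4j package names, and finding log4j-core bundled inside application archives that a package list would never show. The package names other than "apache-log4j1.2", the JndiLookup.class marker, and the sample archives are assumptions of this example.

```python
import io
import zipfile

# Class file shipped by log4j-core 2.x; its presence marks a bundled copy (assumed marker).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# "apache-log4j1.2" is named in the thread; the rest are the related Ubuntu
# source/binary package names (assumed list, extend as needed).
LOG4J_PACKAGES = {"apache-log4j1.2", "liblog4j1.2-java",
                  "apache-log4j2", "liblog4j2-java"}


def flag_packages(package_names):
    """Return the entries of an installed-package list that are log4j packages."""
    return sorted({n.strip() for n in package_names} & LOG4J_PACKAGES)


def find_jndi_lookup(data, label, max_depth=4):
    """Return 'outer!inner' paths of archives in `data` that contain JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive (or corrupt): nothing to report
    with zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP:
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
                # Fat jars and web archives nest jars; recurse with a depth limit.
                hits += find_jndi_lookup(zf.read(name), f"{label}!{name}", max_depth - 1)
    return hits


def _make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a stand-in log4j-core jar bundled inside a web application archive.
SAMPLE_JAR = _make_zip({JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
SAMPLE_WAR = _make_zip({"WEB-INF/lib/log4j-core-X.Y.Z.jar": SAMPLE_JAR,
                        "index.html": b"<html></html>"})
```

An empty result from `flag_packages` only covers what the package manager installed; `find_jndi_lookup` has to be run over the archives of any separately deployed Java application or appliance image.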


Re: Tuxconfig v 2.

2021-12-18 Thread rob brew
> Hi.
>
> I hope you are well.
>
> I did approach Ubuntu a few years ago about a concept to install devices
> not supported by apt without having to git clone and build repositories
> into machine code before inserting them into the kernel.
>
> I've rewritten it in python, I've made it possible to install software not
> available via apt in Linux at 1 key press.
>
> No more searching for GitHub repositories and dkms install, it's a wrapper
> around dkms GitHub repositories which allows the user to install software
> from the best repository as rated in GitHub stars for their device.
>
> It supports multiple platforms and multiple architectures.
>
> *How do developers submit their code:*
>
> They add a file in their repository called tuxconfig.conf listing:
>
> - The supported USB / pci ids.
> - The architecture supported, eg. i386, x86_64, BCM2711 for raspberry pi 4.
> - The install file location.
> - The dkms module name.
> - A test script which exits with "0" should the device be detected as
>   installed properly.
> - They link their repository to our system
>
> *What about dodgy code being imported?*
>
> We have a vetting console for each repository, it requires 3 sign offs to
> ensure each repository is safe to install.
>
> *What if the "best" repository doesn't work?*
>
> The system offers the next best one.
>
> *Why should I contribute repositories?*
>
> If a device is installed successfully we provide details of the user who
> contributed and signed off on it, free publicity :)
>
> It's available at www.tuxconfig.com
>
> If the Ubuntu developers would like to work on this, not just for Ubuntu
> but all Linux distributions, please get in touch.
>
> The main differences between my original submission are:
>
> - We rate the quality of device drivers using GitHub stars.
> - We don't rely on the user to see if a device is installed correctly,
>   we ascertain that using a test script.
> - It's rewritten in Python.
> - We check previous installs with future ones on the client device, as
>   these change in time. Previously the second best voted submission would be
>   pulled from the server, in this version the client compares the rating of
>   their submission against what is now available.
> - Static libraries are not missing.
>
> Please get in touch if you have any channels to contribute to this,
> including a UI, and the coverage needed to encourage developers to
> submit repositories to the system.
>
> Thanks,
>
>   Rob Brew.
>