[Bug 1564388] Re: mysqlnd is vulnerable to BACKRONYM (CVE-2015-3152)

2016-03-31 Thread Seth Arnold
MITRE assigned CVE-2015-8838: http://www.openwall.com/lists/oss-security/2016/03/31/13

Thanks

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8838

** Summary changed:

- mysqlnd is vulnerable to BACKRONYM (CVE-2015-3152)
+ mysqlnd is vulnerable to BACKRONYM (CVE-2015-8838)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1564388

Title:
  mysqlnd is vulnerable to BACKRONYM (CVE-2015-8838)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1564388/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

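The client-side flaw behind BACKRONYM (originally CVE-2015-3152; CVE-2015-8838 as assigned above for mysqlnd), shown as an added example that is not code from the bug report, from PHP/mysqlnd or from MySQL: a client that asks for TLS but carries on in plaintext when the server greeting does not advertise CLIENT_SSL, so an on-path attacker only has to clear one capability bit. The greeting bytes, connection id and capability set are constructed for the example; only the Protocol::HandshakeV10 layout and the CLIENT_SSL flag value are taken from the MySQL protocol.

```python
"""Detect a stripped CLIENT_SSL bit in a MySQL server greeting (added example)."""
import struct

CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800              # server sets this when it can switch to TLS
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x00080000

# Constructed capability set for a server that does offer TLS.
SERVER_CAPS = (CLIENT_PROTOCOL_41 | CLIENT_SSL
               | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)


def build_greeting(caps, version=b"5.7.0-constructed"):
    """Assemble a minimal Protocol::HandshakeV10 payload (test data only)."""
    return (b"\x0a"                            # protocol version 10
            + version + b"\x00"                # server version, NUL-terminated
            + struct.pack("<I", 4242)          # connection id (constructed)
            + b"A" * 8 + b"\x00"               # auth-plugin-data part 1, filler
            + struct.pack("<H", caps & 0xFFFF)  # capability flags, low half
            + b"\x21"                          # character set
            + struct.pack("<H", 0x0002)        # status flags (AUTOCOMMIT)
            + struct.pack("<H", caps >> 16)    # capability flags, high half
            + b"\x00" * 11)                    # auth data length + 10 reserved


def _caps_offset(greeting):
    """Offset of the low capability half: after version, conn id, auth, filler."""
    if greeting[0] != 0x0A:
        raise ValueError("not a protocol v10 greeting")
    return greeting.index(b"\x00", 1) + 1 + 4 + 8 + 1


def server_capabilities(greeting):
    """Reassemble the 32-bit capability flags from both halves."""
    pos = _caps_offset(greeting)
    low = struct.unpack_from("<H", greeting, pos)[0]
    high = struct.unpack_from("<H", greeting, pos + 5)[0]  # skip charset+status
    return low | (high << 16)


def strip_ssl(greeting):
    """What a man-in-the-middle does: clear CLIENT_SSL before forwarding."""
    pos = _caps_offset(greeting)
    low = struct.unpack_from("<H", greeting, pos)[0] & ~CLIENT_SSL & 0xFFFF
    return greeting[:pos] + struct.pack("<H", low) + greeting[pos + 2:]


def vulnerable_client(greeting, want_ssl):
    """Pre-fix logic: TLS is a preference, silently dropped when not offered."""
    if want_ssl and server_capabilities(greeting) & CLIENT_SSL:
        return "tls"
    return "plaintext"


def hardened_client(greeting, want_ssl):
    """Fixed logic: a requested TLS that the server does not offer is fatal."""
    if not want_ssl:
        return "plaintext"
    if server_capabilities(greeting) & CLIENT_SSL:
        return "tls"
    return "abort"  # refuse rather than fall back onto a stripped connection


if __name__ == "__main__":
    honest = build_greeting(SERVER_CAPS)
    tampered = strip_ssl(honest)
    for name, client in (("vulnerable", vulnerable_client),
                         ("hardened", hardened_client)):
        print(name, "honest:", client(honest, True),
              "tampered:", client(tampered, True))
```

The point of the comparison is that the vulnerable client never learns it was downgraded: the greeting is unauthenticated, so the only defence is to treat "I asked for TLS and did not get it" as a hard failure, which is what the hardened variant does.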

[Bug 1534368] Re: HTTP/2 is not enabled for nginx-extras

2016-03-31 Thread Seth Arnold
Thomas and the nginx team have convinced me that nginx's http/2
implementation is widely used and mature enough to enable before 16.04
LTS release.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1534368

Title:
  HTTP/2 is not enabled for nginx-extras

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1534368/+subscriptions



[Bug 1564451] Re: User processes are counted towards systemd limit for sshd processes

2016-03-31 Thread Seth Arnold
I'm having trouble reproducing this. I started a few thousand /bin/sleep
commands and was able to log in via ssh as another user; the error
message when logging in again as my normal user account showed an error
message that looked appropriate.

In one ssh:
sarnold@sec-xenial-amd64:~$ for i in `seq 1 6000` ; do /bin/sleep 10 & done
...
[15813] 24043
[15814] 24044
[15815] 24045
-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable

In another terminal:
$ ssh -oControlPath=none  root@sec-xenial-amd64
Welcome to Ubuntu Xenial Xerus (development branch) (GNU/Linux 4.4.0-16-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

0 packages can be updated.
0 updates are security updates.

Last login: Thu Mar 31 15:42:23 2016 from 192.168.122.1
root@sec-xenial-amd64:~# 

$ ssh -oControlPath=none  sec-xenial-amd64
shell request failed on channel 0

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1564451

Title:
  User processes are counted towards systemd limit for sshd processes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1564451/+subscriptions



[Bug 1564451] Re: User processes are counted towards systemd limit for sshd processes

2016-03-31 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1564451

Title:
  User processes are counted towards systemd limit for sshd processes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1564451/+subscriptions



[Bug 1564388] Re: mysqlnd is vulnerable to BACKRONYM (CVE-2015-3152)

2016-03-31 Thread Seth Arnold
I've asked MITRE if this needs a new CVE or not:

http://www.openwall.com/lists/oss-security/2016/03/31/10

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1564388

Title:
  mysqlnd is vulnerable to BACKRONYM (CVE-2015-3152)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1564388/+subscriptions



[Bug 1564388] Re: mysqlnd is vulnerable to BACKRONYM (CVE-2015-3152)

2016-03-31 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1564388

Title:
  mysqlnd is vulnerable to BACKRONYM (CVE-2015-3152)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1564388/+subscriptions



[Bug 1562583] Re: package amavisd-new 1:2.10.1-2ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2016-03-28 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to amavisd-new in Ubuntu.
https://bugs.launchpad.net/bugs/1562583

Title:
  package amavisd-new 1:2.10.1-2ubuntu1 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/amavisd-new/+bug/1562583/+subscriptions



[Bug 1528251] Re: WARNING: no suitable primes in /etc/ssh/primes

2016-03-21 Thread Seth Arnold
OFERBA, I suspect you have a different issue than this bug report, which
is about a misleading pathname in an error message.

I'd suggest filing a new bug for your issue however I do not think it is
appropriate to be shipping a new release with 1024 bit DH primes as a
default supported configuration. See https://weakdh.org/ for more
information.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1528251

Title:
  WARNING: no suitable primes in /etc/ssh/primes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1528251/+subscriptions


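The check a practitioner would want after the DH-prime advice above, as an added example that is not code from the bug report or from OpenSSH: it applies the weakdh.org recommendation for sshd (the `awk '$5 > 2000' /etc/ssh/moduli` filter) and also reports what it drops. Each data line of moduli(5) carries seven fields: time, type, tests, trials, size, generator, modulus; the size field is the group's bit length as ssh-keygen records it, so the 1024-bit and 2048-bit groups in stock files appear as 1023 and 2047. The sample text is constructed and its modulus values are placeholders, not primes; the script name in the usage comment is hypothetical.

```python
"""Filter sub-2048-bit DH groups out of an OpenSSH moduli file (added example)."""
import sys
from collections import Counter

MIN_SIZE = 2047  # keep 2048-bit groups and larger

SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus   (constructed sample)
20120821044040 2 6 100 1023 2 DEADBEEF
20120821044041 2 6 100 1535 2 CAFEBABE
20120821044042 2 6 100 2047 2 FEEDFACE
20120821044043 2 6 100 4095 5 0BADF00D
20120821044044 2 6 100 8191 2 0123ABCD
"""


def parse_moduli(text):
    """Yield (size, line) for each data line; comments and blanks are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError("malformed moduli line: %r" % line)
        yield int(fields[4]), line


def filter_moduli(text, min_size=MIN_SIZE):
    """Return only the lines whose group is at least min_size bits."""
    return [line for size, line in parse_moduli(text) if size >= min_size]


def dropped_sizes(text, min_size=MIN_SIZE):
    """Histogram of the group sizes the filter removes, for the report."""
    return Counter(size for size, _ in parse_moduli(text) if size < min_size)


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 filter_moduli.py /etc/ssh/moduli > moduli.new
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MODULI
    for size, count in sorted(dropped_sizes(src).items()):
        print("dropping %d group(s) of size %d" % (count, size), file=sys.stderr)
    print("\n".join(filter_moduli(src)))
```

Two caveats: the moduli file is only consulted by the diffie-hellman-group-exchange-* key exchange methods, so fixed groups such as diffie-hellman-group1-sha1 have to be removed from KexAlgorithms separately, and the filtered file must replace /etc/ssh/moduli (with sshd restarted) before it takes effect.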

[Bug 1556175] Re: networking.service hangs on shutdown -- killing dhclient has no effect any more

2016-03-14 Thread Seth Arnold
Likely related to https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1551855

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in Ubuntu.
https://bugs.launchpad.net/bugs/1556175

Title:
  networking.service hangs on shutdown -- killing dhclient has no effect
  any more

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1556175/+subscriptions



[Bug 1553237] Re: Cannot stop samba service

2016-03-07 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1553237

Title:
  Cannot stop samba service

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1553237/+subscriptions



[Bug 1553023] [NEW] [FFe] libvirt v1.3.2 -- zfs support

2016-03-03 Thread Seth Arnold
Public bug reported:

Please consider a Feature Freeze exception for libvirt upstream version
1.3.2 which enables ZFS support on Linux hosts:
https://libvirt.org/news.html

ZFS is an excellent match for virtual machine storage:
- transparent high-speed compression that improves performance
- lightweight snapshots
- lightweight clones
- checksums and self-healing to fight bitrot
- makes the most of iops on multiple drives
- zfs send | zfs receive for backups, distribution, or moving images

libvirt has supported ZFS on FreeBSD for years; while the Linux support is
new, most of the codebase has had extensive testing elsewhere.

libvirt 1.3.2 does bring along many other changes but most look like the
sort of bugfixes that we would need to perform eventually via SRU.

I intend to help fill out this request with the full details requested
on the FreezeExceptionProcess wiki page soon. This is mostly a
placeholder until then.

Thanks

** Affects: libvirt (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/1553023

Title:
  [FFe] libvirt v1.3.2 -- zfs support

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1553023/+subscriptions



[Bug 1552949] Re: the "http2" parameter requires ngx_http_v2_module

2016-03-03 Thread Seth Arnold
I've asked teward to keep HTTP/2 disabled in nginx for a little while.

We certainly want HTTP/2 support in 16.04 LTS but (a) http/2 is very new
(b) http/2 is based on design patterns that have proved to be very
difficult to implement without security issues. So I hope to offer
http/2 support in nginx via an SRU shortly after 16.04 LTS is released.

Security issues in complex software are a given; part of my role on the
security team is balancing new features against security risks. I'd feel
immensely better about offering http/2 to our users after the wider
security community has had some time to find 'easy' issues. (I say this
with full respect for what the nginx team have built; I suspect they
feel similarly otherwise they would have already released 1.10 with
http/2 a first-class citizen.)

I wish the timing were a little different: however, both nginx and 16.04
LTS are aiming for roughly the same date, so there's no easy way to get
the wider coverage I'd like http/2 to get before we ship our next LTS
release. If you'd like to contribute, please consider running e.g.
https://github.com/c0nrad/http2fuzz against nginx mainline releases or
nginx hg tip builds.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1552949

Title:
  the "http2" parameter requires ngx_http_v2_module

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1552949/+subscriptions



[Bug 1352617] Re: php5-fpm UNIX sockets in Precise do not listen as www-data:www-data by default, and causes 502s with webservers trying to use socket

2016-03-03 Thread Seth Arnold
I'm sceptical of pushing an update for config files to precise; it's
only got a year left, people probably have it working or they're
deploying trusty or xenial instead. The change itself looks fine though.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1352617

Title:
  php5-fpm UNIX sockets in Precise do not listen as www-data:www-data by
  default, and causes 502s with webservers trying to use socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1352617/+subscriptions



[Bug 1548497] Re: Cross-Container ARP Poisoning

2016-02-23 Thread Seth Arnold
Jesse, thanks for the excellent detailed report; please do report future
findings. I'm setting this public as it's apparently public enough
already.

Thanks

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1548497

Title:
  Cross-Container ARP Poisoning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1548497/+subscriptions



[Bug 1267255] Re: [MIR] php5 (php5-fpm binary)

2016-02-19 Thread Seth Arnold
Neal,
https://launchpad.net/ubuntu/+source/php5/+bugs?field.searchtext=fpm

The FPM mode of execution feels far better to me than running a PHP
interpreter in the same address space as the webserver -- however I have
to balance my enthusiasm for the better design against the fact that
there is a huge pile of bugs currently open that mention 'fpm', a
complete unfamiliarity with the codebase, and Robie expressed that
they're stretched too thin as it is.

Demoting mod_php to universe may or may not help the 'spread too thin'
aspect.

But having the php interpreter in the same address space as TLS secrets
seems insane to me. :)

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1267255

Title:
  [MIR] php5 (php5-fpm binary)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1267255/+subscriptions



[Bug 1547640] Re: proxy tries ipv6 and gets 503 when no ipv6 routes

2016-02-19 Thread Seth Arnold
Adding 'dns_v4_first on' to my 14.04 LTS /etc/squid-deb-proxy/squid-deb-proxy.conf solved this for me.

My personal best guess is that something happened during machine reboots
in the Canonical datacenter to address the glibc updates.

My failures were to both security.ubuntu.com and archive.ubuntu.com,
e.g.:

W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/trusty-security/restricted/binary-amd64/Packages  503  Service Unavailable

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-proposed/restricted/binary-amd64/Packages  503  Service Unavailable

(there were dozens more like this, these two were just side-by-side in
scrollback.)

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid-deb-proxy in Ubuntu.
https://bugs.launchpad.net/bugs/1547640

Title:
  proxy tries ipv6 and gets 503 when no ipv6 routes

To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1547640/+subscriptions



[Bug 1271653] Re: [MIR] libiscsi

2016-02-17 Thread Seth Arnold
I reviewed libiscsi version 1.12.0-2 as checked into xenial. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.

- libiscsi provides user-space iscsi initiator support so applications can
  use iscsi targets without needing privileged access to the host.
- Build-Depends: debhelper, dh-autoreconf, libcunit1-dev
- Only does CHAP, MD5 cryptography
- Extensive networking support
- Does not itself daemonize
- Does not itself listen on the network
- No pre/post inst/rm
- No initscripts
- No dbus services
- No setuid executables
- iscsi-test-cu, iscsi-ls, iscsi-swp, iscsi-inq, iscsi-readcapacity16
  executables in path
- No sudo fragments
- No udev rules
- iscsi-test-cu looks like an incredible test suite, if it functions as
  advertised
- No cron jobs
- Clean build logs

- No subprocesses spawned
- Very careful memory management, nice per-scsi-task abstraction layer
- No file IO
- Extensive error logging, spot checks all looked careful
- Several environment variables are used:
  LD_ISCSI_GET_LBA_STATUS
  LD_ISCSI_DEBUG (not-packaged ld_iscsi.so)
  LIBISCSI_DEBUG
  LIBISCSI_TCP_USER_TIMEOUT
  LIBISCSI_TCP_KEEPCNT
  LIBISCSI_TCP_KEEPINTVL
  LIBISCSI_TCP_KEEPIDLE
  LIBISCSI_TCP_SYNCNT
  LIBISCSI_BIND_INTERFACES
  LIBISCSI_CHAP_USERNAME
  LIBISCSI_CHAP_PASSWORD
  Results were typically handed to atoi(3) and then used to set settings;
  maybe strtoul(3) would be more robust but this is fine
- No privileged operations
- Essentially no cryptography -- CHAP barely counts. Use this on trusted
  networks or over IPsec. (Trusted networks is the expected use, this
  isn't unreasonable.)
- Extensive networking; spot checks on networking syscalls all looked
  careful
- No portions of code looked more privileged than others
- No temporary file handling
- Does not use WebKit
- Clean cppcheck
- Clean shellcheck
- No PolicyKit

libiscsi looks professionally programmed; SCSI and TCP/IP aren't exactly
easy things but the design of this package looks careful and thoughtful. I
haven't inspected the SCSI state machine in any way but the methods I
inspected all looked like they inspected preconditions and logged
violations, all pieces feel like logical separations of concerns and
designed for testing.

The iscsi-test-cu test suite looks incredible if true. No tests are run
during the build but it would be difficult to test these functions deeply
during build.

The only bug I found is a series of slightly misleading error messages:

- lib/login.c has instances of 'aprintf failed' error strings but the
  memory allocation is stack-based buffers, and the failed function is
  snprintf().

ld_iscsi looks like a _very_ cute hack -- pity it is too immature to
enable it but I love the idea. (I did not review its code because it's
clearly labeled not-yet-ready for use.)

Security team ACK for promoting libiscsi to main. Please keep an eye on
ld_iscsi in future syncs with Debian to ensure it doesn't get released
before it is ready.

Thanks


** Changed in: libiscsi (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libiscsi in Ubuntu.
https://bugs.launchpad.net/bugs/1271653

Title:
  [MIR] libiscsi

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libiscsi/+bug/1271653/+subscriptions



[Bug 1542509] Re: /build/qemu-YZq7uh/qemu-2.3+dfsg/nbd.c:nbd_init():L670: Failed to set NBD socket

2016-02-09 Thread Seth Arnold
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to qemu in Ubuntu.
https://bugs.launchpad.net/bugs/1542509

Title:
  /build/qemu-YZq7uh/qemu-2.3+dfsg/nbd.c:nbd_init():L670: Failed to set
  NBD socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1542509/+subscriptions



[Bug 1542560] Re: Apache incorrect building path when Alias directive argument is root ('/')

2016-02-05 Thread Seth Arnold
Thanks for the report; considering the WP install looks useless with
this configuration, I don't think the path presence outside the root is
much issue.

(I personally think the "path disclosure" issues are a bit thin at best
-- if the web server really shouldn't see some paths, it ought to be
configured with the OS permissions to actually only allow it to interact
with what it should see.)

So I'm making this public, non-security.

Thanks

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1542560

Title:
  Apache incorrect building path when Alias directive argument is  root
  ('/')

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1542560/+subscriptions



[Bug 1473691] Re: squid: Update to latest upstream release (3.5)

2016-02-04 Thread Seth Arnold
e-Vent, we rated this issue "low" because:

- snmp is not enabled by default
- squid's snmp listener can listen on specific interfaces
- local iptables / ufw rules probably already allow only specific services on the hosts that run squid
- network firewalls / routers probably already allow only specific services on the networks that run squid

In general allowing untrusted access to SNMP is not a good idea
regardless of whether this is fixed.

We have limited resources and we have to prioritize the work we do
accordingly. If you have the time and inclination to prepare and test a
patch for this issue, we'd be happy to sponsor updates. See
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation for more details.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1473691

Title:
  squid: Update to latest upstream release (3.5)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1473691/+subscriptions



[Bug 1432644] Re: VM permanently tries to read /dev/shm/lttng-ust-wait-5

2016-02-03 Thread Seth Arnold
Ken, that's great: denying lttng in the profile just to silence the logs
is certainly unfortunate for the people who want to use lttng to measure
and inspect their VMs as the reason why lttng doesn't work is impossible
to discover.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ceph in Ubuntu.
https://bugs.launchpad.net/bugs/1432644

Title:
  VM permanently tries to read /dev/shm/lttng-ust-wait-5

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1432644/+subscriptions



[Bug 1541322] Re: package mysql-server-5.6 5.6.28-0ubuntu0.15.10.1 failed to install/upgrade: subprocess new pre-installation script returned error exit status 1

2016-02-03 Thread Seth Arnold
Note the following:
Aborting downgrade from (at least) 10.0 to 5.6.
If are sure you want to downgrade to 5.6, remove the file
/var/lib/mysql/debian-*.flag and try installing again.

I suspect this is intentional behaviour, thus I'm closing the bug. If
this isn't intentional, feel free to set the status back to 'new' and
describe what happened.

Thanks

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1541322

Title:
  package mysql-server-5.6 5.6.28-0ubuntu0.15.10.1 failed to
  install/upgrade: subprocess new pre-installation script returned error
  exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1541322/+subscriptions



[Bug 1541322] Bug is not a security issue

2016-02-03 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Changed in: mysql-5.6 (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1541322

Title:
  package mysql-server-5.6 5.6.28-0ubuntu0.15.10.1 failed to
  install/upgrade: subprocess new pre-installation script returned error
  exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1541322/+subscriptions



[Bug 1432644] Re: VM permanently tries to read /dev/shm/lttng-ust-wait-5

2016-02-03 Thread Seth Arnold
Note that adding that entry may allow virtual machines an unexpected and
unwelcome amount of influence over the host system. If you just want the
errors silenced, use 'deny /run/shm/lttng-ust-wait-5 rw,' instead. If
you actually want lttng to function, then feel free to continue using
the allow rule but be sure you know why you want it and what it allows
guests to do.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ceph in Ubuntu.
https://bugs.launchpad.net/bugs/1432644

Title:
  VM permanently tries to read /dev/shm/lttng-ust-wait-5

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1432644/+subscriptions



[Bug 1539840] Re: not able to make changes in the ubuntu 14.04 and web videos are not playing

2016-02-01 Thread Seth Arnold
Thank you for using Ubuntu and taking the time to report a bug. Your
report should contain, at a minimum, the following information so we can
better find the source of the bug and work to resolve it.

Submitting the bug about the proper source package is essential. For
help see https://wiki.ubuntu.com/Bugs/FindRightPackage . Additionally,
in the report please include:

1) The release of Ubuntu you are using, via 'cat /etc/lsb-release' or System -> About Ubuntu.
2) The version of the package you are using, via 'dpkg -l PKGNAME | cat' or by checking in Synaptic.
3) What happened and what you expected to happen.

The Ubuntu community has also created debugging procedures for a wide
variety of packages at https://wiki.ubuntu.com/DebuggingProcedures .
Following the debugging instructions for the affected package will make
your bug report much more complete. Thanks!


** Information type changed from Private Security to Public

** Changed in: apr (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apr in Ubuntu.
https://bugs.launchpad.net/bugs/1539840

Title:
  not able to make changes in the ubuntu 14.04 and web videos are not
  playing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apr/+bug/1539840/+subscriptions



[Bug 1429739] Re: neutron-server does not start: OperationalError: (OperationalError) no such table: ml2_vlan_allocations

2016-02-01 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Public Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/1429739

Title:
  neutron-server does not start: OperationalError: (OperationalError) no
  such table: ml2_vlan_allocations

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1429739/+subscriptions



[Bug 1532160] Re: package python-ldb 1:1.1.18-1ubuntu0.1 [origin: Ubuntu] failed to install/upgrade: package python-ldb is already installed and configured

2016-01-08 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

** Package changed: ldb (Ubuntu) => dpkg (Ubuntu)

https://bugs.launchpad.net/bugs/1532160


[Bug 1532007] Re: libvirt's apparmor policy prevents starting domain with hugepage-backed memory store

2016-01-07 Thread Seth Arnold
Christy, can you please include the full relevant DENIED lines from your
logs so that we can best determine which rules need to be added to the
libvirt profiles?

Thanks

** Changed in: apparmor (Ubuntu)
   Status: New => Incomplete

** Also affects: libvirt (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: libvirt (Ubuntu)
   Status: New => Incomplete

https://bugs.launchpad.net/bugs/1532007


Re: [Bug 1530914] Re: sshd crashed with SIGSEGV in _IO_vfprintf_internal()

2016-01-06 Thread Seth Arnold
On Wed, Jan 06, 2016 at 02:07:59PM -, msp3k wrote:
> I tried following one of the links to ubuntu.com, but was told "Sorry,
> you are not a member of a group that is allowed to see the data from
> error reports."

Hmm, I thought you'd always be able to view your own reports.

> If you think it's safe to do so, I can reply with the last few links. 
> Would it be safe to assume that they are listed in a newest-first order?

I believe it is safe; I don't recall seeing anything private in the other
reports but didn't want to risk it... but if you've got URLs for your
reports, then they probably are making it to the error tracker. The thing
is, very few reports are -- you may be the only one getting these.

Thanks

https://bugs.launchpad.net/bugs/1530914


[Bug 1531061] Re: Rsync path spoofing attack vulnerability

2016-01-05 Thread Seth Arnold
Looks like this is http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9512.html

** Information type changed from Private Security to Public Security

** Changed in: rsync (Ubuntu)
   Status: New => Confirmed

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9512

https://bugs.launchpad.net/bugs/1531061


[Bug 1514046] Re: Shell command injection - samba-tool domain classicupgrade

2016-01-05 Thread Seth Arnold
Thanks for finding and reporting this issue; I'm inclined to agree with
upstream that this isn't crossing a security boundary, even though it is
relatively unpleasant.

Thanks

** Changed in: samba (Ubuntu)
   Status: Incomplete => Won't Fix

https://bugs.launchpad.net/bugs/1514046


[Bug 1530914] Re: sshd crashed with SIGSEGV in _IO_vfprintf_internal()

2016-01-05 Thread Seth Arnold
It may not be making its way to errors.ubuntu.com. If you've got the GUI
installed, you can find a link to reported issues via the control panel,
security & privacy, diagnostics --> "show previous reports". I didn't
see any errors that matched _IO_vfprintf_internal(), though I did notice
that the pam_winbind module was segfaulting a lot for someone...

Thanks

https://bugs.launchpad.net/bugs/1530914


[Bug 1473691] Re: Update to latest upstream stable release (3.5)

2015-12-17 Thread Seth Arnold
Note that the Ubuntu packages have had CVE-2014-7141 and CVE-2014-7142
fixed; CVE-2014-6270 is still open. We've rated CVE-2014-6270 as a low
priority issue and will update it when a higher priority issue is found.

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7141.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7142.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6270.html

Thanks

https://bugs.launchpad.net/bugs/1473691


[Bug 1525568] Re: package awstats (not installed) failed to install/upgrade: trying to overwrite '/usr/lib/cgi-bin', which is also in package php5-cgi 5.5.9+dfsg-1ubuntu4.14

2015-12-14 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1525568


[Bug 1510096] Re: Please merge 1.9.6-2 (main) from Debian Unstable (main)

2015-12-14 Thread Seth Arnold
Please disable HTTP/2 / SPDY for initial inclusion into Xenial; the
security team would really prefer this code have some more real-world
exposure and fuzzing before we turn it on. We can always turn it on
after release via an SRU later.

Thanks

https://bugs.launchpad.net/bugs/1510096


[Bug 1520568] Re: All queries fails when 'google' is used: ERR_SSL_PROTOCOL_ERROR

2015-11-30 Thread Seth Arnold
Which IPs show the errors? It could be that different results may be due
to different TLS terminators at Google. Figuring out one specific IP
that demonstrates the issue may help (assuming Google hasn't done
something crazy like anycast on their search IPs).

https://bugs.launchpad.net/bugs/1520568


[Bug 1516280] Re: package dlm 4.0.1-0ubuntu1 failed to install/upgrade: el subproceso instalado el script post-installation devolvió el código de salida de error 2

2015-11-16 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1516280


[Bug 1509586] Re: SSLv3 enabled in apache2 by default

2015-10-23 Thread Seth Arnold
I don't think we will want to push updates to disable ssl3 on existing
systems, and I'm not sure how feasible it would be to push an update
that only modifies the defaults for brand-new installs. I suspect the
only thing to be done for 14.04 LTS is to educate system administrators
about the risks of ssl3 and how to disable it.

We should certainly verify that ssl3 is disabled by default in xenial.

Thanks

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1509586


[Bug 1292234] Re: qcow2 image corruption on non-extent filesystems (ext3)

2015-10-20 Thread Seth Arnold
Chris, please do, I just recreated the issue with the "uvt update -rf"
recipe from earlier; four of six VMs couldn't boot to a login: prompt,
presumably from this bug.

Linux hunt 3.13.0-65-generic #106-Ubuntu SMP Fri Oct 2 22:08:27 UTC 2015
x86_64 x86_64 x86_64 GNU/Linux

(I know, it misses this week's update. I can't keep up on this
treadmill...)

Thanks

https://bugs.launchpad.net/bugs/1292234


[Bug 1508248] Re: chkrootkit gives false positive ebury

2015-10-20 Thread Seth Arnold
I had the impression that chkrootkit hadn't been maintained for many
years the last time I looked at it; it may require significant work to
make it functional.

Thanks

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1508248


[Bug 1506238] Re: ship new public certificate

2015-10-14 Thread Seth Arnold
http://www.ubuntu.com/usn/usn-2709-2/

** Changed in: pollinate (Ubuntu)
   Status: New => Fix Released

https://bugs.launchpad.net/bugs/1506238


[Bug 1506238] [NEW] ship new public certificate

2015-10-14 Thread Seth Arnold
*** This bug is a security vulnerability ***

Public security bug reported:

USN-2709-1 supplied a new certificate but did not include the entire
certificate chain. This is similar to bugs #1304777 #1381359 #1483762.

Robie Basak provided debdiffs, http://paste.ubuntu.com/12774324/ and
http://paste.ubuntu.com/12774331/

Thanks

** Affects: pollinate (Ubuntu)
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1506238


[Bug 1292234] Re: qcow2 image corruption on non-extent filesystems (ext3)

2015-10-13 Thread Seth Arnold
Is this still open against the 14.04.1 LTS kernel?

Thanks

https://bugs.launchpad.net/bugs/1292234


[Bug 1499392] Re: OpenSSH Security and SHA1

2015-10-05 Thread Seth Arnold
Thank you Colin, that's great news.

I think we should have a discussion about which algorithms to deprecate,
when, for the whole distribution. I'd like a consistent approach to when
we stop supporting md5/sha-1/rc4 etc. Of course different protocols may
have different threat models so it may not be appropriate to apply a
single blanket rule for any algorithm, but supporting 16.04 LTS in 2021
makes me think that we ought to be willing to cut the algorithms known
to be weak today.

OpenSSH's choices for e.g. 7.1 will probably make a lot of sense for
today but may make less sense in five years, when we're still supporting
7.1 but they've moved on. Other upstreams may not be as reliable as
OpenSSH, either, and second guessing their choices may make more sense.

Thanks

https://bugs.launchpad.net/bugs/1499392


[Bug 1501966] Re: support changing Apparmor hats

2015-10-02 Thread Seth Arnold
~ubuntu-reviewers, the patch posted here is intended to sketch what a
new patch for this feature may look like and is not intended to be used
as-is in any capacity. Feel free to unsub from this bug.

Thanks

** Tags removed: patch

https://bugs.launchpad.net/bugs/1501966


[Bug 1499392] Re: OpenSSH Security and SHA1

2015-10-02 Thread Seth Arnold
Hello Eldin, you're right that it is time to begin migrating away from
SHA-1 in default OpenSSH configurations. However there is some
historical baggage in parts of the launchpad infrastructure that
prevented upgrading algorithms earlier. (Strictly speaking, the defaults
aren't tied to launchpad but a configuration that doesn't allow
developers to work out of the box is less than ideal.)

Some related bugs that might help explain the situation:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1445620
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1445624
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1445625

A site with many general guidelines that may influence more than just
default keysize and hash selections:
https://stribika.github.io/2015/01/04/secure-secure-shell.html

And, of course, whatever we select should be tested against Cisco gear,
since there's always a bug or two with every openssh configuration
change that prevents people from logging into or using Cisco equipment.

Colin, is it feasible to start making algorithm changes yet?

Thanks

** Changed in: openssh (Ubuntu)
   Status: New => Confirmed

https://bugs.launchpad.net/bugs/1499392
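Two of the threads above are about legacy cryptography that is still enabled by default: SSLv3 in apache2 on 14.04 LTS (bug 1509586, where the only remedy offered is educating administrators on how to disable it) and SHA-1/MD5/RC4-based algorithms in the OpenSSH defaults (bug 1499392). The following is an added example, not code from either bug report, from Ubuntu or from the upstream projects: it audits constructed apache2 and sshd_config fragments for the weak settings, shown next to hardened versions. The configuration fragments, the deny-list of algorithm-name patterns and the hardened algorithm choices are assumptions made for the demonstration; the Apache SSLProtocol grammar (an "all" keyword with +/- modifiers, or an explicit list) and the OpenSSH list-prefix semantics are as documented by those projects.

```python
import re

# Constructed configuration fragments for this demonstration, not taken from any host.
APACHE_WEAK = """\
SSLEngine on
# SSLv3 is not excluded, so clients may still negotiate it
SSLProtocol all -SSLv2
"""
APACHE_HARDENED = """\
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
"""
SSHD_WEAK = """\
KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256@libssh.org
MACs hmac-sha1,hmac-sha2-256
Ciphers arcfour256,aes256-ctr
"""
SSHD_HARDENED = """\
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
"""

# Protocol names understood by Apache 2.4's SSLProtocol directive.
APACHE_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
# Algorithm names built on the primitives the thread wants retired (assumed deny-list).
LEGACY_ALGORITHM = re.compile(r"sha1|md5|rc4|arcfour", re.IGNORECASE)
SSHD_ALGORITHM_DIRECTIVES = {"ciphers", "macs", "kexalgorithms", "hostkeyalgorithms"}


def _strip_comment(line):
    return line.split("#", 1)[0].strip()


def apache_sslv3_enabled(config_text):
    """True if the last SSLProtocol directive leaves SSLv3 negotiable, False if
    it excludes it, None if there is no directive at all (the effective default
    then depends on the Apache version, which is exactly the 14.04 problem)."""
    result = None
    for raw in config_text.splitlines():
        match = re.match(r"(?i)SSLProtocol\s+(.+)$", _strip_comment(raw))
        if not match:
            continue
        enabled = set()
        for token in match.group(1).split():
            sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
            targets = set(APACHE_PROTOCOLS) if name.lower() == "all" else {name.lower()}
            enabled = enabled | targets if sign == "+" else enabled - targets
        result = "sslv3" in enabled
    return result


def sshd_legacy_algorithms(config_text):
    """Sorted (directive, algorithm) pairs for explicitly enabled algorithms that
    match the deny-list. A value starting with '-' removes algorithms from the
    defaults rather than enabling them, so it is skipped; a leading '+' or '^'
    adds to the defaults, so those entries are still checked."""
    findings = []
    for raw in config_text.splitlines():
        parts = _strip_comment(raw).split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in SSHD_ALGORITHM_DIRECTIVES:
            continue
        directive, value = parts
        if value.startswith("-"):
            continue
        for algorithm in value.lstrip("+^").split(","):
            if LEGACY_ALGORITHM.search(algorithm):
                findings.append((directive, algorithm))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", APACHE_WEAK), ("hardened", APACHE_HARDENED)):
        print(f"apache {label}: SSLv3 enabled = {apache_sslv3_enabled(text)}")
    for label, text in (("weak", SSHD_WEAK), ("hardened", SSHD_HARDENED)):
        print(f"sshd {label}: legacy algorithms = {sshd_legacy_algorithms(text)}")
```

Run it against the real files (`/etc/apache2/mods-enabled/ssl.conf` and `/etc/ssh/sshd_config`) to get a quick inventory before changing anything; the None result for Apache is deliberate, because a missing directive means the answer is "whatever this Apache version's compiled-in default is", and that is the case the bug report is about.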


[Bug 1499392] Re: OpenSSH Security and SHA1

2015-10-02 Thread Seth Arnold
** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1499392


[Bug 1501812] Re: package irqbalance 1.0.6-3ubuntu1 failed to install/upgrade: package irqbalance is not ready for configuration cannot configure (current status `half-installed')

2015-10-01 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1501812


Re: [Bug 1267393] Juju MIR response

2015-09-28 Thread Seth Arnold
On Mon, Sep 28, 2015 at 07:51:47AM -, Tim Penhey wrote:
> > It is currently impossible to upgrade from 14.04 LTS to 15.04 due to
> > incorrect version numbers. Has anyone else noticed this yet? When will
> > this be fixed? Are there any changes in process needed to ensure this
> > doesn't happen in the future?
> [...]
> We do test a number of upgrade combinations, and I'm curious as to why
> you say it is impossible to upgrade? What exactly is the situation you
> are attempting?

In short, install trusty, install juju, apt-get update && apt-get -u
dist-upgrade; then, use do-release-upgrade to upgrade from trusty to
vivid. This upgrade will fail and uninstalling juju will be the easiest
path forward for the administrator.

I filed https://bugs.launchpad.net/ubuntu/+source/juju-core/+bug/1497087
for this bug.

The Debian tool piuparts is one way to do automated testing for this case,
it might be worth bringing it over to Ubuntu; in the meantime, teams need
to be aware to make sure that version numbers in supported releases always
allow upgrades.

Thanks

https://bugs.launchpad.net/bugs/1267393

Title:
  [MIR] juju-core, juju-mongodb, gccgo, golang


[Bug 1497087] [NEW] updates from trusty to vivid will fail when juju-core is installed

2015-09-17 Thread Seth Arnold
Public bug reported:

juju 1.18.1 is in trusty-release
Juju 1.22.6 is in trusty-updates
Juju 1.22.1 is in vivid-release, meaning upgrades from updated trusty to vivid fail
Juju 1.22.6 is in wily

As a result of these version numbers, a fully-updated trusty system
should fail to upgrade to vivid due to the incorrect juju versioning.

Thanks

** Affects: juju-core (Ubuntu)
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1497087


[Bug 1426549] Re: drop pyjuju from vivid and newer

2015-09-17 Thread Seth Arnold
juju 0.7 is still available in wily. Is it too late to remove it?

Thanks

https://bugs.launchpad.net/bugs/1426549


[Bug 1267393] Re: [MIR] juju-core, juju-mongodb, gccgo, golang

2015-09-16 Thread Seth Arnold
I reviewed juju version ff791983cd1a186e2e09878a37cf243f7f9eb734. The
review covered significantly less portion of the codebase than usual, and
should not be considered a security audit.

Juju 1.18.1 is in trusty-release
Juju 1.22.6 is in trusty-updates
Juju 1.22.1 is in vivid-release, meaning upgrades from updated trusty to vivid fail
Juju 1.22.6 is in wily

When were 1339770 1389326 1391276 fixed? Are they fixed in all supported
releases?  There's no mention of any of these bug numbers in the published
changelogs:
https://launchpad.net/ubuntu/+source/juju-core/+changelog

These bugs were known to be dangerous in 2014 yet still caused extensive
damage in May, 2015. What allowed them to persist so long? What steps have
been taken to ensure future bugs of similar severity don't last unpatched
in production for so long?

In 1339770, in May 2015, it was mentioned that 1.18 was end-of-life and no
further updates could be prepared for it. 1.18.0 was released just 13
months earlier and 1.18.1 had been included in 14.04 LTS. Why was the 1.18
infrastructure torn down so shortly after including 1.18 in a release with
five-year support? Have there been any similar changes in process that
would prevent or delay issuing an update to the currently supported
versions of juju already in the archive?

It is currently impossible to upgrade from 14.04 LTS to 15.04 due to
incorrect version numbers. Has anyone else noticed this yet? When will
this be fixed? Are there any changes in process needed to ensure this
doesn't happen in the future?

Will the juju team be asking for an MRE? Is it anticipated that new series
(e.g., the 1.18 to 1.22 change) would be included as an MRE? What
processes are in place to test updates before including updates into the
archive? What processes are available to the security team to test
updates that we would prepare?

I had more trouble reading the Juju code this review cycle than last
review cycle -- the Facade indirection mechanism makes navigating the
code harder. I'm worried about it for a few reasons:
- Strings to reference method names are brittle and can't be checked at
  compile time. What methods are in place to ensure that these aren't
  typoed?
- Generic args and return types defeat type checking. What ensures types
  being returned or accepted have the desired properties?
- Java has had significant problems with their Reflection mechanism,
  probably dozens of issues per year. At what points of a process's
  lifetime is the Facade mechanism dynamic?

Here's a few issues I found:

- ./apiserver/apiserver.go logs passwords when tracing is enabled -- this
  is fine IFF this is loudly documented somewhere obvious. Is it? It'd be
  best to filter out passwords regardless.

- Chown() doesn't quote the user or group

- ./api/client.go WatchDebugLog() claims to read a line but looks like it
  may read up to 4096 bytes -- is this correct?

- significant number of TODO comments; is there a method in place to find
  unowned comments and assign them somewhere? is there a process in place
  to ensure they get revisited?

- Which versions of the client work with which versions of the servers?
  Where's that described?

- ./api/keyupdater/authorisedkeys.go AuthorisedKeys(),
  WatchAuthorisedKeys() expects exactly one authorized key, this seems
  fragile

- Is -static-libgo still being used?

- Perhaps redundant to say it, the embedded code copies mostly need to be
  packaged separately. I don't know to what extent they deserve review,
  but they do represent a significant amount of code not written here that
  will run as root in many environments.


There's a lot to like about the Juju codebase; error checking is rigorous,
the coding style is consistent, the shellscript quoting infrastructure is
awesome, it's inspired clever new Go packages that cleanly solve problems.
I didn't review as much as I would have liked, but what I did see looked
like rigorous work.

Juju has been growing new features at an incredible pace. Will development
of new features impede supporting deployed environments? The security
team cannot support Juju alone -- there is far too much domain-specific
knowledge required to properly maintain Juju. We will need the Juju
team's help to address practically every issue for all stages of future
security-relevant bugs: proper diagnosis, proper fix preparation,
proper backporting to all supported releases, proper test development,
and proper testing.

I'm concerned with how previous issues have been handled -- the three
referenced bug reports have combined to represent the single most
expensive consequence I've personally seen and all were known issues five
months earlier. So I need reassurance that the Juju team will help the
security team maintain Juju in our supported releases:

- Ask for an MRE, if that's the most appropriate mechanism to update Juju.
- Ask for special treatment that allows more frequent full-version updates,
  if that's the most appropriate mechanism to update 
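One of the review findings above is that Chown() interpolates the user and group into a command line without quoting, and the samba-tool classicupgrade thread earlier on this page is about the same bug class. The following is an added example, not juju's Chown() and not code from either bug report: it shows the unquoted construction the review objects to, the quoted form, and the argv form that avoids the shell altogether, together with a name check used as defence in depth. The helper names, the username syntax accepted by valid_name() (the portable pattern useradd enforces) and the sample path are assumptions made for the demonstration.

```python
import re
import shlex

# Hypothetical helpers written for this example; none of this is juju's Chown().
# Portable user/group name syntax as accepted by useradd (assumed policy).
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")


def valid_name(name):
    """Defence in depth: accept only names that are legal on the target system."""
    return len(name) <= 32 and _NAME_RE.match(name) is not None


def chown_command_unquoted(user, group, path):
    """The pattern the review objects to: operands interpolated into a shell
    line as-is, so the shell re-splits and re-interprets them."""
    return f"chown {user}:{group} {path}"


def chown_command_quoted(user, group, path):
    """Each operand quoted, so the shell sees exactly one word per operand
    whatever characters it contains."""
    return f"chown {shlex.quote(f'{user}:{group}')} {shlex.quote(path)}"


def chown_argv(user, group, path):
    """Preferred form: no shell at all. The argv list is handed to
    subprocess.run() or exec unchanged, so quoting never arises, and the
    names are validated before use."""
    if not (valid_name(user) and valid_name(group)):
        raise ValueError(f"invalid user or group name: {user}:{group}")
    return ["chown", f"{user}:{group}", path]


def shell_words(command):
    """How a POSIX shell splits the command line into words."""
    return shlex.split(command)


if __name__ == "__main__":
    path = "/srv/app data"   # constructed path containing a space
    print(shell_words(chown_command_unquoted("svc", "staff", path)))  # path split in two
    print(shell_words(chown_command_quoted("svc", "staff", path)))    # one word
    print(chown_argv("svc", "staff", path))
```

shlex.split() only models word splitting, not the shell's command separators or expansions, so the unquoted form is worse in a real shell than the demonstration shows; that is why the argv form, which never hands the operands to a shell, is the one to prefer when the command does not need shell features.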

[Bug 1490361] Re: IncompatibleObjectVersion: Version 1.2 of PciDeviceList is not supported

2015-09-01 Thread Seth Arnold
** Information type changed from Public Security to Public

https://bugs.launchpad.net/bugs/1490361


[Bug 1490382] Re: cannot login to crouton on chromeOS

2015-08-31 Thread Seth Arnold
Are you sure that the Ubuntu OpenSSH should be running 'inside' the
crouton environment? Does crouton run things in a VM, or chroot, or full
containers?

There's many X11 errors mentioned there, are they indicative of bigger
problems in the crouton environment?

This is probably worth a parallel bug report to crouton folks, I'm not
sure what Ubuntu could do to fix this.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1490382

Title:
  cannot login to crouton on chromeOS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1490382/+subscriptions



[Bug 1483762] Re: [SRU] ship new public cert

2015-08-14 Thread Seth Arnold
I overlooked a missing bug number for the cert update in the vivid
changelog. Sorry.

** Changed in: pollinate (Ubuntu Vivid)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to pollinate in Ubuntu.
https://bugs.launchpad.net/bugs/1483762

Title:
  [SRU] ship new public cert

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pollinate/+bug/1483762/+subscriptions



[Bug 1484593] Re: package mongodb-server (not installed) failed to install/upgrade: subprocess installed pre-removal script returned error exit status 1

2015-08-13 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mongodb in Ubuntu.
https://bugs.launchpad.net/bugs/1484593

Title:
  package mongodb-server (not installed) failed to install/upgrade:
  subprocess installed pre-removal script returned error exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mongodb/+bug/1484593/+subscriptions



[Bug 1482640] Re: package sa-compile 3.4.0-3ubuntu2.1 failed to install/upgrade: Unterprozess installiertes post-installation-Skript gab den Fehlerwert 28 zurück

2015-08-07 Thread Seth Arnold
Thank you for taking the time to report this bug and helping to make
Ubuntu better. 

You appear to be running a release of Ubuntu that is no longer supported.
Please see https://wiki.ubuntu.com/Releases for information on our
currently supported releases; consider using one of the LTS releases,
as they will be supported for the longest amount of time.

Some additional information on upgrading can be found in our community
wiki, https://help.ubuntu.com/community/UpgradeNotes

Thanks


** Information type changed from Private Security to Public

** Changed in: spamassassin (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to spamassassin in Ubuntu.
https://bugs.launchpad.net/bugs/1482640

Title:
  package sa-compile 3.4.0-3ubuntu2.1 failed to install/upgrade:
  Unterprozess installiertes post-installation-Skript gab den Fehlerwert
  28 zurück

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1482640/+subscriptions



[Bug 1267393] Re: [MIR] juju-core, juju-mongodb, gccgo, golang

2015-08-05 Thread Seth Arnold
My primary concern was with the confused double duty of the shell
quoting -- sometimes it was being used to protect an input from a user,
and sometimes it was being used to transmit scripts to remote peers.

I really hope to see something akin to sql prepared statements in juju
that use the class system to enforce proper quoting of inputs when they
must be used as an argument to a command, so that ad hoc constructions
aren't scattered throughout the codebase.

Replacing juju-backup sounds like an improvement, but that was just one
instance of the above complaint.

Embedding sudo into the program to avoid running the entire bootstrap
process as root does make sense, but I do wonder if unprivileged lxc
containers would be more appropriate at this point. It still seems like
a large assumption about how sudo can be used on the juju host --
perhaps it is fair to say the juju host must be dedicated to the task,
but it'd be nice to see that spelled out explicitly.

I'll ask Tyler to look at our backlog and fit this in where we can.
Thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to golang in Ubuntu.
https://bugs.launchpad.net/bugs/1267393

Title:
  [MIR] juju-core, juju-mongodb, gccgo, golang

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gccgo-5/+bug/1267393/+subscriptions
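As an added example (not juju's code, and not part of this thread), here is the prepared-statement-style quoting the comment asks for: a ShellArg type whose only route onto a command line is Quote(), placed next to the ad hoc string construction it replaces, with a small sh-style splitter to show the round trip. All type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// ShellArg is one argument destined for a remote shell. Keeping it in its own
// type means call sites cannot splice a raw string into script text; the only
// way an argument reaches the command line is through Quote().
type ShellArg string

// Quote wraps the value in single quotes. A single quote inside the value is
// written as '\'' (close quote, escaped quote, reopen quote), so the remote
// shell sees the bytes verbatim whatever they contain: spaces, $, backticks,
// semicolons or newlines.
func (a ShellArg) Quote() string {
	return "'" + strings.ReplaceAll(string(a), "'", `'\''`) + "'"
}

// RemoteCommand is the "prepared statement": a program chosen by the caller
// and argument slots that can only hold ShellArg values.
type RemoteCommand struct {
	Program string
	Args    []ShellArg
}

// String renders the command line that would be sent to the peer; every
// piece, including the program name, goes through Quote().
func (c RemoteCommand) String() string {
	parts := []string{ShellArg(c.Program).Quote()}
	for _, a := range c.Args {
		parts = append(parts, a.Quote())
	}
	return strings.Join(parts, " ")
}

// UnsafeCommand is the ad hoc construction the review objects to: the value is
// pasted into the script text, so its content decides how many words the
// remote shell sees and whether the line even parses.
func UnsafeCommand(program, arg string) string {
	return fmt.Sprintf("%s %s", program, arg)
}

// SplitLikeSh tokenises a command line the way a POSIX shell would for the
// subset used here (unquoted words, single-quoted strings and backslash
// escapes). It exists only to demonstrate the round trip; it is not a shell.
func SplitLikeSh(line string) ([]string, error) {
	var words []string
	var cur strings.Builder
	inWord, inQuote := false, false
	for i := 0; i < len(line); i++ {
		ch := line[i]
		switch {
		case inQuote:
			if ch == '\'' {
				inQuote = false
			} else {
				cur.WriteByte(ch)
			}
		case ch == '\'':
			inQuote, inWord = true, true
		case ch == '\\':
			if i+1 >= len(line) {
				return nil, fmt.Errorf("dangling backslash")
			}
			i++
			cur.WriteByte(line[i])
			inWord = true
		case ch == ' ':
			if inWord {
				words = append(words, cur.String())
				cur.Reset()
				inWord = false
			}
		default:
			cur.WriteByte(ch)
			inWord = true
		}
	}
	if inQuote {
		return nil, fmt.Errorf("unterminated single quote")
	}
	if inWord {
		words = append(words, cur.String())
	}
	return words, nil
}

func main() {
	// Constructed sample input: a path containing a space and an apostrophe.
	path := "it's here/report 1.txt"
	cmd := RemoteCommand{Program: "ls", Args: []ShellArg{"-l", ShellArg(path)}}
	fmt.Println(cmd.String())
	safe, _ := SplitLikeSh(cmd.String())
	fmt.Printf("prepared: %d words %q\n", len(safe), safe)
	if _, err := SplitLikeSh(UnsafeCommand("ls", path)); err != nil {
		fmt.Printf("ad hoc:   %v (the same value breaks the script)\n", err)
	}
}
```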



[Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for poodle fix

2015-07-13 Thread Seth Arnold
Port 25 is probably handled by postfix, exim, or sendmail, not dovecot.
In any event, you can't simply connect directly to SMTP with TLS; SMTP
requires using the STARTTLS command to upgrade a connection to TLS.

I suspect you'll find similar issues with your other ports; I don't know
the details of those off-hand as well as SMTP, so I'll just ask how
confident you are that your test case accurately reflects the protocols
you're trying to test.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dovecot in Ubuntu.
https://bugs.launchpad.net/bugs/1381537

Title:
  Dovecot version in precise too old to switch off SSLv3 protocol for
  poodle fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1381537/+subscriptions



[Bug 1472142] Re: /var/cache/lxc not world readable

2015-07-10 Thread Seth Arnold
Please see bug #1244635 -- I'm afraid this bug may re-introduce 1244635
if not handled carefully.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1472142

Title:
  /var/cache/lxc not world readable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1472142/+subscriptions



[Bug 1472713] Re: HAProxy 1.5.3 requires security updates

2015-07-08 Thread Seth Arnold
Hello, the Ubuntu Security Team does not provide security support for
the backports project. If you wish to prepare a debdiff to address the
security issues, or help the backports project prepare an update to a
newer version, I suspect the backports project would be happy for the
help.

Please see https://help.ubuntu.com/community/UbuntuBackports for more
information.

Thanks

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to haproxy in Ubuntu.
https://bugs.launchpad.net/bugs/1472713

Title:
  HAProxy 1.5.3 requires security updates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/1472713/+subscriptions



[Bug 1471373] Re: My wifi keeps disconnecting after some interval of time

2015-07-06 Thread Seth Arnold
** Information type changed from Public Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to irqbalance in Ubuntu.
https://bugs.launchpad.net/bugs/1471373

Title:
  My wifi keeps disconnecting after some interval of time

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/irqbalance/+bug/1471373/+subscriptions



[Bug 1471370] Re: package slapd 2.4.31-1+nmu2ubuntu8.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2015-07-06 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1471370

Title:
  package slapd 2.4.31-1+nmu2ubuntu8.1 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1471370/+subscriptions



[Bug 1432644] Re: VM permanently tries to read /dev/shm/lttng-ust-wait-5

2015-06-30 Thread Seth Arnold
George, if you want to allow the lttng accesses, edit
/etc/apparmor.d/libvirt/TEMPLATE and the other similar profiles in
/etc/apparmor.d/libvirt/ and add:

  /run/shm/lttng-ust-wait-5 rw,

Then run apparmor_parser --replace $(ls -1
/etc/apparmor.d/libvirt/libvirt* | grep -v files)

This does allow for cross-domain contamination. If you want to deny
these accesses instead you can prepend deny to that rule above; I
don't know if libvirt handles that gracefully or not, but it would
prevent cross-domain contamination.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ceph in Ubuntu.
https://bugs.launchpad.net/bugs/1432644

Title:
  VM permanently tries to read /dev/shm/lttng-ust-wait-5

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/1432644/+subscriptions



[Bug 1470009] Re: Conky does not Monitor ntp network connections

2015-06-30 Thread Seth Arnold
NTP uses UDP port 123. The pasted conky configuration doesn't monitor
any UDP ports.

Thanks

** Information type changed from Private Security to Public

** Changed in: ntp (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1470009

Title:
  Conky does not Monitor ntp network connections

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1470009/+subscriptions



[Bug 1466103] Re: dnsmasq runs unconfined due to starting before apparmor on boot

2015-06-18 Thread Seth Arnold
I don't think stopped apparmor is going to do it -- the generic
apparmor profiles are loaded via a sysv-init compatibility script.

I think the job file that starts this dnsmasq instance needs to use
apparmor load before starting the process:

http://upstart.ubuntu.com/cookbook/#apparmor-load

I hope this helps

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/1466103

Title:
  dnsmasq runs unconfined due to starting before apparmor on boot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1466103/+subscriptions



[Bug 1464118] Re: package nginx-core (not installed) failed to install/upgrade: sub-processo script post-installation instalado retornou estado de saída de erro 1

2015-06-11 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1464118

Title:
  package nginx-core (not installed) failed to install/upgrade: sub-
  processo script post-installation instalado retornou estado de saída
  de erro 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1464118/+subscriptions



[Bug 1463383] Re: package nginx-extras 1.6.2-5ubuntu3 failed to install/upgrade: sub-processo script post-installation instalado retornou estado de saída de erro 1

2015-06-09 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1463383

Title:
  package nginx-extras 1.6.2-5ubuntu3 failed to install/upgrade: sub-
  processo script post-installation instalado retornou estado de saída
  de erro 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1463383/+subscriptions



[Bug 1458052] Re: Azure Datasource writes user password in plain text

2015-05-27 Thread Seth Arnold
We've decided this is a security hardening measure rather than a
security issue, and thus won't apply for a CVE and won't attempt an
embargoed coordination with other vendors: any process that has
sufficient privileges to read this file and thus the password has every
opportunity to perform dozens of other privileged operations that would
expose or reset this password.

Ben said he'd follow through with the SRU process; this makes sense to
us.

Thanks

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cloud-init in Ubuntu.
https://bugs.launchpad.net/bugs/1458052

Title:
  Azure Datasource writes user password in plain text

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1458052/+subscriptions



[Bug 1455299] Re: lubuntu 15.04 err 404

2015-05-14 Thread Seth Arnold
Does not affect nova; this is probably a misconfiguration rather than a
bug.

** Information type changed from Private Security to Public

** Changed in: nova (Ubuntu)
   Status: New => Invalid

** Package changed: nova (Ubuntu) => ubuntu

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1455299

Title:
  lubuntu 15.04 err 404

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1455299/+subscriptions



[Bug 1446448] Re: ssh-agent terminates

2015-05-11 Thread Seth Arnold
Andrej, sorry, normally the person who supplies the additional
information sets the status back to 'new' or 'confirmed' as needed. We
don't say that nearly often enough. Sorry.

** Changed in: openssh (Ubuntu)
   Status: Incomplete => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1446448

Title:
  ssh-agent terminates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1446448/+subscriptions



[Bug 216847] Re: sshd will not start at boot if ListenAddress is set, because network interface is not yet up

2015-05-11 Thread Seth Arnold
Changing the ssh service file to use network-online.target should also
work; see
http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ for more
information.

** Tags added: systemd-boot

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/216847

Title:
  sshd will not start at boot if ListenAddress is set, because network
  interface is not yet up

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/216847/+subscriptions



[Bug 1450960] Re: dev file system is mounted without noexec

2015-05-01 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1450960

Title:
  dev file system is mounted without noexec

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1450960/+subscriptions



[Bug 1381450] Re: [MIR] conntrack, libnetfilter-queue, libnetfilter-cttimeout, libnetfilter-cthelper

2015-04-22 Thread Seth Arnold
I reviewed conntrack version 1:1.4.2-2ubuntu1 as checked into ubuntu
vivid. This should not be considered a full security audit but rather a
quick gauge of maintainability.

- conntrack provides both a connection tracking daemon that can interface
  with the Linux kernel's netfilter interfaces as well as an
  information-publishing tool that can provide better filtering of flow
  information than the /proc/ interfaces. The connection tracking daemon
  can be used to support HA stateful firewalls.
- Build-Depends: autotools-dev, bison, debhelper, dh-systemd, flex,
  libmnl-dev, libnetfilter-conntrack-dev, libnetfilter-cthelper0-dev,
  libnetfilter-cttimeout-dev, libnetfilter-queue-dev, libnfnetlink-dev
- pre/post inst/rm scripts have complicated mechanisms to handle previous
  configuration file locations and init.d vs systemd handling. Review by
  domain expert would be welcome.
- initscript and systemd service file look reasonable enough
- No dbus services
- No setuid binaries
- Provides conntrack, conntrackd, nfct binaries
- No sudo fragments
- No udev rules
- No cronjobs
- No test suite run during build

- No subprocesses spawned
- Memory management looks careful
- Few files opened; log files, configuration file,
  /proc/sys/net/netfilter/nf_conntrack_count
- Logging looked careful
- No environment variable use
- A handful of privileged operations are used, but the entirety of the
  package does privileged operations
- No cryptography
- Extensive netlink use; conntrackd can communicate with other conntrackd
  instances on other hosts, requires a private privileged network. Can
  spawn helpers to inspect and modify packets -- helpers are provided for
  ftp, rpc, and tns. (Helpers looked careful, though this kind of code is
  prone to mistakes. I'd love to see privilege separation / seccomp kinds
  of things for userspace helpers.)
- No temporary file handling
- No webkit
- No javascript
- No policykit
- Clean cppcheck

Here's a few issues I found while reviewing this package, in the hopes
these findings are useful:

- nfct_helper_free() in libnetfilter-cthelper has a use-after-free bug
  that may result in sigsegv:
  http://www.openwall.com/lists/oss-security/2015/04/22/5
  A fix has already been pushed to upstream git, this may be worth an SRU

- nfq_queue_cb() leaks myct if pktb_alloc(), helper_run(), or
  pkt_verdict_issue() return failures

- fork_process_new() will leak struct child_process c if the fork()
fails

- I'm concerned that the daemon closes stderr and stdout before starting
  its main loop; there are many printf() and printf(stderr) calls in
  the codebase. Making sure that stdout and stderr refer to something
  useful at any given point is difficult. I suggest duping /dev/null to
  those descriptors if they are truly not going to used in the life of
  the daemon.

There's also an issue in the packaging, the binaries are not built PIE. I
realize it is too late to make them PIE before the release of vivid, so
please ensure this is handled shortly after the U series is opened, so
that it is not forgotten.

Security team ACK for promoting conntrack to main.

Thanks


** Changed in: conntrack (Ubuntu)
 Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnetfilter-cthelper in Ubuntu.
https://bugs.launchpad.net/bugs/1381450

Title:
  [MIR] conntrack, libnetfilter-queue, libnetfilter-cttimeout,
  libnetfilter-cthelper

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/conntrack/+bug/1381450/+subscriptions



[Bug 1446448] Re: ssh-agent terminates

2015-04-21 Thread Seth Arnold
Brendan Gregg has an awesome execsnoop tool that can report systemwide
execs in his perf-tools package, the whole thing is a goldmine of
amazing tools:

http://www.brendangregg.com/blog/2014-07-28/execsnoop-for-linux.html

Probably this is easier than the process accounting.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1446448

Title:
  ssh-agent terminates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1446448/+subscriptions



[Bug 1445624] Re: Change SSH defaults to non-SHA-1 by 16.04

2015-04-17 Thread Seth Arnold
While this might initially seem prematurely early to end support
for SHA-1, it's the tail end of 16.04 LTS's support window that worries
me -- I suspect SHA-1 will feel less safe by 2021, but removing support
for it in an LTS release feels like the wrong approach.

We may also wish to consider what the server accepts and what the client
accepts separately if there's some class of devices that force using
SHA-1 in the meantime.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1445624

Title:
  Change SSH defaults to non-SHA-1 by 16.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1445624/+subscriptions



[Bug 1430082] Re: [MIR] python-cryptography, python-cffi, pycparser, enum34

2015-04-14 Thread Seth Arnold
python-cryptography-vectors is as described -- an impressive collection
of test vectors. The only slightly surprising thing is the pre/post
inst/rm scripts, due to this being part of a python module package.

Security team ACK for promoting python-cryptography-vectors to main,
though I suspect we don't strictly need the binary packages themselves
in main. Either way, doesn't really matter.

Thanks

** Changed in: python-cryptography-vectors (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-cffi in Ubuntu.
https://bugs.launchpad.net/bugs/1430082

Title:
  [MIR] python-cryptography, python-cffi, pycparser, enum34

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/enum34/+bug/1430082/+subscriptions



[Bug 1430082] Re: [MIR] python-cryptography, python-cffi, pycparser, enum34

2015-04-13 Thread Seth Arnold
I reviewed python-cryptography version 0.8-1ubuntu2 as checked into Ubuntu
vivid. This shouldn't be considered a full security audit but rather a
quick gauge of maintainability.

- python-cryptography provides a cffi interface to OpenSSL with friendly
  shims for better python integration
- Build-Depends: debhelper, dh-python, python-all-dev, python3-all-dev,
  python-setuptools, python3-setuptools, python-cffi, python3-cffi,
  python-six, python3-six, libssl-dev, python-cryptography-vectors,
  python-cryptography-vectors, python3-cryptography-vectors,
  python3-cryptography-vectors, python-iso8601, python3-iso8601,
  python-pytest, python3-pytest, python-pretend, python3-pretend,
  python-pyasn1, python3-pyasn1, python-enum34, python3-enum34
- This package provides both recipes for safe cryptography use as well as
  a hazmat namespace for raw cryptography use. This package does not
  itself daemonize or connect to the network.
- pre/post inst/rm scripts automatically generated
- No initscripts
- No dbus services
- No binaries in the path
- No setuid or setgid
- No sudo fragments
- No udev rules
- No cronjobs
- Extensive test suite with thousands of test cases run during the build
- Clean build logs

- No subprocesses are spawned
- Memory management is very complicated; Python modules implemented in C
  need to manage both the python-GC system and the C unmanaged memory
  allocations. There were instructive comments near some C implementations
  about the proper way to manage that object type's memory, but errors
  feel inevitable.
- Very few file operations itself
- Logging looked safe
- No environment variable use on Linux, looked safe on Windows
- No privileged portions of code
- Extensive cryptography, much under control of client programs
- No networking
- No temporary file handling
- No WebKit
- No javascript
- No PolicyKit

python-cryptography is intricate, involved code; Python modules and
cffi are complicated, and OpenSSL's API is dangerous at the best of
times. That said, this code looks careful -- there's good parameter
checking, asserts throughout, comments are descriptive where they are
used, documentation is good.

I did not extensively check the cryptography used; spot checks looked
fine, Fernets looked interesting.

Security team ACK for promoting python-cryptography to main.

Thanks


** Changed in: python-cryptography (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-cffi in Ubuntu.
https://bugs.launchpad.net/bugs/1430082

Title:
  [MIR] python-cryptography, python-cffi, pycparser, enum34

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/enum34/+bug/1430082/+subscriptions



[Bug 1298611] Re: [FFe] apparmor signal and ptrace mediation

2015-04-10 Thread Seth Arnold
Ken,

The ptrace mediation in 12.04 LTS is very rudimentary; if you add
capability sys_ptrace, to a profile then processes running in that
profile are allowed to trace any process the discretionary access
controls allow. The fine-grained permissions introduced in 14.04 LTS
require both the new kernel and userspace.

I tested that the apparmor 2.7.102-0ubuntu3.10 package with the linux-
generic-lts-trusty 3.13.0.49.43 package will allow ptrace using the
capability sys_ptrace, permission via a strace profile:

# cat usr.bin.strace 
# Last Modified: Sat Apr 11 03:38:35 2015
#include <tunables/global>

/usr/bin/strace {
  #include <abstractions/base>

  capability sys_ptrace,

  /bin/ls rix,
  /home/*/ r,
  /proc/filesystems r,
  /usr/bin/strace mr,
}

I tested both strace /bin/ls and strace -p 1.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1298611

Title:
  [FFe] apparmor signal and ptrace mediation

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611/+subscriptions



[Bug 1441388] Re: numactl crashes with segfault

2015-04-07 Thread Seth Arnold
Do you know if a CVE has been assigned to this issue? I don't directly
see how it could be used to cross privilege boundaries. Is there
something I've missed?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to numactl in Ubuntu.
https://bugs.launchpad.net/bugs/1441388

Title:
  numactl crashes with segfault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/numactl/+bug/1441388/+subscriptions



[Bug 1440070] Re: openssh-server attempts to connect to upstart and the connection is refused

2015-04-03 Thread Seth Arnold
** Tags added: systemd-boot

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1440070

Title:
  openssh-server attempts to connect to upstart and the connection is
  refused

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1440070/+subscriptions



[Bug 1407695] Re: [MIR] python-saml2, xmlsec1

2015-03-30 Thread Seth Arnold
Thanks James and Michael, looks good to me.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-pysaml2 in Ubuntu.
https://bugs.launchpad.net/bugs/1407695

Title:
  [MIR] python-saml2, xmlsec1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-pysaml2/+bug/1407695/+subscriptions



[Bug 1436096] [NEW] interrupting juju-deployer prevents juju destroy-environment from tearing it down cleanly

2015-03-24 Thread Seth Arnold
Public bug reported:

I tried to create a new undercloud on the server team's serverstack test
environment; I realized shortly after starting the juju-deployer that I
had made a mistake and used ^C to interrupt the deploy, to save ten
minutes of time, and then juju destroy-environment hung when trying to
clean up my mess:

$ juju-deployer -v --bootstrap -c default.yaml -d trusty-icehouse
2015-03-24 22:25:08 [DEBUG] deployer.cli: Using runtime GoEnvironment on secteam
2015-03-24 22:25:08 [INFO] deployer.cli: Starting deployment of trusty-icehouse
2015-03-24 22:25:08 [DEBUG] deployer.import: Getting charms...
2015-03-24 22:25:33 [DEBUG] deployer.deploy: Resolving configuration
2015-03-24 22:25:33 [INFO] deployer.env: bootstraping, this might take a while...
^CTraceback (most recent call last):
  File "/usr/bin/juju-deployer", line 9, in <module>
    load_entry_point('juju-deployer==0.4.3', 'console_scripts', 'juju-deployer')()
  File "/usr/lib/python2.7/dist-packages/deployer/cli.py", line 130, in main
    run()
  File "/usr/lib/python2.7/dist-packages/deployer/cli.py", line 228, in run
    importer.Importer(env, deployment, options).run()
  File "/usr/lib/python2.7/dist-packages/deployer/action/importer.py", line 193, in run
    self.env.bootstrap()
  File "/usr/lib/python2.7/dist-packages/deployer/env/base.py", line 71, in bootstrap
    params, self.log, "Failed to bootstrap")
  File "/usr/lib/python2.7/dist-packages/deployer/env/base.py", line 21, in _check_call
    return _check_call(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/deployer/utils.py", line 253, in _check_call
    params, cwd=cwd, stderr=stderr, env=os.environ)
  File "/usr/lib/python2.7/subprocess.py", line 567, in check_output
    output, unused_err = process.communicate()
  File "/usr/lib/python2.7/subprocess.py", line 791, in communicate
    stdout = _eintr_retry_call(self.stdout.read)
  File "/usr/lib/python2.7/subprocess.py", line 476, in _eintr_retry_call
    return func(*args)
KeyboardInterrupt
ubuntu@secteam-bastion:~/openstack-charm-testing$ ^C
ubuntu@secteam-bastion:~/openstack-charm-testing$ ^C
ubuntu@secteam-bastion:~/openstack-charm-testing$ ^C
ubuntu@secteam-bastion:~/openstack-charm-testing$ ^C
ubuntu@secteam-bastion:~/openstack-charm-testing$ ^C
ubuntu@secteam-bastion:~/openstack-charm-testing$ juju destroy-environment secteam
WARNING! this command will destroy the secteam environment (type: openstack)
This includes all machines, services, data and other resources.

Continue [y/N]? y


^C
$ dpkg -l '*juju*' | awk 'OFS="\t" {print $1, $2, $3, $4}'
Desired=Unknown/Install/Remove/Purge/Hold
|   Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/  Err?=(none)/Reinst-required (Status,Err:uppercase=bad)
||/ Name                  Version                             Architecture
+++-=====================-===================================-============
ii  juju                  1.22.0-0ubuntu1~14.04.2~juju1       all
ii  juju-core             1.22.0-0ubuntu1~14.04.2~juju1       amd64
ii  juju-deployer         0.4.3-0ubuntu1~ubuntu14.04.1~ppa1   all
ii  python-jujuclient     0.50.1-2                            amd64
un  python2.7-jujuclient  <none>                              <none>

Thanks

** Affects: juju-core (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to juju-core in Ubuntu.
https://bugs.launchpad.net/bugs/1436096

Title:
  interrupting juju-deployer prevents juju destroy-environment from
  tearing it down cleanly

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/juju-core/+bug/1436096/+subscriptions



[Bug 1435443] Re: package mysql-server-5.6 5.6.23-1~exp1~ubuntu3 failed to install/upgrade: подпроцесс установлен сценарий post-removal возвратил код ошибки 1

2015-03-23 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1435443

Title:
  package mysql-server-5.6 5.6.23-1~exp1~ubuntu3 failed to
  install/upgrade: подпроцесс установлен сценарий post-removal возвратил
  код ошибки 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1435443/+subscriptions



[Bug 1435455] Re: package php5-cli 5.5.12+dfsg-2ubuntu4.3 failed to install/upgrade: package php5-cli is already installed and configured

2015-03-23 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1435455

Title:
  package php5-cli 5.5.12+dfsg-2ubuntu4.3 failed to install/upgrade:
  package php5-cli is already installed and configured

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1435455/+subscriptions



[Bug 1434503] Re: package php5-json 1.3.2-2build1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration

2015-03-23 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php-json in Ubuntu.
https://bugs.launchpad.net/bugs/1434503

Title:
  package php5-json 1.3.2-2build1 failed to install/upgrade: package is
  in a very bad inconsistent state; you should  reinstall it before
  attempting configuration

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php-json/+bug/1434503/+subscriptions



[Bug 1434006] Re: Information leak

2015-03-19 Thread Seth Arnold
** Information type changed from Private Security to Public Security

** Changed in: openssh (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1434006

Title:
  Information leak

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1434006/+subscriptions



[Bug 1434006] Re: Information leak

2015-03-19 Thread Seth Arnold
You can configure this with /etc/pam.d/sshd -- simply remove the
pam_motd lines from your PAM sshd configuration and this information
will no longer be shown when users successfully authenticate. (Neither
sshd nor pam_motd.so care if your users are using bash or false or
nologin for their shell; they successfully authenticated, which is all
the pam_motd.so cares about.)

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1434006

Title:
  Information leak

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1434006/+subscriptions



[Bug 1407695] Re: [MIR] python-saml2, python-repoze.who, xmlsec1

2015-03-18 Thread Seth Arnold
I got a response from Tres Seaver to some of the issues I raised in this
MIR:


Thanks for the report!  1.0.18 is a long time ago now (almost 4 1/2
years).  The latest release is 2.2, and there will likely be a 2.2.1
released in the near future.

We are pretty unlikely to make another 1.x release, unless you (or
somebody else) submits PRs for them (I just opened a '1.0-maintenance'
branch, in case someone wants to tackle it):

  https://github.com/repoze/repoze.who/tree/1.0-maintenance

Changes since 1.0.18 relevant to your issues:

- Made `htpasswd' plugin more isochronous (2.1).

- Deprecated plugins, moving them to a new 'repoze.who.deprecatedplugins'
  project (2.0a3):

  - 'repoze.who.plugins.cookie.InsecureCookiePlugin'
  - 'repoze.who.plugins.form.FormPlugin'
  - 'repoze.who.plugins.form.RedirectingFormPlugin'

On the trunk, the SQL plugin issues you report should probably get some
attention:  I don't actually use it myself, which makes that trickier to
think about.



It would be nice to use a more up-to-date version of repoze.who. Nearly
five years out of date already, it would be nice to avoid being eleven
years out of date at the end of the next LTS release.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-pysaml2 in Ubuntu.
https://bugs.launchpad.net/bugs/1407695

Title:
  [MIR] python-saml2, python-repoze.who, xmlsec1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-pysaml2/+bug/1407695/+subscriptions



[Bug 1407695] Re: [MIR] python-saml2, python-repoze.who, xmlsec1

2015-03-12 Thread Seth Arnold
I reviewed python-repoze.who version 1.0.18-4 from Ubuntu vivid. This
should not be considered a full security audit but instead a quick gauge
of maintainability.

- python-repoze.who is a generic authentication middleware for python
  applications; it sits between a wsgi server and application and modifies
  http requests and responses.
- Build-Depends: debhelper, cdbs, python-dev, dh-python,
  python-setuptools, python-sphinx, python-zope.interface, python-paste
- Does not daemonize
- pre/post inst/rm scripts automatically generated
- No initscripts
- No dbus services
- No setuid executables
- No sudo fragments
- No udev rules
- No cronjobs
- Test suite run during the build

- No subprocesses spawned
- Files read under command of configurations
- Logging looked simple
- No environment variables used
- No privileged portions of code
- Networking driven by webserver
- Slight cryptography used, actual provided password storage mechanisms
  are weak
- No temporary files
- No webkit
- No javascript
- No policykit

While reviewing this code I found a few things that seemed worth reporting
here:

- ./repoze/who/plugins/htpasswd.py plain_check() function allows
  timing-based password discovery, crypt_check() hard-codes two character
  salt
- InsecureCookiePlugin doesn't appear to authenticate or encrypt the
  cookie data, or set httponly flag or set secure flag; ignoring the
  secure flag makes some sense for an InsecureCookie mechanism but lacking
  httponly and authenticated data is perhaps surprising to authors.
- doesn't appear to use HttpOnly cookie flag
- no csrf protection in default login form in repoze/who/plugins/form.py
- unknown session fixation prevention in default login form
- default_password_compare in ./repoze/who/plugins/sql.py does not
  salt or iterate passwords; plaintext variant allows timing-based
  password guessing, and stored passwords cannot start with (SHA)

I believe the core code of python-repoze.who is reliable enough, but
the default providers for backends and forms don't look like they are
production quality. Passwords are stored in plaintext, or insufficiently
salted and iterated, and timing-sensitive comparison routines are used.
The login form doesn't protect against session fixation or csrf. Simple
and usual protections on cookies are ignored.

This presents a dilemma; essentially, all non-toy programs have to provide
their own storage and authentication plugins to be able to safely use this
tool. It seems incorrect to promote a project to main with many known
flaws in the defaults, but if no real tools actually use the defaults,
the issues might be mostly academic.

The use by python-pysaml2 seemed safe enough.

The upstream authors have not yet responded to my questions. The above
issues may warrant security fixes, issues that would be best to fix
before shipment if we can. I'm concerned to hear that this package is
orphaned in Debian because it also feels orphaned upstream.

While we probably could take on maintenance of this package ourselves I
have to ask if we should use a different mechanism for login tracking.

So I propose a conditional ACK to promote this package to main,
conditional on two pieces:

*1* a statement from the server team that this package is the best known
way for the pysaml2 tool to manage logins.

*2* a statement from the server team that they will assist in maintenance
efforts for the supported life of this package, and will ask to demote it
again in the future if a viable replacement is found.

Thanks


** Changed in: python-repoze.who (Ubuntu)
 Assignee: Seth Arnold (seth-arnold) => (unassigned)

** Changed in: python-pysaml2 (Ubuntu)
 Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-pysaml2 in Ubuntu.
https://bugs.launchpad.net/bugs/1407695

Title:
  [MIR] python-saml2, python-repoze.who, xmlsec1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-pysaml2/+bug/1407695/+subscriptions

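A hardened counterpart to the password-handling findings in the review above (timing-sensitive plaintext comparison, a hard-coded two-character crypt salt, digests that are neither salted nor iterated). This is an added example written for this page, not repoze.who's code; the record format, iteration count and function names are this example's own choices.

```python
"""Password storage and comparison, hardened.

The review flags three things: a plaintext '==' comparison that leaks
timing, a crypt() salt hard-coded to two characters, and digests that
are neither salted nor iterated. Example code written for this page
(not repoze.who's); the "pbkdf2_sha256$iterations$salt$digest" record
format and the iteration count are this example's own choices.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: cost tuned so one verification takes tens of milliseconds.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def weak_plain_check(stored: str, supplied: str) -> bool:
    """The pattern the review criticises: ordinary string equality.

    str.__eq__ stops at the first differing byte, so the time it takes
    depends on how long a common prefix the guess shares with the secret.
    """
    return stored == supplied


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme, iterations, salt, digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored: str, supplied: str) -> bool:
    """Constant-time verification against a record from hash_password().

    Malformed or foreign records are rejected rather than raising, so a
    corrupted database row cannot turn into an unhandled exception.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if rounds < 1 or len(expected) != 32:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode("utf-8"), salt, rounds)
    # compare_digest takes the same time regardless of where the inputs differ.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "Tr0ub4dor&3"))                   # False
```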


[Bug 1407695] Re: [MIR] python-saml2, python-repoze.who, xmlsec1

2015-03-12 Thread Seth Arnold
I reviewed python-pysaml2 version 2.2.0-0ubuntu2 as found in Ubuntu vivid.
This should not be considered a full security audit, but rather a quick
gauge of maintainability.

- python-pysaml2 is a middleware designed to handle SAML2 authentication,
  a competitor to oauth and FIDO. SAML2 is popular in enterprise
  environments.
- Build-Depends: debhelper, python-all, python-setuptools, python-sphinx,
  python-crypto, python-dateutil, python-decorator, python-mako,
  python-memcache, python-openssl, python-paste, python-pyasn1,
  python-pytest, python-pymongo, python-repoze.who, python-requests,
  python-tz, python-zope.interface, xmlsec1
- Does not itself daemonize
- Does not itself listen on external interfaces
- pre/post inst/rm are automatically added
- No initscripts
- No dbus services
- No setuid executables
- No sudo fragments
- No udev rules
- No cron entries

- Spawns subprocesses, looks careful
- Files opened under direction of controlling programs
- Logging looked careful, except for logged passwords
- No environment variables
- No privileged operations
- Extensive cryptography
- No privileged portions of the program
- No temporary files
- No webkit
- No javascript
- No PolicyKit

Here are some issues I discovered while reading this program:

- src/saml2/s_utils.py sid() provides highly-guessable session identifiers
- src/saml2/s_utils.py rndstr() strings are not cryptographically strong,
  appear to be used for cryptographic purposes
- src/sigver.py create_id() generated identifiers are not
  cryptographically strong
- example/idp2/idp.py, example/idp2/idp_uwsgi.y, example/aa/aa.py,
  example/idp2_repoze/idp, all have a staticfile() method that will serve
  every file on the computer that is readable by the server userid. No
  effort is made to filter out .. path traversals.
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py,
  example/aa/aa.py, example/idp2_repoze/idp.py all have password checks
  that do not attempt to prevent timing analysis.
- src/saml2/authn.py verify() will logger.debug() a password
- src/saml2/authn.py _verify() has a password check that does not attempt
  to prevent timing analysis
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py,
  example/aa/aa.py, example/idp2_repoze/idp.py info_from_cookie() do not
  handle TypeError exception from b64decode, will these provide a simple
  DOS attack vector?
- example/idp2/service.py, example/idp2/idp.py, example/idp2/idp_uwsgi.py,
  example/aa/aa.py, example/idp2_repoze/idp.py ecp() do not handle
  TypeError exception from b64decode, will these provide a simple DOS
  attack vector? This method also logs HTTP_AUTHORIZATION to
  logger.debug(), this may include passwords.

I reported the above issues to the author, who provided fixes for them
very quickly; he's inexperienced with CVEs but sounded willing to learn.

Please update the packaged version to include these fixes; I do not know
if they are security fixes, but it's plausible that some might be.
Security team ACK for promoting version 2.3.0 or higher to main.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-pysaml2 in Ubuntu.
https://bugs.launchpad.net/bugs/1407695

Title:
  [MIR] python-saml2, python-repoze.who, xmlsec1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-pysaml2/+bug/1407695/+subscriptions

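Defensive versions of three findings from the pysaml2 review above, as an added example that is not pysaml2's code: a session identifier drawn from the OS CSPRNG (where the review found sid(), rndstr() and create_id() too guessable), a static-file resolver that refuses any request escaping the document root (the example staticfile() methods did not filter '..'), and a cookie decoder that treats a b64decode failure as "no cookie" instead of letting the exception abort the request. The document root, cookie value and function names are invented.

```python
"""Defensive versions of three findings from the pysaml2 review.

Added example for this page, not pysaml2's code. The document root,
cookie value and function names are invented.
"""
import base64
import os
import secrets
from typing import Optional

# Assumption: a made-up document root used by the usage lines below.
DOCROOT = "/srv/app/static"


def session_id(nbytes: int = 32) -> str:
    """Unpredictable session identifier: 32 bytes (256 bits) from os.urandom."""
    # secrets wraps the OS CSPRNG; random.random()-style generators are
    # not suitable for identifiers that act as bearer credentials.
    return secrets.token_urlsafe(nbytes)


def resolve_static(docroot: str, requested: str) -> Optional[str]:
    """Map a URL path onto a file under docroot, or None if it escapes.

    realpath() collapses '..' segments and follows symlinks, so the
    containment check is made on the final, canonical path rather than
    on the raw request string.
    """
    root = os.path.realpath(docroot)
    # A leading '/' would make os.path.join discard docroot entirely.
    relative = requested.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def decode_cookie(value: str) -> Optional[bytes]:
    """Base64-decode a cookie payload; malformed input yields None.

    Python 2's b64decode raised TypeError on bad input; Python 3 raises
    binascii.Error (a ValueError subclass). Both are caught here so the
    request handler degrades to "not logged in" instead of a 500.
    """
    try:
        return base64.b64decode(value, validate=True)
    except (TypeError, ValueError):
        return None


if __name__ == "__main__":
    print(session_id())
    print(resolve_static(DOCROOT, "css/site.css"))
    print(resolve_static(DOCROOT, "../../../etc/passwd"))  # None
    print(decode_cookie("aGVsbG8="))   # b'hello'
    print(decode_cookie("aGVsbG8"))    # None (bad padding)
```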


[Bug 1426549] [NEW] drop pyjuju from vivid and newer

2015-02-27 Thread Seth Arnold
Public bug reported:

Hello, it appears that juju-0.7 is still available to install in vivid;
given that the juju upstream team has moved on significantly from this
point, I think it is best to drop the old pyjuju from vivid and all
future releases.

Note that it is not coming from Debian:
https://packages.debian.org/search?suite=default&section=all&arch=any&searchon=sourcenames&keywords=juju

Thanks

** Affects: juju (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to juju in Ubuntu.
https://bugs.launchpad.net/bugs/1426549

Title:
  drop pyjuju from vivid and newer

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/juju/+bug/1426549/+subscriptions



[Bug 997269] Re: dovecot imap broken by apparmor policy

2015-02-26 Thread Seth Arnold
Valentin, do you have any DENIED messages from AppArmor in your dmesg
output, /var/log/syslog, or /var/log/audit/audit.log files?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dovecot in Ubuntu.
https://bugs.launchpad.net/bugs/997269

Title:
  dovecot imap broken by apparmor policy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/997269/+subscriptions



[Bug 1407695] Re: [MIR] python-saml2, python-repoze.who, xmlsec1

2015-02-24 Thread Seth Arnold
** Changed in: xmlsec1 (Ubuntu)
 Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-pysaml2 in Ubuntu.
https://bugs.launchpad.net/bugs/1407695

Title:
  [MIR] python-saml2, python-repoze.who, xmlsec1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-pysaml2/+bug/1407695/+subscriptions



[Bug 1423214] Re: package php5-mysql 5.5.9+dfsg-1ubuntu4.6 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2015-02-18 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1423214

Title:
  package php5-mysql 5.5.9+dfsg-1ubuntu4.6 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1423214/+subscriptions



[Bug 1421470] Re: package samba-common-bin 2:4.1.6+dfsg-1ubuntu2.14.04.5 failed to install/upgrade: impossible de copier les données extraites pour « ./usr/bin/smbpasswd » vers « /usr/bin/smbpasswd.dp

2015-02-17 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1421470

Title:
  package samba-common-bin 2:4.1.6+dfsg-1ubuntu2.14.04.5 failed to
  install/upgrade: impossible de copier les données extraites pour «
  ./usr/bin/smbpasswd » vers « /usr/bin/smbpasswd.dpkg-new » : fin de
  fichier ou de flux inattendue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1421470/+subscriptions



[Bug 1421470] Re: package samba-common-bin 2:4.1.6+dfsg-1ubuntu2.14.04.5 failed to install/upgrade: impossible de copier les données extraites pour « ./usr/bin/smbpasswd » vers « /usr/bin/smbpasswd.dp

2015-02-17 Thread Seth Arnold
I'd suggest running memtest86+ on your computer overnight or over a
weekend; there are crashes from chrome, chromium-browser, gdb, software-
center, apport-gtk, apt-check, oneconf-service. While many of the errors
were in apt's libraries, making me suspect hard drive corruption there,
that wouldn't explain all of them. So it might also be RAM.

Good luck.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1421470

Title:
  package samba-common-bin 2:4.1.6+dfsg-1ubuntu2.14.04.5 failed to
  install/upgrade: impossible de copier les données extraites pour «
  ./usr/bin/smbpasswd » vers « /usr/bin/smbpasswd.dpkg-new » : fin de
  fichier ou de flux inattendue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1421470/+subscriptions



[Bug 1418778] Re: Stack smashing while using a lot of connections

2015-02-05 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libfcgi in Ubuntu.
https://bugs.launchpad.net/bugs/1418778

Title:
  Stack smashing while using a lot of connections

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/1418778/+subscriptions



[Bug 1413028] Re: package libnss3 2:3.17.1-0ubuntu0.14.04.2 failed to install/upgrade: trying to overwrite shared '/usr/share/doc/libnss3/changelog.Debian.gz', which is different from other instances

2015-01-20 Thread Seth Arnold
This happened because your i386 version of the library and your amd64
version of the library are out of sync. I don't know why you have both
installed, but if you can uninstall one that you don't need, that can
help. Chances are good your mirror will be updated Soon Enough, and
re-running apt-get update && apt-get -u upgrade will fix it.

If this is still broken in a day, please report back.

Thanks

** Changed in: nss (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1413028

Title:
  package libnss3 2:3.17.1-0ubuntu0.14.04.2 failed to install/upgrade:
  trying to overwrite shared
  '/usr/share/doc/libnss3/changelog.Debian.gz', which is different from
  other instances of package libnss3:i386

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1413028/+subscriptions



[Bug 1411811] Re: Please update php, mysql on ubuntu 15.04

2015-01-16 Thread Seth Arnold
** Package changed: php-ps (Ubuntu) => php5 (Ubuntu)

** Also affects: mysql-5.6 (Ubuntu)
   Importance: Undecided
   Status: New

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-5.6 in Ubuntu.
https://bugs.launchpad.net/bugs/1411811

Title:
  Please update php, mysql on ubuntu 15.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1411811/+subscriptions


