ebarrettoGuest38, if you want to send to security@ubuntu.com all the false positives you might be facing. I can take a look at all of them 08:28
Guest38ok thanks08:29
ahasenack_hi #security, any history on an apparmor rule that is like this:18:55
ahasenack_  /usr/sbin/swanctl             r,18:55
ahasenack_getting a DENIED:18:55
ahasenack_[Fri Dec 16 18:44:52 2022] audit: type=1400 audit(1671216292.135:459): apparmor="DENIED" operation="file_mmap" class="file" namespace="root//lxd-l1_<var-snap-lxd-common-lxd>" profile="/usr/sbin/swanctl" name="/usr/sbin/swanctl" pid=31160 comm="swanctl" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=100000018:55
ahasenack_but JUST on ppc64el?18:55
ahasenack_oh, and another wrinkle: just when inside lxd18:55
ahasenack_on a ppc64el HOST, it works fine18:55
ahasenack_and on non-ppc64el, it works fine anywhere (host or lxd)18:55
ahasenack_and, of course, when it gets a denied, it segfaults, why not :)18:55
ahasenack_root@l1:~# swanctl 18:56
ahasenack_Segmentation fault18:56
ahasenack_oh, and only lunar combo (host/lxd)18:56
ahasenack_well, tbh, didn't test other release on ppc64el, but the test that is breaking works fine in all other arches in lunar18:56
ahasenack_I can fix that by adding the "m" flag to that apparmor rule18:56
ahasenack_but this being so unique (ppc64el only, lunar only, lxd only), that I thought about asking briefly before doing that18:56
sdeziel ahasenack_ I've seen binaries needing "rm" for a while when inside containers19:11
sdezielon amd64 that is though19:11
sdezielahasenack_: all the binaries in https://salsa.debian.org/debian/strongswan/-/blob/debian/master/debian/usr.lib.ipsec.charon have the "m"19:13
ahasenack_swanctl has its own little profile19:18
ahasenack_i'm testing a new build now19:18
sdezielright but swanctl isn't what was used typically on Debian and derivatives19:19
sdezieldespite being the modern alternative19:19
ahasenack_yeah, I wrote the new test thinking like that, using the "modern" alternative19:20
ahasenack_there is still some confusion in the packaging, it's still possible to install incorrect packages so that you have 2x charon running19:20
ahasenack_one directly by systemd, and the other one started by ipsec19:21
sdezielahasenack_: re the "rmix" part, I had bugged sarnold some years back and here what he explained: https://salsa.debian.org/debian/strongswan/-/blob/debian/master/debian/usr.lib.ipsec.charon19:33
sdezielwrong link, sorry, take #2: https://salsa.debian.org/debian/strongswan/-/merge_requests/4#note_7618619:33
-ubottu:#ubuntu-security- Merge 4 in debian/strongswan "Apparmor fixes" [Merged]19:33
ahasenack_again, containers mentioned19:37
ahasenack_grmbl, forgot to enable ppc64el in the ppa19:57
sdezielhey, strongswan 5.9.8 will at least catch the 2x charon running problem because they disabled `SO_REUSEADDR`20:24
ahasenack_I didn't notice that, only that the tunnel wouldn't work20:50
ahasenack_by "catch" you mean something in the logs?20:50
sdezielI'd expect one of the services to fail due to being unable to bind the IKE port(s)20:51
sdezielsee the last item at the bottom of https://www.strongswan.org/blog/2022/10/03/strongswan-5.9.8-released.html20:52
ahasenack_maybe that doesn't prevent them from starting, but the logs will show something20:53
Guest38ebarretto thanks for fixing OVAL definitions22:58
Guest38on my server, these ones (kernel related CVE) are cleared : CVE-2022-4394522:59
-ubottu:#ubuntu-security- The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43945>22:59
-ubottu:#ubuntu-security- In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42722>22:59
-ubottu:#ubuntu-security- Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42720>22:59
-ubottu:#ubuntu-security- mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42703>22:59
-ubottu:#ubuntu-security- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2602>22:59
-ubottu:#ubuntu-security- A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42721>22:59
-ubottu:#ubuntu-security- A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42719>22:59
-ubottu:#ubuntu-security- An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41674>22:59
-ubottu:#ubuntu-security- drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40768>22:59

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!