2023-07-10 18:55:24 |
Bun K Tan |
bug |
|
|
added bug |
2023-07-10 18:55:24 |
Bun K Tan |
attachment added |
|
gp-saml-gui-hangs-attachment.zip https://bugs.launchpad.net/bugs/2026771/+attachment/5685256/+files/gp-saml-gui-hangs-attachment.zip |
|
2023-07-10 18:56:14 |
Bun K Tan |
bug |
|
|
added subscriber sverdy |
2023-07-10 18:56:51 |
Bun K Tan |
bug |
|
|
added subscriber Cindy Goldberg |
2023-07-10 18:58:06 |
Bun K Tan |
bug |
|
|
added subscriber Marcelo Cerri |
2023-07-10 18:58:49 |
Bun K Tan |
bug |
|
|
added subscriber Matthieuj Clemenceau |
2023-07-10 19:00:18 |
Bun K Tan |
bug |
|
|
added subscriber pragyansri.pathi@intel.com |
2023-07-10 19:23:47 |
Bun K Tan |
removed subscriber Matthieuj Clemenceau |
|
|
|
2023-07-10 19:24:10 |
Bun K Tan |
bug |
|
|
added subscriber Matthieu Clemenceau |
2023-07-10 21:56:38 |
Bun K Tan |
intel: importance |
Undecided |
High |
|
2023-07-10 22:00:33 |
Bun K Tan |
bug task added |
|
ubuntu |
|
2023-07-10 22:01:08 |
Bun K Tan |
affects |
ubuntu |
linux (Ubuntu) |
|
2023-07-12 21:03:36 |
Bun K Tan |
bug watch added |
|
https://github.com/dlenski/gp-saml-gui/issues/37 |
|
2023-07-12 21:04:48 |
Bun K Tan |
attachment added |
|
login_success.png https://bugs.launchpad.net/intel/+bug/2026771/+attachment/5685868/+files/login_success.png |
|
2023-07-12 21:09:09 |
Bun K Tan |
attachment added |
|
2026771-attachments.zip https://bugs.launchpad.net/intel/+bug/2026771/+attachment/5685869/+files/2026771-attachments.zip |
|
2023-07-20 16:46:09 |
Shane McKee |
affects |
linux (Ubuntu) |
gp-saml-gui (Ubuntu) |
|
2023-07-20 16:46:09 |
Shane McKee |
gp-saml-gui (Ubuntu): status |
New |
Confirmed |
|
2023-07-20 16:46:09 |
Shane McKee |
gp-saml-gui (Ubuntu): assignee |
|
Shane McKee (mckeesh) |
|
2023-07-20 18:34:00 |
Shane McKee |
summary |
gp-saml-gui hangs after successful authentication |
PAGP (Palo Alto Global Protect) with SAML authentication is broken on Ubuntu desktop |
|
2023-07-20 19:38:38 |
Frank Heimes |
nominated for series |
|
Ubuntu Lunar |
|
2023-07-20 19:38:38 |
Frank Heimes |
bug task added |
|
gp-saml-gui (Ubuntu Lunar) |
|
2023-07-20 19:38:38 |
Frank Heimes |
nominated for series |
|
Ubuntu Focal |
|
2023-07-20 19:38:38 |
Frank Heimes |
bug task added |
|
gp-saml-gui (Ubuntu Focal) |
|
2023-07-20 19:38:38 |
Frank Heimes |
nominated for series |
|
Ubuntu Jammy |
|
2023-07-20 19:38:38 |
Frank Heimes |
bug task added |
|
gp-saml-gui (Ubuntu Jammy) |
|
2023-07-20 19:38:38 |
Frank Heimes |
nominated for series |
|
Ubuntu Mantic |
|
2023-07-20 19:38:38 |
Frank Heimes |
bug task added |
|
gp-saml-gui (Ubuntu Mantic) |
|
2023-07-20 19:41:30 |
Frank Heimes |
intel: status |
New |
Confirmed |
|
2023-07-20 19:41:40 |
Shane McKee |
gp-saml-gui (Ubuntu Lunar): assignee |
|
Shane McKee (mckeesh) |
|
2023-07-20 19:41:46 |
Shane McKee |
gp-saml-gui (Ubuntu Focal): assignee |
|
Shane McKee (mckeesh) |
|
2023-07-20 19:41:52 |
Shane McKee |
gp-saml-gui (Ubuntu Jammy): assignee |
|
Shane McKee (mckeesh) |
|
2023-07-20 20:55:33 |
Bun K Tan |
information type |
Private |
Public |
|
2023-07-27 01:13:23 |
Shane McKee |
description |
When using 'gp-saml-gui' in order to connect to the Palo Alto Global Protect (PAGP) VPN, 'gp-saml-gui' hangs after a successful authentication.
This appears to be due to bug in 'gp-saml-gui' which was triggered as a result of server-side changes in PAGP;
'gp-saml-gui' expects the HTTP headers returned by the PAGP server to be in lowercase format, but the headers are being returned in mixed-case format.
The HTTP specification requires headers to be interpreted in a case-insensitive manner.
This upstream patch in 'gp-saml-gui' fixes the issue: https://github.com/dlenski/gp-saml-gui/commit/085d3276e17e1094e22e5d49545e273147598eb4
Manually applying the change in the patch to my system fixes the issue.
Without applying the patch, 'gp-saml-gui' cannot connect to the VPN server and is thus broken.
This bug appears to fall under the Stable Release Update (SRU) criteria of a "High-impact bug", because an update needs to be applied to the package due to a change in the PAGP VPN server which causes the current version to cease working.
I therefore request that the aforementioned patch be applied to the stable 'gp-saml-gui' package. |
SRU justification:
[ Impact ]
While trying to connect to the Palo Alto Global Protect (PAGP) VPN, gp-saml-gui hangs after authentication. Additionally, gp-saml-gui is not even available for 20.04 LTS users.
This fixes the first issue by backporting the following patch to each version of this package:
https://github.com/dlenski/gp-saml-gui/commit/085d3276e17e1094e22e5d49545e273147598eb4
gp-saml-gui expects lowercase HTTP headers, so this patch allows gp-saml-gui to handle mixed-case headers as well.
It fixes the second issue by creating a gp-saml-gui focal package.
[ Test Plan ]
Assumptions:
1. User has gp-saml-gui installed
2. User has valid PEM-encoded client certificate at '~/.cert/certificate.pem' and PEM-encoded client certificate private key at '~/.cert/vpn-priv-key-plain.pem'
3. Server is configured to use client certificate for authentication
4. Server is configured to also use Microsoft SAML for authentication
5. Server does not require "unsafe legacy negotiation" or user has applied appropriate workaround (see: https://github.com/dlenski/gp-saml-gui/issues/37)
6. Server is located at ${VPN_URL}
Instructions:
1. Run the following command from the shell: gp-saml-gui -g -c ~/.cert/certificate.pem --key ~/.cert/vpn-priv-key-plain.pem -S ${VPN_URL}
2. Authenticate in the pop-up window (see 'login.png'); this might consist of:
- Login e-mail
- Login password
- OTP code
3. Pop-up window changes to "Login Successful!" and stays there indefinitely (see 'login_success.png')
[ Where problems could occur ]
* The patch is pretty innocuous looking and already exists upstream, but if it breaks
functionality, it could break authentication for all current users of this package
and prevent anyone from accessing their VPNs.
* Any backport which does not take all of the preceding patches risks missing
some required patches in between.
[ Other Info ]
* focal does not yet have a gp_saml_gui package, this is the initial upload on partner request (same version different version number than jammy)
* kinetic/22.10 is ignored, because it went EOL on July 20th, 2023
* fix is the same and applies as is to all further affected Ubuntu releases
* The debhelper-compat dependency version had to be downgraded to 12 in
debian/control for Focal since that is the version we have there.
--- Original Description ---
When using 'gp-saml-gui' in order to connect to the Palo Alto Global Protect (PAGP) VPN, 'gp-saml-gui' hangs after a successful authentication.
This appears to be due to bug in 'gp-saml-gui' which was triggered as a result of server-side changes in PAGP;
'gp-saml-gui' expects the HTTP headers returned by the PAGP server to be in lowercase format, but the headers are being returned in mixed-case format.
The HTTP specification requires headers to be interpreted in a case-insensitive manner.
This upstream patch in 'gp-saml-gui' fixes the issue: https://github.com/dlenski/gp-saml-gui/commit/085d3276e17e1094e22e5d49545e273147598eb4
Manually applying the change in the patch to my system fixes the issue.
Without applying the patch, 'gp-saml-gui' cannot connect to the VPN server and is thus broken.
This bug appears to fall under the Stable Release Update (SRU) criteria of a "High-impact bug", because an update needs to be applied to the package due to a change in the PAGP VPN server which causes the current version to cease working.
I therefore request that the aforementioned patch be applied to the stable 'gp-saml-gui' package. |
|
2023-07-27 16:11:28 |
Shane McKee |
attachment added |
|
debdiffs.tar.xz https://bugs.launchpad.net/intel/+bug/2026771/+attachment/5688865/+files/debdiffs.tar.xz |
|
2023-07-27 16:55:29 |
Frank Heimes |
bug |
|
|
added subscriber Frank Heimes |
2023-07-27 16:58:36 |
Frank Heimes |
description |
SRU justification:
[ Impact ]
While trying to connect to the Palo Alto Global Protect (PAGP) VPN, gp-saml-gui hangs after authentication. Additionally, gp-saml-gui is not even available for 20.04 LTS users.
This fixes the first issue by backporting the following patch to each version of this package:
https://github.com/dlenski/gp-saml-gui/commit/085d3276e17e1094e22e5d49545e273147598eb4
gp-saml-gui expects lowercase HTTP headers, so this patch allows gp-saml-gui to handle mixed-case headers as well.
It fixes the second issue by creating a gp-saml-gui focal package.
[ Test Plan ]
Assumptions:
1. User has gp-saml-gui installed
2. User has valid PEM-encoded client certificate at '~/.cert/certificate.pem' and PEM-encoded client certificate private key at '~/.cert/vpn-priv-key-plain.pem'
3. Server is configured to use client certificate for authentication
4. Server is configured to also use Microsoft SAML for authentication
5. Server does not require "unsafe legacy negotiation" or user has applied appropriate workaround (see: https://github.com/dlenski/gp-saml-gui/issues/37)
6. Server is located at ${VPN_URL}
Instructions:
1. Run the following command from the shell: gp-saml-gui -g -c ~/.cert/certificate.pem --key ~/.cert/vpn-priv-key-plain.pem -S ${VPN_URL}
2. Authenticate in the pop-up window (see 'login.png'); this might consist of:
- Login e-mail
- Login password
- OTP code
3. Pop-up window changes to "Login Successful!" and stays there indefinitely (see 'login_success.png')
[ Where problems could occur ]
* The patch is pretty innocuous looking and already exists upstream, but if it breaks
functionality, it could break authentication for all current users of this package
and prevent anyone from accessing their VPNs.
* Any backport which does not take all of the preceding patches risks missing
some required patches in between.
[ Other Info ]
* focal does not yet have a gp_saml_gui package, this is the initial upload on partner request (same version different version number than jammy)
* kinetic/22.10 is ignored, because it went EOL on July 20th, 2023
* fix is the same and applies as is to all further affected Ubuntu releases
* The debhelper-compat dependency version had to be downgraded to 12 in
debian/control for Focal since that is the version we have there.
--- Original Description ---
When using 'gp-saml-gui' in order to connect to the Palo Alto Global Protect (PAGP) VPN, 'gp-saml-gui' hangs after a successful authentication.
This appears to be due to bug in 'gp-saml-gui' which was triggered as a result of server-side changes in PAGP;
'gp-saml-gui' expects the HTTP headers returned by the PAGP server to be in lowercase format, but the headers are being returned in mixed-case format.
The HTTP specification requires headers to be interpreted in a case-insensitive manner.
This upstream patch in 'gp-saml-gui' fixes the issue: https://github.com/dlenski/gp-saml-gui/commit/085d3276e17e1094e22e5d49545e273147598eb4
Manually applying the change in the patch to my system fixes the issue.
Without applying the patch, 'gp-saml-gui' cannot connect to the VPN server and is thus broken.
This bug appears to fall under the Stable Release Update (SRU) criteria of a "High-impact bug", because an update needs to be applied to the package due to a change in the PAGP VPN server which causes the current version to cease working.
I therefore request that the aforementioned patch be applied to the stable 'gp-saml-gui' package. |
SRU Justification:
[ Impact ]
While trying to connect to the Palo Alto Global Protect (PAGP) VPN, gp-saml-gui hangs after authentication. Additionally, gp-saml-gui is not even available for 20.04 LTS users.
This fixes the first issue by backporting the following patch to each version of this package:
https://github.com/dlenski/gp-saml-gui/commit/085d3276e17e1094e22e5d49545e273147598eb4
gp-saml-gui expects lowercase HTTP headers, so this patch allows gp-saml-gui to handle mixed-case headers as well.
It fixes the second issue by creating a gp-saml-gui focal package.
[ Test Plan ]
Assumptions:
1. User has gp-saml-gui installed
2. User has valid PEM-encoded client certificate at '~/.cert/certificate.pem' and PEM-encoded client certificate private key at '~/.cert/vpn-priv-key-plain.pem'
3. Server is configured to use client certificate for authentication
4. Server is configured to also use Microsoft SAML for authentication
5. Server does not require "unsafe legacy negotiation" or user has applied appropriate workaround (see: https://github.com/dlenski/gp-saml-gui/issues/37)
6. Server is located at ${VPN_URL}
Instructions:
1. Run the following command from the shell: gp-saml-gui -g -c ~/.cert/certificate.pem --key ~/.cert/vpn-priv-key-plain.pem -S ${VPN_URL}
2. Authenticate in the pop-up window (see 'login.png'); this might consist of:
- Login e-mail
- Login password
- OTP code
3. Pop-up window changes to "Login Successful!" and stays there indefinitely (see 'login_success.png')
[ Where problems could occur ]
* The patch is pretty innocuous looking and already exists upstream, but if it breaks
functionality, it could break authentication for all current users of this package
and prevent anyone from accessing their VPNs.
* Any backport which does not take all of the preceding patches risks missing
some required patches in between.
[ Other Info ]
* focal does not yet have a gp_saml_gui package, this is the initial upload on partner request (same version different version number than jammy)
* kinetic/22.10 is ignored, because it went EOL on July 20th, 2023
* fix is the same and applies as is to all further affected Ubuntu releases
* The debhelper-compat dependency version had to be downgraded to 12 in
debian/control for Focal since that is the version we have there.
--- Original Description ---
When using 'gp-saml-gui' in order to connect to the Palo Alto Global Protect (PAGP) VPN, 'gp-saml-gui' hangs after a successful authentication.
This appears to be due to bug in 'gp-saml-gui' which was triggered as a result of server-side changes in PAGP;
'gp-saml-gui' expects the HTTP headers returned by the PAGP server to be in lowercase format, but the headers are being returned in mixed-case format.
The HTTP specification requires headers to be interpreted in a case-insensitive manner.
This upstream patch in 'gp-saml-gui' fixes the issue: https://github.com/dlenski/gp-saml-gui/commit/085d3276e17e1094e22e5d49545e273147598eb4
Manually applying the change in the patch to my system fixes the issue.
Without applying the patch, 'gp-saml-gui' cannot connect to the VPN server and is thus broken.
This bug appears to fall under the Stable Release Update (SRU) criteria of a "High-impact bug", because an update needs to be applied to the package due to a change in the PAGP VPN server which causes the current version to cease working.
I therefore request that the aforementioned patch be applied to the stable 'gp-saml-gui' package. |
|
2023-07-27 17:07:00 |
Shane McKee |
attachment added |
|
debdiffs.tar.xz https://bugs.launchpad.net/intel/+bug/2026771/+attachment/5688866/+files/debdiffs.tar.xz |
|
2023-07-27 20:48:50 |
Frank Heimes |
gp-saml-gui (Ubuntu Mantic): status |
Confirmed |
In Progress |
|
2023-07-27 20:48:54 |
Frank Heimes |
gp-saml-gui (Ubuntu Lunar): status |
New |
In Progress |
|
2023-07-27 20:48:58 |
Frank Heimes |
gp-saml-gui (Ubuntu Jammy): status |
New |
In Progress |
|
2023-07-27 20:49:03 |
Frank Heimes |
gp-saml-gui (Ubuntu Focal): status |
New |
In Progress |
|
2023-07-27 20:49:05 |
Frank Heimes |
intel: status |
Confirmed |
In Progress |
|
2023-07-27 20:56:28 |
Launchpad Janitor |
gp-saml-gui (Ubuntu Mantic): status |
In Progress |
Fix Released |
|
2023-07-28 10:57:52 |
Timo Aaltonen |
gp-saml-gui (Ubuntu Lunar): status |
In Progress |
Fix Committed |
|
2023-07-28 10:57:53 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-07-28 10:57:58 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
2023-07-28 10:58:01 |
Timo Aaltonen |
tags |
|
verification-needed verification-needed-lunar |
|
2023-07-28 11:16:46 |
Timo Aaltonen |
gp-saml-gui (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2023-07-28 11:16:50 |
Timo Aaltonen |
tags |
verification-needed verification-needed-lunar |
verification-needed verification-needed-jammy verification-needed-lunar |
|
2023-07-31 08:44:17 |
Łukasz Zemczak |
gp-saml-gui (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2023-07-31 08:44:21 |
Łukasz Zemczak |
tags |
verification-needed verification-needed-jammy verification-needed-lunar |
verification-needed verification-needed-focal verification-needed-jammy verification-needed-lunar |
|
2023-08-02 00:29:37 |
Shane McKee |
attachment added |
|
debdiff_gp-saml-gui_mantic_from_gp-saml-gui_0.0~git20210909-1_to_0.0~git20210909-1ubuntu0.20.04.2.diff https://bugs.launchpad.net/intel/+bug/2026771/+attachment/5689903/+files/debdiff_gp-saml-gui_mantic_from_gp-saml-gui_0.0~git20210909-1_to_0.0~git20210909-1ubuntu0.20.04.2.diff |
|
2023-08-10 07:06:51 |
Frank Heimes |
tags |
verification-needed verification-needed-focal verification-needed-jammy verification-needed-lunar |
verification-done-jammy verification-done-lunar verification-needed verification-needed-focal |
|
2023-08-10 07:08:27 |
Frank Heimes |
tags |
verification-done-jammy verification-done-lunar verification-needed verification-needed-focal |
verification-done-jammy verification-done-lunar verification-failed-focal verification-needed verification-needed-focal |
|
2023-08-10 08:03:29 |
Frank Heimes |
attachment added |
|
debdiff_gp-saml-gui_focal_from_0.0~git20210909-1ubuntu0.20.04.1_to_0.0~git20210909-1ubuntu0.20.04.2.diff https://bugs.launchpad.net/intel/+bug/2026771/+attachment/5691405/+files/debdiff_gp-saml-gui_focal_from_0.0~git20210909-1ubuntu0.20.04.1_to_0.0~git20210909-1ubuntu0.20.04.2.diff |
|
2023-08-10 20:53:39 |
Andreas Hasenack |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-08-10 20:54:11 |
Launchpad Janitor |
gp-saml-gui (Ubuntu Lunar): status |
Fix Committed |
Fix Released |
|
2023-08-10 21:36:48 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2023-08-16 16:15:36 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-08-16 16:15:39 |
Robie Basak |
tags |
verification-done-jammy verification-done-lunar verification-failed-focal verification-needed verification-needed-focal |
verification-done-jammy verification-done-lunar verification-needed verification-needed-focal |
|
2023-08-16 16:17:18 |
Launchpad Janitor |
gp-saml-gui (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-09-14 16:03:05 |
Luís Infante da Câmara |
tags |
verification-done-jammy verification-done-lunar verification-needed verification-needed-focal |
verification-done verification-done-focal verification-done-jammy verification-done-lunar |
|
2023-09-20 06:05:17 |
Launchpad Janitor |
gp-saml-gui (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|