Activity log for bug #1980095

Date Who What changed Old value New value Message
2022-06-28 13:55:22 Andreas Hasenack bug added bug
2022-06-28 14:14:15 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/nfs-utils/+git/nfs-utils/+merge/425667
2022-06-30 10:04:31 Launchpad Janitor nfs-utils (Ubuntu): status In Progress Fix Released
2022-08-03 16:56:00 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/nfs-utils/+git/nfs-utils/+merge/427771
2022-08-03 17:12:10 Andreas Hasenack description $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code. [Impact] * An explanation of the effects of the bug on users and * justification for backporting the fix to the stable release. * In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug. [Test Plan] * detailed instructions how to reproduce the bug * these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem. * if other testing is appropriate to perform before landing this update, this should also be described here. [Where problems could occur] * Think about what the upload changes in the software. Imagine the change is wrong or breaks something else: how would this show up? * It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This must '''never''' be "None" or "Low", or entirely an argument as to why your upload is low risk. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. 
[Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code.
2022-08-03 17:27:17 Andreas Hasenack description [Impact] * An explanation of the effects of the bug on users and * justification for backporting the fix to the stable release. * In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug. [Test Plan] * detailed instructions how to reproduce the bug * these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem. * if other testing is appropriate to perform before landing this update, this should also be described here. [Where problems could occur] * Think about what the upload changes in the software. Imagine the change is wrong or breaks something else: how would this show up? * It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This must '''never''' be "None" or "Low", or entirely an argument as to why your upload is low risk. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. 
[Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code. [Impact] Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened. Check that link[1] for: - "Built with Fortify Source" - "Built with BIND_NOW" 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening [Test Plan] The test plan is to inspect the build logs and verify hardening was applied. In particular: - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage) [Where problems could occur] This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data. 
[Other Info] I cleared[2] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745. 2. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39 [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code.
2022-08-03 17:27:36 Andreas Hasenack description [Impact] Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened. Check that link[1] for: - "Built with Fortify Source" - "Built with BIND_NOW" 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening [Test Plan] The test plan is to inspect the build logs and verify hardening was applied. In particular: - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage) [Where problems could occur] This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data. [Other Info] I cleared[2] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745. 2. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39 [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code. 
[Impact] Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle. Check that link[1] for: - "Built with Fortify Source" - "Built with BIND_NOW" 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening [Test Plan] The test plan is to inspect the build logs and verify hardening was applied. In particular: - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage) [Where problems could occur] This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data. [Other Info] I cleared[2] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745. 2. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39 [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code.
2022-08-03 17:27:49 Andreas Hasenack nominated for series Ubuntu Jammy
2022-08-03 17:27:49 Andreas Hasenack bug task added nfs-utils (Ubuntu Jammy)
2022-08-03 17:28:08 Andreas Hasenack nfs-utils (Ubuntu Jammy): status New In Progress
2022-08-03 17:28:10 Andreas Hasenack nfs-utils (Ubuntu Jammy): assignee Andreas Hasenack (ahasenack)
2022-08-03 17:32:47 Andreas Hasenack description [Impact] Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle. Check that link[1] for: - "Built with Fortify Source" - "Built with BIND_NOW" 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening [Test Plan] The test plan is to inspect the build logs and verify hardening was applied. In particular: - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage) [Where problems could occur] This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data. [Other Info] I cleared[2] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745. 2. 
https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39 [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code. [Impact] Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle. Check that link[1] for: - "Built with Fortify Source" - "Built with BIND_NOW" [Test Plan] The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular: - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage) [Where problems could occur] This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data. [Other Info] I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745. 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening 2. 
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1 1ubuntu1/+build/23229868 3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39 [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code.
2022-08-03 17:33:09 Andreas Hasenack description [Impact] Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle. Check that link[1] for: - "Built with Fortify Source" - "Built with BIND_NOW" [Test Plan] The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular: - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage) [Where problems could occur] This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data. [Other Info] I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745. 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening 2. https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1 1ubuntu1/+build/23229868 3. 
https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39 [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code. [Impact] Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle. Check that link[1] for: - "Built with Fortify Source" - "Built with BIND_NOW" [Test Plan] The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular: - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage) [Where problems could occur] This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data. [Other Info] I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745. 1. 
https://wiki.ubuntu.com/Security/Features#Userspace_Hardening https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/232298683. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39 [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code.
2022-08-03 17:33:20 Andreas Hasenack description [Impact] Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle. Check that link[1] for: - "Built with Fortify Source" - "Built with BIND_NOW" [Test Plan] The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular: - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage) [Where problems could occur] This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data. [Other Info] I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745. 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/232298683. 
https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39 [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code. [Impact] Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle. Check that link[1] for: - "Built with Fortify Source" - "Built with BIND_NOW" [Test Plan] The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular: - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage) [Where problems could occur] This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data. [Other Info] I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745. 1. 
https://wiki.ubuntu.com/Security/Features#Userspace_Hardening https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868 3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39 [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code.
2022-08-03 17:35:14 Andreas Hasenack description [Impact] Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle. Check that link[1] for: - "Built with Fortify Source" - "Built with BIND_NOW" [Test Plan] The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular: - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage) [Where problems could occur] This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data. [Other Info] I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745. 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868 3. 
https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39 [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code. [Impact] Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle. Check that link[1] for: - "Built with Fortify Source" - "Built with BIND_NOW" [Test Plan] The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular: - verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before (Note: old jammy build logs do show this define being used already, unsure why lintian complained back then) - verify that -Wl,-z,now is being used now, and it wasn't before (linker stage) [Where problems could occur] This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data. 
[Other Info] I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745. 1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868 3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39 [Original Description] $ grep hardening ../lintian.log I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so] I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so] I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so] It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10 But we lost it when src:nfs-utils incorporated the libnfsidmap code.
2022-08-03 18:02:31 Andreas Hasenack description

Old value:

[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle. Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"

[Test Plan]
The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before (Note: old jammy build logs do show this define being used already, unsure why lintian complained back then)
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)

[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.

[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.

1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39

[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]

It was there before when we had src:libnfsidmap:
https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10

But we lost it when src:nfs-utils incorporated the libnfsidmap code.

New value:

[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle. Check that link[1] for "Built with BIND_NOW".

[Test Plan]
The test plan is to inspect the build logs(old logs at [2]) and verify hardening was applied. In particular:
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)

Another way to check is to run hardening-check, from the ubuntu-dev-tools package, on each binary object from the package, and verify that "Immediate binding" changed from "no" (previous package) to "yes":

$ for n in $(dpkg -L libnfsidmap1 | grep \\.so); do hardening-check $n > $(basename $n).txt; done
$ for n in $(dpkg -L nfs-common|grep bin/); do hardening-check $n > $(basename $n).txt; done
$ for n in $(dpkg -L nfs-kernel-server|grep bin/); do hardening-check $n > $(basename $n).txt; done
$ grep Immediate *.txt
blkmapd.txt: Immediate binding: yes
exportfs.txt: Immediate binding: yes
libnfsidmap.so.1.0.0.txt: Immediate binding: yes
libnfsidmap.so.1.txt: Immediate binding: yes
mount.nfs.txt: Immediate binding: yes
mount.nfs4.txt: Immediate binding: yes
nfsconf.txt: Immediate binding: yes
nfsdcld.txt: Immediate binding: yes
nfsdcltrack.txt: Immediate binding: yes
nfsidmap.txt: Immediate binding: yes
nfsstat.txt: Immediate binding: yes
nsswitch.so.txt: Immediate binding: yes
rpc.gssd.txt: Immediate binding: yes
rpc.idmapd.txt: Immediate binding: yes
rpc.mountd.txt: Immediate binding: yes
rpc.nfsd.txt: Immediate binding: yes
rpc.statd.txt: Immediate binding: yes
rpc.svcgssd.txt: Immediate binding: yes
rpcdebug.txt: Immediate binding: yes
showmount.txt: Immediate binding: yes
sm-notify.txt: Immediate binding: yes
static.so.txt: Immediate binding: yes
umich_ldap.so.txt: Immediate binding: yes
umount.nfs.txt: Immediate binding: yes
umount.nfs4.txt: Immediate binding: yes

[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.

[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.

1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39

[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]

It was there before when we had src:libnfsidmap:
https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10

But we lost it when src:nfs-utils incorporated the libnfsidmap code.

2022-08-19 23:44:51 Steve Langasek nfs-utils (Ubuntu Jammy): status In Progress Incomplete
2022-08-20 14:37:55 Andreas Hasenack bug added subscriber Steve Beattie
2022-09-14 17:35:19 Launchpad Janitor merge proposal unlinked https://code.launchpad.net/~ahasenack/ubuntu/+source/nfs-utils/+git/nfs-utils/+merge/427771
2022-09-14 17:38:16 Andreas Hasenack nfs-utils (Ubuntu Jammy): status Incomplete Won't Fix
2023-02-19 19:20:53 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/nfs-utils/+git/nfs-utils/+merge/437544
2023-02-20 00:03:00 Andreas Hasenack merge proposal unlinked https://code.launchpad.net/~ahasenack/ubuntu/+source/nfs-utils/+git/nfs-utils/+merge/437544
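
The "Immediate binding" result that the test plan in this log checks for is a property recorded in each object's ELF dynamic section when it is linked with -Wl,-z,now. The following is an added example, not part of the bug report or of nfs-utils: it reads that property directly from a file, handles only little-endian ELF64 (an assumption matching the x86_64 paths in the lintian output), and its `make_sample` helper builds constructed inputs rather than real binaries.

```python
import struct
import sys

# Constants from the ELF gABI / glibc <elf.h>.
PT_DYNAMIC = 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8  # bit in the DT_FLAGS value
DF_1_NOW = 0x1     # bit in the DT_FLAGS_1 value


def immediate_binding(elf: bytes) -> str:
    """Return 'yes', 'no' or 'not dynamic' for a little-endian ELF64 image."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    try:
        (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
        for i in range(e_phnum):
            base = e_phoff + i * e_phentsize
            p_type, _p_flags, p_offset = struct.unpack_from("<IIQ", elf, base)
            (p_filesz,) = struct.unpack_from("<Q", elf, base + 0x20)
            if p_type != PT_DYNAMIC:
                continue
            # Walk the Elf64_Dyn array: (d_tag, d_val) pairs, DT_NULL ends it.
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", elf, off)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW
                        or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    return "yes"
            return "no"
    except struct.error:
        raise ValueError("truncated ELF file") from None
    return "not dynamic"  # no PT_DYNAMIC segment, e.g. a static binary


def audit(paths):
    """Map each path to its immediate-binding status, skipping non-ELF files."""
    report = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            report[path] = immediate_binding(data)
        except ValueError as exc:
            report[path] = f"skipped ({exc})"
    return report


def make_sample(dyn_entries):
    """Constructed input: ELF64 header, one PT_DYNAMIC phdr, dynamic table."""
    dyn = b"".join(struct.pack("<qQ", tag, val)
                   for tag, val in list(dyn_entries) + [(DT_NULL, 0)])
    ehdr = struct.pack(
        "<4sBBBB8xHHIQQQIHHHHHH",
        b"\x7fELF", 2, 1, 1, 0,  # magic, ELFCLASS64, little-endian, version, ABI
        3, 62, 1,                # ET_DYN, EM_X86_64, EV_CURRENT
        0, 64, 0,                # e_entry, e_phoff, e_shoff
        0, 64, 56, 1, 0, 0, 0)   # e_flags, ehsize, phentsize, phnum, sh* fields
    # The dynamic table sits right after the 64-byte header and 56-byte phdr.
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 120, 120,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    # Usage: python3 bindnow.py FILE...   (e.g. the files listed by dpkg -L)
    results = audit(sys.argv[1:])
    for path, status in results.items():
        print(f"{path}: Immediate binding: {status}")
    sys.exit(1 if "no" in results.values() else 0)
```

Run against the files of the previous and the rebuilt package, a non-zero exit status marks any object still linked with lazy binding.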