Ubuntu
s390-tools package

Bug #1990520
Activity log

Activity log for bug #1990520

Date	Who	What changed	Old value	New value	Message
2022-09-22 11:39:18	bugproxy	bug			added bug
2022-09-22 11:39:20	bugproxy	tags		architecture-s39064 bugnameltc-197607 severity-high targetmilestone-inin---
2022-09-22 11:39:21	bugproxy	ubuntu: assignee		Skipper Bug Screeners (skipper-screen-team)
2022-09-22 11:39:25	bugproxy	affects	ubuntu	linux (Ubuntu)
2022-09-22 11:46:11	Frank Heimes	affects	linux (Ubuntu)	s390-tools (Ubuntu)
2022-09-22 11:46:21	Frank Heimes	bug task added		ubuntu-z-systems
2022-09-22 11:46:32	Frank Heimes	bug task added		s390-tools-signed (Ubuntu)
2022-09-22 11:46:52	Frank Heimes	ubuntu-z-systems: assignee		Skipper Bug Screeners (skipper-screen-team)
2022-09-22 11:46:59	Frank Heimes	ubuntu-z-systems: importance	Undecided	High
2022-09-23 19:33:01	Dan Bungert	tags	architecture-s39064 bugnameltc-197607 severity-high targetmilestone-inin---	architecture-s39064 bugnameltc-197607 foundations-triage-discuss severity-high targetmilestone-inin---
2022-09-27 14:39:30	Frank Heimes	attachment added		debdiffs.tgz https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1990520/+attachment/5619462/+files/debdiffs.tgz
2022-09-27 14:39:44	Frank Heimes	s390-tools-signed (Ubuntu): status	New	In Progress
2022-09-27 14:39:49	Frank Heimes	s390-tools (Ubuntu): status	New	In Progress
2022-09-27 14:39:52	Frank Heimes	ubuntu-z-systems: status	New	In Progress
2022-09-27 16:25:51	Ubuntu Foundations Team Bug Bot	tags	architecture-s39064 bugnameltc-197607 foundations-triage-discuss severity-high targetmilestone-inin---	architecture-s39064 bugnameltc-197607 foundations-triage-discuss patch severity-high targetmilestone-inin---
2022-09-27 16:26:00	Ubuntu Foundations Team Bug Bot	bug			added subscriber Ubuntu Review Team
2022-09-27 16:37:12	Frank Heimes	description	Description: zkey: Fix re-enciphering of EP11 identity key of KMIP plugin Symptom: When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid. Problem: The re-enciphered secure key is not copied back into the key token buffer. Also, the the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI) structure must also be re-enciphered (i.e. re-MACed), since the MAC is calculated with the EP11 master key. Solution: Copy the re-enciphered secure key back into the key token buffer, and also re-encipher the public key part. Reproduction: Perform a master key change on the EP11 APQNs used with the KMIP plugin. Problem-ID: 197605 Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397 Preventive: yes Date: 2022-04-08 Author: Ingo Franzki <ifranzki@linux.ibm.com> Component: s390-tools == Comment: #1 - Ingo Franzki <ifranzki@de.ibm.com> - 2022-04-08 09:57:45 == Upstream commit: https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397	SRU Justification: ------------------ [ Impact ] * When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. * A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid. * The re-enciphered secure key is not copied back into the key token buffer. * Also, the the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI) structure must also be re-enciphered (i.e. re-MACed), since the MAC is calculated with the EP11 master key. [ Fix ] * 4e2ebe03 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397 "libseckey: Fix re-enciphering of EP11 secure key" [ Test Plan ] * An Ubuntu Server 22.04 for s390x installation with a CryptoExpress adapter in EP11 mode and at least one available/online domain is needed. * Perform a master key change on the EP11 APQNs used with the KMIP plugin. * The is done indirectly, via libkmipclient, a shared library that provides the KMIP client to communicate with an KMIP server. * Test will be done by IBM. [ Where problems could occur ] * The memcpy, at the beginning and/or at the end or the inserted code could be wrong, and copy wrong contents. * The newly introduced 're-encipher MACed SPKI' code can be erroneous, which may lead to a non working fix. * The calculation and handling of the length which could lead to a broken cmdblock. * Problems could occur in case the re-encryption is done with a different master key compared to the initial encryption, even though if this should be caught as 'CKR_IBM_WKID_MISMATCH'. [ Other Info ] * The s390-tools version v2.23 in kinetic already incl. this fix, hence it's not affected, nor versions for Ubuntu releases (in service) older than jammy are affected. __________ Description: zkey: Fix re-enciphering of EP11 identity key of KMIP plugin Symptom: When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid. Problem: The re-enciphered secure key is not copied back into the key token buffer. Also, the the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI) structure must also be re-enciphered (i.e. re-MACed), since the MAC is calculated with the EP11 master key. Solution: Copy the re-enciphered secure key back into the key token buffer, and also re-encipher the public key part. Reproduction: Perform a master key change on the EP11 APQNs used with the KMIP plugin. Problem-ID: 197605 Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397 Preventive: yes Date: 2022-04-08 Author: Ingo Franzki <ifranzki@linux.ibm.com> Component: s390-tools == Comment: #1 - Ingo Franzki <ifranzki@de.ibm.com> - 2022-04-08 09:57:45 == Upstream commit: https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
2022-09-29 15:31:07	Julian Andres Klode	bug			added subscriber Ubuntu Foundations Bugs
2022-09-29 15:31:13	Julian Andres Klode	tags	architecture-s39064 bugnameltc-197607 foundations-triage-discuss patch severity-high targetmilestone-inin---	architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin---
2022-09-29 15:31:38	Julian Andres Klode	s390-tools (Ubuntu): importance	Undecided	High
2022-09-29 15:31:39	Julian Andres Klode	s390-tools-signed (Ubuntu): importance	Undecided	High
2022-10-11 13:21:49	Simon Chopin	nominated for series		Ubuntu Jammy
2022-10-11 13:21:49	Simon Chopin	bug task added		s390-tools (Ubuntu Jammy)
2022-10-11 13:21:49	Simon Chopin	bug task added		s390-tools-signed (Ubuntu Jammy)
2022-10-11 13:21:58	Simon Chopin	s390-tools (Ubuntu Jammy): status	New	Confirmed
2022-10-11 13:22:01	Simon Chopin	s390-tools-signed (Ubuntu Jammy): status	New	Confirmed
2022-10-11 13:22:06	Simon Chopin	s390-tools (Ubuntu Jammy): status	Confirmed	Triaged
2022-10-11 13:22:07	Simon Chopin	s390-tools-signed (Ubuntu Jammy): status	Confirmed	Triaged
2022-10-11 13:22:10	Simon Chopin	s390-tools (Ubuntu): status	In Progress	Fix Released
2022-10-11 13:22:12	Simon Chopin	s390-tools-signed (Ubuntu): status	In Progress	Fix Released
2022-10-11 13:22:16	Simon Chopin	s390-tools (Ubuntu Jammy): importance	Undecided	High
2022-10-11 13:22:18	Simon Chopin	s390-tools-signed (Ubuntu Jammy): importance	Undecided	High
2022-11-07 15:23:33	Julian Andres Klode	s390-tools-signed (Ubuntu): assignee		Skipper Bug Screeners (skipper-screen-team)
2022-12-02 00:45:59	Łukasz Zemczak	s390-tools (Ubuntu Jammy): status	Triaged	Fix Committed
2022-12-02 00:46:01	Łukasz Zemczak	bug			added subscriber Ubuntu Stable Release Updates Team
2022-12-02 00:46:02	Łukasz Zemczak	bug			added subscriber SRU Verification
2022-12-02 00:46:06	Łukasz Zemczak	tags	architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin---	architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin--- verification-needed verification-needed-jammy
2022-12-02 00:49:45	Łukasz Zemczak	s390-tools-signed (Ubuntu Jammy): status	Triaged	Fix Committed
2022-12-05 09:40:17	bugproxy	tags	architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin--- verification-needed verification-needed-jammy	architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin--- verification-done verification-done-jammy
2022-12-05 10:50:25	Frank Heimes	ubuntu-z-systems: status	In Progress	Fix Committed
2023-01-05 10:29:45	bugproxy	tags	architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin--- verification-done verification-done-jammy	architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin2204 verification-done verification-done-jammy
2023-01-10 19:46:41	Launchpad Janitor	s390-tools (Ubuntu Jammy): status	Fix Committed	Fix Released
2023-01-10 19:46:49	Launchpad Janitor	s390-tools-signed (Ubuntu Jammy): status	Fix Committed	Fix Released
2023-01-10 19:47:05	Brian Murray	removed subscriber Ubuntu Stable Release Updates Team
2023-01-10 20:22:42	Frank Heimes	ubuntu-z-systems: status	Fix Committed	Fix Released
2023-06-02 15:33:17	Benjamin Drung	tags	architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin2204 verification-done verification-done-jammy	architecture-s39064 bugnameltc-197607 patch severity-high targetmilestone-inin2204 verification-done verification-done-jammy
2024-01-02 10:35:14	Benjamin Drung	removed subscriber Ubuntu Foundations Bugs

Ubuntus390-tools package

Activity log for bug #1990520

Ubuntu
s390-tools package