2023-02-09 08:14:34 |
Jonathan |
bug |
|
|
added bug |
2023-02-14 14:14:25 |
Eduardo Barretto |
bug |
|
|
added subscriber Christian Ehrhardt |
2023-02-14 14:21:30 |
Christian Ehrhardt |
bug |
|
|
added subscriber Lucas Albuquerque Medeiros de Moura |
2023-02-14 14:21:37 |
Christian Ehrhardt |
bug |
|
|
added subscriber Renan Rodrigo |
2023-02-14 14:21:45 |
Christian Ehrhardt |
bug |
|
|
added subscriber Grant Orndorff |
2023-02-14 14:23:14 |
Christian Ehrhardt |
ubuntu-advantage-tools (Ubuntu): assignee |
|
Lucas Albuquerque Medeiros de Moura (lamoura) |
|
2023-02-14 20:18:06 |
Lucas Albuquerque Medeiros de Moura |
ubuntu-advantage-tools (Ubuntu): status |
New |
Confirmed |
|
2023-03-15 23:47:36 |
Grant Orndorff |
description |
pro version: 27.13.3-18.01.1
When running:
sudo pro fix CVE-2023-0286
CVE-2023-0286: OpenSSL vulnerabilities
https://ubuntu.com/security/CVE-2023-0286
2 affected source packages are installed: openssl, openssl1.0
(1/2, 2/2) openssl, openssl1.0:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y libssl1.0.0 libssl1.1 openssl }
✔ CVE-2023-0286 is resolved.
The last line states that the CVE is resolved, but when checking it via apt policy, it is still the old version.
apt policy openssl
openssl:
Installed: 1.1.1-1ubuntu2.1~18.04.14
Candidate: 1.1.1-1ubuntu2.1~18.04.14
Version table:
*** 1.1.1-1ubuntu2.1~18.04.14 500
500 https://'an-outdated-ubuntu-mirror' bionic-updates/main amd64 Packages
(expected version is 1.1.1-1ubuntu2.1~18.04.21, from the http://security.ubuntu.com/ubuntu bionic-security/main repository)
The reason the update does not work is that the repositories the machine is subscribed to do not contain the fix.
The bug I want to file is the last line of the 'pro fix' command, being ' ✔ CVE-2023-0286 is resolved.'
This (presumably) is stated there because the apt install command was able to run successfully, but that does not mean the CVE is fixed (in this case, I had no repository in my sources.list offering the patch).
Suggestion to change that last line to: "❌ CVE-2023-0286 is not resolved."
The reason for reporting this as a security issue is the false claim of a fixed security vulnerability. |
[Impact]
In some cases, a machine may not have access to the version of a package that we assume to be available in `pro fix`. The result is that `pro fix` says "CVE-1234 is resolved" after a successful `apt install` command, even though the version with the fix was not actually installed. This is a misleading message and may lead users to believe they are safe from the given CVE when they are not.
The fix is to check the local apt-cache before trying to install a version to make sure that the candidate version is the one with the fix applied. Only then do we proceed with the `apt install` and say that the CVE is resolved.
[Test Case]
This will be covered by our full test run for u-a-t 27.14.
The specific test that covers this scenario can be inspected here:
https://github.com/canonical/ubuntu-pro-client/blob/27.14/features/fix.feature#L474
[Regression Potential]
The new code to prevent this situation is an additional check before attempting to install the update. If there is a mistake in the implementation, it could prevent `pro fix` from resolving CVEs that can be resolved.
|
2023-03-15 23:59:07 |
Grant Orndorff |
description |
[Impact]
In some cases, a machine may not have access to the version of a package that we assume to be available in `pro fix`. The result is that `pro fix` says "CVE-1234 is resolved" after a successful `apt install` command, even though the version with the fix was not actually installed. This is a misleading message and may lead users to believe they are safe from the given CVE when they are not.
The fix is to check the local apt-cache before trying to install a version to make sure that the candidate version is the one with the fix applied. Only then do we proceed with the `apt install` and say that the CVE is resolved.
[Test Case]
This will be covered by our full test run for u-a-t 27.14.
The specific test that covers this scenario can be inspected here:
https://github.com/canonical/ubuntu-pro-client/blob/27.14/features/fix.feature#L474
[Regression Potential]
The new code to prevent this situation is an additional check before attempting to install the update. If there is a mistake in the implementation, it could prevent `pro fix` from resolving CVEs that can be resolved.
|
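The pre-install check described under [Impact], as an added example that is not the ubuntu-pro-client's own code: it reads the Installed/Candidate fields from `apt-cache policy` output, compares the candidate with the build that carries the fix using a dpkg-compatible version ordering, and refuses to report the CVE as resolved when no configured repository offers that build. The sample policy output, `FIXED_VERSION` and the `fix_outcome` helper are constructed from the report above; the comparison follows dpkg's `verrevcmp()` rules (epoch, then upstream version, then Debian revision, with `~` sorting before everything).

```python
import re
# Constructed sample of `apt-cache policy openssl` output, modelled on the report above
# (the configured mirror still offers only the ~18.04.14 build).
SAMPLE_POLICY = """openssl:
  Installed: 1.1.1-1ubuntu2.1~18.04.14
  Candidate: 1.1.1-1ubuntu2.1~18.04.14
"""
FIXED_VERSION = "1.1.1-1ubuntu2.1~18.04.21"  # build carrying the CVE-2023-0286 fix (from the report)
def parse_policy(text):
    """Return (installed, candidate) from `apt-cache policy <pkg>` output."""
    fields = dict(re.findall(r"^\s*(Installed|Candidate):\s*(\S+)", text, re.M))
    return fields.get("Installed"), fields.get("Candidate")

def _order(ch):
    # dpkg character weights: '~' < end-of-string == digit (0) < letters < other characters
    return -1 if ch == "~" else 0 if ch == "" or ch.isdigit() else ord(ch) if ch.isalpha() else ord(ch) + 256

def _verrevcmp(a, b):
    # Alternate non-digit and digit runs, as dpkg's verrevcmp() does.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        ma, mb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(ma), j + len(mb)
        if int(ma or 0) != int(mb or 0):  # a missing digit run counts as 0
            return int(ma or 0) - int(mb or 0)
    return 0

def compare_versions(v1, v2):
    """dpkg --compare-versions ordering: <0 if v1 < v2, 0 if equal, >0 if v1 > v2."""
    def split(v):  # epoch before the first ':', Debian revision after the last '-'
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def fix_outcome(policy_text, fixed_version):
    """Hypothetical pre-install check: claim the CVE resolved only if a fixed build is installed or installable."""
    installed, candidate = parse_policy(policy_text)
    if installed and installed != "(none)" and compare_versions(installed, fixed_version) >= 0:
        return "already-resolved"
    if not candidate or candidate == "(none)" or compare_versions(candidate, fixed_version) < 0:
        return "not-resolved"  # no configured repository offers the fixed build; do not print the checkmark
    return "install-candidate"
```

On the reporter's mirror the candidate stays at ~18.04.14, so the check returns "not-resolved" before any `apt install` runs, instead of the misleading checkmark.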
2023-03-23 02:23:12 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu): status |
Confirmed |
Fix Released |
|
2023-03-23 12:04:49 |
Christian Ehrhardt |
information type |
Private Security |
Public Security |
|
2023-04-06 21:31:00 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Kinetic): status |
New |
Fix Committed |
|
2023-04-06 21:31:02 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-04-06 21:31:05 |
Andreas Hasenack |
bug |
|
|
added subscriber SRU Verification |
2023-04-06 21:31:10 |
Andreas Hasenack |
tags |
|
verification-needed verification-needed-kinetic |
|
2023-04-06 21:35:41 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Jammy): status |
New |
Fix Committed |
|
2023-04-06 21:35:49 |
Andreas Hasenack |
tags |
verification-needed verification-needed-kinetic |
verification-needed verification-needed-jammy verification-needed-kinetic |
|
2023-04-06 21:40:26 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Focal): status |
New |
Fix Committed |
|
2023-04-06 21:40:35 |
Andreas Hasenack |
tags |
verification-needed verification-needed-jammy verification-needed-kinetic |
verification-needed verification-needed-focal verification-needed-jammy verification-needed-kinetic |
|
2023-04-06 21:46:24 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Bionic): status |
New |
Fix Committed |
|
2023-04-06 21:46:33 |
Andreas Hasenack |
tags |
verification-needed verification-needed-focal verification-needed-jammy verification-needed-kinetic |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-kinetic |
|
2023-04-06 21:52:01 |
Andreas Hasenack |
ubuntu-advantage-tools (Ubuntu Xenial): status |
New |
Fix Committed |
|
2023-04-06 21:52:10 |
Andreas Hasenack |
tags |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-kinetic |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-kinetic verification-needed-xenial |
|
2023-04-10 17:49:17 |
Lucas Albuquerque Medeiros de Moura |
attachment added |
|
bionic-fix-result https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2006705/+attachment/5662776/+files/bionic-fix-result |
|
2023-04-10 17:49:54 |
Lucas Albuquerque Medeiros de Moura |
tags |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-kinetic verification-needed-xenial |
verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-kinetic verification-done-xenial |
|
2023-04-13 21:45:05 |
Andreas Hasenack |
tags |
verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-kinetic verification-done-xenial |
verification-done verification-done-bionic verification-needed-focal verification-needed-jammy verification-needed-kinetic verification-needed-xenial |
|
2023-04-14 17:50:17 |
Lucas Albuquerque Medeiros de Moura |
cve linked |
|
2020-26262 |
|
2023-04-14 17:50:17 |
Lucas Albuquerque Medeiros de Moura |
cve linked |
|
2023-1326 |
|
2023-04-14 17:50:17 |
Lucas Albuquerque Medeiros de Moura |
attachment added |
|
test-2006705.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2006705/+attachment/5664093/+files/test-2006705.tar.xz |
|
2023-04-18 14:33:23 |
Grant Orndorff |
attachment added |
|
verification-2006705.tar.gz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2006705/+attachment/5665028/+files/verification-2006705.tar.gz |
|
2023-04-18 14:33:38 |
Grant Orndorff |
tags |
verification-done verification-done-bionic verification-needed-focal verification-needed-jammy verification-needed-kinetic verification-needed-xenial |
verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-kinetic verification-done-xenial |
|
2023-04-19 01:31:25 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2023-04-19 01:32:08 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-04-19 01:32:48 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2023-04-19 01:33:17 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2023-04-19 01:33:44 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-04-19 01:34:12 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|