2022-06-28 13:55:22 |
Andreas Hasenack |
bug |
|
|
added bug |
2022-06-28 14:14:15 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/nfs-utils/+git/nfs-utils/+merge/425667 |
|
2022-06-30 10:04:31 |
Launchpad Janitor |
nfs-utils (Ubuntu): status |
In Progress |
Fix Released |
|
2022-08-03 16:56:00 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/nfs-utils/+git/nfs-utils/+merge/427771 |
|
2022-08-03 17:12:10 |
Andreas Hasenack |
description |
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Plan]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[Where problems could occur]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
|
2022-08-03 17:27:17 |
Andreas Hasenack |
description |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Plan]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
* if other testing is appropriate to perform before landing this update,
this should also be described here.
[Where problems could occur]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
[Test Plan]
The test plan is to inspect the build logs and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[2] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
2. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
|
2022-08-03 17:27:36 |
Andreas Hasenack |
description |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
[Test Plan]
The test plan is to inspect the build logs and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[2] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
2. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
[Test Plan]
The test plan is to inspect the build logs and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[2] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
2. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
|
2022-08-03 17:27:49 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Jammy |
|
2022-08-03 17:27:49 |
Andreas Hasenack |
bug task added |
|
nfs-utils (Ubuntu Jammy) |
|
2022-08-03 17:28:08 |
Andreas Hasenack |
nfs-utils (Ubuntu Jammy): status |
New |
In Progress |
|
2022-08-03 17:28:10 |
Andreas Hasenack |
nfs-utils (Ubuntu Jammy): assignee |
|
Andreas Hasenack (ahasenack) |
|
2022-08-03 17:32:47 |
Andreas Hasenack |
description |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
[Test Plan]
The test plan is to inspect the build logs and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[2] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
2. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
[Test Plan]
The test plan is to inspect the build logs (old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
2. https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1 1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
|
2022-08-03 17:33:09 |
Andreas Hasenack |
description |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
[Test Plan]
The test plan is to inspect the build logs (old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
2. https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1 1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
[Test Plan]
The test plan is to inspect the build logs (old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/232298683. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
|
2022-08-03 17:33:20 |
Andreas Hasenack |
description |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
[Test Plan]
The test plan is to inspect the build logs (old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/232298683. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
[Test Plan]
The test plan is to inspect the build logs (old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
|
2022-08-03 17:35:14 |
Andreas Hasenack |
description |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
[Test Plan]
The test plan is to inspect the build logs (old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
[Test Plan]
The test plan is to inspect the build logs (old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before (Note: old jammy build logs do show this define being used already, unsure why lintian complained back then)
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
|
2022-08-03 18:02:31 |
Andreas Hasenack |
description |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
Check that link[1] for:
- "Built with Fortify Source"
- "Built with BIND_NOW"
[Test Plan]
The test plan is to inspect the build logs (old logs at [2]) and verify hardening was applied. In particular:
- verify that -D_FORTIFY_SOURCE=2 is being used now, and it wasn't before (Note: old jammy build logs do show this define being used already, unsure why lintian complained back then)
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
[Impact]
Hardening build flags are an integral part of Ubuntu security[1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
Check that link[1] for "Built with BIND_NOW".
[Test Plan]
The test plan is to inspect the build logs (old logs at [2]) and verify hardening was applied. In particular:
- verify that -Wl,-z,now is being used now, and it wasn't before (linker stage)
Another way to check is to run hardening-check, from the ubuntu-dev-tools package, on each binary object from the package, and verify that "Immediate binding" changed from "no" (previous package) to "yes":
$ for n in $(dpkg -L libnfsidmap1 | grep \\.so); do hardening-check $n > $(basename $n).txt; done
$ for n in $(dpkg -L nfs-common|grep bin/); do hardening-check $n > $(basename $n).txt; done
$ for n in $(dpkg -L nfs-kernel-server|grep bin/); do hardening-check $n > $(basename $n).txt; done
$ grep Immediate *.txt
blkmapd.txt: Immediate binding: yes
exportfs.txt: Immediate binding: yes
libnfsidmap.so.1.0.0.txt: Immediate binding: yes
libnfsidmap.so.1.txt: Immediate binding: yes
mount.nfs.txt: Immediate binding: yes
mount.nfs4.txt: Immediate binding: yes
nfsconf.txt: Immediate binding: yes
nfsdcld.txt: Immediate binding: yes
nfsdcltrack.txt: Immediate binding: yes
nfsidmap.txt: Immediate binding: yes
nfsstat.txt: Immediate binding: yes
nsswitch.so.txt: Immediate binding: yes
rpc.gssd.txt: Immediate binding: yes
rpc.idmapd.txt: Immediate binding: yes
rpc.mountd.txt: Immediate binding: yes
rpc.nfsd.txt: Immediate binding: yes
rpc.statd.txt: Immediate binding: yes
rpc.svcgssd.txt: Immediate binding: yes
rpcdebug.txt: Immediate binding: yes
showmount.txt: Immediate binding: yes
sm-notify.txt: Immediate binding: yes
static.so.txt: Immediate binding: yes
umich_ldap.so.txt: Immediate binding: yes
umount.nfs.txt: Immediate binding: yes
umount.nfs4.txt: Immediate binding: yes
[Where problems could occur]
This is rebuilding a package with new compiler flags, even though they were there before. Regressions for such cases are either very quickly caught, or only when a bigger user base tries the changes out. In the case of nfs, it seems worth the risk, since it's a privileged service that deals with network data.
[Other Info]
I cleared[3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https://wiki.ubuntu.com/Security/Features#Userspace_Hardening
https://launchpad.net/ubuntu/+source/nfs-utils/1:2.6.1-1ubuntu1/+build/23229868
3. https://irclogs.ubuntu.com/2022/08/03/%23ubuntu-security.html#t14:39
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap.so.1.0.0]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/static.so]
I: libnfsidmap1: hardening-no-bindnow [usr/lib/x86_64-linux-gnu/libnfsidmap/umich_ldap.so]
I: libnfsidmap-regex: hardening-no-fortify-functions [usr/lib/x86_64-linux-gnu/libnfsidmap/regex.so]
It was there before when we had src:libnfsidmap: https://git.launchpad.net/ubuntu/+source/libnfsidmap/tree/debian/rules#n10
But we lost it when src:nfs-utils incorporated the libnfsidmap code. |
|
2022-08-19 23:44:51 |
Steve Langasek |
nfs-utils (Ubuntu Jammy): status |
In Progress |
Incomplete |
|
2022-08-20 14:37:55 |
Andreas Hasenack |
bug |
|
|
added subscriber Steve Beattie |
2022-09-14 17:35:19 |
Launchpad Janitor |
merge proposal unlinked |
https://code.launchpad.net/~ahasenack/ubuntu/+source/nfs-utils/+git/nfs-utils/+merge/427771 |
|
|
2022-09-14 17:38:16 |
Andreas Hasenack |
nfs-utils (Ubuntu Jammy): status |
Incomplete |
Won't Fix |
|
2023-02-19 19:20:53 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/nfs-utils/+git/nfs-utils/+merge/437544 |
|
2023-02-20 00:03:00 |
Andreas Hasenack |
merge proposal unlinked |
https://code.launchpad.net/~ahasenack/ubuntu/+source/nfs-utils/+git/nfs-utils/+merge/437544 |
|
|
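The test plan in the description above verifies that "Immediate binding" went from "no" to "yes" once `-Wl,-z,now` reached the linker. As an added example (not part of the bug report, the nfs-utils packaging, or hardening-check), the following reads the ELF dynamic section directly and reports the markers that `-z now` leaves behind. It assumes ELF64 little-endian objects, as in the x86_64 paths in the lintian output; the function names and the two sample ELF images are constructed for illustration.

```python
import struct
import sys

# Constants from the ELF gABI / GNU extensions.
PT_DYNAMIC = 2
DT_NULL, DT_NEEDED, DT_BIND_NOW, DT_FLAGS = 0, 1, 24, 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8      # bit in DT_FLAGS
DF_1_NOW = 0x1         # bit in DT_FLAGS_1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def dynamic_entries(data):
    """Return [(tag, value), ...] from PT_DYNAMIC, or None if the object has none."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    fields = EHDR.unpack_from(data, 0)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    try:
        for i in range(e_phnum):
            ph = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
            p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
            if p_type != PT_DYNAMIC:
                continue
            if p_offset + p_filesz > len(data):
                raise ValueError("PT_DYNAMIC extends past end of file")
            entries = []
            end = p_offset + p_filesz - DYN.size + 1
            for off in range(p_offset, end, DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:      # terminator of the dynamic array
                    break
                entries.append((tag, val))
            return entries
    except struct.error as exc:
        raise ValueError("truncated ELF file") from exc
    return None


def immediate_binding(data):
    """'yes' if the object asks the loader to resolve all symbols at load time,
    'no' if it allows lazy binding, 'n/a' if it has no dynamic section."""
    entries = dynamic_entries(data)
    if entries is None:
        return "n/a"
    for tag, val in entries:
        if tag == DT_BIND_NOW:                      # legacy standalone tag
            return "yes"
        if tag == DT_FLAGS and val & DF_BIND_NOW:
            return "yes"
        if tag == DT_FLAGS_1 and val & DF_1_NOW:
            return "yes"
    return "no"


def build_sample_elf(dyn):
    """Constructed minimal ELF64 image: header, one PT_DYNAMIC phdr, dynamic array.
    Not loadable; it only carries the fields the check above reads."""
    body = b"".join(DYN.pack(t, v) for t, v in list(dyn) + [(DT_NULL, 0)])
    dyn_off = EHDR.size + PHDR.size
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 1, 0, 0, 0)
    phdr = PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                     len(body), len(body), 8)
    return ehdr + phdr + body


# Constructed stand-ins for a shared object linked without and with -z now.
SAMPLE_LAZY = build_sample_elf([(DT_NEEDED, 1)])
SAMPLE_NOW = build_sample_elf([(DT_NEEDED, 1),
                               (DT_FLAGS, DF_BIND_NOW),
                               (DT_FLAGS_1, DF_1_NOW)])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass paths such as those listed by `dpkg -L libnfsidmap1`.
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(f"{path}: Immediate binding: {immediate_binding(fh.read())}")
    else:
        print("sample (lazy):", immediate_binding(SAMPLE_LAZY))
        print("sample (-z now):", immediate_binding(SAMPLE_NOW))
```
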