DuckCorp Projects: Issues
https://projects.duckcorp.org/
2022-07-10T10:42:55Z
DuckCorp Projects
Redmine

DuckCorp Infrastructure - Bug #776 (Resolved): Users are unable to register to projects.duckcorp.org
https://projects.duckcorp.org/issues/776
2022-07-10T10:42:55Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>There is an issue related to the captcha:<br /><pre>
Oops, we failed to validate your reCAPTCHA response. Please try again.
</pre><br />I tried with firefox and chromium.</p>
<p><code>/var/log/redmine/dc/production.log</code> from the <code>redmine</code> LXC container:<br /><pre>
Started POST "/account/register" for 185.238.6.46 at 2022-07-10 12:53:52 +0000
Processing by AccountController#register as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[REDACTED]", "user"=>{"login"=>"pilou_test", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "firstname"=>"pilou", "lastname"=>"pilou_test", "mail"=>"pilou_test@ir5.eu", "language"=>"fr"}, "g-recaptcha-response"=>"[REDACTED]", "commit"=>"Soumettre"}
Current user: anonymous
Rendering plugins/recaptcha/app/views/account/register.html.erb within layouts/base
Rendered plugins/recaptcha/app/views/account/register.html.erb within layouts/base (8.8ms)
Completed 200 OK in 3022ms (Views: 14.7ms | ActiveRecord: 1.4ms)
</pre></p>

Bip - Bug #481 (In Progress): Fix log level for erroneous messages
https://projects.duckcorp.org/issues/481
2015-10-13T12:54:28Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Bip should display IRC <a href="https://tools.ietf.org/html/rfc1459#section-6" class="external">errors</a> sent by IRC servers using <code>error</code> log level.</p>
<p>The current behaviour is:<br /><pre>
13-10-2015 14:48:14 DEBUG: ":irc.server.local 432 * Pilou :Nickname too long, max. 9 characters
</pre></p>

Bip - Bug #477 (Resolved): error in 'channel_name_list' function
https://projects.duckcorp.org/issues/477
2015-09-03T03:45:20Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Trou reported an error:</p>
<pre>
#0 0x00007ffff739d107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff739e4e8 in __GI_abort () at abort.c:89
#2 0x00007ffff73db214 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff74ce000 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff73e09ee in malloc_printerr (action=1, str=0x7ffff74ca13f "malloc(): memory corruption", ptr=<optimized out>) at malloc.c:4996
#4 0x00007ffff73e2669 in _int_malloc (av=av@entry=0x7ffff770b620 <main_arena>, bytes=bytes@entry=257) at malloc.c:3447
#5 0x00007ffff73e4080 in __GI___libc_malloc (bytes=bytes@entry=257) at malloc.c:2891
#6 0x000055555556ff62 in bip_malloc (size=size@entry=257) at src/util.c:50
#7 0x0000555555565d01 in channel_name_list (server=0x555555806010, c=c@entry=0x5555559f3ba0) at src/irc.c:129
#8 0x0000555555565f04 in irc_send_join (chan=0x5555559f3ba0, ic=<optimized out>, ic=<optimized out>) at src/irc.c:548
#9 0x0000555555568386 in irc_cli_make_join (ic=0x555555aafe60) at src/irc.c:664
#10 irc_cli_startup (bip=bip@entry=0x7fffffffb000, ic=ic@entry=0x555555aafe60, line=<optimized out>) at src/irc.c:824
#11 0x0000555555568914 in irc_cli_pass (line=<optimized out>, ic=<optimized out>, bip=<optimized out>) at src/irc.c:884
#12 irc_dispatch_loging_client (line=0x555555abcad0, ic=0x555555aafe60, bip=0x7fffffffb000) at src/irc.c:1251
#13 irc_dispatch (bip=bip@entry=0x7fffffffb000, l=l@entry=0x555555aafe60, line=line@entry=0x555555abcad0) at src/irc.c:1266
#14 0x000055555556a70f in bip_on_event (bip=bip@entry=0x7fffffffb000, conn=0x555555ab45a0) at src/irc.c:2488
#15 0x000055555556a943 in irc_main (bip=0x7fffffffb000) at src/irc.c:2563
#16 0x000055555555b3e0 in main (argc=<optimized out>, argv=<optimized out>) at src/bip.c:1323
</pre>
<p>Reporter uses revision <a class="changeset" title="Allow to configure the delay before a reconnection Initial patch submitted by Romain Gayon, than..." href="https://projects.duckcorp.org/projects/bip/repository/bip/revisions/4eec0844521fd52b6dec8edd67bf5ea3a5082092">4eec0844</a>.</p>

DuckCorp Infrastructure - Enhancement #460 (Resolved): SSL/TLS: check ciphers
https://projects.duckcorp.org/issues/460
2015-07-09T00:02:15Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
Checks:
<ul>
<li>NULL,EXPORT,LOW,3DES,aNULL must be disabled</li>
<li>RC4 must be disabled</li>
<li>SSLv2,SSLv3 must be disabled</li>
<li>TLSv1.1,TLSv1.2 must be enabled</li>
<li>PFS must be enabled</li>
</ul>
<ul>
<li>SSL Compression must be disabled</li>
</ul>
Configuration updates needed:
<ul>
<li>PostgreSQL (default conf used <code>HIGH:MEDIUM:+3DES:!aNULL</code>)</li>
<li>Apache (<code>RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW</code>)</li>
</ul>
<ul>
<li>References
<ul>
<li><a class="external" href="https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher">https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher</a></li>
<li><a class="external" href="https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/">https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/</a></li>
<li><a class="external" href="http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html">http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html</a></li>
<li><a class="external" href="https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations">https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations</a></li>
<li><a class="external" href="https://github.com/ioerror/duraconf">https://github.com/ioerror/duraconf</a></li>
</ul>
</li>
<li>Tools:
<ul>
<li><a class="external" href="https://github.com/jvehent/tlsnames/blob/master/convert_openssl_to_gnutls.sh">https://github.com/jvehent/tlsnames/blob/master/convert_openssl_to_gnutls.sh</a></li>
</ul></li>
</ul>

Bip - Bug #432 (Resolved): authenticated bip users could stop bip daemon
https://projects.duckcorp.org/issues/432
2015-01-15T03:56:50Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Fran found that these commands allow an authenticated bip user to stop the bip daemon:<br /><pre>
{ echo PASS bipnick:mysecretpassword:freenode; echo NICK Pilou; echo USER Pilou 0 Pilou :blah; sleep 2; } | telnet 127.0.0.1 7778 | read
</pre></p>
<pre>
15-01-2015 04:26:44 DEBUG: Trying to accept new client on 0
15-01-2015 04:26:44 DEBUG: New client on socket 41 !
15-01-2015 04:26:44 DEBUG: fd:41 Connection established !
15-01-2015 04:26:44 DEBUG: "PASS bipnick:mysecretpassword:freenode"
15-01-2015 04:26:44 DEBUG: "NICK Pilou"
15-01-2015 04:26:44 DEBUG: "USER Pilou 0 Pilou :blah"
15-01-2015 04:26:44 DEBUG: Connection close asked. FD:41
15-01-2015 04:26:44 DEBUG: A client connected
15-01-2015 04:26:44 FATAL: select(): Bad file descriptor
</pre>

Bip - Bug #431 (New): bip is leaking file descriptors
https://projects.duckcorp.org/issues/431
2015-01-15T02:01:19Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>fran wrote:</p>
<blockquote>
<p>bip is leaking file descriptors on my server, and the fix is pretty easy: on connection.c, on read_socket, whenever read returns <1 and errno is different to EAGAIN and EINTR, the socket MUST be closed <br />because read will not return 0 on the following iterations of select (cause it's not added to the read fd_set after that), plus after read failing with fatal error it keeps returning -1</p>
</blockquote>

UFWI - Bug #418 (Resolved): configure - make error
https://projects.duckcorp.org/issues/418
2014-11-25T22:46:46Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Hello,<br />when installing the ufwi-base module, make generates a src/MakeFile containing an error: installing with make install calls the script security.h twice in succession, which returns an error message. The generated MakeFile therefore has to be edited and the second security.h removed for the installation to work properly:</p>
<p>src/MakeFile<br />line 223:<br />include_HEADERS = linuxlist.h config-table.h ipv6.h log.h ufwibase.h packet_par$<br /> <strong>security.h</strong> debug.h documentation.h jhash.h ufwi_source.h proto.$<br /> proto_v3.h proto_v4.h proto_v5.h <strong>security.h</strong></p>
<p>Sorry for my bad English.</p>
<p>Tested on Linux Mint Debian 3.0.0-1-amd64</p>
<p>Added by Cyril PIERRÉ</p>

UFWI - Bug #416 (New): Missing "Exit" menu entry
https://projects.duckcorp.org/issues/416
2014-11-25T22:41:46Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>In stand-alone mode, the main menu is missing a "Quit" or "Exit" entry.</p>
<p>Added by Laurent Defert</p>

UFWI - Bug #415 (New): Remove runtime dependency to ntp module
https://projects.duckcorp.org/issues/415
2014-11-25T22:41:20Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Added by Laurent Defert</p>

UFWI - Bug #414 (New): Remove dependency to ufwi_conf
https://projects.duckcorp.org/issues/414
2014-11-25T22:40:57Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu

UFWI - Bug #413 (New): Remove dependency to network
https://projects.duckcorp.org/issues/413
2014-11-25T22:40:15Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Creating a ruleset only shows:<br /><pre>
Firewall error
Error #1201001: No component registered with this name ('network')
</pre></p>
<p>Added by Laurent Defert</p>

UFWI - Bug #412 (New): Remove references to minimalMode
https://projects.duckcorp.org/issues/412
2014-11-25T22:40:02Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Added by Laurent Defert</p>

Bip - Enhancement #270 (Resolved): GIT: use signed tag
https://projects.duckcorp.org/issues/270
2012-01-10T01:53:49Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Signed tags must be used.</p>

Bip - Bug #269 (Resolved): buffer overflow when number of open file descriptors >= FD_SETSIZE
https://projects.duckcorp.org/issues/269
2012-01-07T10:28:05Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<p>Reported by Julien Tinnes, thanks to him!</p>
<p>Bip doesn't check if fd is equal to or larger than FD_SETSIZE.</p>
<p>From select man page:</p>
<blockquote>
<p>Executing FD_CLR() or FD_SET() with a value of fd that is negative or is equal to or larger than FD_SETSIZE will result in undefined behavior.</p>
</blockquote>

Bip - Bug #186 (New): Bip crash after using "/QUOTE BIP TRUST OK" on a new connection
https://projects.duckcorp.org/issues/186
2011-01-18T02:29:38Z
Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu
<a name="How-to-reproduce"></a>
<h1>How to reproduce:</h1>
<ol>
<li>/etc/bip.conf: add a new ssl connection </li>
<li>restart bip (Debian: <em>/etc/init.d/bip restart</em>)</li>
<li>use <em>/QUOTE BIP TRUST OK</em><br /> # all client connections are disconnected</li>
</ol>
<a name="Logs"></a>
<h1>Logs</h1>
<a name="Client-logs"></a>
<h2>Client logs:</h2>
<blockquote>
<p>03:12:08 oftc | irc: connecting to server irc-bouncer/7778...<br />03:12:08 oftc | irc: connected to irc-bouncer<br />03:12:08 oftc -- | b.i.p (b.i.p): This server SSL certificate was not accepted because it is not in your store of trusted certificates:<br />03:12:08 oftc -- | b.i.p (b.i.p): Subject: /C=US/ST=Indiana/L=Indianapolis/O=Software in the Public Interest/OU=hostmaster/CN=Certificate Authority/emailAddress=<a class="email" href="mailto:hostmaster@spi-inc.org">hostmaster@spi-inc.org</a><br />03:12:08 oftc -- | b.i.p (b.i.p): Issuer: /C=US/ST=Indiana/L=Indianapolis/O=Software in the Public Interest/OU=hostmaster/CN=Certificate Authority/emailAddress=<a class="email" href="mailto:hostmaster@spi-inc.org">hostmaster@spi-inc.org</a><br />03:12:08 oftc -- | b.i.p (b.i.p): MD5 fingerprint: 2A:47:9F:60:BB:83:74:6F:01:03:D7:0B:0D:F6:0D:78<br />03:12:08 oftc -- | b.i.p (b.i.p): WARNING: if you've already trusted a certificate for this server before, that probably means it has changed.<br />03:12:08 oftc -- | b.i.p (b.i.p): If so, YOU MAY BE SUBJECT OF A MAN-IN-THE-MIDDLE ATTACK! PLEASE DON'T TRUST THIS CERTIFICATE IF YOU'RE NOT SURE THIS IS NOT THE CASE.<br />03:12:08 oftc -- | b.i.p (b.i.p): Type /QUOTE BIP TRUST OK to trust this certificate, /QUOTE BIP TRUST NO to discard it.<br />03:12:20 oftc -- | irc.bip.net (irc.bip.net): ==== Certificate now trusted.<br />03:12:20 oftc -- | irc.bip.net (irc.bip.net): No more certificates waiting awaiting user trust, thanks!<br />03:12:20 oftc -- | irc.bip.net (irc.bip.net): If the certificate is trusted, bip should be able to connect to the server on the next retry. Please wait a while and try connecting your client again.</p>
</blockquote>
<a name="Bip-logs"></a>
<h2>Bip logs:</h2>
<blockquote>
<p>18-01-2011 03:12:12 ERROR: No certificate in SSL write_socket<br />18-01-2011 03:12:12 ERROR: SSL cert check failed at depth=3: certificate rejected (28)<br />18-01-2011 03:12:12 ERROR: Certificate check failed: certificate rejected (28)!<br />18-01-2011 03:12:12 ERROR: Error on fd 31 (state 9)<br />18-01-2011 03:12:12 ERROR: [oftc] read_lines error, closing...<br />18-01-2011 03:12:12 ERROR: [oftc] reconnecting in 240 seconds<br />18-01-2011 03:12:54 ERROR: No certificate in SSL write_socket</p>
</blockquote>