Bug 32294 - Update request: nftables-1.0.6-1.1.mga9
Summary: Update request: nftables-1.0.6-1.1.mga9
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-16 15:36 CEST by Thomas Backlund
Modified: 2023-10-17 16:07 CEST

See Also:
Source RPM: nftables
CVE:
Status comment:


Description Thomas Backlund 2023-09-16 15:36:11 CEST
Bugfix for nftables

Userspace nftables v1.0.6 sometimes generates incorrect bytecode that hits a new kernel check introduced in the kernel-6.4.8 fix for CVE-2023-4147 that rejects adding rules to bound chains. This update fixes nftables to generate correct bytecode.


SRPMS:
nftables-1.0.6-1.1.mga9.src.rpm


i586:
libnftables1-1.0.6-1.1.mga9.i586.rpm
libnftables-devel-1.0.6-1.1.mga9.i586.rpm
nftables-1.0.6-1.1.mga9.i586.rpm
python3-nftables-1.0.6-1.1.mga9.noarch.rpm


x86_64:
lib64nftables1-1.0.6-1.1.mga9.x86_64.rpm
lib64nftables-devel-1.0.6-1.1.mga9.x86_64.rpm
nftables-1.0.6-1.1.mga9.x86_64.rpm
python3-nftables-1.0.6-1.1.mga9.noarch.rpm

Comment 1 Marja Van Waes 2023-10-12 19:22:29 CEST
Advisory from comment 0 added to SVN. 
Please remove the "advisory" keyword if it needs to be changed. 
It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory
CC: (none) => marja11

Comment 2 Thomas Andrews 2023-10-17 03:15:55 CEST
MGA9-64 Plasma in VirtualBox. No installation issues.

I have no idea how to test the issue that generated this bug, so...

$ urpmq --whatrequires nftables
eddie
nftables
podman
python3-nftables
waydroid

Installing waydroid depends on another bug currently waiting for QA attention, so no help there.

Eddie is a UI for managing a VPN from Airvpn, but it is supposed to work with VPNs from other providers, as well. I installed it without issue, ran it under strace, looked around, couldn't easily determine how to get it working with a Surfshark VPN, and closed it again. Examining the strace file showed no reference to nftables, so apparently it's not invoked unless one actually activates a VPN. Again, no help.

So I installed podman, and attempted to run some of the commands from Bug 28885 comment 55:

[tom@localhost ~]$ podman images
ERRO[0000] cannot find UID/GID for user tom: no subuid ranges found for user "tom" in /etc/subuid - check rootless mode in man pages. 
WARN[0000] Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user 
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE
[tom@localhost ~]$ podman search docker.io/library/mageia
[tom@localhost ~]$ podman run -dt -p 8080:80/tcp docker.io/library/mageia
Trying to pull docker.io/library/mageia:latest...
Getting image source signatures
Copying blob 2b7a6260b5e1 done  
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:2b7a6260b5e1024ee3e3aaea14424ae322182becf6d1593b6542c7e711e2c6bc": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:25 for /etc/gshadow): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /etc/gshadow: invalid argument): exit status 1
[tom@localhost ~]$ podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
[tom@localhost ~]$ podman ps -a
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

So, I didn't get very far, but the messages look to be from user error, rather than some fault of the application/libraries. To be fair, the test in bug 28885 wasn't exactly conclusive, either.

I'm going to OK this based mostly on a clean install. Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 3 Mageia Robot 2023-10-17 16:07:29 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2023-0093.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

