2021-09-01 03:07:50 working on them
2021-09-01 03:53:57 nodejs upgrade: https://git.alpinelinux.org/aports/commit/?id=323de7a70079
2021-09-01 03:54:48 yep, i merged it :P
2021-09-01 03:55:20 I had a suspicion
2021-09-03 12:45:32 Some new xen CVEs for XEN
2021-09-03 17:44:41 yep
2021-09-07 10:41:03 going to take a nap and then work through a fairly large CVE queue :)
2021-09-07 17:45:36 1 out of 9 hunks FAILED -- saving rejects to file xen/drivers/passthrough/vtd/iommu.c.rej
2021-09-07 17:45:41 -_-`
2021-09-07 17:53:19 XSA-378 is incomplete
2021-09-07 17:53:22 because, of course it is
2021-09-08 21:01:53 distroless seems interesting and something I'd like to use
2021-09-08 21:03:12 I've done similar with fbsd, and later hbsd, jails, but didn't have/build any good tooling so it was some manual labor where I also used ansible
2021-09-10 18:11:22 https://matrix.org/blog/2021/09/10/pre-disclosure-upcoming-critical-fix-for-several-popular-matrix-clients
2021-09-11 01:50:22 :D
2021-09-14 08:10:30 2 in-the-wild CVEs patched in chrome (and I assume chromium as well): CVE-2021-30632, CVE-2021-30633
2021-09-14 08:34:41 awesome
2021-09-14 08:43:22 im working on https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/24895 + update to .82
2021-09-14 08:44:22 alright
2021-09-14 08:44:25 i just woke up :)
2021-09-14 08:45:47 ncopa: those CVEs are not mentioned
2021-09-14 08:48:36 ah, yes, it's in .82, not in .63
2021-09-14 16:45:25 https://www.theregister.com/2021/09/14/expressvpn_bought_kape/
2021-09-14 16:45:40 Kape seem to be collecting VPN companies - it apparently owns PIA
2021-09-14 16:56:10 that's not much of a surprise at all
2021-09-14 16:56:29 probably a better fit in #alpine-offtopic fwiw
2021-09-14 16:59:13 was thinking of the (in)security aspect of a single company buying up VPN providers...
2021-09-14 17:31:40 https://security.alpinelinux.org/vuln/CVE-2021-40528 !13008
2021-09-14 17:31:46 #13008
2021-09-14 17:39:51 Seems to be related to https://security.alpinelinux.org/vuln/CVE-2021-33560
2021-09-14 17:41:09 "For (2), by GnuPG Team, it is not handled as a security bug (while the authors claim that both as vulnerabilities). It is handled as an improvement of the implementation.
2021-09-14 17:41:11 "
2021-09-14 17:41:29 That refers to CVE-2021-40528
2021-09-14 18:28:40 !25347
2021-09-14 18:28:59 I backported the patch, if we want to go that way
2021-09-14 18:29:07 Can someone review?
2021-09-15 02:31:14 ikke: done, its fine
2021-09-16 07:39:03 1 kubernetes CVEs:
2021-09-16 07:39:08 2*
2021-09-16 07:39:13 CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access
2021-09-16 07:39:18 CVE-2020-8561: Webhook redirect in kube-apiserver
2021-09-16 08:06:51 https://gitlab.alpinelinux.org/alpine/aports/-/issues/13013
2021-09-16 08:07:14 #13013 #13014
2021-09-16 08:14:18 #13015
2021-09-16 08:39:21 jfrog xray marking separate libraries while the CVE seems to just target chrome
2021-09-16 08:39:38 where do you see that those CVEs are for kubernetes?
2021-09-16 08:40:25 found it
2021-09-16 08:40:27 https://www.openwall.com/lists/oss-security/2021/09/16/1 https://www.openwall.com/lists/oss-security/2021/09/16/2
2021-09-16 08:46:17 chromium in 3.14 needs to be upgraded to >= 92.0.4515.107
2021-09-16 09:47:18 will probably not have time to look at that this week
2021-09-16 09:48:11 I guess we could just backport the updates on edge?
2021-09-16 10:34:28 those chrome issues are in bundled libs though
2021-09-16 10:34:33 yes
2021-09-16 10:34:38 and the references are upstream commits
2021-09-16 10:42:20 But the CVEs explicitly refer to chrome
2021-09-16 10:43:06 So probably outdated bundled versions?
2021-09-16 10:47:23 possibly
2021-09-16 10:47:44 the xslt one i fixed already
2021-09-16 10:47:49 but it was a different CVE
2021-09-20 12:53:38 CVE-2021-30858 affecting WebkitGTK <2.23.4 (https://www.openwall.com/lists/oss-security/2021/09/20/1)
2021-09-20 12:53:46 Seems we already addressed it, but need to add secfixes
2021-09-20 12:54:02 And https://security.alpinelinux.org/vuln/CVE-2021-30858 lists old info
2021-09-23 00:53:38 hola+
2021-09-23 00:53:38 +
2021-09-23 01:35:51 mmmkay
2021-09-27 14:05:57 Ariadne: Hi! hope you had a nice weekend. could you please help me review what I did here: https://gitlab.alpinelinux.org/alpine/aports/-/commit/ee7f451b3a1b1bdcf1de4303369a0b8a152f4d73
2021-09-27 14:06:12 just so I didn't do anything obviously stupid
2021-09-27 15:38:24 looks fine to me
2021-09-27 15:38:37 using an 8kb static buffer for the password might not be ideal though
2021-09-27 17:05:36 better suggestions? using the stack?
2021-09-27 17:07:30 also, why is it not ideal?
2021-09-27 17:15:27 the password data could be truncated
2021-09-27 17:15:50 (i don't think anyone has an 8192 byte password, but you never know ;))
2021-09-27 17:16:13 solution would be to read in small chunks, and realloc() if needed
2021-09-27 17:16:37 right. i kinda thought of that, but ....
2021-09-27 17:17:01 it is probably good enough in reality :)
2021-09-27 17:17:19 i thought if 64 chars is good enough for suse, 8192 should probably be enough for the xfce4-screensaver dialog
2021-09-27 17:18:05 https://build.opensuse.org/package/view_file/openSUSE:11.4/pam-modules/unix2_chkpwd.c?expand=0 line 64
2021-09-27 17:18:37 and that is a general unix2_chkpwd for PAM. my small app is only for xfce4-screensaver
2021-09-27 17:19:23 yeah its fine :)
2021-09-27 17:19:44 some rust person will point and be like "omg! memory error!!!" though
2021-09-30 05:34:30 regex dos in py3-pillow: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13051 (CVE-2021-23437)
2021-09-30 13:45:11 I'm wondering if it was found by OSS-Fuzz