2021-12-03 11:56:30 CVE-2021-3657, CVE-2021-44143: buffer and heap overflows in mbsync / isync https://www.openwall.com/lists/oss-security/2021/12/03/
2021-12-03 14:45:27 nmeum patched ^
2021-12-03 14:48:16 I think we can just cherry pick that to the 3.15 branch
2021-12-03 14:48:28 the commit upgrading to 1.4.4 that is
2021-12-07 09:16:26 hmm, is it known that security.a.o has not had 3.15 added yet
2021-12-07 10:32:30 i noticed it some time ago. what is needed to be done to add new branches to security.a.o?
2021-12-07 10:39:37 looks like there is a config
2021-12-07 10:39:44 https://gitlab.alpinelinux.org/ariadne/secfixes-tracker/-/blob/master/application.example.cfg
2021-12-07 10:42:51 https://gitlab.alpinelinux.org/alpine/infra/docker/secfixes-tracker/-/blob/master/config/prod.settings.py
2021-12-07 11:43:37 https://gitlab.alpinelinux.org/alpine/infra/docker/secfixes-tracker/-/merge_requests/6 looks good?
2021-12-07 12:06:26 ikke: secdb got updated by you? or is it automatic?
2021-12-07 12:08:03 Automatically
2021-12-07 12:08:17 It uses releases.json
2021-12-07 17:18:15 Ariadne: fyi, 3.15 is now listed
2021-12-07 17:18:20 thx
2021-12-07 18:44:56 CVE-2021-44420: Potential bypass of an upstream access control based on URL paths (https://www.openwall.com/lists/oss-security/2021/12/07/1)
2021-12-07 18:45:07 django
2021-12-07 23:22:07 https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
2021-12-07 23:59:56 !28327
2021-12-08 00:01:06 https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/28237
2021-12-08 05:26:11 merged
2021-12-10 09:21:52 !28305 !28306 !28002
2021-12-10 09:31:10 nice log4j rce: https://www.lunasec.io/docs/blog/log4j-zero-day/
2021-12-10 09:31:38 CVE-2021-44228 / Log4Shell
2021-12-13 08:13:21 good morning. do we need to do anything re that log4j vulnerability?
2021-12-13 08:13:58 We don't have it as a package, but I don't know if there is software that has bundled it in
2021-12-13 12:12:38 is there any vulnerable infrastructure?
2021-12-13 12:12:54 i also got heads up that -Dlog4j2.formatMsgNoLookups=true is not sufficient in all cases
2021-12-13 12:13:02 specifically in the case of logstash but probably others as well
2021-12-13 12:15:04 We do not use anything that uses java
2021-12-13 12:16:14 Oh, big blue button is Java based?
2021-12-13 12:18:41 wat
2021-12-13 12:20:49 wat?
2021-12-13 12:22:28 lots of java and scala in the repo iirc
2021-12-13 12:22:42 according to wikipedia: Programming languages: Java, JavaScript, Scala, Grails
2021-12-13 16:41:32 ikke: parts of it are, yes
2021-12-13 16:41:59 i think the frontend is rails though
2021-12-14 12:05:16 https://security.alpinelinux.org/vuln/CVE-2021-43818 is not finding our py3-lxml package. https://github.com/advisories/GHSA-55x5-fj6c-h6m8
2021-12-14 13:08:19 ncopa, I've upgraded py3-lxml yesterday 5f1f9fe67533bde6ae424cfb85b523036783ce8b but I wasn't aware that there was a CVE
2021-12-14 14:27:52 ncopa: there are no CPE rules, as you can see. it cannot match a package without a CPE rule.
2021-12-14 14:28:07 none of the scanners can
2021-12-15 05:52:08 log4shell round 2: https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
2021-12-15 05:53:37 (The previously provided workarounds / mitigations can be ineffective in certain cases)
2021-12-15 05:54:53 And someone created a log4shell payload that patches it: https://github.com/Cybereason/Logout4Shell
2021-12-15 06:31:17 ah yes, the "vaccine"
2021-12-15 06:31:28 but yeah, basically everything between 2.0 and 2.16.0 is vulnerable
2021-12-18 04:02:21 !28585 !28586 !28587 !28588
2021-12-18 10:10:22 omni: merged, thanks
2021-12-18 12:23:12 ikke: cool!
2021-12-18 12:23:40 but not yet !28585, also !28589 is now ready
2021-12-18 14:30:15 !28607 !28608
2021-12-18 14:30:37 (the latter for 3.15-stable)
2021-12-20 18:27:25 New xen security advisories: https://www.openwall.com/lists/oss-security/2021/12/20/
2021-12-21 22:12:14 !28725
2021-12-21 22:18:00 !28729
2021-12-22 10:45:09 linux 5.15.11 is patched for XSA-391 and XSA-392 !28740
2021-12-23 21:03:41 https://tinyssh.org/
2021-12-23 21:15:28 ikke: yeah I looked at it. Seems a good compromise between the small size of Dropbear and the feature set of OpenSSH
2021-12-23 22:51:34 we already package it don't we
2021-12-23 23:59:58 yes it's packaged
2021-12-24 00:00:56 I started work on a patch for cloud-init to add tinyssh support a while ago
2021-12-24 00:10:43 Ariadne: looking at the contents of /etc/passwd (and /etc/group) in alpine-baselayout - I'm thinking of raising a MR to remove some of them as I do not see a purpose for them. I guess it's not documented what the intended purposes are for these default user accounts
2021-12-24 00:11:20 I would have thought from a security perspective we'd want as few default users as possible
2021-12-24 00:22:02 yes
2021-12-24 00:22:05 please do :)
2021-12-24 00:27:02 Ariadne: also, do you know if anyone actually uses openrc-init, openrc-shutdown, and rc-sstat? They are not normally needed by Alpine as Busybox provides the init, I have an MR part written to remove these from openrc package - was wondering whether instead I should move them to a new openrc-init subpackage just in case someone somewhere is using them
2021-12-24 00:27:14 no i dont
2021-12-24 00:28:05 ok, I'll go with the "remove them" option and see if anyone objects (as we're using Busybox's init that's why I noticed the "halt" and "shutdown" default user accounts are not needed)
2021-12-27 09:50:03 fyi https://github.com/shadow-maint/shadow/releases/tag/v4.10 shadow is deprecating their su and asking everybody to switch to util-linux su instead
2021-12-27 16:50:14 we are working on deprecating shadow entirely :p
2021-12-27 17:17:32 Ariadne: shadow package?
2021-12-27 17:18:14 yes
2021-12-27 17:18:24 in favor of the util-linux implementations
2021-12-27 17:20:49 I missed the start of this - so you're just referring to binaries like "login" rather than the shadow package in general being deprecated?
2021-12-27 17:23:34 ideally both :)
2021-12-27 17:25:00 util-linux does not provide things like useradd/usermod/userdel which do more than adduser/moduser/deluser
2021-12-27 17:26:22 yes, we will have to source those from somewhere else :)
2021-12-27 17:26:31 until then shadow will remain for those tools
2021-12-27 17:29:33 Ariadne: any specific reason for transitioning to shadow? I found the util-linux impls to have some issues
2021-12-27 17:30:01 they are both shit
2021-12-27 17:32:04 ericonr: isn't the transitioning to util-linux, not to shadow?
2021-12-27 17:32:24 Aridne: is this documented anywhere? I don't see anything on the TSC about it
2021-12-27 17:32:56 minimal: s/to/from/ :p apologies
2021-12-27 17:33:47 s/Aridne/Ariadne/
2021-12-27 17:34:36 no
2021-12-27 17:37:02 if shadow is planned to go away I'll have a fair bit of work to modify/patch cloud-init for the shadow tools it is using where there's no equivalent tool provided by util-linux or other package
2021-12-27 17:38:46 shouldn't this intended change be discussed by TSC to make it visible to people?
2021-12-27 17:41:09 it's not an intended change yet
2021-12-27 17:44:15 ok
2021-12-27 21:40:58 I certainly have more stuff that will break if that happens so I think I'll have to tinker with that
2021-12-31 23:21:01 Ariadne: what is your opinion of hashicorp vault? Thinking of deploying an instance for Alpine Linux infra