2022-03-02 14:21:42 https://github.com/BuGlessRB/procmail new release!
2022-03-02 14:21:51 thankfully this piece of shit isn't shipped in alpine
2022-03-02 14:21:57 https://github.com/BuGlessRB/procmail/blob/master/src/regexp.c look at how glorious it is!
2022-03-02 14:28:31 adding it to the repos immediately
2022-03-02 14:29:01 :p
2022-03-02 14:45:31 jvoisin: it was
2022-03-02 14:45:34 jvoisin: i deleted it
2022-03-02 14:52:52 Ariadne: thank you ♥
2022-03-07 11:14:13 oikjl
2022-03-07 11:15:21 same
2022-03-10 23:07:22 !30657
2022-03-11 05:50:56 thanks, merged
2022-03-11 05:52:06 there's also 5 libxml2 mrs
2022-03-11 05:52:45 also that intel-ucode needs all the backports, do you want me to do it
2022-03-11 05:53:52 please
2022-03-11 05:53:54 sure
2022-03-11 05:56:26 complete
2022-03-15 11:44:18 this is a false positive, for apache flex. I don't know what we need to do to make it go away for 3.15 and for future 3.16. https://security.alpinelinux.org/vuln/CVE-2015-1773
2022-03-15 11:44:51 https://gitlab.alpinelinux.org/ariadne/security-rejections?
2022-03-15 11:46:12 same with this https://security.alpinelinux.org/vuln/CVE-2019-14860
2022-03-15 11:47:18 looks like the https://gitlab.alpinelinux.org/ariadne/security-rejections is not applied to alpine 3.15
2022-03-15 11:48:11 Right, the setting is missing
2022-03-15 11:48:38 https://gitlab.alpinelinux.org/alpine/infra/docker/secfixes-tracker/-/blob/master/config/prod.settings.py#L31
2022-03-15 11:54:49 ncopa: https://gitlab.alpinelinux.org/alpine/infra/docker/secfixes-tracker/-/merge_requests/7/diffs?commit_id=0cd2dceb27f59a56181755ff0cd18433db4a20ee
2022-03-15 11:58:18 https://security.alpinelinux.org/srcpkg/tar the unresolved CVEs are for npm-tar, not for GNU tar. wrong project
2022-03-15 11:58:32 yeah, i saw that one
2022-03-15 11:58:33 funny
2022-03-15 11:59:02 there's 5 mariadb cve mrs
2022-03-15 14:29:02 and a few xen related linux ones
2022-03-15 14:29:16 (edge is patched)
2022-03-16 13:14:27 \o/
2022-03-18 06:14:59 4 bind CVEs: https://www.openwall.com/lists/oss-security/2022/03/16/2
2022-03-18 11:05:47 !32175 !32176 !32177 !32178 !32179
2022-03-18 11:06:01 2 of them are 9.18 only
2022-03-18 11:16:44 also note !31946 !31947 !31948 !31949 !31950
2022-03-18 12:29:36 psykose: done
2022-03-18 12:29:45 :)
2022-03-19 19:25:36 https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/
2022-03-22 21:03:02 Ariadne: We got our canary CVE for alpine 3.15: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13623 :P
2022-03-22 21:04:03 yes
2022-03-22 21:04:10 3.15.2 release is needed to handle it
2022-03-22 21:04:26 yeah, pinged ncopa about it
2022-03-22 21:05:08 But now people cannot complain anymore that their security scanners are not working
2022-03-24 05:56:29 https://www.openwall.com/lists/oss-security/2022/03/24/1 memory corruption in zlib, but no CVE, patch is available since 2018, upstream didn't pick it up
2022-03-24 05:56:57 Linked patch: https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
2022-03-24 09:21:46 let's pick it?
2022-03-24 15:02:59 maybe there's a reason upstream didn't?
2022-03-24 15:19:36 adler was CC'd on the post to oss-security but he's known for being unusual with development practices
2022-03-24 15:19:43 I see https://github.com/madler/zlib/pull/603 too
2022-03-24 15:20:13 that's from today lol, wtf
2022-03-24 15:20:19 how did everyone start talking about this suddenly
2022-03-24 15:25:59 because Travis is a celebrity and many keep an eye on what he does and says
2022-03-24 15:27:13 *Tavis
2022-03-24 15:29:10 :D
2022-03-24 17:03:16 i got an inquiry via twitter requesting an interview with somebody involved in alpine security, but the context is related to a whitepaper being published by my employer next week comparing number of CVEs in container base images and remediation times, so i need to recuse myself. is there anyone who wants to take this? maybe ikke?
2022-03-24 17:05:07 ACTION casts the light onto ikke
2022-03-24 17:05:43 I suppose I could..
2022-03-24 17:13:31 (the whitepaper is a positive thing for alpine, we actually do much better than a Prominent North American Enterprise Linux Vendor™️)
2022-03-24 18:46:56 Ariadne: you can direct them to me, I'll see what I can do
2022-03-25 04:58:04 Ariadne: https://github.com/OpenRC/openrc/pull/507 (https://github.com/OpenRC/openrc/issues/506)
2022-03-25 06:40:04 oh joy
2022-03-25 06:44:50 that is triple cool
2022-03-25 09:26:39 must say that I have respect for Jason. Instead of just complaining he actually fixes it, even if he doesn't use openrc himself
2022-03-25 09:33:28 I think we can apply https://github.com/OpenRC/openrc/pull/507 to our edge repo and report back that we have tested it? WDYT Ariadne?
2022-03-25 09:41:14 sounds good to me
2022-03-25 09:56:53 ncopa: He has also been coordinating some cross-distro linux config changes as well :p
2022-03-25 09:56:57 productive fellow
2022-03-25 10:00:28 Foxboron: i saw a copy of the email thread (not sure why I was not there since I do the official linux-lts for alpine). I also read some of his stuff in kernel threads. Impressive work
2022-03-25 10:00:51 ncopa: Hmm, I'd email him and get in the loop maybe
2022-03-25 10:00:51 I specifically was happy to see this: https://lkml.org/lkml/2022/3/24/9
2022-03-25 10:02:53 I'm not in the loop myself, just seen some tweets and internal talk in Arch
2022-03-25 17:40:20 ncopa: absolutely
2022-03-26 20:24:24 CVE-2022-1096 Chrome zero-day that is apparently actively exploited
2022-03-26 21:46:07 unlucky
2022-03-26 21:46:13 is there a new version for it yet
2022-03-27 00:08:04 ah, there was, 99.0.4844.84
2022-03-27 00:08:05 merged
2022-03-27 11:33:04 thank you for taking care of it so quick!
2022-03-27 11:34:45 it was boomanaiden actually :)
2022-03-27 11:35:06 you should give him the formal chromium maintainership
2022-03-27 11:35:24 https://git.alpinelinux.org/aports/commit/?id=d60ca1bc10cc
2022-03-27 11:35:50 it does make me wonder a little though
2022-03-27 11:36:00 currently 3.15 chromium is in kinda the same boat as 3.15 firefox
2022-03-27 11:36:10 unupgraded and uhh.. well, without all these fixes
2022-03-27 11:36:21 it might be possible to upgrade chromium specifically, should ask him about that
2022-03-27 11:36:42 firefox is a lost cause and should be in testing (unless all of you feel like doing a full-vendored build without system deps for stable)
2022-03-27 11:38:54 we have firefox-esr for the actual browser, but firefox specifically bumps its deps quite frequently and usually is impossible to upgrade
2022-03-27 11:40:50 The only issue is that the prevailing idea is that we don't really want packages to remain in testing (even though that de facto happens now)
2022-03-27 11:41:53 aye, that does keep coming up a bunch
2022-03-27 11:42:02 but yes, de facto it's... just how it is
2022-03-27 11:42:22 i think we all just know that in the back of our head, so maybe we should slightly formalise it
2022-03-27 11:42:42 or make a fourth repo (not the biggest fan of this one)
2022-03-27 11:43:02 https://gitlab.alpinelinux.org/alpine/tsc/-/issues/2
2022-03-27 11:45:15 there is a slight piece of extra for that
2022-03-27 11:45:23 which is that packages in community/ also bitrot all the same
2022-03-27 11:45:42 maybe to a slightly lesser extent
2022-03-27 11:46:16 i guess the usual release branch builds catch them a little :)
2022-03-27 11:49:35 yes
2022-03-27 11:50:25 the wasteful person in me thinks sometimes bumping everything in testing would not be such a terrible idea
2022-03-28 03:17:27 ~>