2022-06-03 21:10:40 #13902
2022-06-06 15:17:44 Ariadne: how do we deal with disputed CVEs? Add it to our rejection feed?
2022-06-06 15:18:00 if we agree with the dispute sure
2022-06-06 15:18:32 https://lore.kernel.org/git/DM6PR01MB597862CFD285C837EA61E690F9A29@DM6PR01MB5978.prod.exchangelabs.com/T/#m85d11c77b46faf780679d63954ad419d619da093 for example
2022-06-06 15:18:40 Functionality that works as intended
2022-06-06 15:18:52 I certainly agree with that dispute
2022-06-06 15:23:28 https://gitlab.alpinelinux.org/ariadne/security-rejections/-/merge_requests/2
2022-06-06 15:23:56 what does the 'availability of deleted content' mean
2022-06-06 15:24:32 psykose: If you rewrite history, objects might no longer be reachable
2022-06-06 15:24:40 right
2022-06-06 15:24:51 git by default does not allow you to get content that is not advertised through some ref
2022-06-06 15:25:33 The CVE author assumed that --mirror allowed you to get the contents, but apparently these contents were reachable through non-branch non-tag refs
2022-06-06 15:28:36 The blog post has not been updated yet
2022-06-06 15:30:17 psykose: last run _was_ 2am UTC tonight, so yes, it's no longer updating
2022-06-06 15:30:20 not sure why it stopped there
2022-06-06 15:31:14 Oops, wrong chat :)
2022-06-06 15:35:56 ah, for a moment i assumed it did clone unreachable content
2022-06-06 19:03:54 Ariadne: another one: https://gitlab.alpinelinux.org/ariadne/security-rejections/-/merge_requests/3
2022-06-06 19:08:53 ikke: you should now be able to modify the repo without pinging me
2022-06-06 19:09:23 Ariadne: ok, ftr, I've always been, but I typically don't without explicit permission out of courtesy
2022-06-06 19:10:41 And at least in the beginning as a confirmation I'm doing it right :)
2022-06-06 19:10:57 well, right, you are gitlab admin after all
2022-06-07 19:58:49 nmeum_: fyi. i just sent a possible fix to busybox mailing list for CVE-2022-30065 https://bugs.busybox.net/show_bug.cgi?id=14781
2022-06-09 18:01:57 FYI "Multiple GRUB2 vulnerabilities - 2022/06/07 round": https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html
2022-06-10 12:46:53 !35248 !35252 !35253 !35254 !35255
2022-06-11 10:50:04 ncopa: https://www.openwall.com/lists/oss-security/2022/06/10/1 kubernetes nginx-ingress path sanitation bypass
2022-06-18 10:07:06 https://lists.alpinelinux.org/~alpine/devel/%3C22948c2fba2f4882ac4646501fd6ef3f%40tower-net.de%3E
2022-06-18 13:45:49 !35462 !35463
2022-06-18 21:18:39 ikke: the person has a point if the user already exists and a -u is issued on it, but i think they misread what i said without checking anything as there are only two things in all of aports that call `passwd -u` in a post-install that could be vulnerable to this, and merely adding things that already exist don't pose any issue
2022-06-19 10:53:02 !35472 !35473
2022-06-19 12:09:12 the xsa patches do not apply cleanly for xen 4.15.2 (packaged in our v3.14 and v3.15 branches)
2022-06-19 12:10:16 I am to understand that we, instead of using the provided release tarballs, are advised to base on the tip of their stable branches and apply xsa patches where needed
2022-06-19 12:13:46 I guess I could do something like this again !e5a8c3fe
2022-06-19 12:14:13 (ok, that's not how algitbot works)
2022-06-19 12:14:29 https://gitlab.alpinelinux.org/alpine/aports/-/commit/e5a8c3fe7051ee091719ddc4d39feb0c3bb53abb#663fedc897e9b6ff71d28596de6731f3e37932bb
2022-06-19 12:15:09 !35482
2022-06-19 12:16:30 what did you edit there
2022-06-19 12:19:45 what do you mean?
2022-06-19 12:20:20 misread
2022-06-19 12:20:50 phew!
2022-06-19 12:21:13 I re-read what I wrote a couple of times :D
2022-06-19 12:33:49 https://github.com/xen-project/xen/commit/fdd61d3c059f5da4c447c4c3de93202f3ff86f56 https://github.com/xen-project/xen/commit/d5d7a8f7e6a6cc459fb3d0bad1d3fe1b05debe54.patch make them apply (sans one reformatted comment).. but idk
2022-06-19 12:34:19 why do they have stable branches with 'releases' if they don't make releases for xsa's but throw patches out that don't even apply onto the release?
2022-06-19 12:35:57 if their encouragement is to 'update to the tip of the branch' then why not just tag it?
2022-06-19 12:38:25 right?
2022-06-19 14:01:05 !35474 !35476
2022-06-20 11:20:47 bump
2022-06-20 11:21:01 ncopa: what do you think of the above :)
2022-06-20 12:56:01 SGTM
2022-06-20 12:57:46 annoying. they could just have tagged a new release. would have been so much simpler
2022-06-20 13:31:16 aye
2022-06-27 10:31:09 4 new curl CVEs announced: https://www.openwall.com/lists/oss-security/2022/06/27/
2022-06-28 13:58:31 FYI: https://www.theregister.com/2022/06/27/openssl_304_memory_corruption_bug/
2022-06-28 13:59:23 I see the MR !35568 for upgrade to 3.0.4 is still pending
2022-06-30 12:04:16 minimal: yes have not accepted it due to avx512 regression
2022-06-30 12:06:40 ok, I was more pointing out that 3.0.5 in theory is likely coming out soon (by whatever definition of "soon" they use)
2022-06-30 17:20:16 probably not
2022-06-30 17:20:27 they will fire another project manager
2022-06-30 17:20:30 and then the new guy
2022-06-30 17:20:36 will think "maybe we should release 3.0.5"
2022-06-30 17:20:46 and then they will fire that manager at the next CVE
2022-06-30 17:23:27 great to see that they inspire so much confidence in you ;-)
2022-06-30 17:24:48 i am just going by their past performance