2023-02-01 12:50:31 <ikke> openssl security release anouncement, highest severiy is High: https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html
2023-02-01 12:54:21 <psykose> indeed
2023-02-01 12:54:23 <psykose> quite some ways off
2023-02-01 12:54:46 <ikke> release is on the 7th
2023-02-01 20:43:08 <sam_> put it in your diaries!
2023-02-02 13:50:16 <jvoisin> https://www.openwall.com/lists/oss-security/2023/02/02/2 + https://www.openwall.com/lists/oss-security/2023/02/02/3
2023-02-02 13:50:23 <jvoisin> pre-auth memory corruption in openssh.
2023-02-02 14:05:19 <ikke> "sshd(8): fix a pre-authentication double-free memory fault introduced in OpenSSH 9.1. This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms."
2023-02-02 16:03:41 <psykose> backported anyway
2023-02-07 16:06:13 <minimal> A new OpenSSL release just announced: https://mta.openssl.org/pipermail/openssl-announce/2023-February/000250.html
2023-02-08 15:41:51 <ncopa> I got an email re https://security.alpinelinux.org/vuln/CVE-2022-24975
2023-02-08 15:42:06 <ncopa> it claims that alpine 3.15-stable has it fixed
2023-02-08 15:43:11 <ncopa> but CVE-2022-24975 is not mentioned anywhere in any commit
2023-02-08 15:44:36 <ncopa> the CVE data says Max Version <= 2.35.1
2023-02-08 15:45:32 <ncopa> but alpine 3.15 has git 2.34.6 which to my understanding is <= 2.35.1, so it should be vulnerable?
2023-02-08 15:45:47 <ncopa> why does https://security.alpinelinux.org/vuln/CVE-2022-24975 say it is fixed?
2023-02-08 16:48:04 <ptrc> if i understand correctly, 2.34.6 is a security release for the 2.34 git branch - https://github.com/git/git/blob/master/Documentation/RelNotes/2.34.6.txt
2023-02-08 16:49:06 <ptrc> oh, wait, no
2023-02-08 16:49:15 <ptrc> CVE-2022-24975 is not mentioned there
2023-02-08 16:51:12 <ptrc> Ubuntu security tracker says that "--mirror appears to work as intended" and that vendor disputes the CVE
2023-02-08 16:51:41 <ptrc> so that's probably why 
2023-02-08 18:37:45 <ncopa> where is that configured in security.alpinelinux.org?
2023-02-08 18:40:16 <ncopa> https://gitlab.alpinelinux.org/ariadne/security-rejections/-/blob/master/main.yaml#L40
2023-02-14 18:26:22 <jvoisin> https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh another cool git vuln
2023-02-14 18:53:26 <ikke> jvoisin: thanks
2023-02-14 23:02:34 <Garb0> hello
2023-02-14 23:03:02 <Garb0> any logic behind repo mirrors being plain http by default instead of https?
2023-02-14 23:05:11 <ptrc> you mean, not force-redirecting to https?
2023-02-14 23:05:26 <ptrc> or being hardcoded to http in some places
2023-02-14 23:05:33 <Garb0> uhm, both i guess
2023-02-14 23:05:43 <ptrc> in short, it doesn't matter, as all artifacts (indexes and apk files themselves) are signed
2023-02-14 23:06:05 <Garb0> well yeah, but there are issues outside package poisoning 
2023-02-14 23:06:28 <ptrc> but not having a redirect to https is also useful in cases where you don't want TLS (no certificate store, etc.)
2023-02-14 23:07:23 <ptrc> as for the latter.. dunno, if there's no good reason to keep it as http (in that specific place), it should probably be changed to https
2023-02-14 23:39:10 <pj> <Garb0> "well yeah, but there are..." <- such as?
2023-02-15 01:05:47 <Garb0> pj: one scenario would be faking the http server + dns spoofing and replying with whatever package the user wants and sending him a 99999GB package wrecking his stuff
2023-02-15 01:06:14 <pj> that would fail signature
2023-02-15 01:07:17 <Garb0> but sig check happens after DLing, right?
2023-02-15 01:08:03 <Garb0> also an edge case would be accessing said http via browser for whatever reason and the obvious routine of the guy injecting a jsminer for a couple of secs but that's a non issue 
2023-02-15 01:08:23 <Garb0> it's not really that big of a deal i agree but it just feels off
2023-02-15 01:19:06 <pj> browsers have https-only option
2023-02-15 01:22:14 <Garb0> delegating security to the client is usually a bad idea, esp since that feature is disabled by dfault
2023-02-15 01:45:03 <pj> breaking clients behaviour is always bad idea
2023-02-15 01:45:41 <pj> (current) browsers will connect to https first anyway
2023-02-15 01:59:29 <Garb0> fair point
2023-02-16 16:41:50 <idkrn[m]> <ptrc> "in short, it doesn't matter..." <- Signature verification has been bypasses before with vulnerabilities in the checking process
2023-02-16 16:43:38 <idkrn[m]> https://www.qubes-os.org/news/2021/03/19/qsb-067/
2023-02-16 16:46:06 <idkrn[m]> <pj> "(current) browsers will connect..." <- Some still don't enforce this by default. Edge requires you to enable it in developer options
2023-02-16 17:20:31 <pj> <idkrn[m]> "Signature verification has..." <- both are hosted in same place, moot point
2023-02-16 18:37:58 <idkrn[m]> <pj> "both are hosted in same place..." <- What
2023-02-16 19:04:29 <idkrn[m]> https mirrors are better
2023-02-16 19:11:26 <pj> no one argued that they are not better
2023-02-17 03:23:45 <psykose> it's a simple case
2023-02-17 03:23:49 <psykose> you use http -> it's fast
2023-02-17 03:23:56 <psykose> you use https -> it's slower
2023-02-17 03:24:02 <psykose> case closed
2023-02-17 06:07:38 <idkrn[m]> <pj> "no one argued that they are..." <- I don't understand what your point was
2023-02-17 06:08:04 <idkrn[m]> <psykose> "you use https -> it's slower" <- I've never seen a noticeable difference
2023-02-17 14:09:43 <pj> I recommend reading first
2023-02-17 14:20:35 <chereskata> hi there, noticed that multiple services run as root. For example iwd
2023-02-17 14:20:44 <chereskata> here is a grepped together ps -A:
2023-02-17 14:20:48 <chereskata> https://paste.gnome.org/dOPmAj5Xl
2023-02-17 14:21:59 <chereskata> is it possible to run iwd as non root user?
2023-02-17 14:24:53 <psykose> no
2023-02-17 14:25:35 <chereskata> thanks :)
2023-02-17 17:02:42 <idkrn[m]> <pj> "I recommend reading first" <- Reading what
2023-02-17 17:03:11 <idkrn[m]> <chereskata> "hi there, noticed that multiple..." <- If it bothers you, try sandboxing them
2023-02-20 23:53:25 <jalberti> Hi! Quick question re https://security.alpinelinux.org/vuln/CVE-2022-48303
2023-02-20 23:54:02 <jalberti> there seems to be no fix yet consumed, and the CVE is not matching to any packages. Is this on the table?
2023-02-20 23:54:31 <jalberti> Latest tar https://pkgs.alpinelinux.org/package/v3.17/main/x86_64/tar does not contain any patch, from what I can tell?
2023-02-20 23:55:01 <psykose> it does not
2023-02-20 23:57:20 <jalberti> Quick question regarding 3.16 vs 3.17 ... e.g. https://security.alpinelinux.org/vuln/CVE-2022-46663, 3.17 contains a later version of less, with the patch for this CVE consumed, 3.16 does not have this patch. Is 3.16 EOL for security patches, or is 3.16 not receiving the patch, because also here, there is no match?
2023-02-21 00:01:11 <jalberti> https://endoflife.date/alpine, if this info is accurate, I assume the reason is the later? But why consume the patch explicitly in 3.17, and then not add it to 3.16, was that an oversight?
2023-02-21 00:01:26 <psykose> 3.16 does have it fixed
2023-02-21 00:01:31 <psykose> same for 3.15 and 3.14
2023-02-21 00:01:32 <psykose> 3.13 is eol
2023-02-21 00:01:40 <psykose> i fixed it before a cve was assigned so i had nothing to fill out
2023-02-21 00:02:04 <psykose> i had it fixed like 10 minutes after the report was published or something
2023-02-21 00:02:35 <jalberti> my bad, sorry
2023-02-21 00:03:38 <psykose> fixed the tar one
2023-02-21 00:03:40 <psykose> happy untarring
2023-02-21 00:04:03 <jalberti> with pleasure
2023-02-22 06:14:58 <idkrn[m]> Always bwrap archives