2023-03-07 13:22:58 <jvoisin> https://eprint.iacr.org/2023/331.pdf grmbl
2023-03-07 13:23:07 <jvoisin> ^ A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithm
2023-03-07 13:23:34 <jvoisin> arbitrary write in (at least) Python and PHP when some values are hashed.
2023-03-07 13:23:44 <jvoisin> it's CVE-2022-37454
2023-03-16 07:31:33 <JohannesJ[m]> does alpine has its own cve list?
2023-03-16 07:37:03 <ptrc> there's https://security.alpinelinux.org, if that's what you mean
2023-03-16 07:47:26 <JohannesJ[m]> slightly :) thanks somehow i missed that site!
2023-03-16 07:49:17 <JohannesJ[m]> currently i get daily mail from opencve.io, i havent checked if they have Alpine listed too :)
2023-03-16 07:50:55 <JohannesJ[m]> it is :) https://www.opencve.io/cve?vendor=alpinelinux&product=alpine_linux should anyone wonder
2023-03-16 08:02:42 <ncopa> this is reported on wrong product: https://security.alpinelinux.org/vuln/CVE-2023-27482 homeassistant != supervisord
2023-03-16 08:07:38 <ikke> The package is called supervisor, which is why it matches 
2023-03-16 08:07:47 <ikke> We need to add a custom remap 
2023-03-16 08:10:50 <ikke> https://gitlab.alpinelinux.org/alpine/infra/docker/secfixes-tracker/-/blob/master/config/prod.settings.py#L44
2023-03-16 12:06:00 <ikke> https://www.openssh.com/txt/release-9.3
2023-03-16 12:20:44 <jvoisin> on the bright side: https://github.com/openssh/openssh-portable/commit/195313dfe10a23c82e9d56d5fdd2f59beee1bdcf
2023-03-16 12:56:52 <psykose> not again
2023-03-16 12:57:41 <psykose> time to have a fun debugging session in 3 weeks when someone can't reach their machine on some non-x86_64 device that fails to accept ssh connections because it crashes instantly due to seccomp that nobody tested vs musl syscalls
2023-03-16 12:58:18 <psykose> in more exciting news https://github.com/Duncaen/OpenDoas/issues/106#issuecomment-1470921596
2023-03-16 13:14:57 <jvoisin> psykose: come on, the seccomp policy looks trivial, absolutely readable and maintainable. No chance in Hell this will break in catastrophic ways :D
2023-03-16 13:17:12 <ikke> Hmm, why is my sarcasm indicator lighting up
2023-03-16 13:19:36 <psykose> must be a fluke
2023-03-16 13:22:47 <ncopa> i think we should backport disable ioctl TIOCSTI in our kernel
2023-03-16 13:23:14 <psykose> yeah
2023-03-16 13:23:25 <psykose> i was about to propose it
2023-03-16 13:24:16 <psykose> not sure if it will fix the TIOCLINUX issues though
2023-03-16 13:27:39 <jvoisin> it doesn't :/
2023-03-16 13:49:17 <ncopa> what are the TIOCLINUX issues?
2023-03-16 13:49:47 <ncopa> also disabling TIOCSTI in kernel will break screen readers apparently
2023-03-16 13:50:01 <ikke> hartwork mentions it but no details
2023-03-16 13:52:02 <ikke>   the CVE only mentions TIOCSTI
2023-03-16 13:54:45 <psykose> details are in https://github.com/jwilk/ttyjack
2023-03-16 14:27:45 <ncopa> looks like they inject things using "paste" with TIOCLINUX
2023-03-22 00:54:42 <omni> there are a few new XSAs https://xenbits.xen.org/xsa/
2023-03-22 00:55:56 <omni> not sure I'll be able to look into these anytime soon
2023-03-22 00:56:40 <omni> haven't looked at !44430 either, since the patch didn't apply cleanly to the stable release