2023-08-01 05:29:05 omni: merged
2023-08-01 11:06:40 <3
2023-08-01 17:57:44 https://www.theregister.com/2023/08/01/collide_power_cpu_attack/
2023-08-01 20:26:21 minimal: fun times, they keep finding new side-channels
2023-08-01 20:26:44 New go version: https://github.com/golang/go/releases/tag/go1.19.12 vulnerabilities were pre-announced
2023-08-01 20:26:53 CVE-2023-29409
2023-08-01 20:30:36 https://github.com/golang/go/releases/tag/go1.20.7
2023-08-01 20:40:00 https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI?pli=1
2023-08-02 06:23:11 print test
2023-08-02 06:23:23 print -buffer test
2023-08-02 17:50:17 WebKitGTK and WPE WebKit Security Advisory WSA-2023-0007 (https://www.openwall.com/lists/oss-security/2023/08/02/1)
2023-08-03 19:31:56 https://blog.rust-lang.org/2023/08/03/cve-2023-38497.html
2023-08-03 19:32:42 yes, I've already notified pj in #alpine-devel
2023-08-03 19:33:53 hehe, too many channels :D
2023-08-03 19:34:48 yeah, I would've posted it here if pj was here
2023-08-03 19:34:59 I'm tho
2023-08-03 19:35:03 oh
2023-08-03 19:35:06 :P
2023-08-03 19:35:08 now you appear
2023-08-03 19:35:22 something something matrix
2023-08-03 19:35:32 tru, tru, I agree with your statement
2023-08-03 19:35:49 I will be on IRC once again at some point, just busy times lately
2023-08-04 00:51:58 https://github.com/rust-lang/rust/pull/114440
2023-08-04 00:52:16 can't even upgrade rust because it doesn't work
2023-08-04 04:09:53 Ouch
2023-08-04 08:32:09 "Unexpected rustc version: 1.71.0, we should use 1.70.x/1.71.1 to build source with 1.71.1" :P
2023-08-08 10:44:02 some CPE data is wrong
2023-08-08 10:44:07 this is wrong: https://nvd.nist.gov/vuln/detail/CVE-2022-41859#vulnConfigurationsArea
2023-08-08 10:44:58 the commit is not included for 3.0.25
2023-08-08 10:51:33 I'm working on https://gitlab.alpinelinux.org/alpine/aports/-/issues/15176 btw
2023-08-08 10:51:38 triaging
2023-08-08 10:51:48 It looks like you are as well
2023-08-08 10:53:19 ncopa: I started at the bottom, got to samba (libwdclient)
2023-08-08 10:55:29 i started from the top, got to samba just now
2023-08-08 10:55:39 I haven't done any fixes just yet, just triaging
2023-08-08 10:55:53 CVE-2023-0225 does not apply
2023-08-08 10:55:56 i have fixed freeradius
2023-08-08 10:56:02 Yeah, saw the commits
2023-08-08 10:57:42 https://security.alpinelinux.org/srcpkg/samba it's sort of cumbersome without knowing which branches are unresolved
2023-08-08 10:58:59 Check the table I've added
2023-08-08 10:59:55 wow.. nice!
2023-08-08 11:05:23 working on libpng
2023-08-08 11:11:39 i'm working on samba
2023-08-08 11:16:47 working on sudop
2023-08-08 11:18:00 libpng has a soname change apparently
2023-08-08 11:18:02 -usr/lib/libpng16.so.16.38.0
2023-08-08 11:18:04 +usr/lib/libpng16.so.16.39.0
2023-08-08 11:18:31 sorry, that's just the filename, not necessarily a soname change
2023-08-08 11:43:45 only mariadb and samba still left open
2023-08-08 11:43:51 2 others that have no fix available yet
2023-08-08 12:16:43 upstream has not released any fix for CVE-2023-0922 for samba-4.15
2023-08-08 12:17:14 there are patches for 4.16.10 on https://www.samba.org/samba/history/security.html
2023-08-08 12:17:38 and I was able to apply them to v4-15-stable with a trivial conflict
2023-08-08 12:17:44 37 patches
2023-08-08 12:18:24 however, some of those are to ldb, and require ldb 2.5.3
2023-08-08 12:18:57 which means that we'd need to do a ldb release, 2.4.5, which upstream has not done
2023-08-08 12:19:06 or we need to bundle ldb with samba
2023-08-08 12:19:38 or we just drop it, saying that upstream has no fix for it for samba 4.15
2023-08-08 13:08:04 this looks buggy https://security.alpinelinux.org/vuln/CVE-2022-47015
2023-08-08 13:08:55 3.16-stable is fixed but not 3.15-stable or 3.17-stable, even if they have the exact same version
2023-08-08 13:10:09 due to 921d89b7e69f531fd2d96b00aeaf22dee3c94e0f
2023-08-08 13:11:20 updated those
2023-08-08 13:39:21 i would like to run secfixes-tracker locally, in docker
2023-08-08 13:39:41 do we have a docker image for our production site?
2023-08-08 15:08:22 alpinelinux/secfixes-tracker
2023-08-08 15:08:41 https://gitlab.alpinelinux.org/alpine/infra/docker/secfixes-tracker
2023-08-08 15:08:50 together with a docker-compose file
2023-08-08 15:09:04 that's the one I was looking for. thanks!
2023-08-09 00:43:52 3
2023-08-09 00:44:45 <3 (probably)
2023-08-09 12:46:44 i'm working on making it possible to update secfixes-tracker on branch/repo upload events
2023-08-09 12:51:24 what is creating https://secdb.alpinelinux.org/edge/community.json
2023-08-09 12:51:28 and how and when
2023-08-09 12:55:51 https://gitlab.alpinelinux.org/alpine/security/secdb
2023-08-09 12:56:15 It listens to mqtt messages
2023-08-09 12:56:54 https://gitlab.alpinelinux.org/alpine/security/secdb/-/blob/master/src/cmd/generate.go
2023-08-09 12:57:27 https://gitlab.alpinelinux.org/alpine/security/secdb/-/blob/master/scripts/generate_secdb.sh
2023-08-09 13:01:56 is it git push messages?
2023-08-09 13:02:33 yup, git aports
2023-08-09 13:02:35 excellent
2023-08-09 13:14:06 One challenge might be race conditions
2023-08-09 13:14:51 Where the secfixes-tracker tries to update before secdb has updated
2023-08-09 13:15:12 Maybe secdb should send its own message after update?
2023-08-09 13:39:42 possibly
2023-08-09 13:39:50 but i don't think it is that critical
2023-08-09 13:40:21 the thinking here is that we update the secfixes-tracker on upload
2023-08-09 13:40:36 we need the APKINDEX, so it needs to happen after the package is built and the repo is uploaded
2023-08-09 13:41:04 Ah ok, yea
2023-08-09 13:41:36 there is a theoretical possibility that secdb is slower, but even if that happens, the problem will be "fixed" on the next git push
2023-08-09 13:41:42 Yup
2023-08-09 13:41:47 and we can keep the cron job as well
2023-08-09 13:42:20 i'm doing some significant performance changes
2023-08-09 13:42:31 the imports now happen in seconds instead of minutes
2023-08-09 13:42:49 by only committing to db once per repo instead of once per package
2023-08-09 13:45:58 Oof, yeah, that should save a lot
2023-08-09 13:50:57 "downside" is that if it gets interrupted it does not commit anything
2023-08-09 13:51:02 which may be a good thing
2023-08-09 13:51:31 Yeah, don't see that as a huge downside
2023-08-09 14:30:11 ok, I think I have updated all relevant flask cli commands now. they are now much faster, and they can take a `repo` arg so we can call them on MQTT messages by branch/repo
2023-08-09 14:30:33 i also tested the other open MR: https://gitlab.alpinelinux.org/alpine/security/secfixes-tracker/-/merge_requests/7
2023-08-09 14:30:39 looks good to me
2023-08-09 14:31:08 i wonder if someone should review the changes?
2023-08-09 14:31:46 maybe I should merge the MRs into a single one. they do the same thing for the different cli commands, so we could join them into a single MR
2023-08-09 14:31:51 not sure what makes most sense
2023-08-09 14:32:32 I suppose we could tag 0.4.0 after that
2023-08-09 14:32:57 next project is to add a testsuite for it, and set up CI
2023-08-09 14:33:08 but I don't know how, tbh
2023-08-09 14:43:24 I can review them
2023-08-09 14:43:42 Feel free to add me as reviewer
2023-08-09 14:53:04 do you want separate MRs or a single one?
2023-08-09 14:55:41 I can handle either
2023-08-10 13:41:44 ikke: i have updated the secfixes-tracker MRs. do you mind if I merge them?
2023-08-10 13:41:56 ncopa: I was just looking at it / merging
2023-08-10 13:42:01 👍
2023-08-10 13:50:11 ncopa: I don't follow the fix for https://gitlab.alpinelinux.org/alpine/security/secfixes-tracker/-/merge_requests/7. How does adding 2 additional routes (branch, branch/) fix being able to request json+ld on /?
2023-08-10 13:51:53 the current show_index (the index page) is currently accessible with json+ld anywhere
2023-08-10 13:52:07 is currently *not* accessible with json
2023-08-10 13:52:37 the patch makes it available under /branch and /branch/
2023-08-10 13:53:58 It's neither available for application/json nor application/json+ld
2023-08-10 13:54:08 ld+json*
2023-08-10 14:35:25 hum
2023-08-10 14:36:13 seems like application/json is available under /
2023-08-10 14:36:33 $ curl --silent -H "Accept: application/json" http://172.18.0.2:5000 | jq | tpaste
2023-08-10 14:36:33 https://tpaste.us/WxnB
2023-08-10 14:37:58 I was talking about `curl -H 'Accept: application/json' https://security.alpinelinux.org/`
2023-08-10 14:38:32 The fix may be working, but it would surprise me that that change had such an effect
2023-08-10 14:40:12 right
2023-08-10 14:40:31 so maybe it's fixed in current git master
2023-08-10 14:41:36 yeah
2023-08-10 14:42:18 this is the fix: https://gitlab.alpinelinux.org/alpine/security/secfixes-tracker/-/commit/875717c9d8667274ea5e256ff72de92ce91cd805
2023-08-10 14:42:33 right, that would make a lot more sense
2023-08-10 14:43:04 so what that MR maybe tries to do is have that work for /branch/ as well?
2023-08-10 14:43:23 but then showing the same content as /
2023-08-10 14:43:30 i closed it
2023-08-10 14:43:32 ok
2023-08-10 14:43:57 only this left: https://gitlab.alpinelinux.org/alpine/security/secfixes-tracker/-/merge_requests/13
2023-08-10 14:44:14 i suppose we use apk-tools 2 in prod?
2023-08-10 14:44:30 Yeah, I think so
2023-08-10 14:44:46 and I think that python module should be implemented in C and shipped with apk-tools
2023-08-10 14:45:20 it's an issue for apk-tools i guess
2023-08-10 14:46:21 i will try to figure out how to add a test suite with pytest, so we can set up a ci for it
2023-08-10 14:51:33 ncopa: so we should probably tag a new version and deploy that, right?
2023-08-10 14:52:26 i found another unmerged branch locally
2023-08-10 14:52:29 import-nvd
2023-08-10 14:52:45 https://gitlab.alpinelinux.org/alpine/security/secfixes-tracker/-/merge_requests/14
2023-08-10 14:53:04 oh.. hang on a sec
2023-08-10 14:53:33 https://gitlab.alpinelinux.org/alpine/security/secfixes-tracker/-/merge_requests/14/diffs#diff-content-c5fbfccc57a13ef159db7d88f6d98a5c0aa29d23 snugged in
2023-08-10 14:54:02 yeah i fixed it
2023-08-10 14:54:09 should be ok now
2023-08-10 14:54:42 yes, would be nice with a 0.4.0 release
2023-08-10 14:56:48 Readme should be updated with the new args
2023-08-10 14:56:58 aha
2023-08-10 14:57:11 I can do it, or will you?
2023-08-10 15:00:02 https://gitlab.alpinelinux.org/alpine/security/secfixes-tracker/-/merge_requests/15
2023-08-10 15:00:13 not sure if it's enough
2023-08-10 15:20:12 ncopa: https://gitlab.alpinelinux.org/alpine/security/secfixes-tracker/-/tags/v0.4.0
2023-08-10 15:36:00 ncopa: https://gitlab.alpinelinux.org/alpine/infra/docker/secfixes-tracker/-/merge_requests/10
2023-08-10 15:37:14 LGTM
2023-08-20 14:20:00 https://gitlab.alpinelinux.org/alpine/tsc/-/issues/64 how do we feel about enabling a couple of macros for libcxx?
2023-08-20 14:35:40 jvoisin: what would the impact of enabling those are?
2023-08-20 14:35:45 s/are/be
2023-08-20 14:37:20 _LIBCPP_ENABLE_THREAD_SAFETY_ANNOTATIONS doesn't have any impact, besides a tad more noisy compiler output in case of findings
2023-08-20 14:37:33 and for _LIBCPP_ENABLE_HARDENED_MODE, below 2% performance impact
2023-08-20 14:37:47 (since internally at Google, it was the requirement to enable it)
2023-08-20 15:18:40 Could you maybe make a merge request that enables these?
2023-08-20 15:52:04 absolutely
2023-08-20 15:52:09 I wanted to ask here before :)
2023-08-20 15:53:01 I think it's in line with the other changes, general alpine policy / history
2023-08-20 15:59:45 also, shouldn't those flags be put somewhere else?
2023-08-20 16:00:01 like in the glibc/libcxx/… packages, instead of the global file?
2023-08-20 16:01:15 I didn't find an explicit libcxx package
2023-08-20 16:02:33 https://pkgs.alpinelinux.org/package/edge/main/aarch64/wasi-libcxx maybe?
2023-08-20 16:02:47 nevermind, it's there: https://pkgs.alpinelinux.org/packages?name=libc%2B%2B&branch=edge&repo=&arch=&maintainer=
2023-08-21 11:35:20 ikke: https://gitlab.alpinelinux.org/alpine/abuild/-/merge_requests/221
2023-08-25 16:48:38 ncopa: I set !50549 to automerge when pipelines succeed
2023-08-25 17:00:08 µheads-up, hope that was in order
2023-08-28 05:31:51 absolutely! thanks!
2023-08-29 21:39:25 if someone would like to verify secfixes !50706
2023-08-30 00:32:32 friendly ping on https://gitlab.alpinelinux.org/alpine/abuild/-/merge_requests/221 :)
2023-08-30 18:11:47 https://gcc.gnu.org/pipermail/gcc-patches/2023-August/628748.html that's nice
2023-08-30 18:12:45 They mention a few glibc-specific things, what does it do in the case of musl?
2023-08-30 18:21:01 only D_FORTIFY_SOURCE is glibc-specific
2023-08-30 18:21:13 and D_GLIBCXX_ASSERTIONS is already enabled in Alpine
2023-08-30 18:21:24 I'm happy that the hardening options are all coming under a single flag
2023-08-30 18:21:36 instead of having to bikeshed all of them one by one :)
2023-08-30 18:32:51 hehe
2023-08-31 07:44:30 https://github.com/borgbackup/borg/releases/tag/1.2.5
2023-08-31 07:45:09 I've downloaded all the borgbackup apks for all architectures for v3.18 and edge if a user would need them
2023-08-31 07:45:48 !50779 !50780
2023-08-31 07:45:50 omni: good to know
2023-08-31 07:46:26 because we generally don't keep them lying around, right?
2023-08-31 07:46:33 no, we don't
2023-08-31 07:46:45 we tried before, but ran out of space rather quickly
2023-08-31 07:47:18 I can totally see that happening
2023-08-31 23:43:06 https://security-tracker.debian.org/tracker/CVE-2023-4016
2023-08-31 23:43:57 alpine 3.15-3.17 procps needs patch or upgrade