2023-12-04 21:37:47 <ikke> avahi has a whole list of CVEs open, but no new release yet, so we'd have to apply a bunch of manual patches, fun. 
2023-12-14 17:30:27 <omni> https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests?label_name%5B%5D=tag%3Asecurity
2023-12-15 08:53:32 <ncopa> omni: thanks!
2023-12-16 13:48:15 <celie> https://forums.unrealircd.org/viewtopic.php?t=9339
2023-12-16 13:49:45 <celie> That's in about 2 hours, i'll be AFK then though, so if anyone is free to handle that, thanks in advance.
2023-12-16 13:50:51 <ikke> I'll probably won't be available either
2023-12-16 14:17:11 <omni> unreal
2023-12-16 16:09:06 <omni> !57396 !57397
2023-12-16 20:16:40 <ncopa> omni: thanks!
2023-12-18 09:39:53 <wOLfR91> Hi
2023-12-18 09:39:57 <wOLfR91> Which one is better Aipine or Artix?
2023-12-18 10:04:48 <ikke> That's a very subjective question. The answer is: it depends
2023-12-18 10:54:18 <Foxboron> Alpine. Definetly
2023-12-18 19:57:05 <ikke> https://terrapin-attack.com/
2023-12-18 19:58:05 <ikke> Allows an MiTM to drop ssh packets from the beginning of the secure channel without client or server noticing
2023-12-18 20:07:29 <ikke> https://security.alpinelinux.org/vuln/CVE-2023-48795 
2023-12-18 20:38:48 <ikke> https://gitlab.alpinelinux.org/alpine/aports/-/issues/15593
2023-12-18 23:55:52 <omni> uh, why does it fail on ppc64le? !57517
2023-12-19 01:07:59 <omni> I think I solved it
2023-12-19 01:13:41 <omni> should we backport https://github.com/openssh/openssh-portable/commit/0cb50eefdd29f0fec31d0e71cc4b004a5f704e67 to the other releases or upgrade?
2023-12-19 02:03:43 <omni> !57518 !57520 !57519 !57522 !57523
2023-12-19 02:04:12 <omni> !57521 !57524 (celies)
2023-12-19 02:58:16 <celie> I think putty on 3.18 and 3.17 can just be upgraded from 0.78 to 0.80, as according to https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html 0.79 also contains some bug fixes, not so sure about 3.16 though, which has putty 0.76
2023-12-19 03:00:03 <omni> maybe dropbear will drop a release, otherwise https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
2023-12-20 18:11:19 <omni> do these !57618 !57620 look ok or are we missing something?
2023-12-20 18:23:33 <ikke> Nice source of confusion, libssh != libssh2
2023-12-20 18:25:10 <ikke> omni: look okay to me
2023-12-20 18:35:28 <jvoisin> ikke: still better than pcre.
2023-12-20 18:36:21 <omni> ikke: one of the reasons why I split main/ and community/ in #15593
2023-12-20 18:36:36 <omni> and the list started to get long
2023-12-20 18:37:04 <ikke> Thanks btw for handling this
2023-12-20 18:39:06 <omni> it's quite fun, actually =)
2023-12-20 18:39:39 <omni> terrapin doesn't seem to be too bad a vuln but the practice is good
2023-12-20 18:41:27 <omni> wolfssl is built with --enable-wolfssh, I wonder if that too is affected, but I don't see anything related in the project issues/MRs or latest release !57641
2023-12-20 18:44:49 <ikke> And it seems that the security.a.o page is updating nicely with the new NVD feed
2023-12-20 18:49:42 <omni> hmm.. that seems like a reason to put CVE numbers even though they're implied by the release, because it didn't pick up py3-asyncssh where I left it out
2023-12-20 18:55:03 <ikke> Yes, in this case there is no CPE
2023-12-20 18:55:21 <ikke> So there is no way to know what packages are involved or what versions are vulnerable
2023-12-20 18:56:47 <ikke> I'm not sure if the NVD will CPE matches in this case, but it might take a bit
2023-12-20 19:04:14 <omni> in that case, would it make sense to add to the secfixes section?
2023-12-20 19:04:27 <ikke> yes
2023-12-20 19:04:40 <omni> 👍
2023-12-20 19:05:04 <omni> but pkgrel bump is not needed?
2023-12-20 19:05:08 <ikke> No
2023-12-20 19:05:19 <ikke> secdb updates on commits to aports
2023-12-20 19:23:15 <ncopa> will security.a.o also update on git push?
2023-12-20 19:23:33 <ncopa> or on secdb updates?
2023-12-20 19:23:54 <ncopa> omni: thanks alot for following up the ssh issues. really appreciated
2023-12-20 19:25:59 <ikke> ncopa: not yet, only on hourly updates
2023-12-20 19:31:26 <omni> ncopa: (*^___^*)
2023-12-20 19:37:29 <ncopa> 👍
2023-12-20 19:37:53 <ncopa> i wish there was a way to list all cve's that affects a given branch
2023-12-20 19:44:10 <ncopa> https://security.alpinelinux.org/vuln/CVE-2023-40019 still lists 3.15-stable
2023-12-20 19:47:06 <ikke> Yeah, once it's marked vulnerable, it will remain 
2023-12-20 19:48:33 <ikke> We need to rethink it a bit 
2023-12-20 19:49:09 <ikke> Because it's also not easy to apply rewrites or rejections after the fact 
2023-12-20 20:06:26 <ncopa> i have an idea
2023-12-20 20:06:42 <ncopa> have icons for the state
2023-12-20 20:06:57 <ncopa> green "V" for ok/fixed
2023-12-20 20:07:07 <ncopa> red X for vunlerable
2023-12-20 20:07:22 <ncopa> use grey "V" or "X" icon for EOL
2023-12-20 20:11:21 <jvoisin> V as in "Vulnerable" ? :P
2023-12-20 20:11:36 <jvoisin> FIX/VUL/EOL instead?
2023-12-20 20:12:23 <jvoisin> with a konami code to change VUL to SAD :D
2023-12-20 20:36:21 <ncopa> https://icon-icons.com/icon/ok/103757
2023-12-20 20:37:16 <ncopa> something like this: https://www.istockphoto.com/vector/check-mark-icons-vector-line-icons-and-flat-icons-set-green-tick-and-red-cross-gm1410698514-460804344
2023-12-20 20:37:38 <ncopa> with the EOL branches as grey instead of red/green
2023-12-21 13:29:21 <omni> I figured libssh2 1.11.0 adds one and a half years of fixes over 1.10.0 so perhaps not a bad idea to upgrade before patch?
2023-12-21 13:29:40 <ikke> Depends on whether there are breaking changes?
2023-12-21 13:29:49 <omni> !57700 !57701 !57704
2023-12-21 13:30:06 <omni> sure
2023-12-21 13:30:31 <omni> no soname differences at least
2023-12-21 13:30:38 <ikke> indeed
2023-12-21 13:31:49 <omni> should I try and enable tests maybe?
2023-12-21 13:33:07 <ikke> Why are they not enabled?
2023-12-21 13:34:01 <omni> 78e15fb84e2e93c9ed25845f767cdf94955b6301
2023-12-21 13:34:15 <omni> 2021-10-16
2023-12-21 13:34:27 <ikke> Maybe first try on edge?
2023-12-21 13:34:59 <omni> sure
2023-12-21 13:35:31 <omni> "Improvements to unit tests" is in the 1.11.0 release notes https://github.com/libssh2/libssh2/releases/tag/libssh2-1.11.0
2023-12-21 13:36:26 <celie> Should !57696 and !57705 have security upgrade in their commit message, and what about secfixes?
2023-12-21 13:41:08 <celie> That is a lot of failures (!57706)
2023-12-21 13:42:26 <omni> uhh.. yes
2023-12-21 13:43:53 <celie> Add `make check || cat tests/test-suite.log`?
2023-12-21 13:49:10 <celie> It wants docker :-O
2023-12-21 13:49:29 <ikke> 🤨
2023-12-21 13:55:09 <celie> https://github.com/libssh2/libssh2/pull/762
2023-12-21 13:57:56 <ikke> But it wants an ssh server running, so not sure if it'll help
2023-12-21 13:59:35 <celie> There's also https://github.com/libssh2/libssh2/pull/557
2023-12-21 14:03:58 <omni> with --disable-docker-tests it runs only two tests but successfully
2023-12-21 14:05:16 <celie> but one of those tests is "mansyntax.sh"
2023-12-21 14:05:34 <omni> yes
2023-12-21 14:05:36 <celie> so i doubt those 2 tests are really sufficient
2023-12-21 14:06:06 <omni> I think test_simple at least does something interesting
2023-12-21 14:06:49 <omni> and the other tests require a running sshd?
2023-12-21 14:07:20 <celie> https://github.com/libssh2/libssh2/blob/master/tests/test_simple.c
2023-12-21 14:07:41 <celie> Seems to be just a base64 decode test?
2023-12-21 14:14:27 <omni> yes, it is very simple
2023-12-21 14:33:09 <omni> celie: wrt gitea and nebula I, personally, think that security upgrades should say "security upgrde to", if it is known that it is, so that they are easier to track and harder to miss to backport to stable releases
2023-12-21 14:35:00 <celie> I'll update the commit message
2023-12-21 14:35:02 <celie> What about secfixes?
2023-12-21 14:36:39 <ikke> If they are related to terrapin, they need secfixes
2023-12-21 14:37:45 <celie> Does that mean everything that uses golang.org/x/crypto will need secfixes?
2023-12-21 14:39:41 <omni> yes, and russh and trussh crates
2023-12-21 14:40:19 <celie> That will be a lot of secfixes
2023-12-21 14:40:37 <omni> it's so that we can have a very long and nice green block at the bottom of this page https://security.alpinelinux.org/vuln/CVE-2023-48795
2023-12-21 15:43:33 <omni> I noticed that I had stopped thinking and gave up trying to run ssh tests in !57706
2023-12-21 15:46:13 <omni> but enabled the basic tests in !57700 !57701 !57704
2023-12-21 16:23:33 <omni> and what to do with openssh in 3.16-3.18? upgrade or is someone up for looking at patching the older versions?
2023-12-21 21:27:13 <ncopa> i don't know how intrusive those patches are
2023-12-21 21:27:34 <ncopa> might be an idea to look what debian does. they often backport patches. we could probably reuse those
2023-12-22 01:38:30 <celie> I think OpenBSD 7.3 comes with OpenSSH 9.3 (the version Alpine 3.18 uses), so maybe the patch at https://www.openbsd.org/errata73.html could help if there aren't too many differences between the OpenSSH in OpenBSD and the portable version
2023-12-22 01:50:52 <minimal> another issue for the festive season... https://www.postfix.org/smtp-smuggling.html
2023-12-22 01:59:54 <omni> spammers gonna spate
2023-12-22 02:01:34 <omni> celie: a slightly adjusted https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/024_ssh.patch.sig did nott fail to patch portable openssh-9.3p2 so that could work for 3.18
2023-12-22 06:58:20 <celie> That's good to know
2023-12-22 07:00:42 <celie> Regarding Debian, they are patching OpenSSH 8.4 for Debian 11: https://salsa.debian.org/ssh-team/openssh/-/blob/bullseye/debian/changelog
2023-12-22 07:01:51 <celie> and OpenSSH 9.2 for Debian 12: https://salsa.debian.org/ssh-team/openssh/-/blob/bookworm/debian/changelog
2023-12-22 13:26:00 <omni> sorry, not everything that uses golang.org/x/crypto, everything that uses golang.org/x/crypto/ssh
2023-12-22 14:17:21 <omni> why is libssh2 not listed for edge-main at https://security.alpinelinux.org/vuln/CVE-2023-48795 ?
2023-12-22 16:37:28 <ikke> omni: not sure why yet, but it's marked as not published in the db
2023-12-22 16:37:57 <ikke> I can manually fix it, but want to see what should mark it is being published
2023-12-22 16:39:51 <ikke> ah, it wants to find it in the index
2023-12-22 17:04:36 <omni> !57754
2023-12-22 18:01:12 <omni> ikke: packge index?
2023-12-22 19:27:57 <ikke> omni: yes
2023-12-22 19:28:19 <ikke> omni: the problem is that -r0 is no longer there
2023-12-22 20:35:28 <omni> ah, so asterisk won't be marked as fixed in 20.5.1-r0 because I quickly pushed the 20.5.2-r0 regression fix upgrade?
2023-12-22 20:55:32 <ikke> Yeah, I think so
2023-12-22 20:55:39 <ikke> I mean, I can manually fix it now
2023-12-22 20:57:25 <omni> is it looking at the x86_64 package index then?
2023-12-22 20:57:43 <omni> I had assumed it looked at git history somehow
2023-12-22 20:58:11 <ikke> It's doing both
2023-12-22 20:59:50 <ikke> Basically, it only shows a vulnerability as fixed once the package is available in the index
2023-12-22 20:59:55 <ikke> not as soon as a commit is made
2023-12-22 21:00:30 <ikke> but in this case, it's the commit (secdb) which lets the security tracker associate the vuln to the  package
2023-12-22 21:07:30 <ikke> hmm, specific versions appear multiple times
2023-12-22 21:08:08 <ikke> https://tpaste.us/gg9d 
2023-12-22 21:14:36 <ikke> false alarm, I forgot the repo column
2023-12-22 21:24:44 <ikke> omni: I marked them as published now
2023-12-22 21:25:30 <ikke> https://security.alpinelinux.org/vuln/CVE-2023-37457
2023-12-22 21:26:15 <omni> thanks
2023-12-24 11:41:17 <ikke> hmm, something is causing the published flag to be disabled again :/
2023-12-24 11:42:50 <zcrayfish> Christmas gremlins
2023-12-25 10:18:55 <omni> yes, merry christmas my fellow gremlins