2024-01-08 12:48:21 https://mastodon.social/@bagder/111719876376557656 alpine
2024-01-08 12:48:45 Alpine curl is built without PSL support
2024-01-08 14:40:22 why is this even an option, and not an on-by-default-one :<
2024-01-08 14:42:18 Requires libpsl to be present
2024-01-08 14:48:30 thanks <3
2024-01-08 14:57:09 "you're silently missing features based on installed libraries" is so silly
2024-01-08 14:58:07 I'd rather have the build fail until I either provide the correct libraries, or I opt out of this feature
2024-01-08 15:03:10 no no kpcyrd, it's all your fault.
2024-01-08 15:17:48 🥲
2024-01-08 16:11:48 The problem is that libpsl is in community in Alpine, it would need to be moved to main
2024-01-08 16:41:42 let's move it
2024-01-08 19:16:45 https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/58596
2024-01-08 19:18:28 typo in second commit message, s/main$/community/
2024-01-08 19:19:46 fluix: thanks, fixed
2024-01-08 19:59:37 https://gitlab.alpinelinux.org/alpine/aports/-/issues/15655 security-related suggestion
2024-01-08 20:05:40 jvoisin: I'd expect some of those programs would have a use in some containers, i.e. LXC containers
2024-01-08 20:06:47 indeed, why would it be expected that a Docker container should never be able to run traceroute/traceroute6? i.e. someone might wish to use those in a network-diagnostics related Docker container
2024-01-08 20:08:43 minimal: then they can install busybox-setuid :)
2024-01-08 20:08:57 I don't advocate for removing it, simply to be able to
2024-01-08 20:09:27 jvoisin: apk add -t busybox-suid :P
2024-01-08 20:10:36 ACTION sighs
2024-01-14 13:25:55 WhyNotHugo asked about CVE-2023-45866, https://github.com/advisories/GHSA-qjcj-xg77-6c32
2024-01-14 13:26:55 the patch that archlinux uses https://gitlab.archlinux.org/archlinux/packaging/packages/bluez/-/commit/47e9592b1b322c54bdb094238f52fa20513c624b seems to be in by 5.71 https://github.com/bluez/bluez/commit/25a471a83e02e1effb15d5a488b3f0085eaeb675
2024-01-14 13:27:24 in stable releases we package 5.70 and earlier so it could be an idea to patch
2024-01-14 13:28:25 but archlinux and ubuntu users have reported issues since it was patched for those distros https://github.com/bluez/bluez/issues/673#issuecomment-1854599254
2024-01-14 13:40:09 patched as in the default setting was changed
2024-01-16 13:03:41 new and old https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests?label_name%5B%5D=tag%3Asecurity
2024-01-17 22:18:50 XSA-448 will be public on Tuesday https://xenbits.xen.org/xsa/
2024-01-18 06:38:09 Fun, bunch of CVE reports where the reported did not verify whether they are actually relevant :/
2024-01-18 06:38:17 reporter*
2024-01-18 12:06:27 Can someone review this? I've backported it from the commit that was reported in the NVD CVE report: https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/59159
2024-01-18 13:05:29 the patch applied cleanly?
2024-01-18 13:06:50 Yes, only the filenames and offsets had to be changed
2024-01-18 13:07:14 And I skipped the testdata hunk, since that's not present
2024-01-18 13:07:44 But the pre-image matched exactly
2024-01-18 13:08:08 then I'd assume it's good
2024-01-18 13:09:12 I'll try to backport it further as well
2024-01-18 13:09:28 👍
2024-01-19 03:36:26 is #15688 about that issue where "all" the aports would need to be rebuilt for aarch64?
2024-01-19 03:36:51 so that 3.19 is the only stable release where that is the case
2024-01-19 07:02:44 I don't think we bother rebuilding all.
2024-01-19 09:43:52 but gcc isn't patched either, right?
2024-01-19 09:44:48 for releases prior to 3.19-stable
2024-01-19 11:29:59 CVE-2024-0684 heap overflow in GNU coreutils split
2024-01-19 11:30:18 https://github.com/coreutils/coreutils/commit/c4c5ed8f4e9cd55a12966d4f520e3a13101637d9
2024-01-23 12:07:38 ah, XSA-448 was disclosed yesterday and the issue was in linux
2024-01-23 12:07:42 https://xenbits.xen.org/xsa/advisory-448.html
2024-01-23 12:08:14 "The embargo was intended to be 2024-01-23 12:00 UTC, but a downstream had a mixup of days and published early."
2024-01-23 12:09:17 "All systems using a Linux based network backend with kernel 4.14 and newer are vulnerable. Earlier versions may also be vulnerable. Systems using other network backends are not known to be vulnerable."
2024-01-23 12:09:53 omni: sounds like work to do
2024-01-23 12:10:20 https://xenbits.xen.org/xsa/xsa448-linux.patch
2024-01-23 12:11:31 yes
2024-01-23 13:07:27 !59461
2024-01-23 13:07:58 the patch also applies cleanly to linux-5.15.y
2024-01-23 13:08:18 if no-one beats me to it, I may create MRs for stable releases later
2024-01-23 13:09:05 for 3.19 this could be done at the same time as upgrading linux to 6.6.13
2024-01-23 13:10:03 at the same time _rel could be reset to 0 for some of the -lts aports as I've done in the MR above
2024-01-25 21:44:44 openssl & mariadb https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests?label_name%5B%5D=tag%3Asecurity
2024-01-26 00:35:59 ..and now also others
2024-01-26 00:39:24 > Thres a tyop in teh comit mesag ehre adn en
2024-01-26 00:39:25 lol
2024-01-26 00:39:52 tldr
2024-01-27 00:19:58 ouch, I just noticed this https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.7
2024-01-27 00:20:52 !59686 !59687 !59688 !59689 !59690
2024-01-27 00:45:47 I think I'll get them in in a bit
2024-01-27 07:37:27 Fun, a whole lot of possible CVEs dumped, but many of them appear to be bogus: https://www.openwall.com/lists/oss-security/2024/01/26/2
2024-01-30 13:46:05 0: under secfixes is where you nack, right?
2024-01-30 13:58:26 Yes
2024-01-30 13:58:33 Curl?
2024-01-30 14:03:05 no, xen, XSA-450
2024-01-30 14:03:30 !59920 !59921 !59927
2024-01-30 14:11:20 !59930 !59932
2024-01-31 22:50:27 omni: 0: means we were never ever affected. (aka "fixed" since version 0)
2024-01-31 22:57:48 ah, thanks