2024-02-08 19:24:54 https://appealforassistance.notion.site/Appeal-for-Assistance-abcca31346e944b38e09ebabb4208152
2024-02-08 19:44:49 I haven't followed that link but seen it or similar being spammed in other channels
2024-02-08 19:44:59 yes
2024-02-10 01:39:32 https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.4
2024-02-10 01:40:26 apparmor in 3.17-stable is at 3.1.2
2024-02-10 01:43:42 now I saw !60417
2024-02-13 12:14:37 We get a headsup that there will be a security update for dnssec validating dns recursors
2024-02-13 12:14:52 Habbie will make MRs for the Alpine Linux packages
2024-02-13 12:33:31 secfixes in APKBUILD mentions the release that -fixed- a CVE, right?
2024-02-13 12:34:33 yes
2024-02-13 12:37:07 do you want to do 3.18 for these CVEs too?
2024-02-13 12:39:04 For community it's officially no longer supported, but if you deem it severe enough to backport it to 3.18 as well and no other side effects, you could do it
2024-02-13 12:43:33 that was exactly my thinking
2024-02-13 12:44:55 i believe ISC (BIND) planned to announce at 15:00 UTC
2024-02-13 12:45:05 for the others, all I know is 'not before 12:00 UTC'
2024-02-13 12:54:34 unbound 1.19.1 is out
2024-02-13 12:54:52 https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
2024-02-13 12:59:58 i'm working on the pdns-recursor MRs; happy to do others after that, but feel free to beat me to it
2024-02-13 13:19:10 ISC has published their releases
2024-02-13 13:23:29 9.16.48, 9.18.24, 9.19.21 - https://lists.isc.org/pipermail/bind-announce/2024-February/001246.html
2024-02-13 13:52:01 I can look at unbound
2024-02-13 14:20:12 powerdns MRs done (and two already merged by omni, thanks)
2024-02-13 14:20:59 I wonder if unbound in 3.18 and earlier should be upgraded or patched
2024-02-13 14:21:27 maybe the changes in https://github.com/NLnetLabs/unbound/compare/release-1.19.0...release-1.19.1 could apply to earlier releases too
2024-02-13 14:22:04 there are also some other things with unbound and py-unbound that perhaps should be py3-unbound instead
2024-02-13 14:22:14 i'll ask them
2024-02-13 14:22:31 👍
2024-02-13 14:22:45 I'll look at bind then
2024-02-13 14:25:43 cool
2024-02-13 14:25:53 i'll be over there PRing to openwrt for a while ;)
2024-02-13 14:44:01 omni, PMing you
2024-02-13 14:50:13 thanks
2024-02-13 14:50:36 uhm... bind in 3.16-stable is at 9.16.44...
2024-02-13 14:50:54 ah, so upgrade to 9.16.48 then
2024-02-13 14:51:34 not too bad
2024-02-13 14:53:25 no
2024-02-13 14:55:17 lol, i looked for abump -s earlier today, but https://wiki.alpinelinux.org/wiki/Include:Abump doesn't mention it, so i missed it
2024-02-13 15:15:08 unbound for 3.18 MRed, i'll fix the whitespace after i test and MR 3.17
2024-02-13 15:21:02 both done
2024-02-13 15:21:46 the Knot Resolver release is delayed
2024-02-13 15:23:22 I was just thinking of that
2024-02-13 15:24:26 everybody is hurting, these are pretty big changes to have to suddenly drop onto the public
2024-02-13 15:24:40 one of our customers -immediately- found a bug we introduced with the fixes .. yesterday
2024-02-13 15:25:13 ISC apparently burned 3 version numbers on shipping broken things to customers over the last month
2024-02-13 15:25:55 fatal: unable to access 'https://gitlab.alpinelinux.org/Habbie/aports.git/': Failed to connect to gitlab.alpinelinux.org port 443 after 130185 ms: Couldn't connect to server
2024-02-13 15:25:59 unhappy gitlab pipelines
2024-02-13 15:26:57 oh, I have Retry powers
2024-02-13 15:35:06 Knot has no plans to ship fixes for 5.6 or older
2024-02-13 15:35:34 apparently 5.7.0 also had non-backported fixes
2024-02-13 15:36:40 but the patches might fit
2024-02-13 15:39:06 bbl
2024-02-13 15:46:55 thank you for your efforts so far
2024-02-13 15:49:38 you too :)
2024-02-13 16:00:07 ikke: I beat you to it !60766
2024-02-13 16:01:43 Oh, no worry
2024-02-13 16:01:55 Feel free to close mine
2024-02-13 16:04:38 did you have one open for 3.19-stable?
2024-02-13 16:05:28 libxml2 in 3.17-stable is at 2.10.4 and in 3.16-stable at 2.9.14, should those be upgraded to 2.11.7 too or be patched instead?
2024-02-13 16:07:03 omni: no, I did not open one yet
2024-02-13 16:07:28 ok
2024-02-13 16:19:36 new dnsmasq, i hear
2024-02-13 16:31:58 yes, 2.90
2024-02-13 16:36:13 !60767
2024-02-13 16:57:59 !60771 could benefit from some more review, since it's a jump from 2.87 instead of an upgrade from 2.89, perhaps it should be patched instead of upgraded?
2024-02-13 16:59:54 and I have barely looked at dnsmasq in 3.16-stable, but it is at a very patched 2.86-r4
2024-02-13 17:00:22 I haven't looked if there are any breaking changes since
2024-02-13 17:20:24 I've opened !60774 & !60775 too
2024-02-16 11:51:57 last year, h2o had a CVE, which we (powerdns) fixed as upstream is unmaintained
2024-02-16 11:52:03 today i'll be MRing removal of h2o from aports
2024-02-16 11:52:29 the CVE fix was imported (statically) into community/netdata, which builds h2o inside its own port
2024-02-16 11:52:47 we (powerdns) may not fix future CVEs in h2o, so you might consider removing h2o from netdata too
2024-02-16 11:54:09 Habbie: Yes, thanks, I was aware h2o was used there statically. What would be the alternative?
2024-02-16 11:54:20 that is an excellent question, but i don't know anything about netdata
2024-02-16 11:54:44 the answer may be "nothing" in which case we should hope netdata takes responsibility
2024-02-16 11:54:56 "H2O is a new generation HTTP server that provides quicker response to users with less CPU utilization when compared to older generation of web servers."
2024-02-16 11:54:59 lol
2024-02-16 11:55:24 my coworker reports that he still likes h2o better than nghttp2 (which we put in its place)
2024-02-16 11:55:27 but unmaintained is unmaintained
2024-02-16 11:56:55 I think it's an optional dependency since initially netdata was built without it, so I may just remove it
2024-02-16 11:58:43 the openwrt netdata port doesn't have h2o
2024-02-16 12:15:18 time to move to freenginx!
2024-02-18 05:13:36 ncopa
2024-02-18 12:48:16 I'm curious what the malware would be
2024-02-18 12:53:07 Yeah, me too, but they left without providing any details
2024-02-18 16:45:11 maybe in a DM...
2024-02-19 04:33:53 for 3.16 & 3.17 https://github.com/python/cpython/pull/114145
2024-02-19 15:09:51 hi
2024-02-19 15:11:46 can anybody enlighten us on what malware is spread?
2024-02-19 16:08:35 I was hoping urgentTipper had given you more information in a DM
2024-02-19 16:08:45 So far, nothing concrete has been mentioned, so all we could do is guess
2024-02-19 16:09:14 perhaps it's just part of that "making PMOS and related projects look bad"
2024-02-19 16:14:14 has not got anything useful really
2024-02-19 16:15:08 and it did smell like a scam. "urgent! you need to do blah blah ASAP"
2024-02-19 16:16:31 the critical info that would be required to actually do anything was missing. (eg exact packages and commits)
2024-02-19 16:59:49 what happened? guessing I'm missing context from other channels
2024-02-19 19:02:47 fluix: there is a person claiming someone is spreading malware through alpine packages
2024-02-19 19:03:15 That they are a victim and that we should ban this person
2024-02-19 19:03:34 and at the same time not providing any info, huh
2024-02-19 19:03:50 But nothing concrete, just some accusations and that we must take immediate action
2024-02-19 19:04:40 ACTION nods
2024-02-20 11:43:57 we cannot ban people based on anonymous tips without having anything at all to investigate
2024-02-20 11:45:30 reminds me of that time I got death threats. someone claimed I had hacked their phone. the "evidence" was my copyright and email address in the busybox udhcpc script. apparently the script was found on the person's phone
2024-02-20 14:07:03 I think I remember you mentioning that
2024-02-20 14:07:16 or maybe I'm thinking of this https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/
2024-02-20 21:05:12 has the maintainer in question been informed?
2024-02-21 07:34:39 no, not yet
2024-02-22 16:35:20 https://www.securityweek.com/threat-actors-quick-to-abuse-ssh-snake-worm-like-tool/
2024-02-22 16:35:43 Alpine is not (by default) affected as the tool is written for Bash, not POSIX sh
2024-02-23 03:25:08 hmm.. https://github.com/openzfs/zfs/pull/15847
2024-02-23 03:25:38 does that make zfs 2.2.3 a security upgrade then
2024-02-23 03:25:58 and should our luas be patched?
2024-02-23 05:43:43 wow that's old
2024-02-29 08:21:54 Be wary of aports using forked projects https://infosec.exchange/@dangoodin/112011545147468493
2024-02-29 11:47:16 thankfully modern™ languages like go and rust don't tend to use a bazillion dependencies from github
2024-02-29 12:22:59 anybody know where I can find the ubuntu patches for openssh 9.0? https://security.snyk.io/vuln/SNYK-UBUNTU2304-OPENSSH-6130586
2024-02-29 12:30:06 https://launchpad.net/ubuntu/+source/openssh/1:9.0p1-1ubuntu8.6
2024-02-29 12:30:12 https://launchpadlibrarian.net/704036022/openssh_1%3A9.0p1-1ubuntu8.5_1%3A9.0p1-1ubuntu8.6.diff.gz
2024-02-29 15:56:48 thanks!
2024-02-29 15:56:55 Can we close https://gitlab.alpinelinux.org/alpine/aports/-/issues/15593 now?
2024-02-29 15:57:05 or does anybody want to follow up on the rust crates?
2024-02-29 17:15:59 jvoisin: but rust has crates.io, so...
2024-02-29 17:16:36 and go specifically requires full namespace paths
2024-02-29 18:39:23 ncopa: I'm fine with closing it. I assume rust crates and what may still be left will catch up eventually and, as I understood it, the vulnerability wasn't that critical anyway
2024-02-29 18:40:00 it doesn't hurt to reference it even if it is closed, though, if we see MRs with upgrades and fixes related to it
2024-02-29 20:55:58 👍
2024-02-29 20:56:19 Yeah, agreed