2024-09-03 17:05:17 openssl CVE-2024-6119 (possible DoS, moderate severity): https://openssl-library.org/news/secadv/20240903.txt
2024-09-03 17:48:20 !71373
2024-09-21 14:11:32 asterisk should probably receive security patches/upgrades for 3.17 through 3.19 stable branches too
2024-09-23 14:37:10 https://x.com/evilsocket/status/1838169889330135132
2024-09-23 14:37:24 ncopa: clandmeter: ikke: did we get anything about this at all?
2024-09-23 14:38:29 No
2024-09-23 14:39:58 ah
2024-09-23 14:40:06 apparently it's gonna get sent to distros ml on 30th
2024-09-23 14:40:54 buuuut we're not on there..?
2024-09-23 14:48:51 No
2024-09-23 14:51:56 did we ever try to get on there?
2024-09-23 14:52:47 if not, i guess i could try sending an application - afaict we are eligible
2024-09-23 14:53:00 though
2024-09-23 14:53:09 > Have a publicly verifiable track record, dating back at least 1 year and continuing to present day, of fixing security issues [...] and releasing the fixes within 10 days
2024-09-23 14:53:28 we usually fix critical security issues in less than 10 days, right?
2024-09-23 14:59:31 from what I can tell, if possible, yes
2024-09-23 15:00:35 ah, and we'd also need someone to vouch for us
2024-09-23 15:05:25 don't include me, I think full disclosure == responsible disclosure
2024-09-23 15:08:04 eeh, personally i think it's better to have a while, even if just a day, to be able to properly analyze whether an issue actually affects us (glibc-related issues don't, etc.) and prepare to patch/upgrade stuff if necessary
2024-09-23 15:09:13 It also requires participants to perform some tasks for distros
2024-09-23 15:11:42 yeah, i'm also not sure about that one; most of alpine developers are already often too busy to do alpine work, not even mentioning external stuff on behalf of alpine
2024-09-23 15:12:03 and the question is how much benefit it will bring us
2024-09-23 15:13:59 i think it would be useful in the case of critical stuff, like openssh or openssl vulns, which would be nice to have patched on disclosure day
2024-09-23 15:14:58 or in some cases if it's an inconspicuous patch that fixes a security issue
2024-09-23 15:15:21 but effort vs reward is a valid point
2024-09-23 15:16:50 maybe i should just open a tsc ticket about it and we'll have a consensus in.. *checks notes* a month or two?
2024-09-23 17:42:07 i don't think alpine should participate on distros list
2024-09-23 17:42:31 i also think the distros list does more harm than good
2024-09-23 17:43:52 distros list exists to give incumbent distributions an edge over new distributions on security. this is bullshit
2024-09-23 17:44:38 and besides, anything of interest usually falls off the back of the truck and into some alpine dev's (usually mine) inbox
2024-09-23 17:45:14 i also think that taking the claims of someone who has been demonstrated to be a domestic abusing charlatan in the past seriously is probably not worth it :p
2024-09-23 17:47:25 based on "all GNU/Linux systems" there's a good chance this is about glibc and doesn't apply to Alpine
2024-09-23 17:48:00 i think the TSC also has better things to do than debate whether participating on a private disclosure list is valuable to alpine
2024-09-23 17:48:37 kpcyrd: they also mentioned BSDs, so maybe not
2024-09-23 17:48:57 if it goes to distros on the 30th
2024-09-23 17:49:02 it will be in my inbox by october 1
2024-09-23 17:49:05 i guarantee you that
2024-09-23 17:49:09 if it is real
2024-09-23 17:49:15 which given it's evilsocket, it's probably bullshit
2024-09-23 17:49:50 he is just trying to repair his reputation through some hyped up nonsense
2024-09-23 17:50:32 Ariadne: oh huh, did he post some bullshit before?
2024-09-23 17:50:39 only all the time
2024-09-23 17:50:45 he claims he invented WAFs for example
2024-09-23 17:50:54 lmao
2024-09-23 17:51:00 okay fair
2024-09-23 17:51:23 and i am quite serious about the DV accusations, there was a whole thing on twitter involving him being accused by multiple people of DV
2024-09-23 17:51:34 like this guy should not be taken seriously unless he actually shows proof
2024-09-23 17:51:56 and if there were proof, it would have already fallen off the truck if it is really an "omg 9.9 CVSS everyone is affected" bug
2024-09-23 17:52:18 like seriously, the distros list is *not as good as they claim to be* with their information security hygiene
2024-09-23 17:52:22 i mean, given all the context, it's either something in openssh, or indeed a made up vuln
2024-09-23 17:52:33 it's probably some nothingburger OpenSSH bug
2024-09-23 17:52:37 i can ask damien
2024-09-23 17:52:39 he'll tell me
2024-09-23 18:03:57 okay
2024-09-23 18:03:59 got the deets
2024-09-23 18:04:16 it's a nothingburger
2024-09-23 18:04:49 that's all i can say publicly
2024-09-23 18:05:23 alrighty
2024-09-23 18:05:27 so nothing to worry about
2024-09-24 20:59:50 tempted to merge the ghostscript security upgrades, but worried about breaking anything
2024-09-24 20:59:58 at least for older stable branches
2024-09-24 21:00:06 https://ghostscript.readthedocs.io/en/gs10.04.0/News.html
2024-09-24 21:06:35 there also seems to already be some ghostscript{,-fonts} issues - #16376 #1682 #16465
2024-09-24 21:09:46 uhm, should be #16376 #16382
2024-09-25 12:48:27 https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
2024-09-25 19:32:09 jvoisin: such CVSS 9.9, wow
2024-09-25 22:17:12 amaze
2024-09-25 22:21:57 > There is an assumption for exploitation that /etc/cups/cupsd.conf can be successfully edited (this has been omitted here as it is believed to be out of scope).
2024-09-25 22:22:22 interesting claim there
2024-09-25 22:34:32 ACTION thought this was the evilsocket CVE, it's not
2024-09-27 00:18:38 very cups
2024-09-27 04:50:10 "jvoisin: such CVSS 9.9, wow" <- It's sad how right you were about this lol
2024-09-27 13:08:00 I'm filling in a form to get alpine linux listed in rpi-imager. there is a question there:
2024-09-27 13:08:08 Does your OS come with an unattended update mechanism?
2024-09-27 13:08:34 `apk-cron`
2024-09-27 13:09:38 So I suppose I can answer: Yes, via an established OS package repository (eg, Debian, Ubuntu, Fedora)
2024-09-27 13:09:41 but
2024-09-27 13:10:00 apk-cron is not shipped with the OS image
2024-09-27 13:10:34 so it is not entirely true
2024-09-27 13:11:15 so I guess the answer is no
2024-09-27 13:11:27 the OS, as you download it, doesn't come with an unattended update mechanism
2024-09-27 13:12:25 I have those options:
2024-09-27 13:12:28 Yes, via a privately-managed package repository
2024-09-27 13:12:40 Yes, via an established OS package repository (eg, Debian, Ubuntu, Fedora)
2024-09-27 13:12:48 Yes, via a privately-managed proprietary update mechanism
2024-09-27 13:13:01 My OS does not provide an update mechanism because it never uses Networking functionality
2024-09-27 13:13:20 Other: I would like to discuss this question with the Raspberry Pi Imager team
2024-09-27 13:13:39 the "other" option may take up to 20 work days
2024-09-27 13:33:08 maybe we just add apk-cron to the base images
2024-09-27 13:33:31 it's just 20k
2024-09-27 13:34:02 no. 4k compressed
2024-09-27 13:35:31 I think it's a good idea, but do people want auto-updating base images?
2024-09-27 13:37:29 i think not :)
2024-09-27 22:54:46 i think that we can say "yes" and argue "you have to turn it on via apk-cron if you want that"
2024-09-29 07:13:20 "I think it's a good idea, but do..." <- Yes
2024-09-29 12:34:04 no
2024-09-29 14:02:05 contentious topic
2024-09-29 18:44:20 "no" <- Clearly that isn't true since I said yes
2024-09-29 18:44:38 I don't care
2024-09-29 18:44:54 Didn't ask if you cared
2024-09-29 18:45:14 you pinged me so clearly you did
2024-09-29 18:45:40 There was no question :)