2024-10-02 18:16:26 hello, I was wondering: do the musl patches for chromium affect the sandbox negatively?
2024-10-02 23:27:10 "hello i was wondering do the..." <- I mean chromium isn't officially supported on musl anyway
2024-10-02 23:29:34 The core features of the sandbox should work independently of the libc though
2024-10-02 23:30:15 It's mostly namespaces and seccomp
2024-10-03 04:48:34 We had a chromium dev who tried to upstream the patches that we have
2024-10-04 16:50:34 mmm
2024-10-06 13:53:59 https://github.com/python/cpython/issues/122792
2024-10-06 13:54:04 found via !73056
2024-10-06 16:47:02 https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
2024-10-09 08:53:58 related to #alpine-security, there is now #alpine-hardened which is the opposite of what #alpine-security is intended for
2024-10-09 08:54:32 (e.g. proactive anti-exploitation hardening versus fixing security problems)
2024-10-10 10:51:12 Hey there, I'm currently doing SBOM scans for an alpine-based setup. Our scanning tool 'grype' reports the current linux-lts kernel (Alpine 3.19) as vulnerable to CVE-2022-1462. I can't find any information about this CVE being fixed or being worked on. Additionally https://security.alpinelinux.org/vuln/CVE-2022-1462 does not show any vulnerable packages. Since this CVE is fixed in most other distros I was wondering what's the best way to deal with this. Maybe someone of you can have a brief look into this or give me a hint on where to report this. Thanks in advance!
2024-10-10 10:56:26 Seems like it has not been addressed upstream yet?
2024-10-10 10:59:45 https://lore.kernel.org/lkml/20220601183426.GD2168@kadam/
2024-10-10 11:00:55 ncopa: can !73114 and !73115 go in now or is there something I haven't thought of?
2024-10-10 11:02:46 nick123: ">The reporter proposed a fix, but it won't work." "> Any news here? I'm not sure if I missed the followup submission but was not able to find it."
2024-10-10 11:03:08 omni: I don't know if it is a good idea to push any ABI-breaking update to libraries. It will break custom-built stuff for users, if any
2024-10-10 11:03:31 that said, I doubt there is any custom-built stuff with botan3, but who knows
2024-10-10 11:03:51 in this game it is usually: "if things can go wrong they *will* go wrong"
2024-10-10 11:04:35 omni: do you know if it is doable to backport the security fix, so we don't need to bump the ABI version?
2024-10-10 11:13:42 ikke: Thanks! That explains a lot to me. However, shouldn't the Alpine security tracker show the linux kernel packages as vulnerable to this CVE then? No offense, just trying to solve some missing parts in my brain
2024-10-10 11:28:49 maybe there is a mapping missing for "linux" -> "linux-lts"
2024-10-10 11:38:37 ncopa: ah, I thought we mostly cared about our own aports
2024-10-10 11:39:16 it's probably doable to backport, but I'm not sure I have time to look at it until a week or two from now
2024-10-10 11:40:23 omni: we can make an exception for this, if it is too much work backporting
2024-10-10 11:40:37 related to this, I think we should drop Botan2 (main/botan) before the 3.21 release, since it's EoL by the end of this year
2024-10-10 11:41:21 ncopa: I don't know if it's too much work, just that I'll be quite busy with other stuff from today and for at least a week from now
2024-10-10 11:41:54 I have meetings the rest of the day
2024-10-10 11:42:44 and llvm19 and abuild and fortify-headers and the hyper-v driver for linux-virt
2024-10-10 11:42:54 and the 3.21 builders need to be up this week
2024-10-10 11:42:59 and tomorrow I need to take off
2024-10-10 11:43:09 so... sorry I cannot help you more
2024-10-10 11:43:52 that's fine, I don't depend on it myself
2024-10-10 11:44:23 just often keen on getting security-related fixes in
2024-10-10 11:45:09 and we're also discussing it publicly here, so... if anyone else is up for it? =)
2024-10-10 11:58:46 ncopa: "maybe there is a mapping missing for "linux" -> "linux-lts"" -> Yes, seems like it. Looking at other fixed CVEs (e.g. https://security.alpinelinux.org/vuln/CVE-2022-42719 ) the vulnerable/fixed package isn't displayed either.
2024-10-10 21:24:58 https://github.com/nodejs/node/issues/33425 fun issue of the day.
2024-10-10 21:25:16 (PIE disabled by default in the official nodejs Linux binary, because of performance.)
2024-10-10 22:47:38 Ok, we live in 2002?
2024-10-10 23:15:51 jvoisin: makes me think of a conversation we had a while ago about looking for forced-off mitigations
2024-10-10 23:15:53 really sad
2024-10-11 05:35:59 libarchive security release: https://github.com/libarchive/libarchive/releases/tag/v3.7.5
2024-10-11 06:22:51 ikke: !72127 and !73145
2024-10-11 06:51:31 Nice, thanks