2026-05-05 16:03:54 https://cybersecuritynews.com/apache-http-server-rce/ there's a new remote code execution bug for apache web server, in case this didn't reach alpine packaging yet
2026-05-05 16:08:07 it has been patched on all branches except 3.20-stable
2026-05-05 16:08:11 yeah
2026-05-06 11:30:07 https://eissing.org/icing/posts/responsible-disclosure/
2026-05-06 11:35:17 > One developed an RCE which required an unguarded lib
2026-05-06 11:35:21 what is an "unguarded libc"?
2026-05-07 06:26:51 lol
2026-05-07 06:26:55 i'd missed that
2026-05-07 06:27:12 (much of the rest of it wasn't something I agreed with so.>)
2026-05-07 06:27:13 *..
2026-05-07 06:51:46 sam_: you mean the premise that responsible disclosure is no longer feasible?
2026-05-07 06:51:55 hm
2026-05-07 06:57:56 ikke: yes, and that somehow just releasing it whenever and relying on distros to notice is useful, and more scalable than making a release or informing distros together
2026-05-07 06:58:11 ikke: you don't even *have* to make a release if you don't want to, but put out some advisory
2026-05-07 10:16:36 I think I've always leaned towards full disclosure being the responsible one
2026-05-07 10:23:59 (the right way to spell "responsible disclosure" is "coordinated disclosure". Iirc it was Microsoft who branded it responsible)
2026-05-07 10:25:46 right
2026-05-07 10:31:39 regardless of opinions on it being embargoed or not, it should be clearly communicated in a timely manner with some decent advisory and information
2026-05-07 10:31:47 not LLM generated garbage or with references stripped out
2026-05-07 10:32:11 ^
2026-05-07 10:33:07 what about obfuscated proof of concept code?
2026-05-07 10:33:23 security through obscurity?
2026-05-07 10:34:03 it's a joke about the copy.fail PoC being obfuscated
2026-05-07 10:34:08 was it?
2026-05-07 10:34:14 it was a tad minified for fun
2026-05-07 10:34:17 i think more golfed is a better way of putting it
2026-05-07 10:34:20 I wouldn't call that obfuscation
2026-05-07 10:34:22 sure
2026-05-07 10:34:30 (I still found it funny :))
2026-05-07 10:37:12 in some sense, yes, but not for people in a stressful situation who would've liked something more easy to digest
2026-05-07 10:40:14 i meant what you said, not what they did
2026-05-07 10:40:31 i found their disclosure shitty in a few ways (ignoring ethics and timing and blah blah
2026-05-07 10:40:32 )
2026-05-07 10:40:36 the focus on byte code, python, and also suid
2026-05-07 10:40:41 *byte count
2026-05-07 10:40:51 it meant a lot of confused people
2026-05-07 10:48:33 a case of irresponsible disclosure, perhaps
2026-05-07 10:48:48 uncoordinated disclosure* :P
2026-05-07 10:54:33 CARROT DISCLOSURE!
2026-05-07 10:54:37 (ok, never again, ok)
2026-05-07 10:55:04 i resisted even referencing it out of concern for your mental health
2026-05-07 10:55:47 24h without having received hate mail, it's ok, we can now all laugh about it :D
2026-05-07 15:41:21 https://forum.torproject.org/t/security-release-0-4-8-24-and-0-4-9-7/21551
2026-05-07 19:07:28 Another linux LPE? https://www.openwall.com/lists/oss-security/2026/05/07/8 (Dirty Frag)
2026-05-07 19:08:22 lol what
2026-05-07 19:10:00 No patches or anything
2026-05-07 19:11:16 https://github.com/V4bel/dirtyfrag
2026-05-07 19:11:24 yeah looking at it right now
2026-05-07 19:11:26 interesting
2026-05-07 19:15:29 Mitigation is disabling a couple of modules
2026-05-07 19:16:27 hm are you able to reproduce it?
2026-05-07 19:16:41 I haven't tried yet
2026-05-07 19:17:38 doesn't work for me, might need some further adjustments to alpine
2026-05-07 19:20:02 but the embargo being "broken" so that there is no patch is surely interesting
2026-05-07 19:23:16 not sure if there is something we as a distro should do, disabling the module in the kernels? idk
2026-05-07 19:25:07 Funny, if I search for esp6, most pages are about exploits
2026-05-07 19:26:25 I don't think we should start disabling modules.
2026-05-07 19:26:30 yeah
2026-05-07 19:26:57 INET_ESP is again some ipsec thingy lol
2026-05-07 19:27:06 We use esp4
2026-05-07 19:27:10 but apparently not esp6
2026-05-07 19:27:13 (our dmvpn uses it)
2026-05-07 19:27:19 ah i see
2026-05-07 19:27:31 It's used by strongswan
2026-05-07 19:27:42 https://docs.strongswan.org/docs/latest/install/kernelModules.html
2026-05-07 19:28:28 yeah then sounds like a more broadly used module
2026-05-07 19:56:05 maybe it's time to do a pass on Alpine's modules
2026-05-07 20:08:21 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4
2026-05-07 20:08:56 at least there's a patch, but still
2026-05-07 20:09:03 what a shitshow
2026-05-07 20:10:11 I suppose we should get used to it
2026-05-08 01:03:48 Can I please have both !102078 and its backport !102079 merged? This version was released today and includes 2 new security fixes with CVE pending.
2026-05-08 08:48:13 dirtyfrag assigned CVE-2026-43284: https://www.cve.org/CVERecord?id=CVE-2026-43284
2026-05-08 08:48:47 fixed in kernels 6.18.28, 6.12.87, 6.6.138
2026-05-08 08:52:26 dne: thanks!
2026-05-08 08:53:08 and unaffected before 6.5…
2026-05-08 08:53:25 Ok, also good to know
2026-05-08 08:53:44 So >=6.6.0?
2026-05-08 08:54:09 seems so
2026-05-08 08:54:17 Sorry, >=6.5.0
2026-05-08 08:56:06 hm right, must be
2026-05-08 08:57:11 fwiw, the recent stable releases do not have all the fixes. They are working on the last patch
2026-05-08 09:29:12 https://afflicted.sh/blog/posts/copy-fail-2.html
2026-05-08 10:24:55 https://www.openwall.com/lists/oss-security/2026/05/08/8
2026-05-08 10:25:38 ugh
2026-05-08 10:48:37 ugh indeed