[09:06] Has ubottu got a slight factoid problem, it's just announced about TLS protocol which I'm assuming has come from the RFC query just before, but the end of the factoid is cut short, it stops at "attackers t"
[09:06] That was in #ubuntu at 9:02 UK time
[09:08] DJones, saw that. pretty bizarroid
[09:09] I was assuming it's part of the feature just added for bug reports that it picked up the reference & replied
[09:46] DJones: the message length is IRC protocol (implementation) limited, so it got cut off
[09:46] Tm_T: ok, that would explain it
[09:46] or I assume it is hitting the limit
[10:04] yeah, it picks up RFCs also iirc.
[10:05] Grabs them from an external site, much like the bug tracker - we probably want to turn off RFCs in #ubuntu.
[10:05] DJones: if you have a sec, could you reply to the irc list and mention this?
[10:06] jussi: yeah will do
[10:06] DJones: thanks
[10:07] Do you want it on the thread about the added feature?
[10:19] Done
[10:42] CVE-2009-3555
[10:42] The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attacke
[10:42] hehe
[10:42] not sure what tracker it is ..
[10:47] ah well, I was looking all over the bugtracker configs, but it's actually hardcoded in the cveSnarfer method, it grabbed http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
[10:47] The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attacke
[10:47] right
[10:47] how repetitive
[11:00] looks like there's no config to disable the CVE snarfer, if you want it off I can comment it out (until somebody makes a nicer fix)
[11:01] would it disable it everywhere?
[11:01] yes
[11:02] hmmm, I'm not sure if that's desirable either
[11:02] obviously, I could do it better and add a config option, but I'm short of time and removing it is just a one line fix
[11:03] we can wait for tsimpson and take a look too.
[11:09] o.O
[11:09] Cute.
[11:10] thanks, must be my new haircut
[11:10] * Tm_T hides
[11:10] Oh, that's hair? I thought it was a dustpuppy.
[11:11] tomeitos
[11:21] m4v: I think we leave it until the next ircc meeting - it's not that often that people mention those numbers. I'll have a chat with tsimpson in the meantime
[11:30] jussi: kk
=== lubotu3` is now known as lubotu3
[15:04] CVE-2009-3555
[15:04] The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation han... (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555)
[15:05] DJones: ^
[15:08] jpds: new Bugtracker stuff committed, you'll need to set supybot.plugins.Bantracker.cveSnarfer to True where you want CVEs to be shown (if anywhere). Setting supybot.plugins.Bantracker.bugSnarfer to False overrides cveSnarfer too
[15:28] tsimpson: That was a quick change
[15:30] everything required to do it already existed in the plugin, so I just had to modify the functions that parse the CVEs
[19:51] heads up, saymin was flooding #ubuntu-es a few mins ago
[19:52] he's now in #u
[19:52] thanks m4v