| === alan_g_ is now known as alan_g | ||
| ryanakca | Who should I prod about rather critical security vulnerabilities in universe packages? | 20:47 |
|---|---|---|
| ryanakca | I reported https://bugs.launchpad.net/debian/+source/opensmtpd/+bug/1861242 over a month ago and even commented with which commits to cherry-pick from Debian, but the bugs are still open. | 20:47 |
| ubottu | Launchpad bug 1861242 in opensmtpd (Ubuntu Eoan) "Major vulnerabilities in opensmtpd resulting in RCE and DOS" [Critical,Confirmed] | 20:47 |
| ryanakca | https://bugs.launchpad.net/debian/+source/opensmtpd/+bug/1864707 was fixed by your most recent sync, but also affects past supported Ubuntu releases. I'll comment when fixes make it to buster-security and stretch-security (you should then be able to sync for bionic and eoan). | 20:51 |
| ubottu | Launchpad bug 1864707 in opensmtpd (Ubuntu Eoan) "arbitrary command execution vulnerability" [Critical,Confirmed] | 20:51 |
| rbasak | ryanakca: thank you for getting in touch! The security team can sponsor security updates to universe - ask in #ubuntu-hardened please. There's some documentation on what they expect: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures | 21:14 |
| rbasak | ryanakca: also https://wiki.ubuntu.com/SponsorshipProcess | 21:15 |
| mdeslaur | ryanakca: FYI, CVE-2020-7247 got fixed on 2020-02-05 | 21:19 |
| ubottu | smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input valid... (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7247) | 21:19 |
| mdeslaur | ryanakca: someone is currently working on the more recent issues | 21:20 |
| ryanakca | mdeslaur: Thanks. If that someone would like, here are the debdiffs for the my uploads to buster- and stretch-security. https://people.debian.org/~rak/opensmtpd/buster.debdiff https://people.debian.org/~rak/opensmtpd/stretch.debdiff . Upstream's patches did not apply cleanly and required backporting to those versions. | 21:27 |
| mdeslaur | thanks ryanakca, I'll pass those along to msalvatore (who doesn't appear to be in this channel) | 21:28 |
| JackFrost | Now he does. | 21:31 |
| mdeslaur | hi msalvatore | 21:37 |
| mdeslaur | msalvatore: ryanakca filed https://bugs.launchpad.net/debian/+source/opensmtpd/+bug/1864707 | 21:37 |
| ubottu | Launchpad bug 1864707 in opensmtpd (Ubuntu Eoan) "arbitrary command execution vulnerability" [Critical,Confirmed] | 21:37 |
| msalvatore | thanks mdeslaur, ryanakca | 21:39 |
| ryanakca | msalvatore: here are the debdiffs for the my uploads to buster- and stretch-security if you want them: https://people.debian.org/~rak/opensmtpd/buster.debdiff https://people.debian.org/~rak/opensmtpd/stretch.debdiff | 21:42 |
| msalvatore | ryanakca: thanks. the xenial and trusty backports may present some difficulty. We'll see :) | 21:43 |
| ryanakca | msalvatore: I don't think trusty is affected. It has 5.4.1p1 from 2014. The LPE/RCE vulnerabilities only affect versions since December 2015: https://www.openwall.com/lists/oss-security/2020/02/24/5 | 21:46 |
| msalvatore | ryanakca: that seems correct. | 21:47 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!