=== alan_g_ is now known as alan_g
[20:47] Who should I prod about rather critical security vulnerabilities in universe packages?
[20:47] I reported https://bugs.launchpad.net/debian/+source/opensmtpd/+bug/1861242 over a month ago and even commented with which commits to cherry-pick from Debian, but the bugs are still open.
[20:47] Launchpad bug 1861242 in opensmtpd (Ubuntu Eoan) "Major vulnerabilities in opensmtpd resulting in RCE and DOS" [Critical,Confirmed]
[20:51] https://bugs.launchpad.net/debian/+source/opensmtpd/+bug/1864707 was fixed by your most recent sync, but also affects past supported Ubuntu releases. I'll comment when fixes make it to buster-security and stretch-security (you should then be able to sync for bionic and eoan).
[20:51] Launchpad bug 1864707 in opensmtpd (Ubuntu Eoan) "arbitrary command execution vulnerability" [Critical,Confirmed]
[21:14] ryanakca: thank you for getting in touch! The security team can sponsor security updates to universe - ask in #ubuntu-hardened please. There's some documentation on what they expect: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
[21:15] ryanakca: also https://wiki.ubuntu.com/SponsorshipProcess
[21:19] ryanakca: FYI, CVE-2020-7247 got fixed on 2020-02-05
[21:19] smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input valid... (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7247)
[21:20] ryanakca: someone is currently working on the more recent issues
[21:27] mdeslaur: Thanks. If that someone would like, here are the debdiffs for my uploads to buster- and stretch-security. https://people.debian.org/~rak/opensmtpd/buster.debdiff https://people.debian.org/~rak/opensmtpd/stretch.debdiff . Upstream's patches did not apply cleanly and required backporting to those versions.
[21:28] thanks ryanakca, I'll pass those along to msalvatore (who doesn't appear to be in this channel)
[21:31] Now he does.
[21:37] hi msalvatore
[21:37] msalvatore: ryanakca filed https://bugs.launchpad.net/debian/+source/opensmtpd/+bug/1864707
[21:37] Launchpad bug 1864707 in opensmtpd (Ubuntu Eoan) "arbitrary command execution vulnerability" [Critical,Confirmed]
[21:39] thanks mdeslaur, ryanakca
[21:42] msalvatore: here are the debdiffs for my uploads to buster- and stretch-security if you want them: https://people.debian.org/~rak/opensmtpd/buster.debdiff https://people.debian.org/~rak/opensmtpd/stretch.debdiff
[21:43] ryanakca: thanks. the xenial and trusty backports may present some difficulty. We'll see :)
[21:46] msalvatore: I don't think trusty is affected. It has 5.4.1p1 from 2014. The LPE/RCE vulnerabilities only affect versions since December 2015: https://www.openwall.com/lists/oss-security/2020/02/24/5
[21:47] ryanakca: that seems correct.