=== Montresor is now known as Unit193
[14:14] Hi all. Does Ubuntu Hirsute ignore TLS minimum version settings in /etc/ssl/openssl.cnf because of the compile flag -DOPENSSL_TLS_SECURITY_LEVEL=2? This compile flag appears to have been added specifically in Ubuntu. However, the suggestion appears to be that it can be overridden in /etc/ssl/openssl.cnf
[14:15] I've tested that according to e.g. https://itectec.com/ubuntu/ubuntu-enable-tls-1-0-and-tls-1-1-on-ubuntu-20-04/ (although for 21.04, not 20.04) and it appears not to be the case. Running OpenSSL 1.1.1j here on 21.04
[14:15] I can't connect to a site I know supports TLS1.1 (through Qualys testing online) with e.g. s_client
[14:16] using e.g. -tls1_1
[14:17] The error is: 140544973608320:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
[14:18] I am willing to build openssl myself, but I'd like to exhaust all other options (e.g. configuration tweaks instead of building myself) before going there
[14:19] ...because the changelog does suggest configurability: https://launchpad.net/ubuntu/+source/openssl/+changelog
=== ChanServ changed the topic of #ubuntu-security to: Twitter: @ubuntu_sec || https://usn.ubuntu.com || https://wiki.ubuntu.com/SecurityTeam || https://wiki.ubuntu.com/Security/Features || Community: pfsmorigo
[14:38] CVE-2020-15703 has an invalid date in the OVAL feeds
[14:38] There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.
[14:38] aka USN-4537-1
[14:39] `unknown`
[15:12] hank: thanks, fixed.
[15:13] ty
[22:19] fungi: https://ubuntu.com/security/notices/USN-5121-2
[22:19] thanks again sarnold!
[22:20] fungi: yw :)
[22:20] i see the cve tracker's not updated yet for it though
[22:20] i suppose that just lags behind a bit?
[22:21] it does, but maybe it was overlooked..