/srv/irclogs.ubuntu.com/2022/02/12/#ubuntu-devel.txt

=== piz is now known as pizza
=== genii is now known as genii-core
[13:49] <ahasenack> 'morning
[13:51] <Laibsch> Hello, I just noticed that focal has a more recent package for samba than jammy.  The reason for the newer package in focal is among others CVE-2021-43566 to which jammy is still vulnerable.  That left me wondering what the security policy is for ubuntu+1.  No security support or would this be considered a bug?  I was just wondering if I should open a ticket.  Obviously, I didn't think I'd open myself up to security pro
[13:51] <Laibsch> ting out ubuntu+1 before its release.
[13:51] <ubottu> All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43566>
[13:54] <ahasenack> Laibsch: we try to keep devel up-to-date, but sometimes fail
[13:55] <Laibsch> so it is a "bug"? should I file a ticket?
[13:55] <ahasenack> Laibsch: this is the bug requesting the update: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1946839
[13:55] <ubottu> Launchpad bug 1946839 in samba (Ubuntu) "Merge samba from Debian unstable for 22.04" [Undecided, New]
[13:55] <Laibsch> OK, it's already done. Even better.
[13:55] <ahasenack> it doesn't mention the cves specifically, it's a generic one to update samba in the devel release, and is how we keep track of it
[13:56] <ahasenack> in fact, it's on my plate to handle that, I think next week
[13:56] <ahasenack> it's a big change, because we will have to go ahead of debian again, in debian samba is asking for a new maintainer
[13:56] <ahasenack> or help, in general
[13:56] <ahasenack> I'm even working on smaller stuff this weekend so I have time for the big problems next week ;)
[13:57] <Laibsch> awesome. thank you for your work!
[13:58] <ahasenack> cheers
=== jdstrand_ is now known as jdstrand
[20:14] <dima5> Hi. I'm looking at the Jammy release schedule. It says that the Debian import freeze is on Feb 24. I'm looking at a package that made it into Debian/sid around two weeks ago (mrcal), and it's not in jammy yet (as reported by packages.ubuntu.com). Is this just a matter of time, or does something need to happen to make sure that package is included? Thanks
[20:25] <Eickmeyer[m]> dima5: It's there: https://launchpad.net/ubuntu/+source/mrcal
[20:26] <Eickmeyer[m]> Of course, they left before I could respond. >.<
[20:26] <Eickmeyer> Mere seconds at that.
[20:49] <ahasenack> it's in proposed still, though
[20:50] <ahasenack> it failed to build
[20:50] <ahasenack> not sure what this error is: "Couldn't parse out argument kind at mrbuild/make-pod-from-help.pl line 94."
[21:18] <Eickmeyer> dima5: ^
[21:18] <Eickmeyer> ahasenack: Yeah, I let them know in a query.
[23:19] <dima5> ahasenack: it builds just fine in Debian. I'll look with a jammy chroot
[23:19] <dima5> How did you see that it failed to build? Did you just try it, or is there a status page somewhere?
