=== cpaelzer_ is now known as cpaelzer
[07:13] I am looking for some clarifications on what packages are affected with a USN. I see that some USNs mention both binary and source packages like USN-5333-2 mentions both apache2 and apache2-bin.
[07:14] Some just mention the vulnerabilities apply to a single package like systemd in https://ubuntu.com/security/notices/USN-5013-1
[07:16] I like that idea that all vulnerabilities apply to all the binary packages compiled from the source. But as a means of upgrading packages - irrelevant packages need not be upgraded if the vulnerability was applicable to a select few
[07:17] If the vulnerability applied to just the source - the advisories should mention just the source not the binary packages no?
[07:17] I also saw that official OVALs check for all applicable binary packages built from that source.
[07:17] Please advise
[11:26] sudhackar: USN-5333-2 lists the apache2 binary package, not the apache2 source package
[11:27] sudhackar: the section that lists some binary packages is just a subset so that an admin can quickly tell if an update is installed or not. The USN applies to the whole source package, and all it's binary packages.
[11:27] s/it's/its/
=== ChanServ changed the topic of #ubuntu-security to: Twitter: @ubuntu_sec || https://usn.ubuntu.com || https://wiki.ubuntu.com/SecurityTeam || https://wiki.ubuntu.com/Security/Features || Community: pfsmorigo
[13:38] fyi while I know this is a foundations item they filed, I think Security should have a say? https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1965141
[13:38] Launchpad bug 1965141 in openssl (Ubuntu) "openssl: package the new bugfix release 3.0.2" [Undecided, New]
[13:38] at least this late in the cycle I mean
[13:39] since this targets Jammy and it's OpenSSL which I know has a Security component to it, thought I'd ask if Security saw that
[13:40] teward: yes, I am aware of it
[13:40] thanks
[13:40] mdeslaur: check, thanks. just checking since this is one of the things I start saying "eeh, security chaos"
[13:40] :P
[13:42] * mdeslaur adds comment
[14:16] teward: I was actually planning on asking here for sponsorship today :D
[14:17] heheh, makes sense. :P
[14:17] mdeslaur: i've got some spare cycles @ lunchtime here, if you don't mind me using my coredev to sponsor the openssl upload to jammy. Unless you want to take it since Security.
[14:17] schopin: hehe, well openssl is one of the things i keep on my radar 'cause it's so important to everything.
[14:22] teward: oh, please take it if you have some time, thanks!
[14:22] mdeslaur: yep yep. it's not git-ubuntu'd or anything special is it? I'm still a stickler for the old school "pull package, apply debdiff, test build, upload" approach :p
[14:23] I don't think so
[14:23] perfect, yeah most stuff isn't :P
[15:00] teward: AFAIK pretty much no Foundation package uses git-ubuntu as its main contribution "mode". And TIA for the sponsoring :)
[15:00] schopin: i believe it. you never know though ;)
[15:00] i'll do my usual build testing locally BEFORE I upload though, 'cause OpenSSL is its own form of chaos. :P
[15:01] hm, just... one question
[15:01] is this going to need a rebuild of everything in Jammy first with it?
[15:01] 'cause... that's going to be a large transition task
[15:01] (if so)
[15:04] teward: no, no ABI bump. The autopkgtests runners will run hot though
[15:04] check, never hurts to be thorough :p
[15:04] autopkgtests always run hot during releases though :P
[15:04] just hope they don't explode ;P
[15:06] need more autopkgtest hamsters
[15:07] hey if i had the server space i'd happily help but I think Canonical has all the autopkgtest envs it needs xD
[15:14] schopin: i'm building (again) in my junk drawer which has risc enabled - https://launchpad.net/~teward/+archive/ubuntu/junk-drawer - so we'll be able to make sure that arch builds right too. If all looks good I'll upload direct to jammy
[15:14] (and yes i call it the 'junk drawer' because it's where i upload buildtests now xD)
[15:15] (and it's as close as I can get to the main distro builders :P)
[15:15] i had to pull the tar.gz and the sig off your ppa upload you did though 'cause i'm a lazy SOB :P
[15:15] mdeslaur: ^^ for your awareness as well
[17:57] schopin: mdeslaur: 3.0.2-0ubuntu1 uploaded ([ubuntu/jammy-proposed] openssl 3.0.2-0ubuntu1 (Accepted))
[17:57] expect autopkgtests to run hot for a while :P
[17:58] ACK
[18:01] awesome, thanks schopin, teward
[18:02] yep yep!
=== hank_ is now known as hank
[23:05] Really enjoying the lively and fun coverage by @ccdm_94 about hardening your Ubuntu server on the @amurray Ubuntu Security Podcast. Lots of things to consider... I wonder if I could suggest a follow up for a future episode (yes, yes, greedy I am!)... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/02b4c40e08cf4e4bf38c13a098530dde8e48390b)
[23:08] woo, thanks :)
[23:17] thanks shalocin[m] - I've always wanted to try and do more 'discussion' type content on the podcast but finding times when everyone is available is challenging - but I think that is a great idea nonetheless and will see what we can do
[23:18] s/doing/dropping/