| sdeziel | Looking at https://ubuntu.com/security/CVE-2021-3618, I'm assuming that 22.04 security patching is still catching up, is that right? | 17:15 |
|---|---|---|
| ubottu | ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the auth... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3618> | 17:15 |
| mdeslaur | it's rated "low", which we don't fix unless something more important comes up | 17:21 |
| mdeslaur | that being said, I guess we should fix it since it's fixed in other releases | 17:22 |
| mdeslaur | I'll take care of it | 17:22 |
| sdeziel | mdeslaur: agreed, I'm not concerned by that specific CVE, I just happened to remember nginx receiving an update in other releases | 17:22 |
| mdeslaur | it wasn't showing up in our list because of the "low" priority | 17:22 |
| mdeslaur | I just pinged litios who did the updates for the stable releases | 17:24 |
| sdeziel | mdeslaur: I guess my question should have been: Is there someone going through https://ubuntu.com/security/cves?q=&package=&priority=&version=jammy&status=needed and https://ubuntu.com/security/cves?q=&package=&priority=&version=jammy&status=needs-triage ? | 17:26 |
| sdeziel | thanks for the nginx one though :) | 17:26 |
| teward | mdeslaur: if you have a backported patch for the nginx one let me take it too 'cause i can shove it into the Debian repos for nginx (I have maintainer on Salsa for nginx now) | 17:27 |
| teward | (and i'm up to my neck in patching servers recently so if you do the work then I don't have to xD) | 17:27 |
| teward | thouhg, actually, i put 1.20.2 already in salsa, so that's already got the CVE fix I believe. | 17:29 |
| mdeslaur | sdeziel: jammy is now in our "cves we need to fix" report, so yes. _but_ in that particular case, it was a low so not being reported | 17:31 |
| sdeziel | mdeslaur: excellent, thank you! | 17:32 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!