[17:15] Looking at https://ubuntu.com/security/CVE-2021-3618, I'm assuming that 22.04 security patching is still catching up, is that right?
[17:15] ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the auth...
[17:21] it's rated "low", which we don't fix unless something more important comes up
[17:22] that being said, I guess we should fix it since it's fixed in other releases
[17:22] I'll take care of it
[17:22] mdeslaur: agreed, I'm not concerned by that specific CVE, I just happened to remember nginx receiving an update in other releases
[17:22] it wasn't showing up in our list because of the "low" priority
[17:24] I just pinged litios who did the updates for the stable releases
[17:26] mdeslaur: I guess my question should have been: Is there someone going through https://ubuntu.com/security/cves?q=&package=&priority=&version=jammy&status=needed and https://ubuntu.com/security/cves?q=&package=&priority=&version=jammy&status=needs-triage ?
[17:26] thanks for the nginx one though :)
[17:27] mdeslaur: if you have a backported patch for the nginx one let me take it too 'cause i can shove it into the Debian repos for nginx (I have maintainer on Salsa for nginx now)
[17:27] (and i'm up to my neck in patching servers recently so if you do the work then I don't have to xD)
[17:29] though, actually, i put 1.20.2 already in salsa, so that's already got the CVE fix I believe.
[17:31] sdeziel: jammy is now in our "cves we need to fix" report, so yes. _but_ in that particular case, it was a low so not being reported
[17:32] mdeslaur: excellent, thank you!