teward | mdeslaur: RE: CVE-2021-3618, for NGINX, it looks like only released mitigations for the mail proxy mechanisms. These are shipped as available by default, but the default nginx.conf does not include them anywhere. | 01:22 |
---|---|---|
ubottu | ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the auth... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3618> | 01:22 |
teward | just for you to make some notes on that CVE in the tracker | 01:22 |
teward | (if necessary) | 01:22 |
mdeslaur | teward: thanks, I added a note | 10:41 |
hallyn | hm, anyone here know where to find Balint (debian shadow maintainer) on irc? His email address is bouncing... | 16:14 |
sarnold | hallyn: I haven't seen him on irc in ages; there's a few email addresses on launchpad, and I'm 90% sure I saw him leave a comment on a bug report in the last week, so probably one of them still works ;) https://launchpad.net/~rbalint | 18:41 |
hallyn | sarnold: thanks. i have a feeling they all redirect to his gmail account :( | 19:34 |
hallyn | but i guess i'd misread - i thought that gmail account was gone, but i guess gmail is just not happy with the message. Maybe because it was forwarded? I can email my own gmail account from my personal email just fine. | 19:40 |
teward | hallyn: if you're sending from @ubuntu.com or @canonical.com redirects break hard | 19:41 |
teward | that's a known issue IS is working on trying to solve with some kind of SMTP server with auth for those of us using @ubuntu.com aliases | 19:41 |
teward | just an FYI ;) | 19:41 |
teward | (Google blocks emails from @ubuntu.com because there's zero authentication/authorization controls on it) | 19:41 |
hallyn | teward: no i sent it from my firstname at lastname dot com home account, and to his advertised .hu email. maybe google got angry at .hu? i dunno | 19:50 |
teward | *shrugs* they probably don't like any redirects that are blind redirects | 19:50 |
hallyn | what's great though is that i know most ppl would say that the obvious answer is for me to use a largecorp email like gmail, rather than for others to use non-largecorp-controlled emails :) | 19:51 |
hallyn | pretty sure he's had this mail fwd in place for a long time, so this is some kind of change over at gmail | 19:51 |
hallyn | i mean, for the better, of course. no doubt. | 19:52 |
jdstrand | a /win 12 | 21:35 |