agrosant | keeping the system up to date is the key for peace of mind these days | 02:48 |
---|---|---|
Unit193 | ...And keeping java off it. :> | 02:52 |
sarnold | :) | 02:52 |
agrosant | special situation with hacker group in greece | 03:33 |
agrosant | hacker group from greece, the slightest sign of your evil existence near my close relatives and friends. watch your next steps dudes. | 03:46 |
teward | mdeslaur: if you want to make a note, on CVE-2021-3618 and ALPACA, in Debian we're prepping 1.20.2-2 (I usually let my changes sit a few days before I upload) to include NGINX's mitigation of the max_errors directive in the Mail module. This adds a new argument for max_errors in the Mail module, but it's the only way to make this workaround work. So consider it a security backport of a 'new function' necessary for security. | 22:58 |
ubottu | ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the auth... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3618> | 22:58 |
teward | Eventually the Server Team will be processing the nginx merge into Kinetic, so it'd just need the security team to determine whether a backport that includes the new directive is worth including | 22:58 |
teward | (Debian Unstable is a little more forgiving on this when it comes to 'new functionality' or such) | 22:59 |
mdeslaur | teward: thanks | 23:07 |
teward | mdeslaur: yep. got an OpenSSL question if you know it | 23:32 |
teward | got a question on Ask Ubuntu about OpenSSL doing a "sha-1 deprecated" problem with a SHA-1 signed cert on wifi with wpa_supplicant | 23:32 |
teward | is that wpa_supplicant or OpenSSL defaults in OpenSSL 3 in 22.04? | 23:33 |
sarnold | openssl, "In particular, certificates using SHA1 or MD5 as hash algorithms are now invalid under the default security level." from https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668 | 23:34 |
sarnold | I think this is the bit you're tripping on "X509 certificates signed using SHA1 are no longer allowed at security level 1 and above" https://www.openssl.org/docs/manmaster/man7/migration_guide.html | 23:38 |
sarnold | give this a read and see if it looks about right https://askubuntu.com/a/1233456/33812 | 23:39 |
=== tomreyn_ is now known as tomreyn |