[02:48] keeping the system up to date is the key for peace of mind these days
[02:52] ...And keeping java off it. :>
[02:52] :)
[03:33] special situation with hacker group in greece
[03:46] hacker group from greece, the slightest sign of your evil existence near my close relatives and friends. watch your next steps dudes.
[22:58] mdeslaur: if you want to make a note, on CVE-2021-3618 and ALPACA, in Debian we're prepping 1.20.2-2 (I usually let my changes sit a few days before I upload) to include NGINX's mitigation of max_errors directive in the Mail module. This adds a new argument for max_errors in the Mail module, but it's the only way to make this workaround work. So consider it a security backport of a 'new function' necessary for security.
[22:58] ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the auth...
[22:58] Eventually the Server Team will be processing the nginx merge into Kinetic so it'd just need the security team to determine if a backport is worth being included that includes the new directive
[22:59] (Debian Unstable is a little more forgiving on this when it comes to 'new functionality' or such)
[23:07] teward: thanks
[23:32] mdeslaur: yep. got an OpenSSL question if you know it
[23:32] got a question on Ask Ubuntu about OpenSSL doing a "sha-1 deprecated" problem with a SHA-1 signed cert on wifi with wpa_supplicant
[23:33] is that wpa-supplicant or openssl defaults in OpenSSL 3 in 22.04?
[23:34] openssl, "In particular, certificates using SHA1 or MD5 as hash algorithms are now invalid under the default security level." from https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668
[23:38] I think this is the bit you're tripping on "X509 certificates signed using SHA1 are no longer allowed at security level 1 and above" https://www.openssl.org/docs/manmaster/man7/migration_guide.html
[23:39] give this a read and see if it looks about right https://askubuntu.com/a/1233456/33812
=== tomreyn_ is now known as tomreyn