[06:36] <Guest39> does upgrading the ubuntu OS fix all the security vulnerabilities?
[06:38] <konstruktoid> `apt-get upgrade`? it installs the latest versions which is hopefully patched
[09:02] <jjohansen> Guest39: yes and no. It will fix all vulnerabilities that have been patched. There are a couple of caveats: known vulnerabilities are prioritized, so low-priority ones might not be fixed, as criticals, highs and mediums have priority when being fixed. The other caveat is the security team only updates the main archive; universe is community supported and whether a vulnerability gets fixed there is very much dependent on the package maintainer
[09:04] <jjohansen> Canonical does offer a paid tier (ESM) that provides additional security benefits
[09:04] <jjohansen> well, paid for commercial; it's free for personal, but it doesn't come set up out of the box
[09:17] <Unit193> Well, universe doesn't specifically have a package maintainer so much, so in part it's if someone has interest and if Canonical also takes interest in their interest. :P  ESM also has no possibility that I'm aware of to fix security issues in universe.
[09:56] <jjohansen> Unit193: Ubuntu Advantage (new name for ESM) does cover universe https://ubuntu.com/support
[09:57] <Unit193> But ESM is provided only by Canonical, and Canonical doesn't maintain universe for the most part?
[09:57] <jjohansen> yes ESM is only provided by Canonical
[09:58] <jjohansen> for Ubuntu Advantage they are patching universe for security issues similar to main; to have access to the repo you have to sign up for Ubuntu Advantage
[13:28] <ahasenack> hi security, this command is failing on kinetic, but works on jammy:
[13:28] <ahasenack> echo -ne "test" | openssl rc4 -k test -base64
[13:29] <ahasenack> I'm troubleshooting a cyrus-sasl2/ldap/openssl segfault and still trying to pinpoint the culprit, but that combination seems to be using rc4
[13:29] <ahasenack> and I'm wondering if rc4 is broken in kinetic
[13:29] <ahasenack> or just disabled/deprecated for real
[13:30] <ahasenack> I get the deprecated warning in both cases, but in kinetic it fails with
[13:30] <ahasenack> $ echo -ne "test" | openssl rc4 -k test -base64
[13:30] <ahasenack> *** WARNING : deprecated key derivation used.
[13:30] <ahasenack> Using -iter or -pbkdf2 would be better.
[13:30] <ahasenack> Error setting cipher RC4
[13:30] <ahasenack> 40D7F39F917F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC4 : 37), Properties ()
[13:43] <mdeslaur> the one in kinetic proposed?
[13:44] <ahasenack> I just checked release, same thing
[13:44] <ahasenack> and checking jammy, I checked impish actually
[13:48] <mdeslaur> oh, yeah, that's disabled in openssl 3.0
[13:51] <mdeslaur> it fails on jammy too, fwiw
[13:52] <ahasenack> in a call now, sorry
[13:52] <ahasenack> will come back later
[14:23] <ahasenack> mdeslaur: do you have a link to it being disabled in openssl 3? I've been searching
[14:23] <ahasenack> all I found were deprecation notices
[14:23] <ahasenack> but not a solid "this is disabled now"
[14:24] <ahasenack> something else still changed, because cyrus 2.1.27's digest-md5 works in jammy
[14:25]  * ahasenack goes over 2.1.28 changelog
[14:25] <ahasenack> so does 2.1.27 in karmic
[14:26] <ahasenack> cyrus-sasl, that is
[14:37] <ahasenack> found an interesting commit: "Use Openssl's EVP implementation of RC4 when available"
[14:55] <mdeslaur> ahasenack: from the openssl 3.0 changelog "The implementation of older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4, RC5, DESX and DES have been moved to the legacy provider."
[14:55] <ahasenack> and I found upstream commits in sasl to enable this legacy provider, plus other stuff
[14:55] <ahasenack> merged 2w ago
[14:55] <ahasenack> so the code has to specifically ask for that provider
[14:56] <ahasenack> I've seen this in other projects as well, I remember now