[17:40] <tsimonq2> Hey!
[17:40] <tsimonq2> I'm trying to access this page from Firefox nightly and I'm getting a Content Encoding Error: https://ubuntu.com/security/cves
[17:41] <tsimonq2> Where's the best place to report this?
[19:34] <sdeziel> tsimonq2: works for me ATM, maybe it was transient?
[19:34] <tsimonq2> sdeziel: Can confirm. Thanks for listening. :)
[19:35] <sdeziel> np
[19:39] <ItzSwirlz> o/ sorry, but can someone take a look at LP #1977694?
[19:39] <ubottu> Launchpad bug 1977694 in rust-regex (Ubuntu) "[CVE-2022-24713] Denial of service in compiler with rust-regex" [Undecided, In Progress] https://launchpad.net/bugs/1977694
[19:40] <ItzSwirlz> the cve tracker also claims jammy is vulnerable but its not if you check the changelog
[19:40] <tsimonq2> ItzSwirlz: It's been a while since I've done Universe security updates but I believe it isn't SRU'ed, it's direct-pushed. Do you have testing results?
[19:41] <tsimonq2> ItzSwirlz: Ah, I see there's a test in the patch. Have you done any verification thus far?
[19:42] <tsimonq2> Otherwise besides some changelog formatting it seems okay.
[19:43] <tsimonq2> Also, I'll add the serieses on there for you. I don't know if you have access. :)
[19:57] <ItzSwirlz> tsimonq2: Crates now actually force pushes latest version of regex
[19:57] <ItzSwirlz> I tried to make a POC (See my github repo) but results were lame. I tried redirecting it to old regex but i need to test it a bit more to find the bug but now its fine. On my local laptop no DoS.
[19:58] <ItzSwirlz> What's the changelog issue + did it not get added to d/patches/series? It's at the bottom of the debdiff
[19:58] <ItzSwirlz> If it is an external service that requires access of course I do not have it. I haven't even applied officially for PPU (Though I plan to this summer)
[20:00] <ItzSwirlz> tsimonq2: wait im big dumb
[20:00] <ItzSwirlz> Kinetic is patched. Jammy isn't. https://launchpad.net/ubuntu/+source/rust-regex sorry for the confusion
[20:00] <tsimonq2> hi big dumb I'm dad
[20:04] <tsimonq2> <ItzSwirlz> "What's the changelog issue + did..." <- Just minor formatting, see other security update changelogs for ref
[20:06] <ItzSwirlz> oh i see, with the -'s
[20:07] <tsimonq2> yeah you catch my drift :)
[20:07] <tsimonq2> I'm sure that the Ubuntu Security Team is better at reviewing this but it seems okay from first look
[20:08] <ItzSwirlz> ill also create a focal patch. idrc about impish as its EOL shortly
[20:14] <tsimonq2> It's a Universe package, I doubt that would be required (re: impish)
[20:17] <ItzSwirlz> do you guys care about the comments or not
[20:17] <tsimonq2> In where?
[20:18] <ItzSwirlz> in the commit/patch specifically
[20:18] <ItzSwirlz> without comments (or the testusuite but I think that should be kept) the commit would be 1/2 the size
[20:18] <ItzSwirlz> https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
[20:18] <ubottu> Commit ae70b41 in rust-lang/regex "security: fix denial-of-service bug in compiler"
[20:21] <tsimonq2> I wouldn't say that more documentation is a bad idea but the Ubuntu Security Team would know for sure.
[20:22] <tsimonq2> Thanks for formatting it with DEP-3.
[20:28] <ItzSwirlz> np