| ebarretto | hey luis220413 can you provide more information on the false positives you mentioned the other day for the kernel | 07:59 |
|---|---|---|
| luis220413 | These vulnerabilities are listed as released and not vulnerable (respectively) in the linux source package for 20.04. | 07:59 |
| ebarretto | luis220413, I mean actual log from the oval, to see what is returning true | 08:01 |
| luis220413 | ebarretto: Sorry, I do not have logs for that scan. | 08:02 |
| ebarretto | luis220413, if you get to see this again could you provide us the log? Doing a kind of analysis like we did for that other CVE is better than sending the actual log files as they are huge as you saw it | 08:05 |
| luis220413 | ebarretto: Yes. I will rescan today. | 08:06 |
| ebarretto | luis220413, thanks! | 08:07 |
| luis220413 | ebarretto: Another issue: packages.ubuntu.com links to source files in archive.ubuntu.com, that is HTTP-only, causing problems with Firefox's HTTPS-Only Mode. | 08:08 |
| ebarretto | luis220413, archive.ubuntu.com is http and there are reasons for it to still be http only, which you might find in some launchpad bugs or blogs. Maybe someone else can give you more information on that. That's out of the security team scope currently | 08:13 |
| luis220413 | ebarretto: https://bugs.launchpad.net/ubuntu/+bug/1464064 | 08:14 |
| ubottu | Launchpad bug 1464064 in Ubuntu "Ubuntu apt repos are not available via HTTPS" [Undecided, Confirmed] | 08:14 |
| luis220413 | ebarretto: If archive.ubuntu.com should really remain HTTP-only, this is a bug in packages.ubuntu.com, that should link instead to an HTTPS-enabled mirror of the Ubuntu archive. Otherwise, this is a bug in archive.ubuntu.com, that should enable HTTPS. | 08:18 |
| ebarretto | luis220413, again, not a Ubuntu security team scope here. You can report a bug in the packages.ubuntu.com if you scroll to the end of the page | 08:21 |
| luis220413 | ebarretto: Thanks! | 08:22 |
| luis220413 | ebarretto: I believe this is a severe information disclosure vulnerability, and therefore in the scope of the security team. | 08:31 |
| ebarretto | luis220413, what I mean is that the ubuntu security team doesn't maintain the web pages or the archive, we have specific teams for each | 08:35 |
| luis220413 | ebarretto: Thanks! | 08:36 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!