=== Montresor is now known as Unit193 | ||
ItzSwirl_ | there are tarballs for openssl 3.0.7 | 15:55 |
---|---|---|
ItzSwirl_ | https://ftp.openssl.org/source/openssl-3.0.7.tar.gz | 15:56 |
amurray | ItzSwirl_: mdeslaur has this ready to go - I expect he will have released it within the next hour or so | 15:58 |
ItzSwirl_ | shweet | 15:58 |
mdeslaur | yes, just waiting for their official announcement | 15:59 |
ItzSwirl_ | a one off error, that honestly is depressing ._. | 15:59 |
ItzSwirl_ | how can only one byte lead to RCE? I'm not a security expert but I would've made the same mistakes. y i k e s | 15:59 |
konstruktoid | https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-306-and-307-1-nov-2022 | 15:59 |
konstruktoid | "An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). ([CVE-2022-3786]) | 16:01 |
konstruktoid | An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution depending on stack layout for any given platform/compiler. ([CVE-2022-3602])" | 16:01 |
-ubottu:#ubuntu-security- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3786> | 16:01 | |
-ubottu:#ubuntu-security- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3602> | 16:01 | |
ItzSwirl_ | konstruktoid: i think by official announcement they mean mitre is updated and a proper email is sent out | 16:03 |
konstruktoid | yeah, but that's the official openssl changelog | 16:04 |
konstruktoid | and it doesn't matter really until there's a package available | 16:05 |
konstruktoid | can't really tell people to patch before that | 16:06 |
mdeslaur | https://www.openssl.org/news/secadv/20221101.txt | 16:06 |
mdeslaur | releasing updates now | 16:10 |
mdeslaur | (FWIW, DoS only on Ubuntu because of stack protector) | 16:10 |
konstruktoid | it sure was hyped | 16:11 |
ItzSwirl_ | Honestly it was overhyped, but rather be overprepared than underprepared. But let's be happy that Heartbleed has not resurrected itself. | 16:13 |
ItzSwirl_ | I think at the time when they first read the report from the identifier, they may have perceived it as critical but after more research scaled it down. | 16:13 |
ItzSwirl_ | Okay, back to schoolwork. Cheers to all | 16:13 |
mdeslaur | well, if you're running something that doesn't use stack protector... | 16:20 |
mdeslaur | like some embedded device or legacy system | 16:20 |
w1ntermute__ | an embedded system that needs client authentication. Or calls malicious servers. I think this is hard to exploit | 16:26 |
mdeslaur | it also needs a malicious certificate signed by a CA | 16:27 |
JanC | embedded systems are often easy to exploit | 16:27 |
mdeslaur | https://ubuntu.com/security/notices/USN-5710-1 | 17:17 |
Odd_Bloke | Thanks Marc! | 17:24 |
mdeslaur | Odd_Bloke: yw! | 17:24 |
Unit193 | That was anticlimactic. | 21:19 |
hggdh | fortunately... | 22:20 |
Unit193 | Yes, anticlimactic openssl security releases are a good thing. | 22:20 |