[15:55] <ItzSwirl_> there are tarballs for openssl 3.0.7
[15:56] <ItzSwirl_> https://ftp.openssl.org/source/openssl-3.0.7.tar.gz
[15:58] <amurray> ItzSwirl_: mdeslaur has this ready to go - I expect he will have released it within the next hour or so
[15:58] <ItzSwirl_> shweet
[15:59] <mdeslaur> yes, just waiting for their official announcement
[15:59] <ItzSwirl_> a one off error, that honestly is depressing ._.
[15:59] <ItzSwirl_> how can only one byte lead to RCE? I'm not a security expert but I would've made the same mistakes. y i k e s
[15:59] <konstruktoid> https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-306-and-307-1-nov-2022
[16:01] <konstruktoid> "An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). ([CVE-2022-3786])
[16:01] <konstruktoid> An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution depending on stack layout for any given platform/compiler. ([CVE-2022-3602])"
[16:01] -ubottu:#ubuntu-security- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3786>
[16:01] -ubottu:#ubuntu-security- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3602>
[16:03] <ItzSwirl_> konstruktoid: i think by official announcement they mean mitre is updated and a proper email is sent out
[16:04] <konstruktoid> yeah, but that's the official openssl changelog
[16:05] <konstruktoid> and it doesn't matter really until there's a package available
[16:06] <konstruktoid> cant really tell people to patch before that
[16:06] <mdeslaur> https://www.openssl.org/news/secadv/20221101.txt
[16:10] <mdeslaur> releasing updates now
[16:10] <mdeslaur> (FWIW, DoS only on Ubuntu because of stack protector)
[16:11] <konstruktoid> it sure was hyped
[16:13] <ItzSwirl_> Honestly it was overhyped, but rather be overprepared than underprepared. But let's be happy that Heartbleed has not resurrected itself.
[16:13] <ItzSwirl_> I think at the time when they first read the report from the identifier, they may have perceived as critical but after more research scaled it down.
[16:13] <ItzSwirl_> Okay, back to schoolwork. Cheers to all
[16:20] <mdeslaur> well, if you're running something that doesn't use stack protector...
[16:20] <mdeslaur> like some embedded device or legacy system
[16:26] <w1ntermute__> an enbedded system that needs client authentication. Or calls malicious servers. I think this is hard to exploit
[16:27] <mdeslaur> it also needs a malicious certificate signed by a CA
[16:27] <JanC> embedded systems are often easy to exploit
[17:17] <mdeslaur> https://ubuntu.com/security/notices/USN-5710-1
[17:24] <Odd_Bloke> Thanks Marc!
[17:24] <mdeslaur> Odd_Bloke: yw!
[21:19] <Unit193> That was anticlimatic.
[22:20] <hggdh> fortunately...
[22:20] <Unit193> Yes, anticlimatic openssl security releases is a good thing.