/srv/irclogs.ubuntu.com/2022/11/01/#ubuntu-server.txt

=== gschanuel3 is now known as gschanuel
=== zareem3 is now known as zareem
=== zareem9 is now known as zareem
=== gschanuel4 is now known as gschanuel
=== lotuspsychje_ is now known as lotuspsychje
=== scoobydoob is now known as scoobydoo
=== kostkon_ is now known as kostkon
09:27 <konstruktoid> just a 0.2c tip; follow releases on github (e.g. https://github.com/openssl/openssl)
=== alkisg1 is now known as alkisg
=== gschanuel2 is now known as gschanuel
14:03 <skeer> ravage: I read where the vulnerable versions were 3.0+, no clue how accurate that is.
14:07 <sdeziel> skeer: yes, the vuln is only in 3.0 (before 3.0.7) but they also provided a 1.1.1 bug fix release (1.1.1r) today
14:07 <skeer> Ahhh interesting.
14:07 <skeer> That's Canonical's versioning?
14:08 <sdeziel> skeer: no, those are upstream version numbers
14:08 <skeer> sdeziel: Ah yes (sorry, it's early)
14:09 <sdeziel> skeer: AFAIK, Canonical has yet to release updates but I'm sure they are currently baking ;)
14:11 <sarnold> or waiting on openssl..
14:11 <skeer> Others have mentioned it but I'm still surprised at the lack of info on this current CVE
14:12 <mdeslaur> there's no info because it's not public yet, you need to wait a couple of hours for the openssl team to make the information public, at which time we'll publish updates
14:13 <skeer> I wasn't complaining.. just stating is all.
14:13 <sdeziel> https://www.openssl.org/news/cl30.txt shows 3.0.7, isn't it?
14:14 <sarnold> xx XXX xxxx
14:14 <sdeziel> oh, now I see :)
14:20 <mdeslaur> oh, and yes, it's 3.x only
14:20 <mdeslaur> so only jammy+
14:31 <skeer> related info for those like me who are unaware: https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software
16:02 <konstruktoid> https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-306-and-307-1-nov-2022
=== justache is now known as justPardoned
16:13 <JornS> when openssl 3.0.7?
16:14 <patdk-lap> supposed to be <45min, but openssl.org website is ddos
16:15 <patdk-lap> or well, the time window ends in 45min, and not released yet, except in github
16:15 <konstruktoid> "Further analysis based on some of the mitigating factors described above
16:15 <konstruktoid> have led this to be downgraded to HIGH."
16:15 <JornS> ya, thankfully
16:15 <sarnold> patdk-lap: https://www.openssl.org/news/secadv/20221101.txt
16:15 <konstruktoid> and "only" DoS on Ubuntu I believe
16:16 <patdk-lap> oh, that page loads, most of openssl just gives me timeout errors
16:16 <JornS> (but was kinda expecting canonical to be in the fold and have 3.0.7 ready at the same time as source release?)
16:16 <sarnold> JornS: publication takes time
16:16 <JornS> :)
16:17 <JornS> (openssl github is also working fine: https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-306-and-307-1-nov-2022 )
16:17 <patdk-lap> I did say, except github
16:20 <ahasenack> https://www.openssl.org/news/secadv/20221101.txt published
16:21 <mdeslaur> yes, it's a DoS only on Ubuntu, and you have to use a cert signed by a CA too...so...
16:21 <ahasenack> why is it a dos only, because of the stack protections?
16:22 <mdeslaur> yes
16:22 <mdeslaur> it's a 4-byte stack overflow
16:50 <arraybolt3_> Hey, they finally released the info?
16:52 <mdeslaur> yes :)
16:53 <arraybolt3_> *Sigh of relief* wasn't a crypto break! Woot!
16:53 <patdk-lap> a crypto break would affect much more than *only* openssl
16:54 <arraybolt3_> Well yes but sometimes crypto implementations have some boffo in them (like mega.nz found out the hard way)
=== arraybolt3_ is now known as arraybolt3
16:56 <patdk-lap> but it wouldn't be a cryptobreak then
16:56 <patdk-lap> it would be an implementation break
16:57 <arraybolt3> Valid point, that's what I meant.
=== arraybolt3_ is now known as arraybolt3
17:17 <mdeslaur> https://ubuntu.com/security/notices/USN-5710-1
17:38 <tomreyn> ❤️
18:16 <arraybolt3> Alright, patch time!
18:16 * arraybolt3 reboots
18:18 <feurig> Thank you for the timely update mdeslaur!
18:18 <mdeslaur> feurig: yw!
