=== gschanuel3 is now known as gschanuel
=== zareem3 is now known as zareem
=== zareem9 is now known as zareem
=== gschanuel4 is now known as gschanuel
=== lotuspsychje_ is now known as lotuspsychje
=== scoobydoob is now known as scoobydoo
=== kostkon_ is now known as kostkon
[09:27] just a 0.2c tip; follow releases on github (e.g. https://github.com/openssl/openssl)
=== alkisg1 is now known as alkisg
=== gschanuel2 is now known as gschanuel
[14:03] ravage: I read where the vulnerable versions were 3.0+, no clue how accurate that is.
[14:07] skeer: yes, the vuln is only in 3.0 (before 3.0.7) but they also provided a 1.1.1 bug fix release (1.1.1r) today
[14:07] Ahhh interesting.
[14:07] That's Canonical's versioning?
[14:08] skeer: no, those are upstream version numbers
[14:08] sdeziel: Ah yes (sorry, it's early)
[14:09] skeer: AFAIK, Canonical has yet to release updates but I'm sure they are currently baking ;)
[14:11] or waiting on openssl..
[14:11] Others have mentioned it but I'm still surprised at the lack of info on this current CVE
[14:12] there's no info because it's not public yet, you need to wait a couple of hours for the openssl team to make the information public, at which time we'll publish updates
[14:13] I wasn't complaining.. just stating is all.
[14:13] https://www.openssl.org/news/cl30.txt shows 3.0.7, isn't it?
[14:14] xx XXX xxxx
[14:14] oh, now I see :)
[14:20] oh, and yes, it's 3.x only
[14:20] so only jammy+
[14:31] related info for those like me who are unaware: https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software
[16:02] https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-306-and-307-1-nov-2022
=== justache is now known as justPardoned
[16:13] when openssl 3.0.7?
[16:14] supposed to be <45min, but the openssl.org website is being DDoSed
[16:15] or well, the time window ends in 45min, and it's not released yet, except on github
[16:15] "Further analysis based on some of the mitigating factors described above
[16:15] have led this to be downgraded to HIGH."
[16:15] ya, thankfully
[16:15] patdk-lap: https://www.openssl.org/news/secadv/20221101.txt
[16:15] and "only" DoS on Ubuntu I believe
[16:16] oh, that page loads, most of openssl just gives me timeout errors
[16:16] (but was kinda expecting canonical to be in the fold and have 3.0.7 ready at the same time as the source release?)
[16:16] JornS: publication takes time
[16:16] :)
[16:17] (openssl github is also working fine: https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-306-and-307-1-nov-2022 )
[16:17] I did say, except github
[16:20] https://www.openssl.org/news/secadv/20221101.txt published
[16:21] yes, it's a DoS only on Ubuntu, and you have to use a cert signed by a CA too...so...
[16:21] why is it a DoS only, because of the stack protections?
[16:22] yes
[16:22] it's a 4-byte stack overflow
[16:50] Hey, they finally released the info?
[16:52] yes :)
[16:53] *Sigh of relief* wasn't a crypto break! Woot!
[16:53] a crypto break would affect much more than *only* openssl
[16:54] Well yes but sometimes crypto implementations have some boffo in them (like mega.nz found out the hard way)
=== arraybolt3_ is now known as arraybolt3
[16:56] but it wouldn't be a crypto break then
[16:56] it would be an implementation break
[16:57] Valid point, that's what I meant.
=== arraybolt3_ is now known as arraybolt3
[17:17] https://ubuntu.com/security/notices/USN-5710-1
[17:38] ❤️
[18:16] Alright, patch time!
[18:16] * arraybolt3 reboots
[18:18] Thank you for the timely update mdeslaur!
[18:18] feurig: yw!