[09:27] <konstruktoid> just a 0.2c tip; follow releases on github (e.g. https://github.com/openssl/openssl)
[14:03] <skeer> ravage: I read where the vulnerable versions were 3.0+. No clue how accurate that is.
[14:07] <sdeziel> skeer: yes, the vuln is only in 3.0 (before 3.0.7) but they also provided a 1.1.1 bug fix release (1.1.1r) today
[14:07] <skeer> Ahhh interesting.
[14:07] <skeer> That's Canonical's versioning?
[14:08] <sdeziel> skeer: no, those are upstream version numbers
[14:08] <skeer> sdeziel: Ah yes (sorry, it's early)
[14:09] <sdeziel> skeer: AFAIK, Canonical has yet to release updates but I'm sure they are currently baking ;)
[14:11] <sarnold> or waiting on openssl..
[14:11] <skeer> Others have mentioned it but I'm still surprised at the lack of info on this current CVE
[14:12] <mdeslaur> there's no info because it's not public yet, you need to wait a couple of hours for the openssl team to make the information public, at which time we'll publish updates
[14:13] <skeer> I wasn't complaining.. just stating is all.
[14:13] <sdeziel> https://www.openssl.org/news/cl30.txt shows 3.0.7, isn't it?
[14:14] <sarnold> xx XXX xxxx
[14:14] <sdeziel> oh, now I see :)
[14:20] <mdeslaur> oh, and yes, it's 3.x only
[14:20] <mdeslaur> so only jammy+
[14:31] <skeer> related info for those like me who are unaware: https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software
[16:02] <konstruktoid> https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-306-and-307-1-nov-2022
[16:13] <JornS> when openssl 3.0.7?
[16:14] <patdk-lap> supposed to be <45min, but openssl.org website is ddos
[16:15] <patdk-lap> or well, the time window ends in 45min, and not released yet, except in github
[16:15] <konstruktoid> "Further analysis based on some of the mitigating factors described above
[16:15] <konstruktoid> have led this to be downgraded to HIGH."
[16:15] <JornS> ya, thankfully
[16:15] <sarnold> patdk-lap: https://www.openssl.org/news/secadv/20221101.txt
[16:15] <konstruktoid> and "only" DoS on Ubuntu I believe
[16:16] <patdk-lap> oh, that page loads, most of openssl just gives me timeout errors
[16:16] <JornS> (but was kinda expecting canonical to be in the fold and have 3.0.7 ready at the same time as source release?)
[16:16] <sarnold> JornS: publication takes time
[16:16] <JornS> :)
[16:17] <JornS> (openssl github is also working fine: https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-306-and-307-1-nov-2022 )
[16:17] <patdk-lap> I did say, except github
[16:20] <ahasenack> https://www.openssl.org/news/secadv/20221101.txt published
[16:21] <mdeslaur> yes, it's a DoS only on Ubuntu, and you have to use a cert signed by a CA too...so...
[16:21] <ahasenack> why is it a dos only, because of the stack protections?
[16:22] <mdeslaur> yes
[16:22] <mdeslaur> it's a 4-byte stack overflow
[16:50] <arraybolt3_> Hey, they finally released the info?
[16:52] <mdeslaur> yes :)
[16:53] <arraybolt3_> *Sigh of relief* wasn't a crypto break! Woot!
[16:53] <patdk-lap> a crypto break would affect much more than *only* openssl
[16:54] <arraybolt3_> Well yes but sometimes crypto implementations have some boffo in them (like mega.nz found out the hard way)
[16:56] <patdk-lap> but it wouldn't be a cryptobreak then
[16:56] <patdk-lap> it would be an implementation break
[16:57] <arraybolt3> Valid point, that's what I meant.
[17:17] <mdeslaur> https://ubuntu.com/security/notices/USN-5710-1
[17:38] <tomreyn> ❤️
[18:16] <arraybolt3> Alright, patch time!
[18:16]  * arraybolt3 reboots
[18:18] <feurig> Thank you for the timely update mdeslaur!
[18:18] <mdeslaur> feurig: yw!