| enyc | hrrrrrrrrrrm | 07:19 |
|---|---|---|
| enyc | Thunderbird packages keep appearing in https://launchpad.net/~ubuntu-mozilla-security/+archive/ubuntu/ppa but don't get them through to LTS/releases ??!? | 07:19 |
| enyc | 102.2.2 has many security flaws, etc... | 07:21 |
| enyc | ;/ | 07:21 |
| tumbleweed | am I missing something in the security sponsorship process? https://bugs.launchpad.net/ubuntu/+source/pysha3/+bug/1995197 | 07:57 |
| -ubottu:#ubuntu-security- Launchpad bug 1995197 in pysha3 (Ubuntu Kinetic) "Vulnerable to CVE 2022-37454 (SHA-3 buffer overflow)" [Undecided, Confirmed] | 07:57 | |
| ebarretto | tumbleweed, we will take a look today, sorry for the delay | 08:18 |
| ebarretto | enyc, we are aware of the delay in thunderbird and browsing packages and we are had discussions last week to try to address it and get more people involved in the process of doing those sponsoring, sorry about that | 08:22 |
| tumbleweed | ebarretto: thanks | 08:41 |
| enyc | ebarretto: thankyou for letting me know! | 08:49 |
| * enyc meows ;o | 09:17 | |
| * Unit193 makes a note to rebuild mdeslaur with -fstack-protector-strong :> | 12:47 | |
| mdeslaur | lol | 12:47 |
| mickeypash | Hello! | 15:46 |
| mickeypash | Can someone comment on this https://ubuntu.com/security/CVE-2022-42919 | 15:46 |
| -ubottu:#ubuntu-security- Python 3.9.x and 3.10.x through 3.10.8 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine.... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919> | 15:46 | |
| mickeypash | 3.9 ~ 20.04 says a patch is required (Needed). | 15:48 |
| mickeypash | There is a patch for this on the Python repo (if I understand correctly) | 15:48 |
| mickeypash | I think what is required a corresponding Ubuntu patch? | 15:50 |
| mickeypash | Could someone help me grok this? | 15:50 |
| sdeziel | mickeypash: I'm not member of the security team but I /think/ that since python3.9 is in universe for 20.04, it is community supported (while main is supported by Canonical) | 16:03 |
| sdeziel | that said, python3.9 in 20.04 did receive a security patch before from a Canonical employee so maybe they'll get around to doing it again, dunno | 16:04 |
| mickeypash | sdeziel thanks, that is correct I checked with a Canonical security team member and he said the same thing | 16:11 |
| mickeypash | But isn't there someone from the community to help out? | 16:12 |
| mickeypash | I'm willing to do it but I don't have the context | 16:12 |
| mickeypash | I suspect it's simple if one had the setup in place? | 16:13 |
| sdeziel | mickeypash: the patch is rather trivial so it shouldn't be too hard and would be a good deed for the community | 16:18 |
| sdeziel | https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation might be a good starting point | 16:21 |
| mickeypash | Nice thanks! I hope I have the headspace to do it | 16:28 |
| mickeypash | Reality is I probably don't | 16:31 |
| mickeypash | I'd rather stay at a higher level of abstraction:D | 16:31 |
| sdeziel | mickeypash: the lazy way out is to move your stuff to 22.04 which has python3.10 in main ;) | 16:38 |
| teward | sdeziel: i heard python and patch what'd i miss heh | 21:07 |
| sdeziel | teward: tl;dr is use python3.X from main and the security team will "have your back" (quoting Alex Murray from the podcast ;) | 21:10 |
| teward | accurate xD | 21:10 |
| teward | i mean i keep a pyenv around for newer/older versions for compatibility testing or version specific stuff but i use stock main repo versions for most stuff xD | 21:11 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!