[03:08] <sbeattie> ginggs: hey, I see you tried to rebuild pysha3 as part of the py3.11 transition for lunar which FTBFS; if you're investigating it further, it's been removed from debian, and so I'd suggest pushing to get it removed from ubuntu as well, rather than spend any time on it. (I filed LP: #1996562 on it, but not sure when an archive admin will process that.)
[03:08] -ubottu:#ubuntu-devel- Launchpad bug 1996562 in pysha3 (Ubuntu) "Please remove src:pysha3 from lunar" [Undecided, New] https://launchpad.net/bugs/1996562
[07:06] <ginggs> sbeattie: thanks! one less for me to worry about :)
[09:11] <utkarsh2102> waveform: hey, did you see my text on #ubuntu-meeting:libera.chat?
[09:11] <utkarsh2102> I can't make you a MOTU unless that's there, so let me know :)
[15:43] <hggdh> quit
[17:13] <rbasak> bdmurray: https://git.launchpad.net/~ubuntu-server/+git/ubuntu-helpers/tree/rbasak/gu-qvs and https://git.launchpad.net/~ubuntu-server/+git/ubuntu-helpers/tree/rbasak/git-dod (plus .bash-completion)
[17:13] <rbasak> And "git ubuntu queue sync" should work from the git-ubuntu snap (but use edge until I do a release please)
[17:15] <alkisg> Hi all, ldap-account-manager 7.7-1 in jammy has a critical security issue: https://www.ldap-account-manager.org/lamcms/node/455
[17:15] <alkisg> The upstream advice is "upgrade to versions 8+", there's no patch available that would solve the issue for 7.x versions
[17:15] <alkisg> Can we request a "quick SRU" of kinetic's 8.0.1-1.1 to jammy (being LTS and all), or would someone actually need to create a patch to address the security issue in the 7.x versions?
[17:16] <arraybolt3> alkisg: Where is the source code, and do they have a link to the diff?
[17:17] <ogra> alkisg, you know the drill ... open an SRU bug and hope for the best 🙂
[17:17] <arraybolt3> Ugh, I see .tar.bz2 files...
[17:18] <ogra> (and consider joining the SRU team to speed it up 😉 )
[17:19] <rbasak> If it's a security issue, then you want the security team, not the SRU team. Try asking in #ubuntu-security. But usually they'll expect a patch to fix the specific issue.
[17:20] <arraybolt3> Blah. The guy's GitHub commit messages are horribly non-descriptive.
[17:21] <alkisg> ogra, oh, I didn't know community members could join the SRU team!
[17:21] <bdmurray> rbasak: How are these supposed to be used?
[17:21] <ogra> alkisg, sure can ... as long as you have uploader status in sime way
[17:21] <ogra> *some
[17:22] <rbasak> bdmurray: run gu-qvs after running "git ubuntu queue sync" (after you run "git ubuntu clone foo" and "cd foo"). It'll output the equivalent of rmadison -asource but with the unapproved uploads added.
[17:22] <alkisg> Got it. @rbasak thank you, yeh I was expecting that, preparing a patch would need more time than I currently have :/
[17:23] <alkisg> arraybolt3: I haven't seen many frontend developers with good commit messages :D https://github.com/LDAPAccountManager/lam/commits/develop
[17:24] <rbasak> bdmurray: git-dod works exactly like git-range-diff(1) except that it will also flatten everything to one commit. So for example "git-dod queue/k<tab> queue/f<tab>"
[17:25] <rbasak> bdmurray: https://lists.ubuntu.com/archives/ubuntu-devel/2021-February/041395.html
[17:26] <arraybolt3> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ldap+account+manager I see five vulns in here that were fixed in 8.0, not sure which one is the one he talked about, though.
[17:27] <arraybolt3> alkisg: I'd guess it's this one though: https://nvd.nist.gov/vuln/detail/CVE-2022-31084
[17:27] -ubottu:#ubuntu-devel- LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code dur... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31084>
[17:28] <arraybolt3> Oh and look here, I have the commit that fixes it! Add that to the list of things NIST.gov can do!
[17:28] <arraybolt3> https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4
[17:28] -ubottu:#ubuntu-devel- Commit f1d5d04 in LDAPAccountManager/lam "Merge pull request from GHSA-r387-grjx-qgvw"
[17:29] <arraybolt3> Hmm, that looks like it fixes all five, actually. Not a bad thing, though.
[17:31] <arraybolt3> Blah, that's huge. Maybe that's why he suggests upgrading to 8.0...
[19:08] <alkisg> Yeah it's big, "showing 20 changed files with 312 additions and 171 deletions."...