01:43 <teward> sdeziel: so fyi "public mirrors" end up in the country RRs.  So even if you're in {CC}.archive.ubuntu.com you end up being put through the pool.  Hence security.ubuntu.com as the default
01:43 <teward> just to echo mdeslaur and others
01:43 <teward> it's something that's been that way forever, as the Mirrors team (not Security) explained initially
01:44 <teward> (back when I did regular mirroring)
=== Eickmeyer0 is now known as Eickmeyer
19:36 <tommyfun> I keep my ubuntu servers patched nightly with the unattended upgrades
19:36 <tommyfun> the security team at my org scanned my 20.04 servers and triggered an alert that apache2 was insecure
19:37 <tommyfun> but it's the latest one
19:37 <tommyfun> they use nessus
19:38 <tommyfun> if I put the latest apache2 dpkg on, will it fuck it up somehow?  break dependencies? not be upgradeable with unattended-upgrades?
19:38 <arraybolt3> apache2 is in the Main repository, if you keep your system up-to-date you should be good.
19:38 <arraybolt3> I'd run "sudo apt update && sudo apt full-upgrade" to be sure.
19:38 <tommyfun> Or should I trust the security updates and tell them to kick rocks
19:38 <arraybolt3> Security scanners are notoriously bad at scanning Ubuntu.
19:38 <arraybolt3> They seem to scan the version numbers to check for vulns.
19:38 <arraybolt3> Ubuntu uses old versions of software and backports fixes as needed.
19:39 <arraybolt3> So the version numbers *look* insecure to some scanners, even though the vulns are fixed.
19:39 <arraybolt3> You can use security.ubuntu.com to look up Ubuntu Security Notices to ensure that certain CVEs are patched.
19:41 <tomreyn> yes, it can depend on how nessus determines the versions. they support two approaches - network scans (from external) or agent based (running on the system). the latter can make use of information provided by dpkg, such as which actual package version is installed. whereas network scanning may only see the version the serive (apache) exposes, which is often just the base version, not providing information on which security patches were
19:43 <tomreyn> serive -> service
19:43 <arraybolt3> Oddly, though, security.ubuntu.com seems to be possibly missing some CVE info? For instance, I can see that apache2 isn't vulnerable to CVE-2022-23943 looking at Debian's security tracker and comparing the version numbers there to the version number in Ubuntu 22.10... but I can't find said CVE in the Ubuntu Security Notice list.
19:43 -ubottu:#ubuntu-security- Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23943>
19:43 <sdeziel> to avoid tripping version sniffers, you can tell Apache2 to disclose less with `ServerTokens Prod` and `ServerSignature Off`
19:44 <tommyfun> yeah, I had the security.conf settings not to disclose anything but I thought that this might be the issue, because it can't tell
19:44 <arraybolt3> Oh wait, now I found it.
19:45 <arraybolt3> Meh. Wonder why I didn't find it at first.
19:46 <tommyfun> One of the issues is/was with mod proxy, but I'm not even running it, my boss doesn't want their nessus agent on the server, but I don't have time to deal with these false positives
19:47 <arraybolt3> tomreyn: Isn't there some sort of security scanner for Ubuntu specifically that Canonical has, something about OPAL or some such?
19:47 <arraybolt3> Found it.
19:48 <tommyfun> I don't know.  Both of you have helped me enough.
19:48 <tomreyn> arraybolt3: i'm not aware of Canonical producing a vulnerability scanner specifically for Ubuntu
19:48 <tomreyn> tommyfun: what's the report you've been given?
19:48 <arraybolt3> It wasn't a scanner, it's data *for* a scanner.
19:48 <tommyfun> it was a nessus report
19:49 <tomreyn> tommyfun: and the very finding is?
19:49 <arraybolt3> Not sure if you can afford to uproot whatever you're using and try and use OpenSCAP, and I don't know enough to know if that's even a good idea or if the two are the same thing or close, but from what I've gleaned here, that might be useful.
19:50 <tommyfun> sorry it's tenable
19:50 <arraybolt3> tommyfun: I think he wants to know so that he can show the corresponding Ubuntu Security Notice.
19:50 <arraybolt3> But you should be able to just plug in whatever CVE number it spit out into the USN database and it will tell you what update fixes it.
19:50 <tommyfun> Apache 2.4.x < 2.4.55 Multiple Vulnerabilities: Upgrade to Apache version 2.4.55 or later.
19:51 <tomreyn> this very finding you should be able to get rid of by using what sdeziel suggested
19:52 <arraybolt3> I see there are vuln-patching updates as early as 1 February here https://ubuntu.com/security/notices/USN-5839-1
19:52 <tommyfun> yeah, I was looking at that feb 1 notice
19:53 <tommyfun> so if I installed the latest dpkg manually, does that break anything?
19:53 <arraybolt3> You might break stuff installing things with dpkg. It should never be used manually except in exceptional circumstances.
19:54 <arraybolt3> apt can apply updates safely and easily.
19:54 <tommyfun> yeah, that's what I thought.
19:54 <tommyfun> I could build a vm and test it, maybe later
19:54 <tommyfun> thanks for all your help
19:55 <tomreyn> this approach won't solve the issue for you in the long term
19:55 <arraybolt3> tommyfun: If you're trying to only selectively patch just Apache, you can do that with apt.
19:56 <arraybolt3> "sudo apt update && sudo apt install apache2" will update only just Apache and anything that needs to be updated in order for Apache to be updated.
19:56 <tomreyn> there is something else you need to know, which is that while unattended-upgrades will update and reload affected services automatically, libraries may not immediately get updated, if they are still in use. but, based on the finding given, that's probably not what's happening here.
20:00 <tomreyn> https://www.tenable.com/plugins/nessus/170113 -> the relevant info is "Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."
=== CodeMouse92 is now known as Guest5011