=== chris14_ is now known as chris14
=== bbezak6 is now known as bbezak
=== mrmango1760 is now known as mrmango176
kierankIf I wanted to backport a use-after-free crash to net-snmp 5.8 on ubuntu 20.04 how do I do that?12:38
lotuspsychje!backport | kierank can this help?13:00
ubottukierank can this help?: If new updated Ubuntu packages are built for an application, then they may go into Ubuntu Backports. See https://help.ubuntu.com/community/UbuntuBackports - See also !packaging13:00
JanCa backported bug fix should go into -updates, not -backports13:05
JanCor maybe even -security13:05
kierankI'm not 100% sure if it's exploitable13:12
JanCwell, that's often hard to say with this type of crashes13:29
JanCat the very least it would work as a DoS13:29
JanChttps://packaging.ubuntu.com/html/fixing-a-bug.html might be useful13:40
tobhehttps://wiki.ubuntu.com/StableReleaseUpdates is what you might want to follow actually13:55
rbasakkierank: I would start by preparing a debdiff that patches just that issue. Then ask the security team for first refusal.13:58
kierankThanks, will do that13:58
rbasakIf the security team say yes, they'll take it into focal-security. If instead you submit it as an SRU, "have you asked security" would probably be the SRU team's first question :)13:58
rbasakSee https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue on how to submit a debdiff to the security team.13:59
rbasakPlease do ask for more help here with the process if you need, and thank you for looking to make the package better!14:00
=== sdeziel_ is now known as sdeziel
samy1028Hey all.  So, we're trying to compile a later version of Zabbix-Agent on Ubuntu 20.04 FIPS since the repo version is 4.x.  We need features available in 6.x that's not in 4.0.14:58
samy1028The issue I'm having is installing libssl-dev. "apt-get install libssl-dev"  It's complaining with:   libssl-dev : Depends: libssl1.1 (= 1.1.1f-1ubuntu2.17) but 1.1.1f-1ubuntu2.fips.2.8 is to be installed14:59
samy1028any ideas?  Also, anyone know what the timeframe is for 22.04 FIPS Cloud version to be available on AWS and Azure?14:59
jchittumFIPS timeline for Jammy is pushed out further than we'd like. I'm asking for public roadmap now15:03
samy1028jchittum, I understand.  I think 20.04 FIPs on Azure/AWS was nearly 2 years after 20.04 base was released.15:04
jchittumsamy1028 , correct. we were hoping for something faster with 22.04, but FIPS moved to a new certification revision, 140-3. it included some differences in cryptography requirements, among other things, that made the move more complex. Plus testing, because no on had done a 140-3 cert yet15:05
samy1028understood.  We've been having to look over 140-3 also, but so far none of our clients request it.  They're all okay with 140-2 still.15:07
samy1028any thoughts about why I can't install libssl-dev with FIPS?15:07
tobhesamy1028: fips or fips-updates and what version of libssl-dev is that15:09
tobhenormally /etc/apt/preferences.d/ubuntu-fips-updates should pin the fips archive and pull in libssl-dev from there. it looks like yours is trying to use the non-fips version15:12
samy1028I wonder if it's because we tried building Zabbix-Agent using gnutls-dev on this same system?  don't know.15:13
samy1028However, this was a base 20.04 that was upgraded to PRO / FIPS.15:13
samy1028this is interesting.  It installed FIPS, but when I do "ua status" it's showing fips and fips-updates as disabled.  very odd.15:15
samy1028I know they were enabled previously.15:15
tobheno idea how that would happen. but 1.1.1f-1ubuntu2.fips.2.8 implies the fips archive is enabled in sources.list.d15:22
jchittumcould be a stale apt cache? if the apt cache has the fips repo...but one would assume that libssl-dev would _also_ then be referencing the stale cache? maybe?15:25
samy1028another oddity on this dev machine.  I did:  pro enable fips.  It updated and said a reboot was required.  I rebooted.  And now openssh-server doesn't want to start.  systemctl doesn't even list it anymore but according to apt it's still installed.15:27
samy1028well, a remove and re-install didn't fix openssh-server.  I may just revert back to a snapshot.15:29
tobhetry starting it via sshd -D and see what it reports15:29
samy1028tobhe, sshd re-exec requires execution with an absolute path15:31
tobhesorry, the full command would be something like: sudo mkdir -p /run/sshd && sudo /usr/sbin/sshd -Dd15:36
samy1028odd, now it's working.  But I didn't even get a chance to run your command.15:47
samy1028btw, it's "systemctl status sshd"  not "systemctl status openssh" or "openssh-server"15:48
samy1028well, fyi - after doing "pro enable fips" and the reboot, I can now successfully install libssl-dev FIPS.15:52
jaybHi!  Can someone recommend a way to see more detailed kernel logging of networking issues, specifically macvtap?  The background of the problems I'm having are here: https://braeburn.org/~jayb/ubuntu-macvtap0.txt16:19
deltreeyfor the past year or so, I've been migrating various servers from ubuntu-server to debian to minimize my OS footprint, but I wonder if that's a bad idea.  Can anyone explain the trade-offs to me?21:58
konstruktoidOne I can think of is that Debian tends to be a bid slower (or conservative) when it comes to package updates 22:05
konstruktoidUbuntu has newer stuff22:05
deltreeythat's relevant!22:11
JanCfor some things it's good to use multiple OS & software so that you have an alternative ready when one has an issue23:18
JanCe.g. I know some people do that for DNS (but Debian & Ubuntu might be too close for that)23:19

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!