=== chris14_ is now known as chris14 | ||
=== bbezak6 is now known as bbezak | ||
=== mrmango1760 is now known as mrmango176 | ||
kierank | If I wanted to backport a use-after-free crash to net-snmp 5.8 on ubuntu 20.04 how do I do that? | 12:38 |
---|---|---|
lotuspsychje | !backport | kierank can this help? | 13:00 |
ubottu | kierank can this help?: If new updated Ubuntu packages are built for an application, then they may go into Ubuntu Backports. See https://help.ubuntu.com/community/UbuntuBackports - See also !packaging | 13:00 |
JanC | a backported bug fix should go into -updates, not -backports | 13:05 |
JanC | or maybe even -security | 13:05 |
kierank | I'm not 100% sure if it's exploitable | 13:12 |
JanC | well, that's often hard to say with this type of crashes | 13:29 |
JanC | at the very least it would work as a DoS | 13:29 |
JanC | https://packaging.ubuntu.com/html/fixing-a-bug.html might be useful | 13:40 |
tobhe | https://wiki.ubuntu.com/StableReleaseUpdates is what you might want to follow actually | 13:55 |
rbasak | kierank: I would start by preparing a debdiff that patches just that issue. Then ask the security team for first refusal. | 13:58 |
kierank | Thanks, will do that | 13:58 |
rbasak | If the security team say yes, they'll take it into focal-security. If instead you submit it as an SRU, "have you asked security" would probably be the SRU team's first question :) | 13:58 |
rbasak | See https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue on how to submit a debdiff to the security team. | 13:59 |
rbasak | Please do ask for more help here with the process if you need, and thank you for looking to make the package better! | 14:00 |
kierank | Thanks | 14:01 |
=== sdeziel_ is now known as sdeziel | ||
samy1028 | Hey all. So, we're trying to compile a later version of Zabbix-Agent on Ubuntu 20.04 FIPS since the repo version is 4.x. We need features available in 6.x that's not in 4.0. | 14:58 |
samy1028 | The issue I'm having is installing libssl-dev. "apt-get install libssl-dev" It's complaining with: libssl-dev : Depends: libssl1.1 (= 1.1.1f-1ubuntu2.17) but 1.1.1f-1ubuntu2.fips.2.8 is to be installed | 14:59 |
samy1028 | any ideas? Also, anyone know what the timeframe is for 22.04 FIPS Cloud version to be available on AWS and Azure? | 14:59 |
jchittum | FIPS timeline for Jammy is pushed out further than we'd like. I'm asking for public roadmap now | 15:03 |
samy1028 | jchittum, I understand. I think 20.04 FIPS on Azure/AWS was nearly 2 years after 20.04 base was released. | 15:04 |
jchittum | samy1028, correct. we were hoping for something faster with 22.04, but FIPS moved to a new certification revision, 140-3. it included some differences in cryptography requirements, among other things, that made the move more complex. Plus testing, because no one had done a 140-3 cert yet | 15:05 |
samy1028 | understood. We've been having to look over 140-3 also, but so far none of our clients request it. They're all okay with 140-2 still. | 15:07 |
samy1028 | any thoughts about why I can't install libssl-dev with FIPS? | 15:07 |
tobhe | samy1028: fips or fips-updates and what version of libssl-dev is that | 15:09 |
tobhe | normally /etc/apt/preferences.d/ubuntu-fips-updates should pin the fips archive and pull in libssl-dev from there. it looks like yours is trying to use the non-fips version | 15:12 |
samy1028 | I wonder if it's because we tried building Zabbix-Agent using gnutls-dev on this same system? don't know. | 15:13 |
samy1028 | However, this was a base 20.04 that was upgraded to PRO / FIPS. | 15:13 |
samy1028 | hmm.. | 15:14 |
samy1028 | this is interesting. It installed FIPS, but when I do "ua status" it's showing fips and fips-updates as disabled. very odd. | 15:15 |
samy1028 | I know they were enabled previously. | 15:15 |
tobhe | no idea how that would happen. but 1.1.1f-1ubuntu2.fips.2.8 implies the fips archive is enabled in sources.list.d | 15:22 |
jchittum | could be a stale apt cache? if the apt cache has the fips repo...but one would assume that libssl-dev would _also_ then be referencing the stale cache? maybe? | 15:25 |
samy1028 | another oddity on this dev machine. I did: pro enable fips. It updated and said a reboot was required. I rebooted. And now openssh-server doesn't want to start. systemctl doesn't even list it anymore but according to apt it's still installed. | 15:27 |
samy1028 | well, a remove and re-install didn't fix openssh-server. I may just revert back to a snapshot. | 15:29 |
tobhe | try starting it via sshd -D and see what it reports | 15:29 |
samy1028 | tobhe, sshd re-exec requires execution with an absolute path | 15:31 |
tobhe | sorry, the full command would be something like: sudo mkdir -p /run/sshd && sudo /usr/sbin/sshd -Dd | 15:36 |
samy1028 | odd, now it's working. But I didn't even get a chance to run your command. | 15:47 |
samy1028 | btw, it's "systemctl status sshd" not "systemctl status openssh" or "openssh-server" | 15:48 |
samy1028 | well, fyi - after doing "pro enable fips" and the reboot, I can now successfully install libssl-dev FIPS. | 15:52 |
jayb | Hi! Can someone recommend a way to see more detailed kernel logging of networking issues, specifically macvtap? The background of the problems I'm having are here: https://braeburn.org/~jayb/ubuntu-macvtap0.txt | 16:19 |
deltreey | for the past year or so, I've been migrating various servers from ubuntu-server to debian to minimize my OS footprint, but I wonder if that's a bad idea. Can anyone explain the trade-offs to me? | 21:58 |
konstruktoid | One I can think of is that Debian tends to be a bit slower (or conservative) when it comes to package updates | 22:05 |
konstruktoid | Ubuntu has newer stuff | 22:05 |
deltreey | that's relevant! | 22:11 |
JanC | for some things it's good to use multiple OS & software so that you have an alternative ready when one has an issue | 23:18 |
JanC | e.g. I know some people do that for DNS (but Debian & Ubuntu might be too close for that) | 23:19 |