[12:38] <kierank> If I wanted to backport a use-after-free crash to net-snmp 5.8 on ubuntu 20.04 how do I do that?
[13:00] <lotuspsychje> !backport | kierank can this help?
[13:05] <JanC> a backported bug fix should go into -updates, not -backports
[13:05] <JanC> or maybe even -security
[13:12] <kierank> I'm not 100% sure if it's exploitable
[13:29] <JanC> well, that's often hard to say with this type of crash
[13:29] <JanC> at the very least it would work as a DoS
[13:40] <JanC> https://packaging.ubuntu.com/html/fixing-a-bug.html might be useful
[13:55] <tobhe> https://wiki.ubuntu.com/StableReleaseUpdates is what you might want to follow actually
[13:58] <rbasak> kierank: I would start by preparing a debdiff that patches just that issue. Then ask the security team for first refusal.
[13:58] <kierank> Thanks, will do that
[13:58] <rbasak> If the security team say yes, they'll take it into focal-security. If instead you submit it as an SRU, "have you asked security" would probably be the SRU team's first question :)
[13:59] <rbasak> See https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue on how to submit a debdiff to the security team.
[14:00] <rbasak> Please do ask for more help here with the process if you need, and thank you for looking to make the package better!
[14:01] <kierank> Thanks
[14:58] <samy1028> Hey all.  So, we're trying to compile a later version of Zabbix-Agent on Ubuntu 20.04 FIPS since the repo version is 4.x.  We need features available in 6.x that aren't in 4.0.
[14:59] <samy1028> The issue I'm having is installing libssl-dev. "apt-get install libssl-dev"  It's complaining with:   libssl-dev : Depends: libssl1.1 (= 1.1.1f-1ubuntu2.17) but 1.1.1f-1ubuntu2.fips.2.8 is to be installed
[14:59] <samy1028> any ideas?  Also, anyone know what the timeframe is for 22.04 FIPS Cloud version to be available on AWS and Azure?
[15:03] <jchittum> FIPS timeline for Jammy is pushed out further than we'd like. I'm asking for public roadmap now
[15:04] <samy1028> jchittum, I understand.  I think 20.04 FIPS on Azure/AWS was nearly 2 years after 20.04 base was released.
[15:05] <jchittum> samy1028, correct. we were hoping for something faster with 22.04, but FIPS moved to a new certification revision, 140-3. it included some differences in cryptography requirements, among other things, that made the move more complex. Plus testing, because no one had done a 140-3 cert yet
[15:07] <samy1028> understood.  We've been having to look over 140-3 also, but so far none of our clients request it.  They're all okay with 140-2 still.
[15:07] <samy1028> any thoughts about why I can't install libssl-dev with FIPS?
[15:09] <tobhe> samy1028: fips or fips-updates and what version of libssl-dev is that
[15:12] <tobhe> normally /etc/apt/preferences.d/ubuntu-fips-updates should pin the fips archive and pull in libssl-dev from there. it looks like yours is trying to use the non-fips version
[15:13] <samy1028> I wonder if it's because we tried building Zabbix-Agent using gnutls-dev on this same system?  don't know.
[15:13] <samy1028> However, this was a base 20.04 that was upgraded to PRO / FIPS.
[15:14] <samy1028> hmm..
[15:15] <samy1028> this is interesting.  It installed FIPS, but when I do "ua status" it's showing fips and fips-updates as disabled.  very odd.
[15:15] <samy1028> I know they were enabled previously.
[15:22] <tobhe> no idea how that would happen. but 1.1.1f-1ubuntu2.fips.2.8 implies the fips archive is enabled in sources.list.d
[15:25] <jchittum> could be a stale apt cache? if the apt cache has the fips repo...but one would assume that libssl-dev would _also_ then be referencing the stale cache? maybe?
[15:27] <samy1028> another oddity on this dev machine.  I did:  pro enable fips.  It updated and said a reboot was required.  I rebooted.  And now openssh-server doesn't want to start.  systemctl doesn't even list it anymore but according to apt it's still installed.
[15:29] <samy1028> well, a remove and re-install didn't fix openssh-server.  I may just revert back to a snapshot.
[15:29] <tobhe> try starting it via sshd -D and see what it reports
[15:31] <samy1028> tobhe, sshd re-exec requires execution with an absolute path
[15:36] <tobhe> sorry, the full command would be something like: sudo mkdir -p /run/sshd && sudo /usr/sbin/sshd -Dd
[15:47] <samy1028> odd, now it's working.  But I didn't even get a chance to run your command.
[15:48] <samy1028> btw, it's "systemctl status sshd"  not "systemctl status openssh" or "openssh-server"
[15:52] <samy1028> well, fyi - after doing "pro enable fips" and the reboot, I can now successfully install libssl-dev FIPS.
[16:19] <jayb> Hi!  Can someone recommend a way to see more detailed kernel logging of networking issues, specifically macvtap?  The background of the problems I'm having is here: https://braeburn.org/~jayb/ubuntu-macvtap0.txt
[21:58] <deltreey> for the past year or so, I've been migrating various servers from ubuntu-server to debian to minimize my OS footprint, but I wonder if that's a bad idea.  Can anyone explain the trade-offs to me?
[22:05] <konstruktoid> One I can think of is that Debian tends to be a bit slower (or conservative) when it comes to package updates
[22:05] <konstruktoid> Ubuntu has newer stuff
[22:11] <deltreey> that's relevant!
[23:18] <JanC> for some things it's good to use multiple OS & software so that you have an alternative ready when one has an issue
[23:19] <JanC> e.g. I know some people do that for DNS (but Debian & Ubuntu might be too close for that)