| === chris14_ is now known as chris14 | ||
| === ted_ is now known as ted | ||
| === ted is now known as Guest2352 | ||
| === NotEickmeyer is now known as Eickmeyer | ||
| === blahdeblah_ is now known as blahdeblah | ||
| === Guest2352 is now known as ted | ||
| ahasenack | hi, just a heads up, that I prepared an frr upload to mantic at https://code.launchpad.net/~ahasenack/ubuntu/+source/frr/+git/frr/+merge/450492 with fixes for CVE-2023-38802, CVE-2023-41358, CVE-2023-41360 (as uploaded by debian) | 19:59 |
|---|---|---|
| -ubottu:#ubuntu-security- FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote attacker to cause a denial of service via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation). <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802> | 19:59 | |
| -ubottu:#ubuntu-security- An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41358> | 19:59 | |
| -ubottu:#ubuntu-security- An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41360> | 19:59 | |
| ahasenack | ops, didn't intend to get the bot excited | 19:59 |
| Eickmeyer | ubottu not joking around! | 20:01 |
| ahasenack | hi #security, I would like to hear your thoughts about https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/1978849/comments/10 | 21:13 |
| -ubottu:#ubuntu-security- Launchpad bug 1978849 in bind9 (Ubuntu Mantic) "bind9-dyndb-ldap has unmet dependencies" [High, In Progress] | 21:13 | |
| ahasenack | tl;dr src:bind-dyndb-ldap since jammy is requiring exactly the version of bin:bind9-libs it was built with. Whenever src:bind9 gets an update, src:bind-dyndb-ldap breaks unless it's rebuilt. I'm adding a dep8 test to both packages to catch this | 21:14 |
| ahasenack | since we don't have a britney migrating packages in stable releases, we never catch the broken dependency otherwise | 21:14 |
| ahasenack | but the flip side is that we will then have this situation where, if src:bind-dyndb-ldap fails to build with src:bind9 for whatever reason, this would block the src:bind9 update due to a failing dep8 test | 21:15 |
| ahasenack | I think it's still better, as we can always override test results and make a release anyway, if we have to | 21:15 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!