[19:59] <ahasenack> hi, just a heads up, that I prepared an frr upload to mantic at https://code.launchpad.net/~ahasenack/ubuntu/+source/frr/+git/frr/+merge/450492 with fixes for CVE-2023-38802, CVE-2023-41358, CVE-2023-41360 (as uploaded by debian)
[19:59] -ubottu:#ubuntu-security- FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote attacker to cause a denial of service via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation). <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802>
[19:59] -ubottu:#ubuntu-security- An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41358>
[19:59] -ubottu:#ubuntu-security- An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41360>
[19:59] <ahasenack> oops, didn't intend to get the bot excited
[20:01] <Eickmeyer> ubottu not joking around!
[21:13] <ahasenack> hi #security, I would like to hear your thoughts about https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/1978849/comments/10
[21:13] -ubottu:#ubuntu-security- Launchpad bug 1978849 in bind9 (Ubuntu Mantic) "bind9-dyndb-ldap has unmet dependencies" [High, In Progress]
[21:14] <ahasenack> tl;dr src:bind-dyndb-ldap since jammy is requiring exactly the version of bin:bind9-libs it was built with. Whenever src:bind9 gets an update, src:bind-dyndb-ldap breaks unless it's rebuilt. I'm adding a dep8 test to both packages to catch this
[21:14] <ahasenack> since we don't have a britney migrating packages in stable releases, we never catch the broken dependency otherwise
[21:15] <ahasenack> but the flip side is that we will then have this situation where, if src:bind-dyndb-ldap fails to build with src:bind9 for whatever reason, this would block the src:bind9 update due to a failing dep8 test
[21:15] <ahasenack> I think it's still better, as we can always override test results and make a release anyway, if we have to