/srv/irclogs.ubuntu.com/2024/01/29/#ubuntu-security.txt

=== JanC_ is now known as JanC
=== chris14_ is now known as chris14
<blahdeblah> Out of curiosity, how often do old vulns get reevaluated?  Our corporate vuln management tool is complaining about https://ubuntu.com/security/CVE-2021-3864 on my fully-patched jammy system. [05:55]
-ubottu:#ubuntu-security- A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a re... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3864> [05:55]
<amurray> blahdeblah: the ubuntu cve page for this has a note from sbeattie saying there is no official fix from upstream for this as of 2022-01-27 - I am assuming this is still the case [07:02]
<blahdeblah> Yep, saw that; just wondered if it is still true, given that note was the last time the entry appears to have changed. [07:04]
<Apparmortastic> georgiag that's interesting, then my question becomes, has libnss-resolve ever worked on apparmor based systems? [09:12]
<Apparmortastic> because if i understand flags=(attach_disconnected) right, it's a security issue to do so and i would have to add it to all profiles that need internet, which is all of them [09:13]
<georgiag> Apparmortastic: I'm not sure, I'd have to check. I was basing myself only on the "allowed" log you pasted. we are currently working on improving attach_disconnected because it's very permissive, but a lot of applications need it. depending on the version you're running, you can specify the path using flags=(attach_disconnected.path=/foo) [11:29]
<Apparmortastic> georgiag i made a bug report https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2051506 for this [11:42]
-ubottu:#ubuntu-security- Launchpad bug 2051506 in apparmor (Ubuntu) "apparmor blocks libnss-resolve socket" [Undecided, Confirmed] [11:42]
<georgiag> Apparmortastic: thanks! [11:46]
<sbeattie> blahdeblah: we do periodically go back through the cves that don't have an identified upstream fix, though the ones that are older get less focused attention. [17:22]
<sbeattie> blahdeblah: looking at that specific cve, I'm not seeing a fix that landed upstream for it, and both redhat and suse closed out their associated bug reports with wontfix. :/ [17:23]
<blahdeblah> Thanks sbeattie [19:05]
=== user03 is now known as gchound
