=== chris14_ is now known as chris14
=== Juesto is now known as Juest
[06:07] <mcphail> amurray: fyi: https://gld.mcphail.uk/posts/explaining-cve-2024-1724/
[06:07] -ubottu:#ubuntu-security- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1724>
[06:09] <amurray> mcphail: thanks - I am in the process of getting the cves published to mitre/nvd on our and getting the associated snapd updates published to the -security pocket (they are already in -updates so should be a simple no-change rebuild and publish)
[06:09] <amurray> *on our side
[06:09] <mcphail> Ta
[14:32] <ricotz> mdeslaur, hello, please see https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/2071624
[14:32] -ubottu:#ubuntu-security- Launchpad bug 2071624 in libreoffice (Ubuntu Noble) "CVE-2024-5261" [Medium, In Progress]
[14:35] <mdeslaur> ricotz: cool, I'll upload it when I get back tomorrow
[14:35] <mdeslaur> thanks!
[14:36] <ricotz> mdeslaur, great!, the noble package will need a no-change rebuild for -security
[14:37] <mdeslaur> ah! right, thanks
[14:39] <ricotz> thanks :)
[15:54] <juliaaa> It was discovered that OpenSSH incorrectly handled signal management. A remote attacker could use this issue to bypass authentication
[15:54] <juliaaa> CVE-2024-6387
[15:54] -ubottu:#ubuntu-security- A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387>
[15:55] <juliaaa> A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). <https://cve.mitre.org/cgi-bin/cvename.
[15:55] <juliaaa> cgi?name=CVE-2024-6387>
[15:55] -ubottu:#ubuntu-security- A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387>
[15:56] <juliaaa> oops
[16:12] <mdeslaur> https://ubuntu.com/security/notices/USN-6859-1
[16:13] <mdeslaur> juliaaa: ^
[20:52] <teward> because i have a headache and my brain doesn't work well in those cases.  mdeslaur: wrt CVE-2024-6387, i assume the Mitigation(s) aren't needed if we update to the patched version of the OpenSSH packages?
[20:52] -ubottu:#ubuntu-security- A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387>
[22:22] <mdeslaur> teward: install your updates, and go have some sleep