/srv/irclogs.ubuntu.com/2024/07/02/#ubuntu-discuss.txt

lotuspsychj3good morning02:17
lotuspsychj3https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt12:20
-ubottu:#ubuntu-discuss- A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387>12:20
leftyfblotuspsychj3: there's package updates for every supported release that is vulnerable12:23
ogra_https://ubuntu.com/security/CVE-2024-638712:24
-ubottu:#ubuntu-discuss- A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387>12:24
ogra_long fixed 😛12:24
lotuspsychj3yeah thanks, I'm 1 day behind my security news :p12:24
JanCwould have been really really bad if Ubuntu wouldn't have had fixes in time when there is a "coordinated release date" involving upstreams/downstreams/researchers  :)13:12
JanCOTOH, the more people know how urgent this update is the better, I guess13:13
pragmaticenigmabeen scratching my head why I didn't get an update... running an old enough LTS version that it doesn't apply to me. win, for being a late adopter!13:32
JanChehe13:51
JanCI had some old system without update too, always good to check the OpenSSH version to be sure indeed13:52
pragmaticenigmaannoyed that Rocky isn't putting the patch in their main repo... instead opting for some security repo. but that machine isn't connectable from the Internet at this time. So not going to worry about it for now13:53
JanCit's not in the "main repo" in Ubuntu either... only in -updates & -security  ;)13:59
JanCbut I assume you mean something else for Rocky14:00
JanC(I don't really know how Rocky works nowadays)14:00
pragmaticenigmaIt's similar, I meant the main repos, not just the primary. But their remediation article says to install another repo SIG/security to get the patch for openssh. The article is at https://rockylinux.org/news/2024-07-01-rocky-linux-9-cve-2024-6378-regression if you're curious14:11
-ubottu:#ubuntu-discuss- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6378>14:11
pragmaticenigmaokay... that's an annoying feature ubottu14:12
pragmaticenigmaCan someone fix that? The pattern should make sure that the CVE designation has white space on either side, to avoid triggering that when it is embedded in a link14:13
JanCI don't mind if it finds CVEs inside URLs14:18
JanCthat's not the problem here, the problem is they apparently made a typo in their original article title, and the slug wasn't updated after they fixed the title  :)14:19
pragmaticenigmaIt might not always be a CVE in the URL... could just be someone's poor choice in naming convention/generation of their URLs14:20
JanCthat applies to non-URL mentions including "CVE" too, of course14:20
pragmaticenigmaYes, but I feel that's less likely for someone to prattle off something like CVE-2024-0000 in casual conversation14:21
JanCI haven't seen any URLs triggering it incorrectly14:22
lotuspsychj3pretty handy CVE & bugs link titles14:25
JanCseems like this whole thing is (at least in part) the result of RH policies?14:26
JanCthe special repo14:27
pragmaticenigmanot sure, When RH pulled the plug on their source repos being public, it left a lot of the EL distros scrambling.14:28
pragmaticenigmaIn this case it appears to be a repo to hold security patches that cannot be sourced from any upstream EL repository. Meaning, the patch is probably not in the CentOS Stream repos14:30
=== PowaBanga_ is now known as PowaBanga
JanCsources only have to be published when the binary packages are released, but Rocky had to make fixes before that14:50
ogra_sources don't have to be published at all ... *if* someone asks for them you need to make them available ... but there is no obligation on the format ... i.e. you could send a box with punchcards to the asking person and would fulfill the GPL15:30
JanCtrue, but they probably don't want to handle individual requests--that could become time-consuming & expensive quickly  :)15:31
JanCalso, OpenSSH isn't GPL, of course15:32
ogra_indeed, nobody wants that which is why everyone publishes sources ... but this is not a *must* 15:33
ogra_yeah, and there is that ... 15:33
ogra_(FWIW, i have always wondered how many trucks the current kernel source would fill if you printed it out on punchcards)15:34
JanCmy point was more about the timing: Rocky wanted packages ready & available before the "coordinated release date", but even if RH publish source packages they won't do so before that date15:34
pragmaticenigmaYou would need very wide punchcards... or a lot of shift registers in the read in15:35
ogra_well, the question is also if Rocky is even on the embargo list so they can get access to the fixes before release15:35
pragmaticenigmapretty sure they are15:36
JanCI would hope they are15:36
ogra_aren't they a RH downstream  ?15:36
JanCit seems like that repo is also used by several other EL clones15:36
pragmaticenigmahence why I believe the patch was issued through a designated security repo15:36
JanCso is Oracle, but sure Oracle is on that list too?15:37
ogra_well, i'm pretty sure i.e. linuxmint isn't 15:38
ogra_probably a matter of size too 15:38
JanCthe upstream patch itself was, I'm sure, but stuff like the changelog message would not be  :)15:38
JanCand other distro-related stuff, like marking it important/urgent or whatever15:39
JanCdoesn't linuxmint depend on Ubuntu/Debian repos?15:41
ogra_except for the packages they hack 15:43
ogra_for that they have their own overlay repo i think15:43
JanCI sure hope they don't mess with OpenSSH  :)15:43
ogra_who knows .... they used to mess with Xorg, GTK and the kernel in the past 15:43
JanCand they would know about reported security bugs where they are upstream15:43
JanCoh15:44
ogra_luckily they stopped doing the Xorg and kernel bits long ago and simply use ours 15:44
ogra_but i think their GTK still carries patches for cinnamon .... 15:45
JanClet's hope they are kept in the loop for serious Gtk security bugs then15:48
ogra_yeah15:48
JanC(as hopefully they also inform other distros about serious cinnamon issues--it's mutually beneficial)15:50
pragmaticenigmafar as I can tell, embargo just means the details are unreleased and waiting on the original source to be patched by its maintainer. So no one is really on any embargo list, only that the controllers of information will not release until the software vendor says they've issued their patches. So the maintainer of OpenSSH would have to maintain a channel for informing downstream subscribers of their issuance of a security patch and 15:55
pragmaticenigmaask them to kindly refrain from publicly disclosing it until the maintainer is ready15:55
pragmaticenigmaJanC: There are plenty of moderators and ops in channel. if there's a problem, they will take care of it when they want to.19:10
JanCI know19:14
sarnoldogra_: Rocky should be on the distros list, which was used for coordinating the OpenSSH issue https://www.openwall.com/lists/oss-security/2023/10/17/420:34
sarnoldogra_: if they didn't have packages ready on release day, maybe they were just on holiday? it landed during Canada Day and a few days before the 4th of July, lots of north americans take time off around these days20:35
pragmaticenigmaIt's almost like it was intentionally dropped just before major north american holidays on purpose20:37
hggdhas far as I can remember Rocky is now represented in oss-security20:37
hggdh(they applied a few months back)20:38
JanCsarnold: they were on release day AFAICT, but they were released in a separate repo that (apparently) not everybody knows about yet21:06
JanCI assume their main repo is supposed to be a clone of RHEL, and they couldn't do that for these security updates if they wanted to release on release day...21:07
sarnoldJanC: ahhhhhhhhhhhh21:38

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!