/srv/irclogs.ubuntu.com/2024/11/01/#ubuntu-security.txt

=== Montresor is now known as Unit193
09:20 <luna__> listening to this week's podcast now
09:59 <simonb> Hi, do we have any idea when the tomcat10 package for 24.04 will be updated? The package is 11 months old and has 4 high scoring CVEs (CVE-2024-24549 CVE-2024-23672 CVE-2024-38286 CVE-2024-34750)
09:59 -ubottu:#ubuntu-security- Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, f... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24549>
09:59 -ubottu:#ubuntu-security- Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23672>
09:59 -ubottu:#ubuntu-security- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38286>
09:59 -ubottu:#ubuntu-security- Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain ope... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34750>
10:01 <simonb> This is based off https://tomcat.apache.org/security-10.html
10:01 <simonb> 24.10 has a package for 10.1.25 currently, that was available in July
10:26 <simonb> I have created a question against that particular package, and can convert to a bug if required.
10:32 <ebarretto> simonb: tomcat10 is in universe, therefore it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
10:34 <simonb> This is where I'm struggling, as I've been pointed to SRU and told won't fix, then directed to you. I'm happy to get involved, patch, build, or anything that is required. But I'm only being directed to other people/teams.
10:38 <ebarretto> simonb: SRU process is not for security updates, that's why they forward you to us. The wiki has some pointers on patching, triaging and so forth. If you want to first create a bug, we can help you along the process of patching and publishing it. I recommend you take some time to go through the wiki as it is a lot of information
10:45 <simonb> Thank you. I shall do that.
10:59 <lotuspsychje> he made bug #2086358
10:59 -ubottu:#ubuntu-security- Bug 2086358 in tomcat10 (Ubuntu) "Multiple CVE patches, bugfixes, and enhancements availble for 11month old LTS package." [Undecided, New] https://launchpad.net/bugs/2086358
11:13 <ebarretto> thanks lotuspsychje
11:13 <lotuspsychje> welcome
13:37 <zeemate> hello I have a question: I'm using Ubuntu in safe gfxmode right now, and dmesg gives me LSM: initializing lsm=lockdown,capability,landlock,yama,apparmor,ima,evm
13:37 <zeemate> which is an instruction for kernel_lockdown to free some components from lockdown.
13:37 <zeemate> I'm looking for documentation of these instructions, which parameters are possible
13:38 <zeemate> where to put in these parameters? because there is nothing in /proc/cmdline about lsm!
14:48 <zeemate> this man page gives me only a hint, no details: https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html
15:19 <zeemate> well, these parameters are fixed written into the kernel, in autoconf.h; the possible parameters are within kernel docs only: https://docs.kernel.org/userspace-api/landlock.html
=== Juesto is now known as Juest