arraybolt3 | Hey all o/ So as part of my job, I ended up finding and developing a PoC for a live-build vulnerability. Debian Security Team already knows and basically encouraged me to make it public, so I did. Might be worth taking a look at Ubuntu's ISO build infra and making sure that you're not downloading things over plain HTTP. https://gist.github.com/ArrayBolt3/99d1296a6d82b5a6f2453943eaf85520 | 02:57 |
---|---|---|
tsimonq2 | mdeslaur, sarnold: ^^^ I suggested he raise it here as well :) | 02:58 |
arraybolt3 | also worth looking at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718225, the bug's been known about for a while. I sent the above link there too. | 02:58 |
-ubottu:#ubuntu-security- Debian bug 718225 in live-build "live-build should authenticate files it downloads" [Wishlist, Open] | 02:58 | |
=== Juesto is now known as Juest | ||
sarnold | arraybolt3, tsimonq2, awesome, thanks <3 | 20:36 |
tsimonq2 | Of course :) | 20:37 |
* arraybolt3 missed backlog because I'm using a non-bouncered client | 20:38 | |
tsimonq2 | arraybolt3: You didn't miss anything :) | 20:38 |
arraybolt3 | ah kk | 20:39 |
sarnold | whole buncha connects, quits, netsplits, all the usual irc gunk | 20:39 |