[02:57] <arraybolt3> Hey all o/ So as part of my job, I ended up finding and develping a PoC for a live-build vulnerability. Debian Security Team already knows and basically encouraged me to make it public, so I did. MIght be worth taking a look at Ubuntu's ISO build infra and making sure that you're not downloading things over plain HTTP. https://gist.github.com/ArrayBolt3/99d1296a6d82b5a6f2453943eaf85520
[02:58] <tsimonq2> mdeslaur, sarnold: ^^^ I suggested he raise it here as well :)
[02:58] <arraybolt3> also worth looking at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718225, the bug's been known about for a while. I sent the above link there too.
[02:58] -ubottu:#ubuntu-security- Debian bug 718225 in live-build "live-build should authenticate files it downloads" [Wishlist, Open]
=== Juesto is now known as Juest
[20:36] <sarnold> arraybolt3, tsimonq2, awesome, thanks <3
[20:37] <tsimonq2> Of course :)
[20:38]  * arraybolt3 missed backlog because I'm using a non-bouncered client
[20:38] <tsimonq2> arraybolt3: You didn't miss anything :)
[20:39] <arraybolt3> ah kk
[20:39] <sarnold> whole buncha connects, quits, netsplits, all the usual irc gunk