=== JanC is now known as Guest5680
=== hosegypldlckylih is now known as didrgdfjeeuvlgel
=== didrgdfjeeuvlgel is now known as georgiag
=== JanC is now known as Guest3759
=== fauxpride- is now known as fauxpride
[19:47]  * popey waves to bress
[19:49] <bress> Hi all, I have a question about your CVE tracker data vs what the website shows (popey told me to ask here, I totally blame him if that's not right). This CVE https://ubuntu.com/security/CVE-2023-4911 lists a number of distros as Not Affected, but if I look at the data https://git.launchpad.net/ubuntu-cve-tracker/tree/retired/CVE-2023-4911#n34 it says ignored
[19:49] -ubottu:#ubuntu-security- A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911>
[19:49]  * bress waves back
[19:50] <bress> So my question. Is there some other data source I should be looking at, or is there something incorrect with the tracker page?
[19:58] <oerheks> i think git is right; trusty and xenial are out of standard support, for ESM line #35 esm-infra/xenial_glibc: not-affected (code not present)
[20:29] <bress> Ahhhh, so it's howing not affected due to the esm status, not the not-esm status
[20:37] <mdeslaur> yes, that is accurante, once a release goes out of standard support, it's the esm status that takes over
[20:38] <mdeslaur> *accurate
[20:38] <mdeslaur> also, popey is always right
[20:38] <mdeslaur> ;)
[20:55] <popey> I *knew* lurking here was worth it. IRC FOREVER!
[20:56] <bress> So I have a request that I'm willing to accept no as the answer. Is there any chance you would be willing to mark the other distros not affected instead of ignored. We use the data in Grype (the vulnerability scanner) and we see people running it against unsupported distros (we also don't support esm correctly at the moment, we're working on it, but even if we did, this isn't an esm scan). That CVE 
[20:57] <bress> is on teh KEV list so it gets some extra attention
[21:06] <tsimonq2> Hi, this CVE patch is curious but I'm not seeing any details on that CVE number: https://download.qt.io/archive/qt/6.8/CVE-2025-23050-qtconnectivity-6.8.diff
[21:06] -ubottu:#ubuntu-security- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-23050>
[21:07] <tsimonq2> Is this an accidental release of an embargoed patch? Or perhaps something stuck in processes?
[21:31] <mdeslaur> bress: that would be hard for us to do as we are no longer basing our research on the end-of-life distro. I mean, I can do it for a specific CVE if you'd like, but it's not something we would invest time into doing going forward.
[21:32] <mdeslaur> tsimonq2: this? https://www.qt.io/blog/security-advisory-qlowenergycontroller-on-linux
[21:40] <tsimonq2> mdeslaur: Yup, looks like it.
[21:41] <tsimonq2> Is anyone working on patches for that? If not, I can.
[22:02] <sarnold> bress: I think "not-affected" on eg xenial would give the wrong impression to people who are continuing to use xenial without having ESM configured
[22:03] <sarnold> bress: that both suggests that (a) we've done research on it (we probably haven't) and that (b) the user doesn't have anything to worry about (they do)
[22:07] <bress> Thanks sarnold and mdeslaur, I can't argue with that
[22:09] <bress> Now, that said :)  It's common for people to run ass old versions of everything. Having some sort of note on your CVE tracker to differentiate between the esm and non esm distros would be useful for situations like this
[22:10] <bress> I'm going to explain all this, and I 100% guarantee the response will be "bUt ThE TrAcKeR SaYz n0t VuLnErAbLe!!!!"
[22:11] <oerheks> why would one run ancient xenial?
[22:11] <bress> Lots of orgs run super old stuff. It's just how it is
[22:12] <oerheks> no, i dnt believe so, but again 
[22:12] <oerheks>  for ESM line #35 esm-infra/xenial_glibc: not-affected (code not present
[22:13] <bress> Yeah, in the git repo, but not on the fancy website https://ubuntu.com/security/CVE-2023-4911
[22:13] -ubottu:#ubuntu-security- A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911>
[22:13] <bress> That bot is great :)
[22:13] <oerheks> the website does not mention ESM
[22:14] <oerheks> git does
[22:14] <bress> I know, but it does say Not effected when it should say Ignored. I assume it's using the esm status
[22:14] <sarnold> bress: aye, it does feel like this is something we could or should document better, it feels like we have a version of this conversation every two weeks or so ;)
[22:14] <bress> sarnold: I feel your pain my friend
[22:15] <sarnold> bress: <3