luna | is the podcast on hold, not been any episodes this year? | 08:03 |
---|---|---|
teward | mdeslaur: sbeattie: re: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1977718 i doubt CVEs have been issued because it's a third-party repo not part of main NGINX sources (so no CVE issuing authority directly auditing it) | 15:27 |
-ubottu:#ubuntu-security- | Launchpad bug 1977718 in nginx (Ubuntu) "buffer overflow in nginx rtmp module" [Undecided, Confirmed] | 15:27 |
mdeslaur | teward: if you want to fix it, we can sponsor debdiffs | 15:27 |
teward | mdeslaur: lemme do due diligence first - gotta make sure this is fixed in Debian ;) | 15:28 |
mdeslaur | the modules were removed in recent nginx packages so it's just focal and jammy afaik | 15:29 |
teward | mdeslaur: modules in Debian were moved to extra source packages | 15:29 |
teward | so still wanna make sure they're fixed in Debian | 15:29 |
teward | huge restructure of nginx packaging happened in Debian xD | 15:29 |
teward | but i'll get debdiffs | 15:30 |
teward | ... as soon as I figure out where the hell my laptop charger is | 15:30 |
mdeslaur | hehe cool | 15:31 |
teward | mdeslaur: since i'm not in front of my computer can you assign relevant series tasks to ta | 15:37 |
teward | that bug* | 15:37 |
teward | so, focal and jammy. | 15:37 |
mdeslaur | sure | 15:38 |
teward | mdeslaur: debdiffs attached. unfortunately since it's not quilt patches since it's inside debian/modules/... folder it looks a little weird but let me know if the debdiffs are sufficient or not | 18:49 |
teward | and feel free to have your way with them :0 | 18:49 |
teward | *goes to get another coffee* | 18:49 |
teward | also apologies i had to do some actual Work today xD | 18:49 |
teward | so i got pulled away for a bit | 18:49 |
teward | unrelated: i'm enjoying messing around with a new framework 16 laptop so yay :P | 18:51 |
mdeslaur | oh, that's cool | 18:52 |
mdeslaur | thanks for the debdiffs, I'll take a look next week | 18:52 |
teward | mdeslaur: since Ubuntu can assign CVE numbers, do you want to go and assign such CVEs to these two incidents, or do you just want to say "screw it" and patch without CVE numbers? | 18:53 |
teward | and ye no problem and no rush :) | 18:53 |
teward | s/Ubuntu can assign/Ubuntu Security team can assign/ | 18:53 |
mdeslaur | I don't think we can assign CVEs to public issues like that | 18:54 |
mdeslaur | sarnold: ^ | 18:54 |
teward | oh good i've officially gotten us to ping sarnold | 18:54 |
teward | sarnold: speaking of you, how goes that mailman3 MIR? :P | 18:55 |
teward | (me literally just dredging up reasons for sarnold to tell me to go to heck xD) | 18:55 |
teward | mdeslaur: ultimately, whether it has a CVE or not, it's inclusion-worthy for Security updates, so even without a CVE we can indicate these issues were identified and fixed upstream in any USN or such | 18:57 |
mdeslaur | we can release a usn with a bug number | 18:58 |
teward | check :D | 18:58 |