* amurray wishes that merges.ubuntu.com would email whoever TIL instead of hoping they remember to run grep-merges | 01:07 |
sarnold | yeah, at least it doesn't fit into our workflow very well as it is, since we own so few packages we rarely think of it .. and you already worked on it once to try to get it all sorted out :) | 01:23 |
sarnold | amurray: I took a very quick look at https://patches.ubuntu.com/libs/libselinux/libselinux_3.7-3ubuntu2.patch and https://launchpad.net/debian/+source/libselinux/+changelog to try to guess if we ought to push this forward or roll back a release, and couldn't come to an answer quickly | 01:30 |
sarnold | amurray: vorlon's t64 changes feel likely to still be necessary in our packages, so sticking on the older release feels like the 'easier' answer to me .. we're not so invested in selinux that an interim release needs to be the latest and greatest imho | 01:32 |
teward | leosilva1: mdeslaur: sarnold: who's a good Kernel security contact to look at this? https://askubuntu.com/questions/1542374/inquiry-on-fix-schedule-for-cve-2024-56658-cve-2024-57798-and-cve-2024-56672-i | 19:39 |
-ubottu:#ubuntu-security- In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are cal... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56658> | 19:39 |
-ubottu:#ubuntu-security- In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting dr... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57798> | 19:39 |
-ubottu:#ubuntu-security- In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To walk up, it uses blkcg_parent(blkcg) but it was calling that after blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the following UAF: ==========================... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56672> | 19:39 |
teward | someone's trying to reach y'all about timelines on this via Ask Ubuntu, I told them that's not how to reach Security | 19:40 |
mdeslaur | probably nobody that can answer those questions | 19:41 |
teward | mdeslaur: yeah that was my assessment | 19:42 |
teward | but people're whiny and it seems like a business person/contact trying to figure out "When will this be patched!" complaining | 19:42 |
teward | so *shrugs* | 19:42 |
teward | mdeslaur: was there a USN planned for the nginx patches I submitted (which were uploaded)? | 19:42 |
teward | or did I miss the USN going out | 19:43 |
mdeslaur | this? https://ubuntu.com/security/notices/USN-7285-1 | 19:44 |
teward | yep I missed it going out. I see there's two issues / patchsets in the same USN, but I see it addressed the rtmp module patches are referenced in there too | 19:46 |
teward | good | 19:46 |
teward | *sips coffee* | 19:46 |