-
MattJ
Maranda[x]: good morning! Is the Matrix bridge up? (Is there a status page or something for it?)
-
nicoco
MattJ: I can't speak for Maranda, but it does not work for me today
-
MattJ
Okay, thanks for confirming!
-
MattJ
A casual reminder to all server operators that there is a critical OpenSSL security release scheduled to be announced later today. I'm not one for drama and speculation, but it would be diligent for anyone in charge of a server to look out for the announcement and upgrade in a timely manner if the issue affects them.
-
MattJ
My first step is identifying exactly which servers I'm in charge of 😅
-
Trung
hahahahahahaha
-
Zash
I would note that Debian stable is not affected.
-
MattJ
Yeah, unfortunately I've still set up at least one Ubuntu machine this year, despite my general Debian-only policy these days
-
Zash
Fate rewards you
-
Trung
ah thank you Zash. I was gonna miss my football match.
-
Zash
That's an odd spelling of 'rocket launch'
-
MattJ
Yeah, Ubuntu and Arch users can upgrade OpenSSL, Debian users can sit back and watch rockets :)
-
nuegia.net
MattJ, what happened?
-
MattJ
nuegia.net, to what?
-
nuegia.net
openssl
-
Zash
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html ?
-
Zash
nuegia.net, ↑
-
Zash
General PSA: https://www.openwall.com/lists/oss-security/ is a good mailing list to be subscribed to
-
nuegia.net
so they're just stirring up a bunch of shit without letting us know of the actual details so we can start mitigating?
-
Zash
no, they're giving advance notice so people can adjust their busy schedules accordingly
-
nuegia.net
I'm really upset with the way this is being handled
-
Zash
security releases generally don't include details before the fix, as that gives attackers hints on how to develop exploits
-
MattJ
and with a large widely used component such as OpenSSL, it would be poor handling to just drop critical security releases unexpectedly
-
Zash
and since openssl is *everywhere*, you wanna be able to plan downtime for your services
-
nuegia.net
Hey attackers, come looky here we got a CRITICAL security vulnerability but we won't tell any details to server operators so they can start fixing things
-
kuba_
is this new ossl rce affecting libressl?
-
nuegia.net
kuba_, I don't think so
-
MattJ
kuba_, nobody knows it's RCE, and I've seen no announcement from libressl
-
kuba_
nuegia.net, MattJ: thx
-
Zash
kuba_, https://www.openwall.com/lists/oss-security/2022/10/29/2
-
nuegia.net
How do they know?
-
nuegia.net
they seem very sure
-
Zash
presumably they share the details with a select few so they can check and prepare patches etc
-
Zash
it's common to notify distros and provide patches so they can prepare updates so they're all ready at the same time as the announcement
-
nuegia.net
so big tech companies get protected while we get the leftover scraps
-
Zash
if you consider linux distros big tech companies, I guess?
-
MattJ
nuegia.net, a good overview is written up here: https://producingoss.com/en/publicity.html#security-prenotification
-
Zash
in the case of libressl, they're probably not affected because they forked long before OpenSSL 3.0
-
nuegia.net
question, does this bug only affect openssl 3.0+?
-
Link Mauve
“10:16:15 MattJ> Yeah, Ubuntu and Arch users can upgrade OpenSSL, Debian users can sit back and watch rockets :)”, ArchLinux still ships OpenSSL 1.1.1 and 1.0.2 fyi.
-
Link Mauve
It isn’t affected by the upcoming vulnerability.
-
MattJ
Link Mauve, oh, why??
-
Link Mauve
I don’t know.
-
nuegia.net
devuan is using 1.1.1n
-
nuegia.net
which is based on debian 10
-
nuegia.net
not 3
-
Link Mauve
nuegia.net, err, upgrade, the latest is 1.1.1.q.
-
nuegia.net
Link Mauve, what do you mean sit back and watch rockets?
-
Link Mauve
nuegia.net, I haven’t said that.
-
nuegia.net
MattJ, i mean
-
Zash
Or you could test your panic upgrade plans by upgrading to the also announced 1.1.1s (just a regular bugfix release)
-
MattJ
nuegia.net, https://en.wikipedia.org/wiki/List_of_Falcon_9_and_Falcon_Heavy_launches#2022_2
-
kuba_
Zash: thx
-
nuegia.net
MattJ, I don't understand your idom
-
nuegia.net
idiom
-
nuegia.net
some kind of regional slang?
-
nuegia.net
or metaphor
-
MattJ
No, there is a rocket launch scheduled today shortly after the OpenSSL announcement
-
nuegia.net
what does that have to do with debian users?
-
MattJ
Debian users won't be busy upgrading their servers
-
nuegia.net
because it doesn't affect them or because they're not part of the systems considered 'big' enough to be notified about the nature of the security issue?
-
MattJ
It only affects OpenSSL 3.x, and Debian and some other distros don't ship 3.x yet (in stable, at least)
-
nuegia.net
ok
-
nuegia.net
> My first step is identifying exactly which servers I'm in charge of 😅
MattJ, running snmpd on your servers with a contact is great practice
-
Trung
> General PSA: https://www.openwall.com/lists/oss-security/ is a good mailing list to be subscribed to
Just did. Thanks.
-
nuegia.net
I thought openwall was a router os
-
Trung
is the rocket launch live on internet somewhere? i might do that before footy
-
nuegia.net
Does anybody else run xmpp servers on freebsd?
-
MattJ
Trung, https://spaceflightnow.com/2022/11/01/falcon-heavy-ussf-44-mission-status-center/
-
Trung
nice ! thank you 😁
-
MattJ
There is xmpp:space@conference.conversations.im?join for further discussion of this topic :)
-
nuegia.net
SPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACE
-
mjk
yes
-
moparisthebest
it's not great https://sintonen.fi/temp/openssl-3.0.7-changelog.txt
-
moparisthebest
full changelog here but the above is the bad bit https://www.openssl.org/source/openssl-3.0.7.tar.gz
-
Zash
Finally?
-
Zash
Just as I got home.
-
mjk
so... it's email's fault
-
moparisthebest
Well it's certainly C's fault
-
mjk
orrr you could look at it this way: if it weren't for C, this same code could've been written in an assembly language!!! 😱️
-
moparisthebest
but today we should all be using rustls :D
-
mjk
yet here we are, discussing which major versions of openssl are shipped where and why
-
mjk
😮💨️