XMPP Service Operators - 2022-11-01

  1. MattJ

    Maranda[x]: good morning! Is the Matrix bridge up? (Is there a status page or something for it?)

  2. nicoco

    MattJ: I can't speak for Maranda, but it does not work for me today

  3. MattJ

    Okay, thanks for confirming!

  4. MattJ

    A casual reminder to all server operators that there is a critical OpenSSL security release scheduled to be announced later today. I'm not one for drama and speculation, but it would be diligent for anyone in charge of a server to look out for the announcement and upgrade in a timely manner if the issue affects them.

  5. MattJ

    My first step is identifying exactly which servers I'm in charge of 😅

  6. Trung


  7. Zash

    I would note that Debian stable is not affected.

  8. MattJ

    Yeah, unfortunately I've still set up at least one Ubuntu machine this year, despite my general Debian-only policy these days

  9. Zash

    Fate rewards you

  10. Trung

    ah thank you Zash. I was gonna miss my football match.

  11. Zash

    That's an odd spelling of 'rocket launch'

  12. MattJ

    Yeah, Ubuntu and Arch users can upgrade OpenSSL, Debian users can sit back and watch rockets :)

  13. nuegia.net

    MattJ, what happened?

  14. MattJ

    nuegia.net, to what?

  15. nuegia.net


  16. Zash

    https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html ?

  17. Zash

    nuegia.net, ↑

  18. Zash

    General PSA: https://www.openwall.com/lists/oss-security/ is a good mailing list to be subscribed to

  19. nuegia.net

so they're just stirring up a bunch of shit without letting us know of the actual details so we can start mitigating?

  20. Zash

no, they're giving advance notice so people can adjust their busy schedules accordingly

  21. nuegia.net

    I'm really upset with the way this is being handled

  22. Zash

    security releases generally don't include details before the fix, as that gives attackers hints on how to develop exploits

  23. MattJ

    and with a large widely used component such as OpenSSL, it would be poor handling to just drop critical security releases unexpectedly

  24. Zash

    and since openssl is *everywhere*, you wanna be able to plan downtime for your services

  25. nuegia.net

    Hey attackers, come looky here we got a CRITICAL security vulnerability but we won't tell any details to server operators so they can start fixing things

  26. kuba_

    is this new ossl rce affecting libressl?

  27. nuegia.net

    kuba_, I don't think so

  28. MattJ

    kuba_, nobody knows it's RCE, and I've seen no announcement from libressl

  29. kuba_

    nuegia.net, MattJ: thx

  30. Zash

    kuba_, https://www.openwall.com/lists/oss-security/2022/10/29/2

  31. nuegia.net

    How do they know?

  32. nuegia.net

    they seem very sure

  33. Zash

    presumably they share the details with a select few so they can check and prepare patches etc

  34. Zash

    it's common to notify distros and provide patches so they can prepare updates so they're all ready at the same time as the announcement

  35. nuegia.net

    so big tech companies get protected while we get the leftover scraps

  36. Zash

    if you consider linux distros big tech companies, I guess?

  37. MattJ

    nuegia.net, a good overview is written up here: https://producingoss.com/en/publicity.html#security-prenotification

  38. Zash

    in the case of libressl, they're probably not affected because they forked long before OpenSSL 3.0

  39. nuegia.net

question, does this bug only affect openssl 3.0+?

  40. Link Mauve

    “10:16:15 MattJ> Yeah, Ubuntu and Arch users can upgrade OpenSSL, Debian users can sit back and watch rockets :)”, ArchLinux still ships OpenSSL 1.1.1 and 1.0.2 fyi.

  41. Link Mauve

    It isn’t affected by the upcoming vulnerability.

  42. MattJ

    Link Mauve, oh, why??

  43. Link Mauve

    I don’t know.

  44. nuegia.net

    devuan is using 1.1.1n

  45. nuegia.net

    which is based on debian 10

  46. nuegia.net

    not 3

  47. Link Mauve

nuegia.net, err, upgrade, the latest is 1.1.1q.

  48. nuegia.net

    Link Mauve, what do you mean sit back and watch rockets?

  49. Link Mauve

    nuegia.net, I haven’t said that.

  50. nuegia.net

    MattJ, i mean

  51. Zash

    Or you could test your panic upgrade plans by upgrading to the also announced 1.1.1s (just a regular bugfix release)

  52. MattJ

    nuegia.net, https://en.wikipedia.org/wiki/List_of_Falcon_9_and_Falcon_Heavy_launches#2022_2

  53. kuba_

    Zash: thx

  54. nuegia.net

MattJ, I don't understand your idiom

  55. nuegia.net


  56. nuegia.net

    some kind of regional slang?

  57. nuegia.net

or metaphor

  58. MattJ

    No, there is a rocket launch scheduled today shortly after the OpenSSL announcement

  59. nuegia.net

    what does that have to do with debian users?

  60. MattJ

    Debian users won't be busy upgrading their servers

  61. nuegia.net

because it doesn't affect them or because they're not part of the systems considered 'big' enough to be notified about the nature of the security issue?

  62. MattJ

    It only affects OpenSSL 3.x, and Debian and some other distros don't ship 3.x yet (in stable, at least)

  63. nuegia.net


  64. nuegia.net

> My first step is identifying exactly which servers I'm in charge of 😅

    MattJ, running snmpd on your servers with a contact is great practice

  65. Trung

> General PSA: https://www.openwall.com/lists/oss-security/ is a good mailing list to be subscribed to

    Just did. Thanks.

  66. nuegia.net

    I thought openwall was a router os

  67. Trung

    is the rocket launch live on internet somewhere? i might do that before footy

  68. nuegia.net

    Does anybody else run xmpp servers on freebsd?

  69. MattJ

    Trung, https://spaceflightnow.com/2022/11/01/falcon-heavy-ussf-44-mission-status-center/

  70. Trung

    nice ! thank you 😁

  71. MattJ

    There is xmpp:space@conference.conversations.im?join for further discussion of this topic :)

  72. nuegia.net


  73. mjk


  74. moparisthebest

    it's not great https://sintonen.fi/temp/openssl-3.0.7-changelog.txt

  75. moparisthebest

    full changelog here but the above is the bad bit https://www.openssl.org/source/openssl-3.0.7.tar.gz

  76. Zash


  77. Zash

    Just as I got home.

  78. mjk

    so... it's email's fault

  79. moparisthebest

    Well it's certainly C's fault

  80. mjk

    orrr you could look at it this way: if it weren't for C, this same code could've been written in an assembly language!!! 😱️

  81. moparisthebest

    but today we should all be using rustls :D

  82. mjk

    yet here we are, discussing which major versions of openssl are shipped where and why

  83. mjk