XMPP Service Operators - 2022-11-01

Maranda[x]: good morning! Is the Matrix bridge up? (Is there a status page or something for it?)

MattJ: I can't speak for Maranda, but it does not work for me today

Okay, thanks for confirming!

A casual reminder to all server operators that there is a critical OpenSSL security release scheduled to be announced later today. I'm not one for drama and speculation, but it would be diligent for anyone in charge of a server to look out for the announcement and upgrade in a timely manner if the issue affects them.

My first step is identifying exactly which servers I'm in charge of 😅

hahahahahahaha

I would note that Debian stable is not affected.

Yeah, unfortunately I've still set up at least one Ubuntu machine this year, despite my general Debian-only policy these days

Fate rewards you

ah thank you Zash. I was gonna miss my football match.

That's an odd spelling of 'rocket launch'

Yeah, Ubuntu and Arch users can upgrade OpenSSL, Debian users can sit back and watch rockets :)

MattJ, what happened?

nuegia.net, to what?

openssl

https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html ?

nuegia.net, ↑

General PSA: https://www.openwall.com/lists/oss-security/ is a good mailing list to be subscribed to

so their just stiring up a bunch of shit without letting us know of the actual details so we can start metigating?

no, they're giving advanced notice so people can adjust their busy schedules accordingly

I'm really upset with the way this is being handled

security releases generally don't include details before the fix, as that gives attackers hints on how to develop exploits

and with a large widely used component such as OpenSSL, it would be poor handling to just drop critical security releases unexpectedly

and since openssl is *everywhere*, you wanna be able to plan downtime for your services

Hey attackers, come looky here we got a CRITICAL security vulnerability but we won't tell any details to server operators so they can start fixing things

is this new ossl rce affecting libressl?

kuba_, I don't think so

kuba_, nobody knows it's RCE, and I've seen no announcement from libressl

nuegia.net, MattJ: thx

kuba_, https://www.openwall.com/lists/oss-security/2022/10/29/2

How do they know?

they seem very sure

presumably they share the details with a select few so they can check and prepare patches etc

it's common to notify distros and provide patches so they can prepare updates so they're all ready at the same time as the announcement

so big tech companies get protected while we get the leftover scraps

if you consider linux distros big tech companies, I guess?

nuegia.net, a good overview is written up here: https://producingoss.com/en/publicity.html#security-prenotification

in the case of libressl, they're probably not affected because they forked long before OpenSSL 3.0

question, does this bug only effect openssl 3.0+?

“10:16:15 MattJ> Yeah, Ubuntu and Arch users can upgrade OpenSSL, Debian users can sit back and watch rockets :)”, ArchLinux still ships OpenSSL 1.1.1 and 1.0.2 fyi.

It isn’t affected by the upcoming vulnerability.

Link Mauve, oh, why??

I don’t know.

devuan is using 1.1.1n

which is based on debian 10

not 3

nuegia.net, err, upgrade, the latest is 1.1.1.q.

Link Mauve, what do you mean sit back and watch rockets?

nuegia.net, I haven’t said that.

MattJ, i mean

Or you could test your panic upgrade plans by upgrading to the also announced 1.1.1s (just a regular bugfix release)

nuegia.net, https://en.wikipedia.org/wiki/List_of_Falcon_9_and_Falcon_Heavy_launches#2022_2

Zash: thx

MattJ, I don't understand your idom

idiom

some kind of regional slang?

or methaphor

No, there is a rocket launch scheduled today shortly after the OpenSSL announcement

what does that have to do with debian users?

Debian users won't be busy upgrading their servers

because it doesn't effect them or because their not part of the systems considered 'big' enough to be notified about the nature of the security issue?

It only affects OpenSSL 3.x, and Debian and some other distros don't ship 3.x yet (in stable, at least)

ok

> My first step is identifying exactly which servers I'm in charge of 😅 MattJ, running snmpd on your servers with a contact is great practice

> General PSA: https://www.openwall.com/lists/oss-security/ is a good mailing list to be subscribed to Just did. Thanks.

I thought openwall was a router os

is the rocket launch live on internet somewhere? i might do that before footy

Does anybody else run xmpp servers on freebsd?

Trung, https://spaceflightnow.com/2022/11/01/falcon-heavy-ussf-44-mission-status-center/

nice ! thank you 😁

There is xmpp:space@conference.conversations.im?join for further discussion of this topic :)

SPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACE

yes

it's not great https://sintonen.fi/temp/openssl-3.0.7-changelog.txt

full changelog here but the above is the bad bit https://www.openssl.org/source/openssl-3.0.7.tar.gz

Äntligen?

Just as I got home.

so... it's email's fault

Well it's certainly C's fault

orrr you could look at it this way: if it weren't for C, this same code could've been written in an assembly language!!! 😱️

but today we should all be using rustls :D

yet here we are, discussing which major versions of openssl are shipped where and why

😮‍💨️