Re: apache2 update for semi-critical "optionsbleed" bug

2017-09-20 Thread Marc Deslauriers
On 2017-09-19 10:30 AM, Glen Willmot wrote:
> Good morning,
> 
> Just curious on when we'll see an update on the apache2 release to version
> 2.4.28 to patch against the "Optionsbleed" bug detailed by CVE-2017-9798.
> 
> More info on the severity of this bug can be seen at:
> https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
> 
> Thank you,
> Glen
> 
> 

https://usn.ubuntu.com/usn/usn-3425-1/

Marc.


-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: Looking for Contact for OpenSSL on Trusty to be updated

2017-09-20 Thread Thomas Ward
Based solely on the CVE information, I'd surmise we aren't affected by
CVE-2017-3733, because we don't have any OpenSSL 1.1.0 in the
repositories - anywhere.  The original Apache announcement also
indicated that 1.0.2 is not affected, and the Security Team made a note
that only OpenSSL 1.1.x is affected.

Since that's what's there, I'm pretty sure there's no need to worry
about this CVE with regards to any current Ubuntu releases.


Thomas


On 09/20/2017 06:38 PM, Robie Basak wrote:
> On Tue, Sep 19, 2017 at 03:31:22AM +, Eric Yuen wrote:
>> I am looking for a contact to reach out in regards 
>> https://packages.ubuntu.com/trusty/openssl on Trusty and having an update to 
>> the OpenSSL package updated with CVE-2017-3733
> The CVE database reports that Trusty is not affected by CVE-2017-3733:
> https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-3733.html
>
> If this is incorrect, please contact the security team:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>
> Hope that helps,
>
> Robie
>
>



Re: Looking for Contact for OpenSSL on Trusty to be updated

2017-09-20 Thread Robie Basak
On Tue, Sep 19, 2017 at 03:31:22AM +, Eric Yuen wrote:
> I am looking for a contact to reach out in regards 
> https://packages.ubuntu.com/trusty/openssl on Trusty and having an update to 
> the OpenSSL package updated with CVE-2017-3733

The CVE database reports that Trusty is not affected by CVE-2017-3733:
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-3733.html

If this is incorrect, please contact the security team:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

Hope that helps,

Robie




Re: apache2 update for semi-critical "optionsbleed" bug

2017-09-20 Thread Robie Basak
On Tue, Sep 19, 2017 at 10:30:20AM -0400, Glen Willmot wrote:
> Just curious on when we'll see an update on the apache2 release to
> version 2.4.28 to patch against the "Optionsbleed" bug detailed by
> CVE-2017-9798.

Already done, but by backporting the fix (as usual for Linux
distributions) rather than updating to 2.4.28.

See:

https://usn.ubuntu.com/usn/usn-3425-1/
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9798.html
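
Because the fix was backported, the upstream version number says nothing about whether a host is patched; the package changelog does. The sketch below is an added example, not part of the original message: it parses a Debian-format changelog (as shipped in `/usr/share/doc/<package>/changelog.Debian.gz`) and reports which package revision first recorded a given CVE. The package name, versions and the second CVE ID in the sample are constructed placeholders.

```python
import re

# Entry header in a Debian/Ubuntu changelog: "pkg (version) suite; urgency=..."
HEADER = re.compile(r"^[a-z0-9][a-z0-9+.-]* \((?P<ver>[^)]+)\) [^;]+;")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample, newest entry first as in a real changelog. The package
# name and all versions are placeholders, not real apache2 versions.
SAMPLE_CHANGELOG = """\
examplehttpd (2.4.0-1ubuntu1.3) stable-security; urgency=medium

  * SECURITY UPDATE: unrelated later fix
    - debian/patches/CVE-0000-0000.patch: tighten header parsing.
    - CVE-0000-0000

 -- Example Maintainer <m@example.invalid>  Tue, 03 Jan 2017 00:00:00 +0000

examplehttpd (2.4.0-1ubuntu1.2) stable-security; urgency=medium

  * SECURITY UPDATE: memory disclosure via OPTIONS request
    - debian/patches/CVE-2017-9798.patch: backported upstream fix.
    - CVE-2017-9798

 -- Example Maintainer <m@example.invalid>  Mon, 02 Jan 2017 00:00:00 +0000

examplehttpd (2.4.0-1) stable; urgency=low

  * New upstream release.

 -- Example Maintainer <m@example.invalid>  Sun, 01 Jan 2017 00:00:00 +0000
"""

def parse_entries(text):
    """Return [(version, {cve ids})] in file order (newest first)."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append((m.group("ver"), set()))
        elif entries:
            entries[-1][1].update(CVE_ID.findall(line))
    return entries

def backport_status(text, cve):
    """Return (installed_version, revision_that_recorded_the_fix_or_None)."""
    entries = parse_entries(text)
    if not entries:
        raise ValueError("no changelog entries found")
    installed = entries[0][0]  # top entry is the installed revision
    fixed = [ver for ver, cves in entries if cve in cves]
    return installed, (fixed[-1] if fixed else None)  # oldest mention

if __name__ == "__main__":
    print(backport_status(SAMPLE_CHANGELOG, "CVE-2017-9798"))
```

A `None` result only means the changelog does not mention the CVE; the distribution's CVE tracker remains the authority on whether a release was affected at all.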




Looking for Contact for OpenSSL on Trusty to be updated

2017-09-20 Thread Eric Yuen
Hi folks,

I am looking for a contact to reach out in regards 
https://packages.ubuntu.com/trusty/openssl on Trusty and having an update to 
the OpenSSL package updated with CVE-2017-3733

Please kindly forward a contact, appreciate it.


I reached this contact via
Maintainer: Ubuntu Developers (Mail Archive)


Thank you,
Eric.




apache2 update for semi-critical "optionsbleed" bug

2017-09-20 Thread Glen Willmot
Good morning,

Just curious on when we'll see an update on the apache2 release to version
2.4.28 to patch against the "Optionsbleed" bug detailed by CVE-2017-9798.

More info on the severity of this bug can be seen at:
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Thank you,
Glen


Re: systemd and openvpn

2017-09-20 Thread Xen

Robie Basak wrote on 18-09-2017 0:40:

> On Mon, Sep 18, 2017 at 12:32:26AM +0200, Göran Hasse wrote:
>
>> They must have "forgot it".
>
> In that case, in the first instance upstream should be contacted
> directly with this report. Then the problem can be fixed for everyone
> without risking confusion to Ubuntu users by having OpenVPN behave
> differently on Ubuntu as compared to everywhere else.
>
> Are you able to do this, please?


On the other hand it is a distribution's responsibility that an integral 
component of that distribution functions as needed towards its end 
users, and you can't offload that responsibility to users; you can try, 
but it won't work, because users won't have the time/resources to do so.


Of course a distribution can often only amend default configuration 
scripts and files and not change any source code. But still.


Configuration should also be a distribution's task, IMO.



Re: systemd and openvpn

2017-09-20 Thread Xen

Göran Hasse wrote on 18-09-2017 0:32:

> They must have "forgot it".
>
> An openvpn client service has the same importance as the login
> program.
>
> So it should be restarted (with some backoff strategy maybe).
>
> A system service of this importance should *always* be restarted after
> a crash! We had to send out service personnel to all our client
> machines (about 20) just because of this. Costly!


Like I said, if this is to do with auth-retry nointeract, it would be 
wise to send a message to


openvpn-us...@lists.sourceforge.net

After subscribing I guess, and ask why the option is not default.
