<ckauhaus> another vulnerability roundup is on the way...
<ckauhaus> quite a lot of stuff this time
<ckauhaus> cairo #55384
<{^_^}> (by ckauhaus, 16 minutes ago, open): Vulnerability roundup 61: cairo-1.16.0: 1 advisory
<ckauhaus> elfutils #55385
<{^_^}> (by ckauhaus, 15 minutes ago, open): Vulnerability roundup 61: elfutils-0.175: 3 advisories
<ckauhaus> flex #55386
<{^_^}> (by ckauhaus, 14 minutes ago, open): Vulnerability roundup 61: flex-2.6.4: 1 advisory
<ckauhaus> gnome-keyring #55387
<{^_^}> (by ckauhaus, 14 minutes ago, open): Vulnerability roundup 61: gnome-keyring-3.28.2: 1 advisory
<ckauhaus> jasper #55388
<{^_^}> (by ckauhaus, 13 minutes ago, open): Vulnerability roundup 61: jasper-2.0.14: 1 advisory
<ckauhaus> openjpeg #55389
<{^_^}> (by ckauhaus, 11 minutes ago, open): Vulnerability roundup 61: openjpeg-2.3.0: 1 advisory
<ckauhaus> openssl #55390
<{^_^}> (by ckauhaus, 9 minutes ago, open): Vulnerability roundup 61: openssl-1.0.2p: 1 advisory
<ckauhaus> polkit #55391
<{^_^}> (by ckauhaus, 8 minutes ago, open): Vulnerability roundup 61: polkit-0.115: 1 advisory
<ckauhaus> samba #55392
<{^_^}> (by ckauhaus, 8 minutes ago, open): Vulnerability roundup 61: samba-4.7.10: 4 advisories
<ckauhaus> uw-imap #55393
<{^_^}> (by ckauhaus, 2 minutes ago, open): Vulnerability roundup 61: uw-imap-2007f: 1 advisory
<ckauhaus> as always: please consider helping to fix the vulns
<Foxboron> ckauhaus: How do you keep track of new CVE ids and what tools do you use?
<ckauhaus> the scan itself is performed with vulnix
<ckauhaus> check out the tooling around at
<Foxboron> Does it just download the feed for CVE-$currentyear or do you also watch CVE reservation from 2018 as an example?
<Foxboron> reservations(
<ckauhaus> no, vulnix just uses the official feed
<ckauhaus> the reservations don't include useful metadata most of the time
<Foxboron> ack. Curious as we need to try to get some feed into the arch security tracker and there are a few teams that take different approaches
<gchristensen> I knew I recognized your nick from somewhere, Foxboron
<Foxboron> Oh :p
<Foxboron> gchristensen: from where?
<gchristensen> I went to the Arch security channel ~1yr ago asking similar questions
<Foxboron> ohh
<gchristensen> :D
<Foxboron> Well, I'm hanging out here as we are chatting with a few other sec teams to try to organize better collaboration
<Foxboron> as we think all security teams can benefit instead of doing duplicate work
<ckauhaus> gathering structured information about which pkgs are affected is perhaps the hardest part
<Foxboron> Yes, along with figuring out correct patches
<ckauhaus> would really appreciate some sort of unified feed
<Foxboron> Getting different teams under one roof and trying to create a forum to more easily share and discuss such things is what we want to try
<Foxboron> a unified feed, or at least API standardization would be great. But might be a bit early to discuss that
<Foxboron> There are also aspects to this such as getting embargoed security issues sorted.
<Foxboron> So yeah. I hope you are interested :) The Arch team is at least fully invested, and we have gotten positive reception from SUSE, RedHat and Alpine. Hopefully sending out an email in a few weeks
<ckauhaus> yes of course :-)
<Foxboron> cool :) I have noted your email at least ^^
<Foxboron> emails*
<ckauhaus> perhaps a meeting in person would be great to get things started... unfortunately FOSDEM is just over
<Foxboron> The Arch sec team is well represented at FOSDEM :)
<Foxboron> but I lost my phone at delirium, so physical security needs some work :p
<ckauhaus> heh
<gchristensen> totally agreed, Foxboron w.r.t. getting us together
<Foxboron> gchristensen: Awesome. Glad to hear :)
<gchristensen> the approach I see some distros taking (and I took for a bit) was "subscribe to every other distro's tracker"
<Foxboron> Ah, that's a bit of an information overload
<gchristensen> it was a nightmare
<Foxboron> I'd personally look at
<gchristensen> I made this horrible thing based on notmuch
<Foxboron> :p
<Foxboron> heh
<gchristensen> I wrote a ton of automation around but ...
<gchristensen> that was really nice and easy :P
<Foxboron> I actually used the subscription thingie and made a script looking up all CVEs we had not indexed in our tracker using the API
<Foxboron> but the workload just increased so it was a bit unwieldy
<Foxboron> My main issue with tracking the nvd is that I doubt you'll get all of it
<gchristensen> yeap
<Foxboron> product names won't match all the time, and I'm unsure how you'd handle that without some manual work
<gchristensen> ...yeap
<ekleog> It looks like there's a #oss-security channel, FWIW
<Foxboron> Yes, but oss-security has somewhat centered around the OSS projects themselves, and reporting issues.
<ekleog> “Founder : freenode-staff” <- I would hope freenode didn't let someone register this nick, so it should be legit, but the chan appears mostly empty… maybe now is a good time to revitalize it? :)
<Foxboron> but yes, it's the official channel for the oss-sec list
<Foxboron> the idea is not to replace oss-sec, but to supplement.
<Foxboron> oss-sec is more about reporting and creating the reports. But the discussion afterwards is equally important and not a focus
<gchristensen> hey
<gchristensen> I have a secretproject, I'd like a program to submit some data to a service of mine, where the data is signed by their public key
<gchristensen> but not _their_ public key, a service-purpose public key
<gchristensen> I'd like it to be 100% unattended -- the program would generate a public key automatically, and then sign and upload the data
<gchristensen> any suggestions on tools?
<ekleog> joepie has some interesting thoughts on similar topics (and you may want to invite them here)
<pie___> gchristensen, you mean...upload data and have it signed by the service public key?
<pie___> I'm confused xD
<LnL> not sure I understand the flow
<gchristensen> right.
<gchristensen> I have a service which is a data collector
<gchristensen> that is on a far away server
<gchristensen> on my local computer, I have a program which generates data to submit to the service, and I want my local computer to have a unique public/private key pair it uses to sign the data prior to publishing
<gchristensen> is that clearer?
<LnL> that's just public key signing, what's the rest about the service key?
<gchristensen> no service key ;)
<gchristensen> but looking for specific tools to do the signing
<gchristensen> is gpg the thing to use? is there an automation-friendly way to do gpg? it should not be the same as the user's key.
<gchristensen> the user shouldn't have anything to do with it
<LnL> I'd probably just use openssl
<gchristensen> oh! nice idea
<LnL> but you can also pass a passphrase to gpg if you prefer that
<gchristensen> that is symmetric, isn't it?
<gchristensen> openssl is probably perfect