nemo | Wonka: hm. I guess the downside to blocking all HTTP is by default Devuan uses HTTP for packages ☺ | 15:49 |
nemo | Wonka: so I have to remember to disable it to run updates | 15:49 |
nemo | not a huge problem ofc | 15:49 |
nemo | little wrapper script | 15:49 |
Wonka | uid based? | 15:50 |
nemo | another good idea! | 15:51 |
onefang | apt-transport-https, and some of our mirrors use HTTPS. | 15:51 |
nemo | true. why would I ever run a browser as root | 15:51 |
onefang | https://pkgmaster.devuan.org/mirror_list.txt will help you pick a HTTPS mirror. | 15:52 |
nemo | onefang: ah. that is helpful anyway. due to stoooopid work filter that occasionally randomly blocks packages as malicious | 15:52 |
nemo | hm... DNAT to 255.255.255.255 still hangs I guess 'cause the client doesn't know it's invalid. REJECT rule has noticeable lag | 16:02 |
nemo | oh well. REJECT it is | 16:02 |
nemo | iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT | 16:02 |
nemo | iptables -A OUTPUT -p tcp --dport 80 -j REJECT | 16:03 |
nemo | huh. weird | 16:04 |
nemo | apt-get update drops root privs? | 16:05 |
nemo | getting network unreachable | 16:05 |
nemo | even though a wget as root works | 16:05 |
nemo | ah. indeed it does. let's see what the user is | 16:07 |
Leander | nemo: to avoid the "starbucks scenario" I always connect to my home VPN (I have a static IP address), it makes firewall rules much simpler to deal with | 17:13 |
nemo | Leander: hm. that's a good point | 18:37 |
nemo | Leander: I should perhaps relay everything | 18:38 |
nemo | Leander: I'm not a huge fan adding extra lag, but I'm also not a huge fan of exploits | 18:38 |
nemo | *of adding | 18:38 |
nemo | ofc HTTP also requires trusting the hops in between, but at least there the attacker is maybe a bit less likely... | 18:38 |
nemo | hm. after reboot and upgrade my devuan ascii intel work laptop is still vulnerable to 6 CVEs | 20:31 |
nemo | 5 from 2018 | 20:32 |
nemo | and the most recent one | 20:32 |
onefang | That most recent fix from Intel didn't fix everything, AND it's still fixing things from May. | 20:34 |
nemo | onefang: but stuff from 2018? | 20:40 |
nemo | CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO | 20:41 |
mason | nemo: Do you have microcode installed? Some things can't be fixed without it. | 20:42 |
mason | nemo: https://github.com/speed47/spectre-meltdown-checker is useful | 20:42 |
james1138 | https://packages.debian.org/search?keywords=intel-microcode | 20:53 |
nemo | mason: the checker was what I was running | 20:53 |
nemo | mason: I kinda assumed that patches would be pushed with the standard kernel updates | 20:54 |
nemo | but ok. checking now | 20:54 |
mason | Nah, it's the intel-microcode package. | 20:54 |
nemo | so... most debian users are insecure by default? that's worrying | 20:55 |
mason | Debian doesn't tend to ship nonfree software by default. | 20:55 |
furrywolf | most debian users are single-user systems, and thus not realistically affected by any of the cpu-level vulnerabilities. | 21:07 |
cehteh | huh | 21:11 |
cehteh | most debian systems are prolly servers in the internet | 21:11 |
furrywolf | I'd figure most are desktops... and even for servers, most have only a single administrator, or otherwise have all users on the system expected to be non-evil. | 21:14 |
furrywolf | most of those cpu bugs really only apply to systems where untrusted users can execute arbitrary code. | 21:14 |
mason | furrywolf: I strongly suspect desktops are in the minority. | 21:21 |
mason | furrywolf: And web services offer an opportunity for outsiders to get code executed, either by design or through flaws. | 21:22 |
mason | furrywolf: The big bash vulnerability wasn't all that long ago. | 21:22 |
cehteh | a webserver with PHP is an untrusted user | 21:25 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!