freenode/#devuan/ Thursday, 2019-11-14

15:49 <nemo> Wonka: hm. I guess the downside to blocking all HTTP is by default Devuan uses HTTP for packages ☺
15:49 <nemo> Wonka: so I have to remember to disable it to run updates
15:49 <nemo> not a huge problem ofc
15:49 <nemo> little wrapper script
15:50 <Wonka> uid based?
15:51 <nemo> another good idea!
15:51 <onefang> apt-transport-https, and some of our mirrors use HTTPS.
15:51 <nemo> true. why would I ever run a browser as root
15:52 <onefang> will help you pick a HTTPS mirror.
15:52 <nemo> onefang: ah. that is helpful anyway. due to stoooopid work filter that occasionally randomly blocks packages as malicious
16:02 <nemo> hm... DNAT to still hangs I guess 'cause the client doesn't know it's invalid. REJECT rule has noticeable lag
16:02 <nemo> oh well. REJECT it is
16:02 <nemo> iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
16:03 <nemo> iptables -A OUTPUT -p tcp --dport 80 -j REJECT
16:04 <nemo> huh. weird
16:05 <nemo> apt-get update drops root privs?
16:05 <nemo> getting network unreachable
16:05 <nemo> even though a wget as root works
16:07 <nemo> ah. indeed it does. let's see what the user is
17:13 <Leander> nemo: to avoid the "starbucks scenario" I always connect to my home VPN (I have a static IP address), it makes firewall rules much simpler to deal with
18:37 <nemo> Leander: hm. that's a good point
18:38 <nemo> Leander: I should perhaps relay everything
18:38 <nemo> Leander: I'm not a huge fan adding extra lag, but I'm also not a huge fan of exploits
18:38 <nemo> *of adding
18:38 <nemo> ofc HTTP also requires trusting the hops in between, but at least there the attacker is maybe a bit less likely...
20:31 <nemo> hm. after reboot and upgrade my devuan ascii intel work laptop is still vulnerable to 6 CVEs
20:32 <nemo> 5 from 2018
20:32 <nemo> and the most recent one
20:34 <onefang> That most recent fix from Intel didn't fix everything, AND it's still fixing things from May.
20:40 <nemo> onefang: but stuff from 2018?
20:41 <nemo> CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO
20:42 <mason> nemo: Do you have microcode installed? Some things can't be fixed without it.
20:42 <mason> nemo: is useful
20:53 <nemo> mason: the checker was what I was running
20:54 <nemo> mason: I kinda assumed that patches would be pushed with the standard kernel updates
20:54 <nemo> but ok. checking now
20:54 <mason> Nah, it's the intel-microcode package.
20:55 <nemo> so... most debian users are insecure by default? that's worrying
20:55 <mason> Debian doesn't tend to ship nonfree software by default.
21:07 <furrywolf> most debian users are single-user systems, and thus not realistically affected by any of the cpu-level vulnerabilities.
21:11 <cehteh> most debian systems are prolly servers in the internet
21:14 <furrywolf> I'd figure most are desktops... and even for servers, most have only a single administrator, or otherwise have all users on the system expected to be non-evil.
21:14 <furrywolf> most of those cpu bugs really only apply to systems where untrusted users can execute arbitrary code.
21:21 <mason> furrywolf: I strongly suspect desktops are in the minority.
21:22 <mason> furrywolf: And web services offer an opportunity for outsiders to get code executed, either by design or through flaws.
21:22 <mason> furrywolf: The big bash vulnerability wasn't all that long ago.
21:25 <cehteh> a webserver with PHP is an untrusted user