---------------------------------------
-- Devuan meet 2024-05-09 @20:30 UTC --
---------------------------------------
Present: golinux, fsmithred, Hendrik, plasma41, bandali
Regrets:
Old Business
============
plasma41
~~~~~~~~
- bgstack15 and I were able to come up with a fix for this systemctl-
service-shim bug[1] which has now been released as part of version
0.0.7. This had the nice side benefit of being able to remove some
rather gnarly workaround code that had been mitigating part of the
issue before.
Old Actions
===========
New Business
============
hendrik
~~~~~~~
Maximum-severity GitLab flaw allowing account hijacking under active
exploitation[2] I hope we have an updated gitlab. Gitlab says[3]:
An issue has been discovered in GitLab CE/EE affecting all versions
from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7,
16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and
16.7 prior to 16.7.2 in which user account password reset emails could
be delivered to an unverified email address. This is a Critical
severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, 10.0). It
is now mitigated in the latest release and is assigned CVE-2023-7028.
- (plasma41) Thankfully, we migrated from GitLab to Gitea quite some
time ago. We may at some point want to consider if it would be worth it
to migrate to the Forgejo fork as that seems to me to have more
community involvement these days. Ref: [4]
- (gl) I created my account on Jun 04, 2020. That would be very close
to the transition date from github.
LeePen
~~~~~~
Jenkins
-------
- Installed new graphical pipeline visualisation plugin.
- Update installed plugins
- Updated buildscript to support limiting a particular build
to multiple architectures.
Packaging
---------
- ceres
+ debootstrap (fix autopkgtests)
+ pcsc-lite (✕2)
+ base-files
- daedalus-proposed-updates:
+ policykit-1 (with backported upstream fix for longstanding.
(GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session
for cookie [5] issue.)
New Actions
===========
[1]
https://bugs.devuan.org/723
[2]
https://arstechnica.com/security/2024/05/0-click-gitlab-hijacking-flaw-under-active-exploit-with-thousands-still-unpatched/
[3]
https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
[4]
https://lwn.net/Articles/963095/
[5]
https://gitlab.freedesktop.org/polkit/polkit/-/issues/17
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⣾⣿⣿⡀⠀⠀⠀⠀⢠⣶⣶⡄⠀⠀⠀
⠀⠀⠀⠀⠀⣀⣀⠀⢹⣿⣿⡇⠀⠀⠀⠀⣾⣿⣿⠃⠀⠀⠀
⠀⠀⠀⠀⢸⣿⣿⣇⠈⣿⣿⣧⠀⠀⠀⢠⣿⣿⡏⠀⣰⣶⡄
⠀⠀⠀⠀⠘⣿⣿⣿⠀⢹⣿⣿⡀⠀⠀⣾⣿⣿⠃⢰⣿⣿⡇
⠀⠀⠀⠀⠀⢹⣿⣿⡆⠘⣿⣿⡇⠀⢠⣿⣿⡏⠀⣾⣿⣿⠁
⠀⠀⠀⠀⠀⠈⣿⣿⣿⠀⢹⣿⣧⣀⣾⣿⣿⣇⣸⣿⣿⣿⠀
⠀⠀⠀⠀⠀⠀⢻⣿⣿⣷⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀
⣴⣿⣿⣷⣤⡀⠈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀
⠻⣿⣿⣿⣿⣿⣷⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠀⠀
⠀⠈⠙⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀
⠀⠀⠀⠀⠙⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡟⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠉⠛⠿⠿⠿⠿⠿⠿⠿⠿⠿⠟⠋⠀⠀⠀⠀