| Time | Nick | Message |
|---|---|---|
| 02:18 | | crazylad joined #luanti-dev |
| 02:40 | | crazylad joined #luanti-dev |
| 03:47 | | AliasStillTaken joined #luanti-dev |
| 04:00 | | MTDiscord joined #luanti-dev |
| 06:42 | | madwifi_ joined #luanti-dev |
| 06:44 | | madwifi_ joined #luanti-dev |
| 09:12 | sfan5 | website updated |
| 09:27 | sfan5 | with the current situation I think we may have to recommend against distro packages with stronger language. debian (and by extension ubuntu) are stuck on 5.10, with no new version even in 'testing' <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127012>; gentoo never updated after the rename apparently |
| 12:38 | rubenwardy | should maybe mention that this vulnerability requires you to install a malicious mod and isn't like a RCE |
| 12:42 | rubenwardy | In announcements that is |
| 12:59 | sfan5 | how would you work that? |
| 12:59 | sfan5 | word* |
| 13:03 | sfan5 | "Note that the critical/high-level vulnerabilities exist in the mod API and there is no known risk of remote exploitation (client <-> server)" ? |
| 13:04 | sfan5 | if we get that sorted we should also tweet/toot about the release |
| 14:42 | | crazylad joined #luanti-dev |
| 14:42 | | crazylad joined #luanti-dev |
| 17:25 | sfan5 | yes? no? any input? |
| 18:01 | MTDiscord | <luatic> I would propose something along the lines of "Note that the attack vector is installing and enabling malicious mods locally. Joining servers is not affected." |
| 18:01 | Krock | The wording sounds good |
| 18:02 | sfan5 | one worry I wanted to prevent is server owners thinking their servers will be hacked |
| 18:05 | MTDiscord | <luatic> Hmm. "These vulnerabilities are not exploitable remotely (by clients joining malicious servers, or by malicious clients connecting to a server)."? |
| 18:09 | sfan5 | ...and to be pedantic I avoided referring to "these vulnerabilities" because we also have a fix for a remotely-triggerable crash in the release |
| 18:11 | MTDiscord | <luatic> i mean if you refer just to the critical ones, that excludes a simple crash? |
| 18:12 | MTDiscord | <luatic> (just to be clear, you're referring to the bounds check PR by sofar?) |
| 18:13 | sfan5 | yes |
| 18:14 | sfan5 | so the full wording you propose is more like "Note that the attack vector for the critical/high-level vulnerabilities is installing and enabling malicious mods locally. These vulnerabilities are not exploitable remotely (by clients joining malicious servers, or by malicious clients connecting to a server)." ? |
| 18:16 | MTDiscord | <luatic> Something like that, yes. What's important to me is that it's easy for non-technical end users to understand which actions are entirely unaffected. |
| 18:55 | | repetitivestrain joined #luanti-dev |
| 20:08 | [MatrxMT] | <Zughy> According to Windows 10, Luanti 5.15.2 contains malicious software (Trojan:Win32/Wacatac.H!ml) |
| 20:08 | [MatrxMT] | <Zughy> The installer |
| 20:09 | sfan5 | aren't heuristics great? |
| 20:09 | sfan5 | when I tested it yesterday windows didn't complain about it |
| 21:03 | pgimeno | fixing security problems makes microsoft think it's less secure than when it had those? oh, the irony |
| 21:17 | sfan5 | added clarification to changelog, gh release and forum post |
| 22:32 | | panwolfram joined #luanti-dev |
| 23:02 | | calculon joined #luanti-dev |
| 23:15 | | calculon joined #luanti-dev |