Time Nick Message
09:12 sfan5 website updated
09:27 sfan5 with the current situation I think we may have to recommend against distro packages with stronger language. debian (and by extension ubuntu) are stuck on 5.10, with no new version even in 'testing' ; gentoo never updated after the rename apparently
12:38 rubenwardy should maybe mention that this vulnerability requires you to install a malicious mod and isn't like a RCE
12:42 rubenwardy In announcements that is
12:59 sfan5 how would you work that?
12:59 sfan5 word*
13:03 sfan5 "Note that the critical/high-level vulnerabilities exist in the mod API and there is no known risk of remote exploitation (client <-> server)" ?
13:04 sfan5 if we get that sorted we should also tweet/toot about the release
17:25 sfan5 yes? no? any input?
18:01 MTDiscord I would propose something along the lines of "Note that the attack vector is installing and enabling malicious mods locally. Joining servers is not affected."
18:01 Krock The wording sounds good
18:02 sfan5 one worry I wanted to prevent is server owners thinking their servers will be hacked
18:05 MTDiscord Hmm. "These vulnerabilities are not exploitable remotely (by clients joining malicious servers, or by malicious clients connecting to a server)."?
18:09 sfan5 ...and to be pedantic I avoided referring to "these vulnerabilities" because we also have a fix for a remotely-triggerable crash in the release
18:11 MTDiscord i mean if you refer just to the critical ones, that excludes a simple crash?
18:12 MTDiscord (just to be clear, you're referring to the bounds check PR by sofar?)
18:13 sfan5 yes
18:14 sfan5 so the full wording you propose is more like "Note that the attack vector for the critical/high-level vulnerabilities is installing and enabling malicious mods locally. These vulnerabilities are not exploitable remotely (by clients joining malicious servers, or by malicious clients connecting to a server)." ?
18:16 MTDiscord Something like that, yes. What's important to me is that it's easy for non-technical end users to understand which actions are entirely unaffected.
20:08 [MatrxMT] According to Windows 10, Luanti 5.15.2 contains malicious software (Trojan:Win32/Wacatac.H!ml)
20:08 [MatrxMT] The installer
20:09 sfan5 aren't heuristics great?
20:09 sfan5 when I tested it yesterday windows didn't complain about it
21:03 pgimeno fixing security problems makes microsoft think it's less secure than when it had those? oh, the irony
21:17 sfan5 added clarification to changelog, gh release and forum post