Time Nick Message
12:06 [MatrxMT] Merging #17187 in 15m
12:06 ShadowBot https://github.com/luanti-org/luanti/issues/17187 -- Do not send translation files without a language extension by y5nw
12:29 sfan5 apparently our PPA does not yet have 5.16.1? @luatic
18:50 sfan5 does anyone have any idea what we should do about debian+ubuntu not shipping a security fix after an entire month? shame them on twitter/mastodon? add a red banner on the downloads page?
18:51 sfan5 https://ubuntu.com/security/CVE-2026-41196 "Needs evaluation"
18:52 sfan5 https://security-tracker.debian.org/tracker/CVE-2026-40959 marked as "fixed" in the 5.10.0 package (which all stable versions ship), but I can't find any indication at all that they backported the patch
18:53 sfan5 I'll test if it's actually fixed in a moment
19:00 sfan5 ok I appear to be wrong. they have backported the fix to 5.10
19:09 sfan5 ubuntu 24.04.3 has no "luanti" in repos and if you install "minetest" you get 5.6.1 🤯
19:11 sfan5 not patched, of course https://x0.at/e1Mx.txt
19:13 sfan5 https://x0.at/uggB.txt 26.04 too
19:17 sfan5 and 22.04 for completeness https://x0.at/Tdgi.txt
19:21 sfan5 from the server list logs basically nobody is still using 5.10.0
19:22 cheapie sfan5: FWIW Debian has pages where you can see what patches they're applying: https://sources.debian.org/patches/luanti/5.10.0+dfsg-5+deb13u1/
19:25 sfan5 while 5.6.1 has about ~400 DAU (daily active users) specifically on Ubuntu
19:25 sfan5 cheapie: I see. I checked the git repo they prepare releases in and couldn't find anything.
19:27 cheapie Generally the packages.debian.org page for the package you're interested in is the place to start for things like this, it has a bunch of useful links along the right side: https://packages.debian.org/trixie/luanti
19:28 cheapie "Debian Patch Tracker" is the one that lists the patches they're applying, "Developer Information" provides a page listing a whole bunch of information of varying utility, and most of the rest are fairly self-explanatory
19:29 rubenwardy probably best to start by emailing the maintainers or making an issue on their trackers
19:30 cheapie As far as I can tell, Debian is handling this as they intend to (backported the security fixes to the version in stable, and testing/sid have something almost up-to-date), Ubuntu needs some poking though
19:32 sfan5 as a software project begging distributions to please protect their own users from RCE when they have already been informed is monumentally stupid
19:33 cheapie Is there an RCE element to this? I was under the impression it's "only" privilege escalation, not that that's an excuse to not fix it
19:34 sfan5 that's stretching it a bit. the exploitation path is "download malicious mod -> run singleplayer -> oops"
19:36 cheapie Which sounds like privilege escalation (you intentionally run code and then it can do something it's not supposed to be able to do), as opposed to RCE which I'd expect to be something more like "connect to malicious server -> oops"
19:36 cheapie (or "be connected to by malicious client -> oops")
19:38 cheapie I guess it doesn't really matter what it's called though, Ubuntu needs to fix it either way
19:46 sfan5 it matters to not cause unnecessary panic. so let's not call it an RCE