Merge lp://staging/~lsandecki/ubuntu-motd/cve-2023-2650 into lp://staging/ubuntu-motd

Proposed by Lech Sandecki
Status: Merged
Merged at revision: 96
Proposed branch: lp://staging/~lsandecki/ubuntu-motd/cve-2023-2650
Merge into: lp://staging/ubuntu-motd
Diff against target: 19 lines (+4/-4)
1 file modified
aptnews.json (+4/-4)
To merge this branch: bzr merge lp://staging/~lsandecki/ubuntu-motd/cve-2023-2650
Reviewers:
Steve Langasek: Approve
Dean Henrichsmeyer (community): Approve
Review via email: mp+446205@code.staging.launchpad.net

Description of the change

adding a new apt-news message regarding the recently fixed OpenSSL vulnerability

Dean Henrichsmeyer (dean) :
review: Approve
Steve Langasek (vorlon) :
review: Needs Fixing
97. By lech <email address hidden>

addressed the review suggestion

Steve Langasek (vorlon) wrote :

Should we be revving the start date now that the listed date is in the past?

review: Approve
Renan Rodrigo (renanrodrigo) wrote :

I would say there is no need to. The past date is fine - the client will understand that this should be active immediately.

Seth Arnold (seth-arnold) wrote :

I'm not sure either of these is really "recently fixed", 18 days and 41 days old:

30 May 2023 https://ubuntu.com/security/notices/USN-6119-1
22 June 2023 https://ubuntu.com/security/notices/USN-6188-1

These banners will be better received if they're relevant.

I expect that this will instead be read as "oh no a new openssl issue? why isn't the update available yet?" followed by a few minutes looking for more information, and then finding out that this is old news and unattended-upgrades handled it weeks ago. That's not likely to leave a pleasant impression.

Thanks

Julian Andres Klode (juliank) wrote :

The message doesn't make all that much sense because the context you see it in is when you are upgrading, so it's somewhat redundant: either it was already upgraded before, or the call you see the message in is upgrading it.

There's effectively no way to see the message without getting an upgraded OpenSSL.

Marc Deslauriers (mdeslaur) wrote :

In addition, the CVE mentioned is a pretty benign issue, I'm not sure why it is relevant...

Julian Andres Klode (juliank) wrote :

This message was reported as a bug in https://bugs.launchpad.net/bugs/2027674
