| 13 Oct 2024 |
 hexa | but yeah, I don't want the additional load | 18:30:23 |
| 14 Oct 2024 |
| hexa | https://github.com/NixOS/nixpkgs/pull/348396 coturn hardening, any takers? | 01:46:33 |
| hexa | https://github.com/NixOS/nixpkgs/pull/348406 avahi maybe? | 02:25:52 |
| hexa | 💤 | 02:26:26 |
 mattleon | I recently learned about this, but you can prevent access to any binaries not in the dependency closure with the `confinement.enable` setting, which should be step #1 for just about any service imho. | 12:27:03 |
| mattleon | https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/systemd-confinement.nix | 12:27:09 |
 Sandro 🐧 | In reply to @hexa:lossy.network
https://github.com/NixOS/nixpkgs/pull/348406 avahi maybe? If I don't forget I can try later with pulse network discovery | 13:49:43 |
| 15 Oct 2024 |
| hexa | https://matrix.org/blog/2024/10/security-disclosure-matrix-js-sdk-and-matrix-react-sdk/ | 12:02:09 |
| hexa |
We are disclosing two high-severity vulnerabilities in matrix-js-sdk and matrix-react-sdk related to MSC3061, which specifies sharing room keys with newly invited users for message history access.
| 12:02:25 |
 Valodim | ugh | 12:02:36 |
| hexa | did you? | 12:03:08 |
 emily | In reply to @hexa:lossy.network
We are disclosing two high-severity vulnerabilities in matrix-js-sdk and matrix-react-sdk related to MSC3061, which specifies sharing room keys with newly invited users for message history access.
"in the legacy (pre-Rust) encryption implementation" 🫠 | 18:12:28 |
| emily | not libolm itself, but still | 18:12:38 |
| hexa | Where would we store a shared list of bogon cidrs used across various modules? | 18:18:58 |
| hexa | nixos/lib somewhere | 18:19:36 |
| hexa | But I wonder if we have prior art | 18:19:43 |
 ma27 | don't we have some networking functions from gsoc in lib? perhaps there? | 18:22:13 |
| hexa | not sure if that ever landed | 19:10:27 |
| hexa | lib/network apparently | 19:11:03 |
| hexa | lib/network/const.nix it'll be | 19:14:50 |
 f0x | https://github.com/NixOS/nixpkgs/pull/348779 I think this also patches element-web correctly (separate security advisory). Just wanted to confirm since it wasn't mentioned in the PR | 22:35:13 |
| f0x | and if something was done to Hydra for element-desktop, maybe the same also needs to happen for -web? I'm not really sure how that aspect of nixpkgs works, especially for security/backport related stuff | 22:37:18 |
| hexa | good catch | 22:41:11 |
| hexa | wdym with "done to Hydra"? | 22:41:25 |
| hexa | we don't have a separate pipeline for security stuff unfortunately | 22:41:43 |
| emily | kicking Hydra to get an early channel eval maybe? | 22:46:21 |
| hexa | bumped the -small jobsets to front | 22:49:28 |
| hexa | * bumped the -small jobsets to the front of the queue | 22:49:35 |
| f0x | In reply to @hexa:lossy.network
I'm kicking the hydra jobsets next not really sure what it entails, like what you mentioned here for the firefox stuff | 22:49:42 |
| hexa | that meant triggering an evaluation | 22:49:59 |
