13 Oct 2024 |
emily | is that the reason to extend the support, or are they only committing to fixes for Windows/macOS? | 18:27:22 |
emily | https://support.mozilla.org/en-US/kb/firefox-users-windows-7-8-and-81-moving-extended-support | 18:27:39 |
hexa | sounds like harm reduction | 18:27:40 |
emily |
Mozilla is providing critical security updates through the Firefox ESR channel up until the end of ESR version 115, March 2025.
| 18:27:47 |
emily | it will go EOL before 25.05 anyway | 18:29:07 |
emily | so probably best not to ship | 18:29:11 |
hexa | we yank releases mid-cycle all the time for firefox | 18:30:13 |
hexa | but yeah, I don't want the additional load | 18:30:23 |
14 Oct 2024 |
hexa | https://github.com/NixOS/nixpkgs/pull/348396 coturn hardening, any takers? | 01:46:33 |
hexa | https://github.com/NixOS/nixpkgs/pull/348406 avahi maybe? | 02:25:52 |
hexa | 💤 | 02:26:26 |
mattleon | I recently learned about this, but you can prevent access to any binaries not in the dependency closure with the `confinement.enable` setting, which should be step #1 for just about any service imho. | 12:27:03 |
mattleon | https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/systemd-confinement.nix | 12:27:09 |
Sandro 🐧 | In reply to @hexa:lossy.network
https://github.com/NixOS/nixpkgs/pull/348406 avahi maybe?
If I don't forget I can try later with pulse network discovery | 13:49:43 |
15 Oct 2024 |
hexa | https://matrix.org/blog/2024/10/security-disclosure-matrix-js-sdk-and-matrix-react-sdk/ | 12:02:09 |
hexa |
We are disclosing two high-severity vulnerabilities in matrix-js-sdk and matrix-react-sdk related to MSC3061, which specifies sharing room keys with newly invited users for message history access.
| 12:02:25 |
Valodim | ugh | 12:02:36 |
hexa | did you? | 12:03:08 |
emily | In reply to @hexa:lossy.network
We are disclosing two high-severity vulnerabilities in matrix-js-sdk and matrix-react-sdk related to MSC3061, which specifies sharing room keys with newly invited users for message history access.
"in the legacy (pre-Rust) encryption implementation" 🫠 | 18:12:28 |
emily | not libolm itself, but still | 18:12:38 |
hexa | Where would we store a shared list of bogon cidrs used across various modules? | 18:18:58 |
hexa | nixos/lib somewhere | 18:19:36 |
hexa | But I wonder if we have prior art | 18:19:43 |
ma27 | don't we have some networking functions from gsoc in lib? perhaps there? | 18:22:13 |
hexa | not sure if that ever landed | 19:10:27 |
hexa | lib/network apparently | 19:11:03 |
hexa | lib/network/const.nix it'll be | 19:14:50 |
f0x | https://github.com/NixOS/nixpkgs/pull/348779 I think this also patches element-web correctly (separate security advisory). Just wanted to confirm since it wasn't mentioned in the PR | 22:35:13 |
f0x | and if something was done to Hydra for element-desktop, maybe the same also needs to happen for -web? I'm not really sure how that aspect of nixpkgs works, especially for security/backport related stuff | 22:37:18 |
hexa | good catch | 22:41:11 |