| 5 Oct 2024 |
 emily | (doesn't work, but maybe it's useful to you) | 03:17:31 |
 ElvishJerricco | thanks | 03:17:53 |
| emily | relevant comment about timing / multiple sessions https://matrix.to/#/!NBBFPbiuttRgTqbrcY:nixos.org/$-nf3vPAiCozFLiNCXkzyvCjEZ9W57MT7dOBOLu9ee_U?via=nixos.org&via=matrix.org&via=nixos.dev | 03:18:05 |
| emily | and pointer to earlier discussion from there | 03:18:10 |
| ElvishJerricco | yea, so my guess is that there is some vulnerability here, that's probably quite difficult to take advantage of | 03:18:26 |
| ElvishJerricco | part of it depends on when exactly pam_sm_open_session happens. | 03:21:29 |
| ElvishJerricco | But I think you can make that not matter by having a non-gdm session open before gdm-autologin happens | 03:27:53 |
| ElvishJerricco | which is probably plausible with systemd user lingering | 03:28:04 |
| ElvishJerricco | oh that was easier than I thought | 03:55:46 |
| ElvishJerricco | emily: you around? | 03:55:49 |
|  magic_rb changed their profile picture. | 22:18:06 |
| 6 Oct 2024 |
| emily | https://github.com/NixOS/nixpkgs/pull/346797 could probably use more opinions/discussion (for once I lean slightly against) | 12:47:22 |
|  @sofo:matrix.org left the room. | 15:28:06 |
 Winter | yeah i don't like this... i'll write up something | 17:53:22 |
| emily | i think we have decent consensus to not mark it right now at this point | 17:57:03 |
| 7 Oct 2024 |
|  Sam Lehman changed their profile picture. | 14:24:09 |
| 9 Oct 2024 |
 Nick Cao | firefox RCE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/ | 14:12:28 |
 Valodim | whew | 14:20:57 |
| emily | @hexa:lossy.network
| 14:30:23 |
 hexa | cool. | 14:30:33 |
 Vika Shleina (she/her) | In reply to @nickcao:nichi.co
firefox RCE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/ Is firefox-devedition (131.0b9) vulnerable? Not entirely familiar with Firefox versioning | 14:34:54 |
| hexa | very likely | 14:35:09 |
| hexa | https://github.com/NixOS/nixpkgs/pull/347500 | 14:38:25 |
| Vika Shleina (she/her) | In reply to @hexa:lossy.network
very likely There is apparently Firefox 132 beta. I could try my hand at bumping this. | 14:47:08 |
| hexa | uh, I can push more to my branch | 14:47:22 |
| hexa | ok, bumped | 14:51:20 |
| Vika Shleina (she/her) | Thank you! 💖 | 14:51:39 |
| hexa | the expensive thing is to test the stuff 🙂 | 14:52:06 |
| hexa | ok, firefox is bumped, tested and backported | 18:13:40 |
| hexa | I'm kicking the hydra jobsets next | 18:13:57 |
