| 8 May 2026 |
 dish [Fox/It/She] | sigh | 21:40:41 |
| dish [Fox/It/She] | tl;dr io_uring ZCRX freelist LPE | 21:40:50 |
| dish [Fox/It/She] | * tl;dr io_uring ZCRX freelist LPE, affects 6.15 -> 6.19 | 21:41:13 |
| dish [Fox/It/She] | but also requires CAP_NET_ADMIN so shouldn't be too much of an issue | 21:41:34 |
| dish [Fox/It/She] | * but also requires CAP_NET_ADMIN and a NIC that supports zero copy recieve(ZCRX) so shouldn't be too much of an issue | 21:42:03 |
| dish [Fox/It/She] | * but also requires CAP_NET_ADMIN, a NIC that supports zero copy recieve(ZCRX), and kernel configured with io_uring zcrx enabled so shouldn't be too much of an issue | 21:42:30 |
 Morgan (@numinit) | Nice, io_uring, the source of like over half of Android bug bounties over the past couple years | 21:42:59 |
| dish [Fox/It/She] | okay i think this is pretty much a nonissue since you need all the above to write OOB, but then CAP_SYS_ADMIN to execute so... seems like you basically need root and/or elevated privs so... | 21:43:54 |
| Morgan (@numinit) | https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
Wish there was a dumpster fire emoji anyway | 21:44:55 |
| dish [Fox/It/She] | π₯
ποΈ | 21:46:25 |
| Morgan (@numinit) | "we paid out around 1 million USD for io_uring alone"
πΈπ₯ | 21:47:06 |
 Sandro π§ | One of the oauth2-proxy CVEs was only partically addressed and one of the recommended arguments to set was impossible to be defined
https://github.com/NixOS/nixpkgs/pull/518211 | 23:16:07 |
| Sandro π§ | * One of the oauth2-proxy CVEs was only partically addressed and one of the recommended arguments to set was impossible to be defined in the nixos module
https://github.com/NixOS/nixpkgs/pull/518211 | 23:17:56 |
| 9 May 2026 |
| dish [Fox/It/She] | Gitpython security bump: https://github.com/NixOS/nixpkgs/pull/518443 | 17:20:00 |
| 11 May 2026 |
 kuflierl | 'high' severtiy cve in python library
https://github.com/NixOS/nixpkgs/pull/518798 | 02:28:11 |
 tgerbet | DNSMasq coordinated release (cache poisoning, privesc...) https://www.kb.cert.org/vuls/id/471747
https://github.com/NixOS/nixpkgs/pull/519082 | 17:34:09 |
 hexa |
dnsmasq has released version 2.93 to fix the above vulnerabilities
| 17:36:23 |
| hexa |
dnsmasq: 2.92 -> 2.92rel2
| 17:36:33 |
| hexa | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html | 17:37:29 |
| hexa |
With luck, 2.93 could be out in a week or so.
| 17:37:33 |
| tgerbet | Requested an update of the CERT/CC advisory in the internal case... | 17:40:14 |
 flx | https://github.com/NixOS/nixpkgs/pull/518430 | 23:24:08 |
| 12 May 2026 |
|  Harinn joined the room. | 18:14:40 |
| flx | https://github.com/NixOS/nixpkgs/pull/519502 | 18:32:28 |
| 13 May 2026 |
| flx | https://github.com/NixOS/nixpkgs/pull/519882 | 19:12:05 |
| Morgan (@numinit) | https://depthfirst.com/nginx-rift
FYI, nginx π¬, seems to trigger with captures in rewrite | 19:15:16 |
| tgerbet | https://nginx.org/en/CHANGES
https://nginx.org/en/CHANGES-1.30
There are also other sec issues in the releases
nginxMainline will need a 1.29 -> 1.31 bump.
It would be nice if someone could handle it, I have done the last nginx upgrades but I'm not close to a laptop until tomorrow night | 19:23:09 |
| Morgan (@numinit) | It's looking like a "tonight" thing for me (so several hours) | 19:23:44 |
| hexa | https://blog.packagist.com/composer-2-9-8-and-2-2-28-fix-github-actions-token-disclosure-in-error-messages/ | 19:35:01 |
| hexa | ma27 | 19:35:22 |
