!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

Coordination and triage of security issues in nixpkgs



Sender | Message | Time

1 Jul 2021
@synthetica:matrix.org Synthetica | oof | 11:36:55
@synthetica:matrix.org Synthetica | sorry | 11:36:57
@balsoft:balsoft.ru balsoft | Oh | 11:37:36
@balsoft:balsoft.ru balsoft | No liveusb needed | 11:37:39
@balsoft:balsoft.ru balsoft | NixOS is fairly self-repairing actually | 11:37:55
@synthetica:matrix.org Synthetica | wait, a reisub-reboot fixed it? | 11:38:35
@balsoft:balsoft.ru balsoft | What if I do it in the activation script? :P | 11:38:43
@r_i_s:matrix.org ris_ | could i get some eyes on https://github.com/NixOS/nixpkgs/pull/126280 before permanent bitrot sets in? | 19:31:37
@hexa:lossy.network hexa | thanks, lgtm | 19:43:36

2 Jul 2021
@irenes:matrix.org | Irenes joined the room. | 09:22:13
@hexa:lossy.network hexa | https://www.djangoproject.com/weblog/2021/jul/01/security-releases/ | 14:18:35
@obfusk:matrix.org | 幸猫 joined the room. | 16:07:01
@_xmpp_julm=40sourcephile.fr:matrix.org | julm left the room. | 18:11:39
@r_i_s:matrix.org ris_ | CVE-2021-34552 seems to map to https://github.com/python-pillow/Pillow/pull/5567, which looks pretty hard to expose | 18:28:53
@hexa:lossy.network hexa | otoh it looks pretty easy to backport | 18:29:57
@r_i_s:matrix.org ris_ | you'd have to be passing in mode from untrusted input | 18:29:59
@r_i_s:matrix.org ris_ | sure | 18:30:02
@hexa:lossy.network hexa | uh, should post security advisories here and ✅ them when PR is up or so | 18:30:58
@hexa:lossy.network hexa | just so that the state of these things becomes more visible | 18:31:15
@philipp:xndr.de philipp | Maybe a separate room just for them? | 18:32:25
@hexa:lossy.network hexa | maybe a separate room for the chit chat? 😊 | 18:32:52
@balsoft:balsoft.ru balsoft | I would love a room with advisories | 18:32:54
@hexa:lossy.network hexa | I don't mind either | 18:33:06
@hexa:lossy.network hexa | getxmp() was added in Pillow 8.2.0. It will now use defusedxml instead. If the dependency is not present, an empty dictionary will be returned and a warning raised. | 18:33:28
@hexa:lossy.network hexa | alas we are not propagating defusedxml there | 18:33:53
@hexa:lossy.network hexa | uh, not ours strictly I guess | 18:34:08
@hexa:lossy.network hexa | just things we find | 18:34:12
@hexa:lossy.network hexa | * just things we find, and need to remember to take care of | 18:34:20
@hexa:lossy.network hexa | but sure, we could have an advisory channel, with moderated posts to the pr trackers I guess | 18:44:38
@hexa:lossy.network hexa | so not advisories per se, but "here is this security related pr, take note" | 18:45:14
