| 25 Aug 2021 |
hexa | looking for feedback about the impact of the CVEs and the appropriate target branch | 00:23:25 |
Sandro | if we had some scores for the CVE it would be easier to assess how severe it is | 10:09:21 |
andi- | The first one allows input to define 62 bytes of stack space. That could be disastrous. The other allows exfiltrating key material at worst. I'd just dump both of them onto an otherwise empty staging-next jobset or just master if we don't have a staging job that is otherwise not occupied. The last thing you want is some other upgrade slowing this down. | 10:14:17 |
hexa | rebased on top of master | 12:24:03 |
ris_ | yeah basically "it's bad". it hinges on how many applications are actually set up to accept SM2 in their cipher suites, because it's pretty obscure. but we probably don't want to rely on that too much. the "medium" one is almost as bad I'd say, seeing as this is a situation where private memory contents are likely to be sensitive, containing cryptographic materials | 18:00:46 |
hexa | feel free to merge | 18:15:44 |
hexa | * feel free to merge. Dear darwin.... | 20:39:55 |
| 26 Aug 2021 |
Sandro | CVE-2021-3634 https://ubuntu.com/security/notices/USN-5053-1 | 17:17:12 |
Sandro | * CVE-2021-3634 https://ubuntu.com/security/CVE-2021-3634 | 17:17:32 |
Sandro | good, finally found some real information on Debian tracker https://security-tracker.debian.org/tracker/CVE-2021-3634
- https://www.libssh.org/2021/08/26/libssh-0-9-6-security-release/
- https://www.libssh.org/security/advisories/CVE-2021-3634.txt
and the patch https://git.libssh.org/projects/libssh.git/commit/?id=d3060bc84ed4e160082e819b4d404f76df7c8063
| 17:18:37 |
hexa | working on it | 17:28:19 |
Sandro | Thanks! It has a 5.3 score. Not sure if we go through master or staging. Maybe staging next? | 17:28:59 |
hexa | == Versions: 0.9.1 - 0.9.5 | 17:29:24 |
hexa | we were on 0.8.9, are we even affected? | 17:29:32 |
Sandro | Sounds like no but then we should think about updating | 17:30:03 |
Sandro | * Sounds like no but then we should think about updating nevertheless | 17:30:15 |
hexa | yup, via staging | 17:30:19 |
hexa | yup, unaffected | 17:30:53 |
Sandro | I would do that in a bit if you don't mind | 17:36:14 |
hexa | https://github.com/NixOS/nixpkgs/pull/135821 | 17:39:06 |
hexa | sorry, that was a few minutes too late | 17:39:22 |
Sandro | no problem, easy bump anyway | 19:08:17 |
| 27 Aug 2021 |
hexa | ris_: can you give openssl another shot? | 23:15:58 |
ris_ | ah ok | 23:16:11 |
hexa | https://github.com/NixOS/nixpkgs/pull/135611 | 23:16:19 |
ris_ | the "early" version of it has built fine, but the "real" version needs the full "curl bootstrap" to build, which includes llvm on macos | 23:44:43 |
ris_ | though it was the early version that failed last time | 23:44:59 |