!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

638 Members
Coordination and triage of security issues in nixpkgs | Discussions in #security-discuss:nixos.org | Open PRs: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc+label%3A%221.severity%3A+security%22
200 Servers


Sender Message Time
1 Jul 2025
@sigmasquadron:matrix.org SigmaSquadron
In reply to @emilazy:matrix.org
on it. does it need backporting?
yep, forgot the label, sorry.
15:57:16
@dues__:matrix.org Damian Poddebniak joined the room. 20:54:51
2 Jul 2025
@mtheil:scs.ems.host Markus Theil: OpenSSL is ready. Update for 25.05 in https://github.com/NixOS/nixpkgs/pull/421735 09:43:52
4 Jul 2025
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all)

https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549

hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, i have my own projects that depend on hdf5 (bachelors thesis) but figured i might as well post these here too. Fix will likely only come out in September.

07:53:03
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): there might well be more, seems some new people started actually fuzzing that lib. There is POCs and all, but assigned severity is all somewhat low. Still safe to say the next release is security-relevant 07:57:13
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all) *

https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
https://nvd.nist.gov/vuln/detail/CVE-2025-6516 | https://github.com/HDFGroup/hdf5/issues/5581
https://nvd.nist.gov/vuln/detail/CVE-2025-6270 | https://github.com/HDFGroup/hdf5/issues/5580
https://nvd.nist.gov/vuln/detail/CVE-2025-6269 | https://github.com/HDFGroup/hdf5/issues/5579

hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, i have my own projects that depend on hdf5 (bachelors thesis) but figured i might as well post these here too. Fix will likely only come out in September.

08:00:54
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all): assimp: https://github.com/NixOS/nixpkgs/pull/422357 CVE-2025-2751: GHSA-345v-qrhv-w227 CVE-2025-2757: GHSA-4p6w-747g-444c CVE-2025-2750: GHSA-6x45-4j6r-r8x8 CVE-2025-3158: GHSA-6r79-vpvw-rfjj 10:42:06
@k900:0upti.me K900: image.png 10:42:56
@emilazy:matrix.org emily: K900: oh yeah I ran into a fun thing 11:06:15
@emilazy:matrix.org emily: er 11:06:24
@emilazy:matrix.org emily: wrong room sorry 11:06:26
6 Jul 2025
@jammie:matrix.org @jammie:matrix.org left the room. 02:28:02
@cathal_mullan:matrix.org Cathal changed their display name from CJ to Cathal. 17:17:33
7 Jul 2025
@leona:leona.is leona: https://github.com/NixOS/nixpkgs/pull/421805 keycloak security update 06:51:59
@saiko:knifepoint.net Katalin 🔪 changed their display name from Katalin ⚧︎ to Katalin 🔪. 23:27:41
9 Jul 2025
@jonhermansen:matrix.org jonhermansen joined the room. 01:01:41
@phileas:asra.gr syd installs gentoo (they/them): https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384 git clone --recursive RCE CVE-2025-48384 11:10:20
@k900:0upti.me K900: Known, we're deciding how to best handle it 11:21:38
10 Jul 2025
@vcunat:matrix.org vcunat

I just noticed our intel-media-sdk; upstream says

This project will no longer be maintained by Intel.
This project has been identified as having known security escapes.

We use it in particular in ffmpeg-full. No idea how big a risk it is in there.

08:32:52
@hexa:lossy.network hexa: https://security-tracker.debian.org/tracker/source-package/intel-mediasdk 12:14:24
@hexa:lossy.network hexa: removed from debian in 2024-10 12:15:01
@hexa:lossy.network hexa: other distros, e.g. fedora, are still shipping it 12:15:10
@hexa:lossy.network hexa: -> #security-discuss:nixos.org 12:16:15
@vcunat:matrix.org vcunat

gnutls had a security release yesterday:
https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html

Maybe I could have a look within several hours.

12:17:14
@vcunat:matrix.org vcunat: 25.05 will probably need to pick the CVE patches. For staging: https://github.com/NixOS/nixpkgs/pull/424095 16:38:33
@fr0de_0xa:matrix.org Fred Lahde joined the room. 18:48:25
11 Jul 2025
@importantblimp:matrix.org importantblimp joined the room. 09:54:49
@felix.schroeter:scs.ems.host Felix Schröter joined the room. 16:58:53
