1 Jul 2025 |
SigmaSquadron | In reply to @emilazy:matrix.org on it. does it need backporting? yep, forgot the label, sorry. | 15:57:16 |
| Damian Poddebniak joined the room. | 20:54:51 |
2 Jul 2025 |
Markus Theil | OpenSSL is ready. Update for 25.05 in https://github.com/NixOS/nixpkgs/pull/421735 | 09:43:52 |
4 Jul 2025 |
Grimmauld (any/all) | https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues; I have my own projects that depend on hdf5 (bachelor's thesis) but figured I might as well post these here too. The fix will likely only come out in September.
| 07:53:03 |
Grimmauld (any/all) | there might well be more, seems some new people started actually fuzzing that lib. There are POCs and all, but the assigned severity is all somewhat low. Still safe to say the next release is security-relevant | 07:57:13 |
Grimmauld (any/all) | * https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
https://nvd.nist.gov/vuln/detail/CVE-2025-6516 | https://github.com/HDFGroup/hdf5/issues/5581
https://nvd.nist.gov/vuln/detail/CVE-2025-6270 | https://github.com/HDFGroup/hdf5/issues/5580
https://nvd.nist.gov/vuln/detail/CVE-2025-6269 | https://github.com/HDFGroup/hdf5/issues/5579
hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues; I have my own projects that depend on hdf5 (bachelor's thesis) but figured I might as well post these here too. The fix will likely only come out in September.
| 08:00:54 |
Grimmauld (any/all) | assimp: https://github.com/NixOS/nixpkgs/pull/422357
CVE-2025-2751: GHSA-345v-qrhv-w227
CVE-2025-2757: GHSA-4p6w-747g-444c
CVE-2025-2750: GHSA-6x45-4j6r-r8x8
CVE-2025-3158: GHSA-6r79-vpvw-rfjj | 10:42:06 |
K900 | image.png (attachment) | 10:42:56 |
emily | K900: oh yeah I ran into a fun thing | 11:06:15 |
emily | er | 11:06:24 |
emily | wrong room sorry | 11:06:26 |
6 Jul 2025 |
| @jammie:matrix.org left the room. | 02:28:02 |
| Cathal changed their display name from CJ to Cathal. | 17:17:33 |
7 Jul 2025 |
leona | https://github.com/NixOS/nixpkgs/pull/421805 keycloak security update | 06:51:59 |
| Katalin 🔪 changed their display name from Katalin ⚧︎ to Katalin 🔪. | 23:27:41 |
9 Jul 2025 |
| jonhermansen joined the room. | 01:01:41 |
syd installs gentoo (they/them) | https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384
git clone --recursive RCE
CVE-2025-48384 | 11:10:20 |
K900 | Known, we're deciding how to best handle it | 11:21:38 |
10 Jul 2025 |
vcunat | I just noticed our intel-media-sdk; upstream says:
"This project will no longer be maintained by Intel. This project has been identified as having known security escapes."
We use it in particular in ffmpeg-full. No idea how big a risk it is in there.
| 08:32:52 |
hexa | https://security-tracker.debian.org/tracker/source-package/intel-mediasdk | 12:14:24 |
hexa | removed from debian in 2024-10 | 12:15:01 |
hexa | other distros, e.g. fedora, are still shipping it | 12:15:10 |
hexa | -> #security-discuss:nixos.org | 12:16:15 |
vcunat | gnutls had a security release yesterday: https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
Maybe I could have a look within several hours.
| 12:17:14 |
vcunat | 25.05 will probably need to pick the CVE patches. For staging:
https://github.com/NixOS/nixpkgs/pull/424095 | 16:38:33 |
| Fred Lahde joined the room. | 18:48:25 |
11 Jul 2025 |
| importantblimp joined the room. | 09:54:49 |
| Felix Schröter joined the room. | 16:58:53 |