4 Jul 2025 |
Grimmauld (any/all) | * https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
https://nvd.nist.gov/vuln/detail/CVE-2025-6516 | https://github.com/HDFGroup/hdf5/issues/5581
https://nvd.nist.gov/vuln/detail/CVE-2025-6270 | https://github.com/HDFGroup/hdf5/issues/5580
https://nvd.nist.gov/vuln/detail/CVE-2025-6269 | https://github.com/HDFGroup/hdf5/issues/5579
hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, I have my own projects that depend on hdf5 (bachelor's thesis) but figured I might as well post these here too. Fix will likely only come out in September.
| 08:00:54 |
Grimmauld (any/all) | assimp: https://github.com/NixOS/nixpkgs/pull/422357
CVE-2025-2751: GHSA-345v-qrhv-w227
CVE-2025-2757: GHSA-4p6w-747g-444c
CVE-2025-2750: GHSA-6x45-4j6r-r8x8
CVE-2025-3158: GHSA-6r79-vpvw-rfjj | 10:42:06 |
K900 | [image: image.png] | 10:42:56 |
emily | K900: oh yeah I ran into a fun thing | 11:06:15 |
emily | er | 11:06:24 |
emily | wrong room sorry | 11:06:26 |
6 Jul 2025 |
| @jammie:matrix.org left the room. | 02:28:02 |
| Cathal changed their display name from CJ to Cathal. | 17:17:33 |
7 Jul 2025 |
leona | https://github.com/NixOS/nixpkgs/pull/421805 keycloak security update | 06:51:59 |
| Katalin 🔪 changed their display name from Katalin ⚧︎ to Katalin 🔪. | 23:27:41 |
9 Jul 2025 |
| jonhermansen joined the room. | 01:01:41 |
syd installs gentoo (they/them) | https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384
git clone --recursive RCE
CVE-2025-48384 | 11:10:20 |
K900 | Known, we're deciding how to best handle it | 11:21:38 |
10 Jul 2025 |
vcunat | I just noticed our intel-media-sdk; upstream says
This project will no longer be maintained by Intel. This project has been identified as having known security escapes.
We use it in particular in ffmpeg-full. No idea how big a risk it is in there.
| 08:32:52 |
hexa | https://security-tracker.debian.org/tracker/source-package/intel-mediasdk | 12:14:24 |
hexa | removed from debian in 2024-10 | 12:15:01 |
hexa | other distros, e.g. fedora, are still shipping it | 12:15:10 |
hexa | -> #security-discuss:nixos.org | 12:16:15 |
vcunat | gnutls had a security release yesterday: https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
Maybe I could have a look within several hours.
| 12:17:14 |
vcunat | 25.05 will probably need to pick the CVE patches. For staging:
https://github.com/NixOS/nixpkgs/pull/424095 | 16:38:33 |
| Fred Lahde joined the room. | 18:48:25 |
11 Jul 2025 |
| importantblimp joined the room. | 09:54:49 |
| Felix Schröter joined the room. | 16:58:53 |
12 Jul 2025 |
hexa | https://github.com/NixOS/nix/security/advisories/GHSA-qc7j-jgf3-qmhg | 12:15:00 |
emily | handling nixVersions.git | 13:22:35 |
emily | https://github.com/NixOS/nixpkgs/pull/424593 | 13:33:13 |
emily | testing build on Darwin, if someone could get Linux that would be cool | 13:33:24 |
| Sergei Zimmerman (xokdvium) joined the room. | 14:08:27 |
Sergei Zimmerman (xokdvium) | Backport bot having issues on emily's PR. Manual backport I've opened at the same time https://github.com/NixOS/nixpkgs/pull/424592. Will merge when darwin build finishes. | 14:10:48 |
14 Jul 2025 |
Grimmauld (any/all) | * https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
https://nvd.nist.gov/vuln/detail/CVE-2025-6516 | https://github.com/HDFGroup/hdf5/issues/5581
https://nvd.nist.gov/vuln/detail/CVE-2025-6270 | https://github.com/HDFGroup/hdf5/issues/5580
https://nvd.nist.gov/vuln/detail/CVE-2025-6269 | https://github.com/HDFGroup/hdf5/issues/5579
https://nvd.nist.gov/vuln/detail/CVE-2025-7069 | https://github.com/HDFGroup/hdf5/issues/5550
https://nvd.nist.gov/vuln/detail/CVE-2025-7068 | https://github.com/HDFGroup/hdf5/issues/5578
https://nvd.nist.gov/vuln/detail/CVE-2025-7067 | https://github.com/HDFGroup/hdf5/issues/5577
hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, I have my own projects that depend on hdf5 (bachelor's thesis) but figured I might as well post these here too. Fix will likely only come out in September.
| 07:07:15 |