| 4 Jul 2025 |
 Grimmauld (any/all) | * https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
https://nvd.nist.gov/vuln/detail/CVE-2025-6516 | https://github.com/HDFGroup/hdf5/issues/5581
https://nvd.nist.gov/vuln/detail/CVE-2025-6270 | https://github.com/HDFGroup/hdf5/issues/5580
https://nvd.nist.gov/vuln/detail/CVE-2025-6269 | https://github.com/HDFGroup/hdf5/issues/5579
hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, i have my own projects that depend on hdf5 (bachelors thesis) but figured i might as well post these here too. Fix will likely only come out in September.
| 08:00:54 |
| Grimmauld (any/all) | assimp: https://github.com/NixOS/nixpkgs/pull/422357
CVE-2025-2751: GHSA-345v-qrhv-w227
CVE-2025-2757: GHSA-4p6w-747g-444c
CVE-2025-2750: GHSA-6x45-4j6r-r8x8
CVE-2025-3158: GHSA-6r79-vpvw-rfjj | 10:42:06 |
 K900 | 
Download image.png | 10:42:56 |
 emily | K900: oh yeah I ran into a fun thing | 11:06:15 |
| emily | er | 11:06:24 |
| emily | wrong room sorry | 11:06:26 |
| 6 Jul 2025 |
|  @jammie:matrix.org left the room. | 02:28:02 |
|  Cathal changed their display name from CJ to Cathal. | 17:17:33 |
| 7 Jul 2025 |
 leona | https://github.com/NixOS/nixpkgs/pull/421805 keycloak security update | 06:51:59 |
|  Katalin 🔪 changed their display name from Katalin ⚧︎ to Katalin 🔪. | 23:27:41 |
| 9 Jul 2025 |
|  jonhermansen joined the room. | 01:01:41 |
 syd installs gentoo (they/them) | https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384
git clone --recursive RCE
CVE-2025-48384 | 11:10:20 |
| K900 | Known, we're deciding how to best handle it | 11:21:38 |
| 10 Jul 2025 |
 vcunat | I just noticed our intel-media-sdk; upstream says
This project will no longer be maintained by Intel.
This project has been identified as having known security escapes.
We use it in particular in ffmpeg-full. No idea how big a risk it is in there.
| 08:32:52 |
 hexa | https://security-tracker.debian.org/tracker/source-package/intel-mediasdk | 12:14:24 |
| hexa | removed from debian in 2024-10 | 12:15:01 |
| hexa | other distros, e.g. fedora, are still shipping it | 12:15:10 |
| hexa | -> #security-discuss:nixos.org | 12:16:15 |
| vcunat | gnutls had a security release yesterday:
https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
Maybe I could have a look within several hours.
| 12:17:14 |
| vcunat | 25.05 will probably need to pick the CVE patches. For staging:
https://github.com/NixOS/nixpkgs/pull/424095 | 16:38:33 |
|  Fred Lahde joined the room. | 18:48:25 |
| 11 Jul 2025 |
|  importantblimp joined the room. | 09:54:49 |
|  Felix Schröter joined the room. | 16:58:53 |
| 12 Jul 2025 |
| hexa | https://github.com/NixOS/nix/security/advisories/GHSA-qc7j-jgf3-qmhg | 12:15:00 |
| emily | handling nixVersions.git | 13:22:35 |
| emily | https://github.com/NixOS/nixpkgs/pull/424593 | 13:33:13 |
| emily | testing build on Darwin, if someone could get Linux that would be cool | 13:33:24 |
|  Sergei Zimmerman (xokdvium) joined the room. | 14:08:27 |
| Sergei Zimmerman (xokdvium) | Backport bot having issues on emily's PR. Manual backport I've opened at the same time https://github.com/NixOS/nixpkgs/pull/424592.
Will merge when darwin build finishes. | 14:10:48 |
| 14 Jul 2025 |
| Grimmauld (any/all) | * https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
https://nvd.nist.gov/vuln/detail/CVE-2025-6516 | https://github.com/HDFGroup/hdf5/issues/5581
https://nvd.nist.gov/vuln/detail/CVE-2025-6270 | https://github.com/HDFGroup/hdf5/issues/5580
https://nvd.nist.gov/vuln/detail/CVE-2025-6269 | https://github.com/HDFGroup/hdf5/issues/5579
https://nvd.nist.gov/vuln/detail/CVE-2025-7069 | https://github.com/HDFGroup/hdf5/issues/5550
https://nvd.nist.gov/vuln/detail/CVE-2025-7068 | https://github.com/HDFGroup/hdf5/issues/5578
https://nvd.nist.gov/vuln/detail/CVE-2025-7067 | https://github.com/HDFGroup/hdf5/issues/5577
hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, i have my own projects that depend on hdf5 (bachelors thesis) but figured i might as well post these here too. Fix will likely only come out in September.
| 07:07:15 |
