21 May 2025 |
| oddlama changed their display name from Malte to oddlama. | 17:42:18 |
hexa | https://github.com/NixOS/nixpkgs/pull/409445 | 23:56:59 |
23 May 2025 |
stigo | Red Hat CNA-LR responded yesterday that they will process the issues | 11:04:13 |
Markus Theil | https://openssl-library.org/news/vulnerabilities/#CVE-2025-4575 | 13:18:08 |
Markus Theil | I commented the CVE in https://github.com/NixOS/nixpkgs/pull/397123. | 13:19:24 |
| Alison Jenkins changed their profile picture. | 16:05:41 |
25 May 2025 |
hexa | https://www.openwall.com/lists/oss-security/2025/05/23/2 | 15:50:31 |
hexa | * https://www.openwall.com/lists/oss-security/2025/05/23/2 ghostscript | 15:50:49 |
26 May 2025 |
| ximnoise left the room. | 02:57:15 |
| ximnoise joined the room. | 02:57:30 |
27 May 2025 |
| matrixrooms.info mod bot (does NOT read/send messages and/or invites; used for checking reported rooms) joined the room. | 07:49:31 |
| @irenes:matrix.org left the room. | 09:00:51 |
| mdaniels5757 joined the room. | 23:45:31 |
28 May 2025 |
Morgan (@numinit) | https://www.openwall.com/lists/oss-security/2025/05/28/4
https://curl.se/docs/CVE-2025-4947.html
curl (only wolfssl as a backend though) | 05:53:27 |
vcunat | That seems to be only opt-in in nixpkgs. So a patch can be applied conditionally without any rebuild (and users of it will probably be rare here). | 06:03:22 |
vcunat | Merged, but honestly I don't know what to do about stable nixpkgs. | 09:57:17 |
emily | seems backportable? is there anything breaking I'm missing? | 11:10:30 |
Zhaofeng Li | Is the concern about the new features?
(not sure if replying in a thread will cause notifications - if so, let's move to #security-discuss:nixos.org ) | 15:42:37 |
29 May 2025 |
Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/issues/411881
so uh - do we pick commits into our jq? one of the two doesn't even have a fix commit, and i'd be surprised if the fix for the other actually applies properly... | 09:26:03 |
K900 | What the lol | 09:26:48 |
Grimmauld (any/all) | jq had no release since 2023, but now the second 7.5+ cve | 09:27:21 |
K900 | Has anyone rewritten it in rust yet | 09:27:37 |
Alison Jenkins | https://github.com/MiSawa/xq | 09:28:18 |
Grimmauld (any/all) | https://github.com/yamafaktory/jql not sure how compatible it is though also #security-discuss:nixos.org if we'll discuss that | 09:28:34 |
Morgan (@numinit) | Kea has a few https://www.openwall.com/lists/oss-security/2025/05/28/7 | 16:26:42 |
Morgan (@numinit) | Also https://www.openwall.com/lists/oss-security/2025/05/27/2
Heap buffer overflow in GNU Coreutils sort that's been there since version 7.2 (we're on 9.7, and apparently it's still there) | 16:28:58 |
Grimmauld (any/all) | seems simple enough to update, but why are we on 2.6.x if there exists 2.7x? | 16:29:23 |
Grimmauld (any/all) | * seems simple enough to update, but why are we on 2.6.x if there exists 2.7.x? | 16:29:27 |
Morgan (@numinit) | not sure | 16:29:52 |
Arian | https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
https://github.com/systemd/systemd/releases/tag/v257.6 | 17:28:46 |