| 28 Jun 2025 |
 Grimmauld (any/all) | https://github.com/advisories/GHSA-c2mm-9c32-xc37
https://github.com/NixOS/nixpkgs/pull/413267
cc primeos | 15:08:20 |
| Grimmauld (any/all) | according to repology, perl also has an update for security, though i am too unfamiliar with our perl to judge whether we already patched it or not | 15:18:33 |
 tgerbet | Yep it is, was done in https://github.com/NixOS/nixpkgs/pull/398359 | 15:21:20 |
 stigo | nixpkgs was one of the first distros to get patched, and our security team has been added to the pre-release disclosure list for perl-security since then | 17:11:55 |
| 30 Jun 2025 |
| Grimmauld (any/all) | libxml2 (cc Jan Tojnar i guess...):
https://github.com/NixOS/nixpkgs/pull/418280
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.4
https://access.redhat.com/security/cve/CVE-2025-6021 | 09:10:26 |
| Grimmauld (any/all) | * libxml2 (cc Jan Tojnar i guess...):
https://github.com/NixOS/nixpkgs/pull/418280
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.4
https://access.redhat.com/security/cve/CVE-2025-6021
(apparently our bump to tip-of-branch got lucky and includes the cve fix, oh well) | 09:16:24 |
 bwlf | https://www.openwall.com/lists/oss-security/2025/06/30/3 https://www.openwall.com/lists/oss-security/2025/06/30/2
| 16:32:22 |
|  dan_nrw changed their profile picture. | 17:16:27 |
| dan_nrw changed their profile picture. | 17:17:27 |
| tgerbet | https://github.com/NixOS/nixpkgs/pull/421314 | 19:31:01 |
 h0nig2k | python setuptools CVE 7.7 (only 25.05): https://github.com/NixOS/nixpkgs/pull/421343 | 21:18:40 |
| h0nig2k | * python setuptools CVE 7.7 (only 25.05): https://github.com/NixOS/nixpkgs/pull/421350 | 21:48:50 |
| 1 Jul 2025 |
|  djacu joined the room. | 03:29:06 |
| djacu | Hey Security Team
In case you haven't seen the recent post on discourse, the Marketing Team is preparing this year's community survey. I am reaching out to teams to see if there are any questions they would like to add to the survey to better serve the work you all do. More details in the post linked below.
https://discourse.nixos.org/t/community-feedback-requested-2025-nix-community-survey-planning/66155 | 03:29:17 |
|  Pratham Patel changed their display name from Pratham Patel (you can mention me) to Pratham Patel. | 05:10:22 |
 hexa | https://openssl-library.org/news/secadv/20250522.txt Markus Theil | 12:17:09 |
 Markus Theil | Thx for the hint. Will add a PR this evening. | 13:57:22 |
| Markus Theil | All mentioned CVEs are also fixed in the PR for 3.5.0 already merged to staging. Currently used version 3.4.x are not affected. | 13:58:26 |
 SigmaSquadron | XSA #470: https://github.com/NixOS/nixpkgs/pull/421514 | 14:19:12 |
| SigmaSquadron | * XSA #470: https://github.com/NixOS/nixpkgs/pull/421514 | 14:19:50 |
 emily | on it. does it need backporting? | 14:39:36 |
|  zororg joined the room. | 14:55:33 |
| Markus Theil | https://github.com/NixOS/nixpkgs/pull/421531 is still compiling on my side. Will ping here, when ready and some smoke tests are done. | 15:33:21 |
| SigmaSquadron | In reply to @emilazy:matrix.org
on it. does it need backporting? yep, forgot the label, sorry. | 15:57:16 |
|  Damian Poddebniak joined the room. | 20:54:51 |
| 2 Jul 2025 |
| Markus Theil | OpenSSL is ready. Update for 25.05 in https://github.com/NixOS/nixpkgs/pull/421735 | 09:43:52 |
| 4 Jul 2025 |
| Grimmauld (any/all) | https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, i have my own projects that depend on hdf5 (bachelors thesis) but figured i might as well post these here too. Fix will likely only come out in September.
| 07:53:03 |
| Grimmauld (any/all) | * https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
https://nvd.nist.gov/vuln/detail/CVE-2025-6516 | https://github.com/HDFGroup/hdf5/issues/5581
hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, i have my own projects that depend on hdf5 (bachelors thesis) but figured i might as well post these here too. Fix will likely only come out in September.
| 07:54:17 |
| Grimmauld (any/all) | * https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
https://nvd.nist.gov/vuln/detail/CVE-2025-6516 | https://github.com/HDFGroup/hdf5/issues/5581
https://nvd.nist.gov/vuln/detail/CVE-2025-6270 | https://github.com/HDFGroup/hdf5/issues/5580
https://nvd.nist.gov/vuln/detail/CVE-2025-6269 | https://nvd.nist.gov/vuln/detail/CVE-2025-6269
hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, i have my own projects that depend on hdf5 (bachelors thesis) but figured i might as well post these here too. Fix will likely only come out in September.
| 07:55:50 |
| Grimmauld (any/all) | there might well be more, seems some new people started actually fuzzing that lib. There is POCs and all, but assigned severity is all somewhat low. Still safe to say the next release is security-relevant | 07:57:13 |
