!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

635 Members
Coordination and triage of security issues in nixpkgs | Discussions in #security-discuss:nixos.org | Open PRs: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc+label%3A%221.severity%3A+security%22
200 Servers

Sender | Message | Time
30 May 2025
@bytebandit:tac.lol | DerivationDingus changed their profile picture. | 19:55:16
31 May 2025
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all) | https://github.com/jqlang/jq/issues/3327#issuecomment-2924552289 So uh - do we discard builds for this? Or do we fix that next cycle? | 07:15:02
@k900:0upti.me K900 | We barely have builds | 07:17:19
@k900:0upti.me K900 | Send it | 07:17:20
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all) | I mean, it's bootstrap, soo..... | 07:29:11
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all) | but will do | 07:29:19
@grimmauld:grapevine.grimmauld.de Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/pull/412590 | 07:37:21
@fhluit87:freiburg.social | fhluit87 joined the room. | 12:53:13
2 Jun 2025
@bweeks:matrix.org | @bweeks:matrix.org left the room. | 06:01:47
3 Jun 2025
@hexa:lossy.network hexa | https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 @ma27 https://github.com/NixOS/nixpkgs/pull/412940 | 01:11:03
@ma27:nicht-so.sexy ma27 | expect a merge today. sorry, was traveling last weekend and it didn't fit yesterday. | 05:13:17
@yadov3k:matrix.org | yadov3k joined the room. | 12:12:31
@themadbit:matrix.org | themadbit joined the room. | 18:26:39
@numinit:matrix.org Morgan (@numinit) | Samba https://www.samba.org/samba/security/CVE-2025-0620.html | 20:02:40
@numinit:matrix.org Morgan (@numinit) | Seems to only apply to 4.21, though. So we may be fine? | 20:04:44
4 Jun 2025
@teutat3s:pub.solar teutat3s | New electron releases with fixes for CVE-2025-5419 are available, I'll get to creating a PR later today. | 13:13:22
@hexa:lossy.network hexa | https://curl.se/docs/CVE-2025-5399.html 8.14.1 | 14:07:26
@hexa:lossy.network hexa | * https://curl.se/docs/CVE-2025-5399.html 8.14.1 Scrumplex | 14:07:33
@scrumplex:duckhub.io Scrumplex | https://github.com/NixOS/nixpkgs/pull/413896 | 14:08:13
@hexa:lossy.network hexa | are you preparing patches for 25.05 and 24.11? | 14:09:55
@scrumplex:duckhub.io Scrumplex | Backports should work for both releases, if I am not mistaken | 14:31:04
@scrumplex:duckhub.io Scrumplex | 24.11 is a little behind actually. We would need a manual patch there | 14:31:36
@teutat3s:pub.solar teutat3s | https://github.com/NixOS/nixpkgs/pull/413995 | 17:53:16
@hexa:lossy.network hexa | curl updates are imo risky and introduce regressions every now and then | 18:03:25
@hexa:lossy.network hexa | 23.11 looked like this | 18:04:13
@hexa:lossy.network hexa |
  patches = [
    # fix ipv6 autodetect compile error in configure script
    # remove once https://github.com/curl/curl/pull/12607 released (8.6.0)
    ./configure-ipv6-autodetect.diff
    # https://curl.se/docs/CVE-2023-46219.html
    ./0001-CVE-2023-42619.patch
    # https://curl.se/docs/CVE-2023-46218.html
    ./0002-CVE-2023-42618.patch
    # https://curl.se/docs/CVE-2024-2398.html
    ./0003-CVE-2024-2398.patch
    # https://curl.se/docs/CVE-2024-2004.html
    ./0004-CVE-2024-2004.patch
  ];
| 18:04:18
@hexa:lossy.network hexa | frankly not sure why that practice changed | 18:04:36
@hedgemage:unredacted.org | HedgeMage joined the room. | 19:26:55
5 Jun 2025
@h0nig2k:matrix.org | h0nig2k joined the room. | 07:36:47
@h0nig2k:matrix.org h0nig2k | Hi, is there any planned triage for https://www.cve.org/CVERecord?id=CVE-2025-4517 - python with CVE 9,4? | 07:40:52

Room Version: 6