27 May 2025 |
28 May 2025 |
Morgan (@numinit) | https://www.openwall.com/lists/oss-security/2025/05/28/4
https://curl.se/docs/CVE-2025-4947.html
curl (only wolfssl as a backend though) | 05:53:27 |
vcunat | That seems to be only opt-in in nixpkgs. So a patch can be applied conditionally without any rebuild (and users of it will probably be rare here). | 06:03:22 |
vcunat | Merged, but honestly I don't know what to do about stable nixpkgs. | 09:57:17 |
emily | seems backportable? is there anything breaking I'm missing? | 11:10:30 |
Zhaofeng Li | Is the concern about the new features?
(not sure if replying in a thread will cause notifications - if so, let's move to #security-discuss:nixos.org )
| 15:42:37 |
29 May 2025 |
Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/issues/411881
so uh - do we pick commits into our jq? one of the two doesn't even have a fix commit, and i'd be surprised if the fix for the other actually applies properly... | 09:26:03 |
K900 | What the lol | 09:26:48 |
Grimmauld (any/all) | jq had no release since 2023, but now the second 7.5+ cve | 09:27:21 |
K900 | Has anyone rewritten it in rust yet | 09:27:37 |
Alison Jenkins | https://github.com/MiSawa/xq | 09:28:18 |
Grimmauld (any/all) | https://github.com/yamafaktory/jql not sure how compatible it is though also #security-discuss:nixos.org if we'll discuss that | 09:28:34 |
Morgan (@numinit) | Kea has a few https://www.openwall.com/lists/oss-security/2025/05/28/7 | 16:26:42 |
Morgan (@numinit) | Also https://www.openwall.com/lists/oss-security/2025/05/27/2
Heap buffer overflow in GNU Coreutils sort that's been there since version 7.2 (we're on 9.7, and apparently it's still there) | 16:28:58 |
Grimmauld (any/all) | seems simple enough to update, but why are we on 2.6.x if there exists 2.7.x? | 16:29:27 |
Morgan (@numinit) | not sure | 16:29:52 |
Arian | https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
https://github.com/systemd/systemd/releases/tag/v257.6
| 17:28:46 |
hexa | because only even minor versions are stable | 17:33:38 |
hexa | and the update is not straightforward | 17:33:43 |
hexa | https://github.com/NixOS/nixpkgs/pull/411875 | 17:34:06 |
Grimmauld (any/all) | uh oh, didn't realize the module needed changing to allow clean updates... Indeed, not straightforward, and thanks for explaining :) | 17:35:53 |
Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/pull/412147 I was already poking systemd for udev stuff earlier today, have the bump PR :)
I did not try to repro the vuln to see if it is truly fixed now.
| 18:44:10 |
30 May 2025 |
stigo | https://github.com/NixOS/nixpkgs/pull/412233 (considered to be low-medium severity) | 03:39:03 |
leona | what about backports? just apply to 25.05 and 24.11? | 09:06:59 |
stigo | In reply to @leona:leona.is ("what about backports? just apply to 25.05 and 24.11?"): Yeah, should work fine | 09:58:12 |
Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/pull/412367
It has been done. Was an absolute pain to make these patches apply properly; I think I didn't horribly butcher anything - review appreciated.
| 14:47:23 |