| 14 Aug 2025 |
 Grimmauld (any/all) | * GStreamer:
https://nvd.nist.gov/vuln/detail/CVE-2025-47807
https://nvd.nist.gov/vuln/detail/CVE-2025-47806
https://nvd.nist.gov/vuln/detail/CVE-2025-47219
https://nvd.nist.gov/vuln/detail/CVE-2025-47183
https://nvd.nist.gov/vuln/detail/CVE-2025-47808
https://github.com/NixOS/nixpkgs/pull/420649
(was already merged, but still putting this here for documentations sake) | 19:42:42 |
 Lun | https://github.com/NixOS/nixpkgs/pull/433769 | 22:45:10 |
| 15 Aug 2025 |
|  @flipperskip:matrix.org left the room. | 04:11:40 |
|  sorrel joined the room. | 09:52:27 |
| 16 Aug 2025 |
| Grimmauld (any/all) | ImageMagick:
CVE-2025-55005: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v393-38qx-v8fp
CVE-2025-55004: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cjc8-g9w8-chfw
CVE-2025-55160: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x
https://github.com/NixOS/nixpkgs/pull/433249 | 13:01:19 |
|  17lifers (Ryan) joined the room. | 21:34:16 |
| 17 Aug 2025 |
|  @maridonkers:matrix.org left the room. | 19:07:13 |
| 22 Aug 2025 |
|  June joined the room. | 02:57:43 |
|  @julian:nekover.se left the room. | 03:09:18 |
 leona | valkey security release https://github.com/valkey-io/valkey/releases/tag/8.0.5 | 15:00:50 |
| leona | as far as i see only affects 25.05. https://github.com/NixOS/nixpkgs/pull/435905 | 15:06:30 |
|  elikoga changed their profile picture. | 17:28:13 |
|  odoom joined the room. | 21:33:14 |
| 24 Aug 2025 |
|  Honnip joined the room. | 13:29:06 |
| 25 Aug 2025 |
 lennart | hej, could someone who is allowed to delete Issues in NixOS/nixpkgs write me directly? I found a vulnerability in a software, made an issue in nixpkgs which partly was about that vuln. upstream asks to please delete the ticket. | 09:31:16 |
| lennart | my fuckupā¦ | 09:31:33 |
| lennart | already wrote hexa, I guess he's sleeping or busy :) https://github.com/orgs/NixOS/people/security_managers | 09:33:22 |
| lennart | lassulus did the dead, thanks | 09:35:17 |
 SigmaSquadron | we should consider that security vulnerability leaked to the public already, as there may be an archive of the deleted issue. | 09:49:01 |
| SigmaSquadron | * | 09:49:15 |
 tgerbet | Upstream should consider the issue public. Information is likely still accessible in GitHub events
Full disclosure is better than half disclosed (and apparently the tendency these days is to publish emboarged issues on public ML š« ) | 10:27:45 |
| lennart | It's not related to nixpkgs, only upstream. | 10:28:01 |
| lennart | I see your point, but it'd let upstream cover and decide on that. | 10:28:27 |
| lennart | Nonetheless, they'll apply for an CVE number :b | 10:28:38 |
 raitobezarius | If upstream doesn't do full disclosure, this is a very bad look on them for what seems to be a minor issue. | 10:28:56 |
| lennart | What do you mean by half and full disclosure? Lets move to the discussion channel? | 10:29:44 |
| 27 Aug 2025 |
|  martijn joined the room. | 13:58:51 |
| 28 Aug 2025 |
 hexa | https://github.com/storaged-project/udisks/security/advisories/GHSA-742q-gggc-473g udisks Jan Tojnar | 20:55:32 |
