!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

685 Members, 214 Servers
Topic: Coordination and triage of security issues in nixpkgs

16 Oct 2025
[18:49:33] j-k (@j-k:matrix.org): Bump + maintenance, resolves a moderate https://github.com/NixOS/nixpkgs/pull/452678 https://github.com/in-toto/go-witness/security/advisories/GHSA-72c7-4g63-hpw5
[18:54:23] SpiralP (@spiralp:matrix.org) left the room.
[18:55:06] SpiralP (@spiralp:matrix.org) joined the room.
18 Oct 2025
[10:23:21] kevincox (@kevincox:matrix.org) left the room.
[20:59:30] Mic92 (@joerg:thalheim.io): https://github.com/NixOS/nixpkgs/pull/452376 libgit
[21:08:32] Grimmauld (any/all) (@grimmauld:grapevine.grimmauld.de) (edited):

binutils 2.45 has a few CVEs, though as we are still on 2.44 it is unclear (to me) whether we are affected (likely the answer is yes, but I didn't go look).
Patches seem to exist, though; not sure whether they apply on a 2.44 base.

https://nvd.nist.gov/vuln/detail/CVE-2025-11412
https://nvd.nist.gov/vuln/detail/CVE-2025-11413
https://nvd.nist.gov/vuln/detail/CVE-2025-11414
https://nvd.nist.gov/vuln/detail/CVE-2025-11494
https://nvd.nist.gov/vuln/detail/CVE-2025-11495

cc John Ericson I guess
19 Oct 2025
[07:01:15] vcunat (@vcunat:matrix.org) (edited): binutils: no new updates in the branch, so far: https://sourceware.org/git/?p=binutils-gdb.git;a=shortlog;h=refs/heads/binutils-2_44-branch
[10:31:21] K900 (@k900:0upti.me): We merged some backports for this
[10:31:23] K900 (@k900:0upti.me): Not sure if all
[15:46:56] azahi (@azahi:azahi.cc) left the room.
[19:54:25] azahi (@azahi:azahi.cc) joined the room.
20 Oct 2025
[08:34:02] Felix Schröter (@felix.schroeter:scs.ems.host) changed their display name from Felix Schröter to Felix Schröter (🌄 27.10. – 09.11.).
21 Oct 2025
[21:00:18] dotlambda (@robert:funklause.de): https://github.com/NixOS/nixpkgs/pull/454346
[21:10:27] dotlambda (@robert:funklause.de):

> I don't want people to use this library in production environments...
>
> It's a teaching tool, it's a testing tool, it's absolutely not a production grade implementation.
> I maintain it to have support for ECDH and ECDSA in tlsfuzzer, which I need to be first and foremost portable. Security does not even enter the picture for that tool.
>
> If you need an enterprise grade implementation you should use pyca/cryptography.

https://github.com/tlsfuzzer/python-ecdsa/issues/330

[21:21:55] emily (@emilazy:matrix.org): are the users actually using it in security-sensitive contexts or is it just test/fuzzer stuff?
[21:25:51] dotlambda (@robert:funklause.de): Lots of crypto coin-related packages seem to use it, I assume that's security-sensitive. Also duplicity, a backup tool. I'm currently looking at how home-assistant is using it
[21:28:47] niklaskorz (@niklaskorz:matrix.org): home-assistant project chip only seems to use it for testing indeed
[21:34:10] dotlambda (@robert:funklause.de), in reply to niklaskorz ("home-assistant project chip only seems to use it for testing indeed"):
You're sure about that?
https://matrix.to/#/!TMHsziEPKwNiZHIoRO:lossy.network/$e12yLxQo1zTojp77HVo2qnv_CpXQaP-PRSndOSHpo3Q?via=nixos.dev
[22:17:52] dish [Fox/It/She] (@pyrox:pyrox.dev): of course it's crypto coins >.> can never trust those projects to do anything right
[23:02:04] hexa (@hexa:lossy.network): 👉️ #security-discuss:nixos.org
22 Oct 2025
[02:02:25] dotlambda (@robert:funklause.de): https://github.com/NixOS/nixpkgs/pull/454303
[16:14:45] hexa (@hexa:lossy.network): https://seclists.org/oss-sec/2025/q4/68 bind9
23 Oct 2025
[08:55:38] ramblurr (@ramblurr:outskirtslabs.com) joined the room.
[16:13:55] hexa (@hexa:lossy.network) (edited): https://www.openwall.com/lists/oss-security/2025/10/23/1 pdns-recursor
24 Oct 2025
[06:10:51] ⛧-440729 [sophie raven] (it/its) (@sophie:catgirl.cloud) changed their display name from ⛧-440729 [sophie] (it/its) to ⛧-440729 [sophie raven] (it/its).
[10:26:42] hexa (@hexa:lossy.network): https://nvd.nist.gov/vuln/detail/CVE-2025-62813 lz4

Room Version: 6