| 29 Sep 2023 |
| @openssl_rand:projectsegfau.lt left the room. | 02:04:43 |
hexa | In reply to @hexa:lossy.network libvpx https://www.openwall.com/lists/oss-security/2023/09/28/5 fixed on master/release-23.05, will be part of the next channel bumps, but we still need to take care of all the vendored instances. effort similar to libwebp coordinated in #security-discuss:nixos.org | 13:50:51 |
| @lotte:chir.rs changed their profile picture. | 17:14:59 |
| 30 Sep 2023 |
felschr | https://github.com/NixOS/nixpkgs/pull/258137 https://github.com/NixOS/nixpkgs/pull/258138 | 05:28:11 |
| cafkafk changed their profile picture. | 15:56:10 |
hexa | exim https://lwn.net/Articles/946004/ ajs124 | 21:54:28 |
hexa | "Fixes are available in a protected repository and are ready to be applied by the distribution maintainers" | 21:55:09 |
hexa | 👏 | 21:55:23 |
tomberek | i misread that as "exif" at first and thought, oh no.. here we go | 21:55:28 |
hexa | haha, please no more audio/video/image format vulnerabilities this year 😄 | 21:55:46 |
| * raitobezarius gets the libFuzzer out of the pocket and runs it on libcaca | 21:56:06 |
hexa | In reply to @hexa:lossy.network haha, please no more audio/video/image format vulnerabilities this year 😄 https://github.com/NixOS/nixpkgs/pull/258295 | 23:16:55 |
| 1 Oct 2023 |
vcunat | In reply to @hexa:lossy.network https://github.com/NixOS/nixpkgs/pull/258295 Wait, yet another libvpx CVE in a few days? | 05:20:49 |
vcunat | I mean, I'm in particular interested if the PR is urgent or could be staged instead, as doing those rebuilds again (on 2-3 branches) isn't cheap and it will slow down the staging-next* cycles - which also contain (milder) security fixes. | 05:27:13 |
vcunat | It is a different bug, but when public descriptions say only "crash", I can't tell severity at a glance (and no CVSS yet). | 05:38:49 |
vcunat | I really hate when importance is not stated and bug report links are private, so what one could do is only analyze the commit. Sure, no need to publish how to exploit it, but if you don't indicate severity... | 05:51:17 |
vcunat | * Maybe just wait, e.g. Firefox only released for the previous bug (VP8, not VP9 yet)
EDIT: now I noticed the topic on #security-discuss:nixos.org but even there these questions aren't answered yet.
| 06:23:22 |
| @errornointernet:envs.net joined the room. | 08:32:35 |
| Mikael Fangel joined the room. | 09:31:50 |
| 2 Oct 2023 |
ajs124 | https://github.com/NixOS/nixpkgs/pull/258581
haven't tested much, but will do so now. if I don't draft it in the next hour or so, this can probably be merged. | 13:25:15 |
| ·☽•Nameless☆•777 · ± changed their profile picture. | 15:49:55 |
| ·☽•Nameless☆•777 · ± changed their profile picture. | 15:56:16 |
| 3 Oct 2023 |
Domen Kožar | https://twitter.com/bagder/status/1709103920914526525 | 14:14:43 |