!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

691 Members
Coordination and triage of security issues in nixpkgs
212 Servers



Sender | Message | Time
16 Jul 2025
@me:indeednotjames.com emily | 25.05 is still vulnerable to the zero-day from 2025-06-30 for which electron released https://github.com/electron/electron/releases/tag/v37.2.0 on 2025-07-02. meaning electron_37 on 25.05 is affected by two different chromium zero-days. one zero-day that should have landed two weeks ago and another, the newer one, for which electron upstream has no release yet. just to be clear, 138.0.7204.100, the release and PR you linked to, does not fix the newer zero-day from yesterday. this is a reoccurring pattern with electron in nixpkgs. do you want me to flag electron_37 on 25.05 as vulnerable until you find the time to fix the zero-day from two weeks ago? | 13:14:31
@winston:milli.ng | @winston:milli.ng left the room. | 13:36:59
@leona:leona.is leona | matrix (servers+maybe clients) security update on 2025-07-22 https://matrix.org/blog/2025/07/security-predisclosure/ | 16:16:40
@grimmauld:grapevine.grimmauld.de Grimmauld (migrated to @grimmauld:m.grimmauld.de) | https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.5 More libxml2! YAY.... | 16:40:51
@lennart:0520.ch | lennart joined the room. | 17:23:22
@grimmauld:grapevine.grimmauld.de Grimmauld (migrated to @grimmauld:m.grimmauld.de) | https://github.com/NixOS/nixpkgs/pull/425863 Fixes CVE-2025-49794, CVE-2025-49796, CVE-2025-49795, CVE-2025-6170 Four CVEs this time!! | 18:14:20
@grimmauld:grapevine.grimmauld.de Grimmauld (migrated to @grimmauld:m.grimmauld.de) | * https://github.com/NixOS/nixpkgs/pull/425863 Fixes CVE-2025-49794, CVE-2025-49796, CVE-2025-49795, CVE-2025-6170 Four CVEs this time :) | 18:14:32
@grimmauld:grapevine.grimmauld.de Grimmauld (migrated to @grimmauld:m.grimmauld.de) | Also nodejs: https://github.com/NixOS/nixpkgs/pull/425602 Two CVEs, but the CVE that affects older versions (including our default, 22.x) is windows-only and therefore not super bad for us. | 18:34:23
18 Jul 2025
@ma27:nicht-so.sexy ma27 | grafana xss fixes: https://github.com/NixOS/nixpkgs/pull/426345 | 11:33:04
19 Jul 2025
@jonhermansen:matrix.org jonhermansen | I updated MS Edge, then saw it addresses recent Chromium vuln: https://github.com/NixOS/nixpkgs/pull/426714 | 17:31:42
@jonhermansen:matrix.org jonhermansen | I've never raised any security issue, but I think I have all my ducks in a row. Let me know if not | 17:34:05



Room Version: 6