| 22 Aug 2024 |
Jassuko | Previously semi-concerning FFmpeg CVEs seem to now have POC RCE published. Probably worth bumping the versions to the safe side rather soon.
https://securityonline.info/cve-2024-7272-critical-heap-overflow-vulnerability-discovered-in-ffmpeg-poc-published/
CVE-2024-7272: Critical Heap Overflow Vulnerability Discovered in FFmpeg, PoC Published | 13:08:28 |
hexa | emily maybe? | 13:09:29 |
emily | I think we have all the versions up to date | 13:36:10 |
emily | at least in staging 🫠 | 13:36:14 |
emily | I'll check… | 13:36:24 |
emily | urgh this blogspam, where's the actual upstream announcement | 13:37:10 |
emily | okay so FFmpeg 4 is actually known vulnerable now?? | 13:37:30 |
Jassuko | Sorry, didn't find a proper announcement, just the new releases on the release page: https://ffmpeg.org/download.html#releases | 13:38:59 |
emily | ok, so https://github.com/NixOS/nixpkgs/pull/333021 is waiting for staging | 13:41:20 |
emily | we're on the latest 4 but the CVE says "A vulnerability, which was classified as critical, was found in FFmpeg up to 5.1.5" | 13:41:31 |
emily | so there's no patch for 4? | 13:41:49 |
emily | let's see if we can backport the commit. anyway, taking this to #security-discuss:nixos.org I guess | 13:42:09 |
| nyanbinary 🏳️⚧️ left the room. | 17:19:37 |
tgerbet | networkException: https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html | 20:53:38 |
hexa | networkException, emily | 20:55:46 |
hexa | bah, too slow | 20:56:00 |
hexa | excuse me | 20:56:07 |
networkException | we already have a build running | 20:56:21 |
hexa | enjoy | 20:56:30 |
| 24 Aug 2024 |
| cafkafk changed their profile picture. | 07:02:16 |
| @adbjesus:matrix.org left the room. | 15:53:46 |
| 25 Aug 2024 |
ris_ | https://github.com/NixOS/nixpkgs/pull/274965 | 17:21:31 |
| 27 Aug 2024 |
Markus Theil | New OpenSSL versions incoming in September. Fixes unclear.
The OpenSSL project team would like to announce the upcoming release of
OpenSSL versions 3.3.2, 3.2.3, 3.1.7 and 3.0.15.
These are security-fix releases. The highest severity issue fixed in
each of these four releases is Moderate:
https://openssl-library.org/policies/general/security-policy/
We will be also releasing extended support OpenSSL versions
1.1.1za and 1.0.2zk which will be available to premium support
customers.
These are also security-fix releases. The highest severity issue fixed
in each of these two releases is Low:
https://openssl-library.org/policies/general/security-policy/
These releases will be made available on Tuesday 3rd September 2024
between 1300-1700 UTC.
Yours
The OpenSSL Project Team
| 19:00:37 |
ris_ | lots of fun presents in the security review queue | 20:22:00 |
| 28 Aug 2024 |
| Kerstin (she/her) changed their display name from kerstin to Kerstin (she/her). | 13:21:37 |
| 1 Sep 2024 |
| @zzantares:matrix.org removed their display name Hamlet'sPiedPlumber. | 19:19:29 |
| @zzantares:matrix.org left the room. | 19:19:50 |
| 2 Sep 2024 |
Sandro | https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.0
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p | 15:02:03 |
| 3 Sep 2024 |
Markus Theil | OpenSSL released today: https://github.com/openssl/openssl/blob/openssl-3.3/CHANGES.md#changes-between-331-and-332-3-sep-2024 | 18:45:49 |
Markus Theil | I'll probably open a PR with some more cleanups tomorrow (e.g. OpenSSL now only uses GitHub Releases). | 18:46:17 |