| 20 Aug 2024 |
|  @a12l:matrix.org left the room. | 12:45:09 |
 teutat3s | https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm
https://github.com/NixOS/nixpkgs/pull/336058 | 13:22:49 |
 emily | aha, knownVulnerabilities was just prescience! (taking a look and will merge after confirming aarch64-linux build) | 13:46:07 |
|  ⛧-440729 [sophie raven] (it/its) changed their display name from sophie to ⛧-440729 [sophie] (it/its). | 20:59:39 |
| 22 Aug 2024 |
|  Jared Baur set a profile picture. | 02:07:15 |
 Jassuko | Previously semi-concerning FFmpeg CVEs seem to now have POC RCE published. Probably worth bumping the versions to the safe side rather soon.
https://securityonline.info/cve-2024-7272-critical-heap-overflow-vulnerability-discovered-in-ffmpeg-poc-published/
CVE-2024-7272: Critical Heap Overflow Vulnerability Discovered in FFmpeg, PoC Published | 13:08:28 |
 hexa | emily maybe? | 13:09:29 |
| emily | I think we have all the versions up to date | 13:36:10 |
| emily | at least in staging 🫠 | 13:36:14 |
| emily | I'll check… | 13:36:24 |
| emily | urgh this blogspam, where's the actual upstream announcement | 13:37:10 |
| emily | okay so FFmpeg 4 is actually known vulnerable now?? | 13:37:30 |
| Jassuko | Sorry, didn't find proper announcement, just the new releases on the release page: https://ffmpeg.org/download.html#releases | 13:38:59 |
| emily | ok, so https://github.com/NixOS/nixpkgs/pull/333021 is waiting for staging | 13:41:20 |
| emily | we're on the latest 4 but the CVE says "A vulnerability, which was classified as critical, was found in FFmpeg up to 5.1.5" | 13:41:31 |
| emily | so there's no patch for 4? | 13:41:49 |
| emily | let's see if we can backport the commit. anyway, taking this to #security-discuss:nixos.org I guess | 13:42:09 |
|  nyanbinary 🏳️⚧️ left the room. | 17:19:37 |
 tgerbet | networkException: https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html | 20:53:38 |
| hexa | networkException, emily | 20:55:46 |
| hexa | bah, too slow | 20:56:00 |
| hexa | excuse me | 20:56:07 |
 networkException | we already have a build running | 20:56:21 |
| hexa | enjoy | 20:56:30 |
| 24 Aug 2024 |
|  cafkafk changed their profile picture. | 07:02:16 |
|  @adbjesus:matrix.org left the room. | 15:53:46 |
| 25 Aug 2024 |
 ris_ | https://github.com/NixOS/nixpkgs/pull/274965 | 17:21:31 |
| 27 Aug 2024 |
 Markus Theil | New OpenSSL versions incoming in September. Fixes unclear.
The OpenSSL project team would like to announce the upcoming release of
OpenSSL versions 3.3.2, 3.2.3, 3.1.7 and 3.0.15.
These are security-fix releases. The highest severity issue fixed in
each of these four releases is Moderate:
https://openssl-library.org/policies/general/security-policy/
We will be also releasing extended support OpenSSL versions
1.1.1za and 1.0.2zk which will be available to premium support
customers.
These are also security-fix releases. The highest severity issue fixed
in each of these two releases is Low:
https://openssl-library.org/policies/general/security-policy/
These releases will be made available on Tuesday 3rd September 2024
between 1300-1700 UTC.
Yours
The OpenSSL Project Team
| 19:00:37 |
| ris_ | lots of fun presents in the security review queue | 20:22:00 |
| 28 Aug 2024 |
|  Kerstin (she/her) changed their display name from kerstin to Kerstin (she/her). | 13:21:37 |
