
NixOS Security Triage

Coordination and triage of security issues in nixpkgs

18 Aug 2024
[07:45:32] getchoo: https://github.com/advisories/GHSA-w3h3-4rj7-4ph4 fixed in https://github.com/NixOS/nixpkgs/pull/334522
[08:58:14] hexa: [image.png]
[08:58:24] hexa: [image.png]
[08:58:33] hexa: I think we're good 😄
[08:59:43] getchoo: Ah yeah, you're right. I just thought it was fixed this release since for some reason upstream included it in the newer changelog as well lol
19 Aug 2024
[08:00:08] vcunat: nixos-unstable channel blocked due to applying security patches: https://github.com/NixOS/nixpkgs/pull/334899#issuecomment-2295912602
[08:04:56] Alyssa Ross: Looking.
[08:07:20] vcunat: The channel has been unlucky with blockers, and thus it's on a 5 days old commit already.
[08:26:56] Alyssa Ross: I can't get this test to pass locally even on the last commit Hydra built it on.
[08:31:14] vcunat (edited): Some that passed locally now hang for me when --rebuild on the same machine. Not easy to just bisect. Anyway, this channel most likely isn't a good place for the topic now. I'm sorry.
20 Aug 2024
[13:22:49] teutat3s: https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm https://github.com/NixOS/nixpkgs/pull/336058
[13:46:07] emily: aha, knownVulnerabilities was just prescience! (taking a look and will merge after confirming aarch64-linux build)
22 Aug 2024
[13:08:28] Jassuko: Previously semi-concerning FFmpeg CVEs seem to now have POC RCE published. Probably worth bumping the versions to the safe side rather soon. https://securityonline.info/cve-2024-7272-critical-heap-overflow-vulnerability-discovered-in-ffmpeg-poc-published/
[13:09:29] hexa: emily maybe?
[13:36:10] emily: I think we have all the versions up to date
[13:36:14] emily: at least in staging 🫠
[13:36:24] emily: I'll check…
[13:37:10] emily: urgh this blogspam, where's the actual upstream announcement
[13:37:30] emily: okay so FFmpeg 4 is actually known vulnerable now??
[13:38:59] Jassuko: Sorry, didn't find proper announcement, just the new releases on the release page: https://ffmpeg.org/download.html#releases
[13:41:20] emily: ok, so https://github.com/NixOS/nixpkgs/pull/333021 is waiting for staging
[13:41:31] emily: we're on the latest 4 but the CVE says "A vulnerability, which was classified as critical, was found in FFmpeg up to 5.1.5"
[13:41:49] emily: so there's no patch for 4?
