| 1 Jul 2024 |
 K900 | If no one snipes | 08:41:53 |
| K900 | In reply to @emilazy:matrix.org
I'm building already & can do the PR but I don't know if there's specific procedure around assigning an advisory or whatever No, just send it | 08:41:57 |
| K900 | And mention the CVE in the description | 08:42:04 |
 emily | alright, I'm on it | 08:42:17 |
 Alyssa Ross | Is there even a CVE? | 08:42:52 |
| emily | seems like there's not actually a CVE | 08:42:54 |
| Alyssa Ross | release notes don't mention one | 08:42:57 |
| emily | but I'll mention it | 08:42:57 |
| Alyssa Ross | ugh | 08:42:58 |
| emily | did they even give any prior notice of this? | 08:44:09 |
 tgerbet | No it looks like it was reported by Qualys, they likely will publish an advisory later today I guess | 08:44:47 |
 ari ❄ | gentoo patch mentions CVE-2024-6387 https://github.com/gentoo/gentoo/commit/083d7d12832b91073f5cac94df2ba067495857a7 | 08:45:41 |
| emily | https://github.com/NixOS/nixpkgs/pull/323753 | 08:45:45 |
| emily | In reply to @ar:is-a.cat
gentoo patch mentions CVE-2024-6387 https://github.com/gentoo/gentoo/commit/083d7d12832b91073f5cac94df2ba067495857a7 thanks, I'll add that | 08:45:55 |
| emily | can someone check the build on linux if ofborg doesn't get to it first? | 08:48:18 |
| Alyssa Ross | already on it | 08:48:23 |
| emily | don't have my VM up right now | 08:48:24 |
| Alyssa Ross | 23.11 is EOL as of yesterday btw | 08:48:25 |
| emily | I figured we might as well throw people a bone when it's a root RCE | 08:48:43 |
| emily | I was considering backporting to 23.05, even | 08:48:47 |
| Alyssa Ross | yeah fair enough | 08:48:49 |
| Alyssa Ross | I've had RMs yell at me for backporting too far before, to avoid giving a false sense of security to users on ancient releases, so I wouldn't do 23.05. | 08:49:17 |
| Alyssa Ross | but it's probably still 30 June somewhere in the world :P | 08:49:41 |
| emily | not every day you get a bug this bad in a package this ubiquitous. but I'll let someone else decide to 23.05 if they feel like it then | 08:50:20 |
| tgerbet | 23.11 seems fair, 23.05 I would not bother | 08:51:34 |
| emily | macOS build is on checkPhase, can probably just merge when that finishes and the NixOS test passes | 08:53:45 |
| emily | yeah it finished | 08:53:50 |
| Alyssa Ross | I'm 14 minutes into checkPhase on aarch64-linux | 08:54:21 |
| Alyssa Ross | * 14 minutes into the build | 08:54:42 |
| emily | do we care about waiting for Gentoo's fix backport for stable or should we just do the major bump? | 08:56:03 |
