| 15 Jun 2024 |
bedridden | https://github.com/NixOS/nixpkgs/pull/320093
current bootstrap tools for darwin seem to ship with an old version of curl (and was updated 2 months ago), affected by https://www.tenable.com/plugins/nessus/182874
I suppose this change should first go into staging and then be backported to the other staging-<version> branches... is this correct? (first contribution, so apologies if I am in the wrong place!) | 21:34:17 |
hexa | can you poke #macos:nixos.org? | 21:35:09 |
| 16 Jun 2024 |
vcunat | Isn't that affecting only if you use the libcurl as a SOCKS5 proxy? (server side) Or am I reading it wrong? | 06:10:00 |
bedridden | I believe so, but I am no security expert. https://www.tenable.com/cve/CVE-2023-38545 has references to a few different updates (even ones from Apple updating the curl version), so it seems rather important. | 09:58:11 |
bedridden | That said, I was told in #macos:nixos.org that this issue doesn't affect nixos-24.05 (which I also verified and seems to be the case), so it might be an issue only on nixos-23.11 darwin (haven't yet verified this one). | 09:59:28 |
ilex | https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-4 | 13:07:30 |
hexa | @emily | 13:26:27 |
emily | ? | 13:26:53 |
hexa | Forgejo | 13:27:52 |
emily | already in nixos-unstable-small and nixos-24.05-small. so what is left to do besides marking forgejo as insecure in 23.11?
(though it can be argued over if that CVE is actually all that bad)
| 13:29:50 |
adamcstephens | they did cut a 1.21 release too, but marking as insecure in 23.11 is fine with me :) | 13:33:10 |
emily | 23.11 is on 1.20, not 1.21.
and in the old gitea versioning those are major releases.
| 13:35:11 |
emily | do you have time to open a PR for this? EOL+vulnerable? | 13:35:44 |
adamcstephens | yeah, I have a few minutes | 13:36:32 |
| 17 Jun 2024 |
Mic92 | Electron security fix in deltachat-desktop: https://github.com/NixOS/nixpkgs/pull/320554 | 15:09:49 |
| 18 Jun 2024 |
| 19 Jun 2024 |
raitobezarius | cryptsetup security update: https://github.com/NixOS/nixpkgs/pull/308340 -- will run a simple smoketest and merge for staging. | 11:49:25 |
hexa | and backport, please | 11:53:51 |
| 20 Jun 2024 |
teutat3s | https://www.heise.de/en/news/Nextcloud-Attackers-can-bypass-two-factor-authentication-9766141.html | 10:10:56 |
hexa | old news | 10:11:23 |
teutat3s | All versions in nixpkgs already have the fixes AFAICT, not sure if vulnerability warnings should be added? | 10:11:37 |
hexa | we expect users to upgrade to get fixed packages always | 10:11:57 |
| 21 Jun 2024 |