| 8 Jun 2024 |
Markus Theil | https://github.com/NixOS/nixpkgs/pull/318322 | 17:29:11 |
| 9 Jun 2024 |
Markus Theil | FRR just tagged 10.0.1, which fixes multiple security critical bugs, e.g. CVE-2024-31951. The auto update bot already took notice of this tag: https://github.com/NixOS/nixpkgs/pull/318496 | 16:07:06 |
| 10 Jun 2024 |
Markus Theil | frr 10.0.1 and 9.0.3 probably fix at least:
- CVE-2024-31948
- CVE-2024-31949
- CVE-2024-31950
- CVE-2024-31951
I added a PR for 23.11 here: https://github.com/NixOS/nixpkgs/pull/318758
| 10:33:46 |
Minijackson | Jellyfin update that has a small security fix on first time setup: https://github.com/NixOS/nixpkgs/pull/318873 | 19:04:56 |
| 11 Jun 2024 |
wxnzemof | Hi, this is probably benign but maybe worth looking into: https://github.com/nix-community/nix-installers/issues/49 | 09:54:13 |
Sandro | This is what the GitHub Action does https://github.com/nix-community/nix-installers/blob/master/.github/workflows/gh-pages.yml | 11:40:17 |
| 12 Jun 2024 |
hexa | https://conduit.rs/changelog/#v0-8-0-2024-06-12
(and conduwuit/grapevine for whoever uses those) | 19:09:11 |
hexa | https://github.com/NixOS/nixpkgs/pull/319362 | 19:57:39 |
hexa | will backport to release-24.05, given that the breaking changes in 0.7.0 don't affect us | 19:57:52 |
hexa | * will backport to release-24.05 and release-23.11, given that the breaking changes in 0.7.0 don't affect us | 19:58:11 |
hexa | marked as vulnerable on 23.11, backport was not possible | 20:57:43 |
| 15 Jun 2024 |
felschr | https://github.com/NixOS/nixpkgs/pull/319315 | 11:13:57 |
bedridden | https://github.com/NixOS/nixpkgs/pull/320093
current bootstrap tools for darwin seem to ship with an old version of curl (and was updated 2 months ago), affected by https://www.tenable.com/plugins/nessus/182874
I suppose this change should first go into staging and then be backported to other staging-<version> branches... is this correct? (first contribution, so apologies if I am at the wrong place!) | 21:34:17 |
hexa | can you poke #macos:nixos.org? | 21:35:09 |
| 16 Jun 2024 |
vcunat | Isn't that affecting only if you use the libcurl as a SOCKS5 proxy? (server side) Or am I reading it wrong? | 06:10:00 |
bedridden | I believe so, but I am no security expert. https://www.tenable.com/cve/CVE-2023-38545 has references to a few different updates (even ones from Apple updating curl version), so it seems rather important. | 09:58:11 |
bedridden | That said, I was told in #macos:nixos.org that this issue doesn't affect nixos-24.05 (which I also verified and seems to be the case), so it might be an issue only on nixos-23.11 darwin (haven't yet verified this one). | 09:59:28 |