!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

Coordination and triage of security issues in nixpkgs
702 Members, 210 Servers



Sender: Message [Time]
28 Sep 2023
@hexa:lossy.network hexa: https://www.openwall.com/lists/oss-security/2023/09/28/5 [18:42:58]
@hexa:lossy.network hexa: * libvpx https://www.openwall.com/lists/oss-security/2023/09/28/5 [18:43:01]
@uep:matrix.org uep: firefox too https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/ [21:51:15]
29 Sep 2023
@hexa:lossy.network hexa: oh come on [01:46:37]
@hexa:lossy.network hexa:
In reply to @hexa:lossy.network
> libvpx https://www.openwall.com/lists/oss-security/2023/09/28/5
fixed on master/release-23.05, will be part of the next channel bumps, but we still need to take care of all the vendored instances. effort similar to libwebp coordinated in #security-discuss:nixos.org
[13:50:51]
30 Sep 2023
@felschr:matrix.org felschr:
https://github.com/NixOS/nixpkgs/pull/258137
https://github.com/NixOS/nixpkgs/pull/258138
[05:28:11]
@hexa:lossy.network hexa: exim https://lwn.net/Articles/946004/ ajs124 [21:54:28]
@hexa:lossy.network hexa: "Fixes are available in a protected repository and are ready to be applied by the distribution maintainers" [21:55:09]
@hexa:lossy.network hexa: 👏 [21:55:23]
@tomberek:matrix.org tomberek: I misread that as "exif" at first and thought, oh no.. here we go [21:55:28]
@hexa:lossy.network hexa: haha, please no more audio/video/image format vulnerabilities this year 😄 [21:55:46]
* @raitobezarius:matrix.org raitobezarius gets the libFuzzer out of the pocket and runs it on libcaca [21:56:06]
@hexa:lossy.network hexa:
In reply to @hexa:lossy.network
> haha, please no more audio/video/image format vulnerabilities this year 😄
https://github.com/NixOS/nixpkgs/pull/258295
[23:16:55]
1 Oct 2023
@vcunat:matrix.org vcunat:
In reply to @hexa:lossy.network
> https://github.com/NixOS/nixpkgs/pull/258295
Wait, yet another libvpx CVE in a few days?
[05:20:49]
@vcunat:matrix.org vcunat: I mean, I'm in particular interested if the PR is urgent or could be staged instead, as doing those rebuilds again (on 2-3 branches) isn't cheap and it will slow down the staging-next* cycles - which also contain (milder) security fixes. [05:27:13]
@vcunat:matrix.org vcunat: It is a different bug, but when public descriptions say only "crash", I can't tell severity at a glance (and no CVSS yet). [05:38:49]

Room Version: 6