| 25 Mar 2024 |
| @admin:nixos.org left the room. | 00:30:35 |
ris_ | https://github.com/NixOS/nixpkgs/pull/297547 | 20:14:15 |
hexa | wow, this looks like code copy pasted from home-assistant 😄 | 20:30:09 |
hexa | which can be explained because bdraco was involved | 20:30:32 |
| 26 Mar 2024 |
hexa | https://webkitgtk.org/security/WSA-2024-0002.html Jan Tojnar | 03:22:18 |
| @linucifer:envs.net joined the room. | 19:09:13 |
pinpox | Not sure if this is the right place to ask, but are current NixOS versions impacted by https://github.com/Notselwyn/CVE-2024-1086 ? | 20:33:53 |
K900 | No | 20:34:38 |
K900 |
The exploit affects versions from (including) v5.14 to (including) v6.6, excluding patched branches v5.15.149>, v6.1.76>, v6.6.15>
| 20:35:11 |
ris_ | at last https://github.com/NixOS/nixpkgs/pull/295967 | 23:05:56 |
| 27 Mar 2024 |
Jan Tojnar | https://github.com/NixOS/nixpkgs/pull/299417 | 05:44:09 |
tgerbet | https://www.openwall.com/lists/oss-security/2024/03/27/5
util-linux 2.40 was released with the fix
https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253 | 21:06:20 |
tgerbet | And curl 8.7.1 https://github.com/NixOS/nixpkgs/pull/299580 | 21:07:22 |
tgerbet | Well https://www.openwall.com/lists/oss-security/2024/03/27/7 😅 | 21:48:07 |
| 29 Mar 2024 |
| SebTM joined the room. | 04:23:38 |
vcunat | https://github.com/NixOS/nixpkgs/commit/c2b0bf3dd525#commitcomment-140365634 | 06:36:33 |
vcunat | (in case someone's interested in .mlflow for NixOS 23.11) | 06:37:06 |
clefru | * FYI from what I see, the two 0 days for Google Chrome published on Tuesday are still unpatched in release-23.11. | 08:53:45 |
clefru | Sorry ignore that.. I am tracking nixos-23.11 and not release-23.11 | 09:05:50 |
hexa | https://www.openwall.com/lists/oss-security/2024/03/29/4 | 16:12:46 |
syd installs gentoo (they/them) | In reply to @hexa:lossy.network https://www.openwall.com/lists/oss-security/2024/03/29/4 b) argv[0] needs to be /usr/sbin/sshd | 16:15:35 |
syd installs gentoo (they/them) | * b) argv[0] needs to be /usr/sbin/sshd
ldd $(which sshd) | grep -i lzma doesn't link against lzma
https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/compression/xz/default.nix
is on the affected version 5.6.1 (5.4.4 on 23.11)
Thank you hexa https://github.com/NixOS/nixpkgs/pull/300028
| 16:22:08 |
Julien | Just saw that as well, is there a specific reason we are not building xz from the "source code" links generated from GitHub? If I understand correctly, part of the backdoor is not present in there | 16:38:11 |
vcunat | Because release tarballs need fewer dependencies to build. | 16:39:31 |