| 25 Nov 2023 |
stigo | In reply to @stigo:matrix.org https://metacpan.org/release/PEVANS/perl-5.38.1/changes -Fixes CVE-2023-47038 and CVE-2023-47039, I'm creating PRs for those (affects perl538 and perl536) https://github.com/NixOS/nixpkgs/pull/269996 | 22:02:23 |
stigo | In reply to @stigo:matrix.org https://metacpan.org/release/PEVANS/perl-5.38.1/changes -Fixes CVE-2023-47038 and CVE-2023-47039, I'm creating PRs for those (affects perl538 and perl536) * https://github.com/NixOS/nixpkgs/pull/269996 (currently targeted to master, let me know if you need it targeted to another branch) | 22:03:16 |
hexa | will probably be a mass-rebuild, so unless this is an RCE I'd say we stage it 😄 | 22:07:11 |
hexa | CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property | 22:07:37 |
hexa | apparently limited to one-byte | 22:07:52 |
hexa | CVE-2023-47039 - Perl for Windows binary hijacking vulnerability | 22:07:57 |
hexa | 🪟 | 22:08:00 |
hexa | * 🪟s | 22:08:08 |
stigo | In reply to @hexa:lossy.network will probably be a mass-rebuild, so unless this is an RCE I'd say we stage it 😄 Done. (sigh sorry for the mass ping) | 23:28:41 |
| 26 Nov 2023 |
ris_ | https://nvd.nist.gov/vuln/detail/CVE-2023-41419 and our gevent is really out of date | 00:20:13 |
ris_ | https://github.com/NixOS/nixpkgs/pull/270019 | 00:39:08 |
ris_ | not sure what to do about 23.11 | 00:41:05 |
raitobezarius | imho backport | 00:41:32 |
raitobezarius | the issue seems quite problematic | 00:41:38 |
raitobezarius | I mean, it would be nice to know about the blast radius though | 00:41:53 |
ris_ | well, last change to gevent was 5001+ rebuilds | 00:47:11 |
ris_ | guess we could either merge it to staging-next to find out how many breakages it causes or request a hydra job | 00:54:13 |
ris_ | will have a go at the patch in the morning | 00:58:28 |
ris_ | have done a lot of rebuilding with the above and haven't found any failures so far | 13:16:07 |
| 27 Nov 2023 |
| 28 Nov 2023 |
hexa | https://forgejo.org/2023-11-release-v1-20-5-1/ | 12:06:24 |
hexa | master on 1.21.1-0, release-23.11 on 1.20.5-1, release-23.05 on 1.19.4-0 | 12:07:48 |
hexa | only worried about release-23.05 here | 12:08:17 |
hexa | https://github.com/go-gitea/gitea/releases/tag/v1.20.6 master and release-23.11 on 1.20.5, release-23.05 on 1.19.4 | 12:27:27 |
hexa | ma27: for gitea | 12:28:56 |
ma27 | will try to take a look today | 13:21:00 |
emily | In reply to @hexa:lossy.network only worried about release-23.05 here All versions back to gogs are affected (depending on the endpoint). Source: https://matrix.to/#/!qjPHwFPdxhpLkXMkyP:matrix.org/$ONM9CMUFMAnJjhtvbaStCoYoWS2lkazKxgfsDjwQzg4?via=matrix.org&via=tchncs.de | 18:04:55 |
| 29 Nov 2023 |
Julien | https://jellyfin.org/posts/jellyfin-security-and-you/ | 13:11:29 |