NixOS Security Triage

687 Members
211 Servers
Coordination and triage of security issues in nixpkgs | Discussions in #security-discuss:nixos.org | Open PRs: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc+label%3A%221.severity%3A+security%22

18 Oct 2025
@grimmauld:grapevine.grimmauld.de Grimmauld (migrated to @grimmauld:m.grimmauld.de) *

binutils 2.45 has a few CVEs, though as we are still on 2.44 it is unclear (to me) whether we are affected (likely the answer is yes, but i didn't go look).
Patches seem to exist though, not sure whether they apply on 2.44 base.

https://nvd.nist.gov/vuln/detail/CVE-2025-11412
https://nvd.nist.gov/vuln/detail/CVE-2025-11413
https://nvd.nist.gov/vuln/detail/CVE-2025-11414
https://nvd.nist.gov/vuln/detail/CVE-2025-11494
https://nvd.nist.gov/vuln/detail/CVE-2025-11495

cc John Ericson i guess

21:08:32
19 Oct 2025
@vcunat:matrix.org vcunat * binutils: no new updates in the branch, so far: https://sourceware.org/git/?p=binutils-gdb.git;a=shortlog;h=refs/heads/binutils-2_44-branch 07:01:15
@k900:0upti.me K900 We merged some backports for this 10:31:21
@k900:0upti.me K900 Not sure if all 10:31:23
21 Oct 2025
@robert:funklause.de dotlambda https://github.com/NixOS/nixpkgs/pull/454346 21:00:18
@robert:funklause.de dotlambda

I don't want people to use this library in production environments...

It's a teaching tool, it's a testing tool, it's absolutely not a production grade implementation.
I maintain it to have support for ECDH and ECDSA in tlsfuzzer, which I need to be first and foremost portable. Security does not even enter a picture for that tool.

If you need enterprise grade implementation you should use pyca/cryptography.

https://github.com/tlsfuzzer/python-ecdsa/issues/330

21:10:27
