| 12 Dec 2024 |
| @metanoic:matrix.org left the room. | 19:06:45 |
| 15 Dec 2024 |
| @maridonkers:matrix.org joined the room. | 08:24:36 |
| 16 Dec 2024 |
| @ksonj:matrix.org left the room. | 14:59:37 |
| 17 Dec 2024 |
SigmaSquadron | Hi all. Today, the Xen Project has publicly released CVE-2024-53240 (Xen Security Advisory #465) and CVE-2024-53241 (Xen Security Advisory #466).
We are not affected by the latter: It's a Linux guest issue regarding ret speculations. The Xen patch is just documentation, not hypervisor code. The Linux patches for #466, to the best of my knowledge, are unnecessary, as our kernels are not built with CONFIG_RETHUNK enabled, which mitigates this vulnerability.
We are, however, affected by the former vulnerability (#455) — a hypervisor crash caused by a malicious Linux 6.1+ guest who is allowed to suspend and resume. The issue lies in Xen's Linux guest drivers, not with the hypervisor itself. It's a single patch to drivers/net/xen-netfront.c. Can we get this patched in our kernels? (I know nothing about nixpkgs' kernel infrastructure. Do I just add a patch here?)
| 12:26:40 |
| tlaurion aka Insurgo [ Timezone: ET ] changed their display name from tlaurion aka Insurgo [UTC-4] to tlaurion aka Insurgo [UTC-4] - last crush before holidays!. | 19:19:38 |
| 18 Dec 2024 |
hexa | https://github.com/FiloSottile/age/releases/tag/v1.2.1 | 15:35:48 |
hexa | https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c | 15:35:52 |
adamcstephens | https://github.com/NixOS/nixpkgs/pull/366207 | 16:07:28 |
| @dmiskovic:matrix.org joined the room. | 19:37:45 |
| 19 Dec 2024 |
hexa | https://www.openwall.com/lists/oss-security/2024/12/19/1 sssd illustris | 15:56:07 |
hexa | misskey
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-5q3h-wpfw-hjjw
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-m2gq-69fp-6hv4
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-7vgr-p3vc-p4h2
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-5h8r-gq97-xv69
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-5q3h-wpfw-hjjw
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj
| 15:57:55 |
hexa | * misskey needs update to 2024.11.0-alpha.3 (sigh)
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-5q3h-wpfw-hjjw
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-m2gq-69fp-6hv4
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-7vgr-p3vc-p4h2
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-5h8r-gq97-xv69
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-5q3h-wpfw-hjjw
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj
| 15:58:27 |
hexa | * misskey needs update to 2024.11.0
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-5q3h-wpfw-hjjw
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-m2gq-69fp-6hv4
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-7vgr-p3vc-p4h2
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-5h8r-gq97-xv69
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-5q3h-wpfw-hjjw
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-675w-hf2m-qwmj
| 15:58:58 |
hexa | https://github.com/NixOS/nixpkgs/pull/366588 | 16:20:10 |
osnyx (he/him) | Percona update that fixes the CVEs of the corresponding Oracle MySQL: https://github.com/NixOS/nixpkgs/pull/366579 | 18:10:02 |
| 20 Dec 2024 |
Niklas Korz | Matomo 4 reached EOL yesterday | 16:34:53 |
hexa | osnyx (he/him): ^ | 16:35:25 |
hexa | * osnyx (he/him), ma27 ^ | 16:35:46 |
ma27 | I'm perfectly fine with marking it as insecure on stable, just don't have the time to review now. | 17:06:17 |
leona | I will have a look in a few mins | 17:42:30 |
| labataxe joined the room. | 18:47:16 |
| 21 Dec 2024 |
| @stablejoy:matrix.org left the room. | 05:08:23 |
| @dmiskovic:matrix.org left the room. | 05:13:45 |
| tlaurion aka Insurgo [ Timezone: ET ] changed their display name from tlaurion aka Insurgo [UTC-4] - last crush before holidays! to tlaurion aka Insurgo [UTC-4] - Back 2025-01-06. | 21:20:18 |
| ·☽•Nameless☆•777 · ± changed their profile picture. | 21:37:43 |
| 22 Dec 2024 |
| allrealmsoflife joined the room. | 15:55:06 |
hexa | https://vikunja.io/changelog/vikunja-v0.24.6-was-released leona | 21:05:01 |
leona | https://github.com/NixOS/nixpkgs/pull/367467 | 21:30:37 |
hexa | leona: as 0.23.0 is affected, can you make the package vulnerable on 24.05? | 21:48:08 |