| 10 Dec 2024 |
hexa | we need some kind of remediation here | 21:24:56 |
hexa | worst case we mark 4.x as knownvulnerable and make people migrate to 5 | 21:25:14 |
hexa | * worst case we mark 4.x as knownvulnerable "eol" and make people migrate to 5 | 21:25:22 |
| 11 Dec 2024 |
Scrumplex | https://github.com/NixOS/nixpkgs/pull/364160
https://curl.se/docs/CVE-2024-11053.html | 08:09:30 |
hexa | https://about.gitlab.com/releases/2024/12/11/patch-release-gitlab-17-6-2-released/ | 16:00:02 |
hexa | xanderio, leona ^ | 16:01:05 |
hexa | Redacted or Malformed Event | 16:01:47 |
hexa | I'm too slow 🙂 | 16:01:49 |
leona | In reply to @hexa:lossy.network https://about.gitlab.com/releases/2024/12/11/patch-release-gitlab-17-6-2-released/ there are already two open PRs for that: https://github.com/NixOS/nixpkgs/pull/364213 https://github.com/NixOS/nixpkgs/pull/364219 (24.05 as 'hotter' fix) | 16:01:52 |
| stick left the room. | 18:36:40 |
| fernsehmuell (☎️ 3376 he/him) changed their display name from fernsehmuell to fernsehmuell (he/his) DECT: 3376 (fern). | 18:57:11 |
| 12 Dec 2024 |
Niklas Korz | unless someone's already on it, I'd create two (or three) PRs today:
- unstable: move matomo to 5.1.2 and alias matomo_5 to matomo (+ release notes)
- 24.11: add knownVulnerabilities to matomo about EOL and recommend an upgrade to matomo_5 (+ release notes)
- same for 24.05 or should it be skipped because it's EOL in three weeks?
| 08:30:47 |
tgerbet | Ideally same for 24.05 | 08:33:49 |
Sandro | If we would only build packages with knownVulnerabilities, then we wouldn't need to weigh usability and security against each other | 09:50:42 |
Niklas Korz | as someone relying on a handful of libolm based services and applications, I tend to agree | 10:05:17 |
Frank Lanitz | All software is full of unfixed, known issues ;) | 10:09:19 |
syd installs gentoo (they/them) | Reminder there is also #security-discuss:nixos.org (though I can't join the channel for some reason) | 10:15:55 |
| Ahurac left the room. | 10:16:08 |
| ·☽•Nameless☆•777 · ± changed their profile picture. | 14:33:59 |
Niklas Korz |
- unstable: https://github.com/NixOS/nixpkgs/pull/364627
- 24.11: https://github.com/NixOS/nixpkgs/pull/364633
- 24.05: https://github.com/NixOS/nixpkgs/pull/364642
| 16:17:22 |
| @metanoic:matrix.org left the room. | 19:06:45 |
| 15 Dec 2024 |
| @maridonkers:matrix.org joined the room. | 08:24:36 |
| 16 Dec 2024 |
| @ksonj:matrix.org left the room. | 14:59:37 |
| 17 Dec 2024 |
SigmaSquadron | Hi all. Today, the Xen Project has publicly released CVE-2024-53240 (Xen Security Advisory #465) and CVE-2024-53241 (Xen Security Advisory #466).
We are not affected by the latter: It's a Linux guest issue regarding ret speculations. The Xen patch is just documentation, not hypervisor code. The Linux patches for #466, to the best of my knowledge, are unnecessary, as our kernels are not built with CONFIG_RETHUNK enabled, which mitigates this vulnerability.
We are, however, affected by the former vulnerability (#455) — a hypervisor crash caused by a malicious Linux 6.1+ guest who is allowed to suspend and resume. The issue lies in Xen's Linux guest drivers, not with the hypervisor itself. It's a single patch to drivers/net/xen-netfront.c. Can we get this patched in our kernels? (I know nothing about nixpkgs' kernel infrastructure. Do I just add a patch here?)
| 12:26:40 |
| tlaurion aka Insurgo [ Timezone: ET ] changed their display name from tlaurion aka Insurgo [UTC-4] to tlaurion aka Insurgo [UTC-4] - last crush before holidays!. | 19:19:38 |
| 18 Dec 2024 |
hexa | https://github.com/FiloSottile/age/releases/tag/v1.2.1 | 15:35:48 |
hexa | https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c | 15:35:52 |
adamcstephens | https://github.com/NixOS/nixpkgs/pull/366207 | 16:07:28 |
| @dmiskovic:matrix.org joined the room. | 19:37:45 |
| 19 Dec 2024 |
hexa | Redacted or Malformed Event | 15:54:23 |