| 19 Nov 2025 |
tgerbet | https://www.openwall.com/lists/oss-security/2025/11/18/1
I will deal with it and continue to expand the never-ending list of patches of grub2 🫠
| 19:58:53 |
| 20 Nov 2025 |
| fernsehmuell (☎️ 3376 he/him) changed their display name from fernsehmuell (he/his) to fernsehmuell (☎️ 3376 he/him). | 00:19:06 |
| John joined the room. | 05:11:05 |
| cve joined the room. | 13:42:24 |
cve | Would someone mind having a look at 462970 and 463034?
Both pull requests are open for close to two days by now and they fix a medium-severity security vulnerability in Tor, potentially leading to a remote crash.
Besides, relays on the old version are also no longer advertised in the current Tor consensus, meaning they now display a scary red warning too.
| 13:53:22 |
cve | * Would someone mind having a look at 462970 and 463034?
Both pull requests fix a medium-severity security vulnerability in Tor, potentially leading to a remote crash.
Besides, relays on the old version are also no longer advertised in the current Tor consensus, meaning they now display a scary red warning too.
| 13:53:38 |
| Yevhen Zhyhalo joined the room. | 16:09:00 |
hexa | https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18 gnutls vcunat | 19:21:32 |
hexa | 3.8.11 basically | 19:21:44 |
vcunat | https://github.com/NixOS/nixpkgs/pull/463470 | 19:21:55 |
| 21 Nov 2025 |
| amadaluzia changed their display name from amadaluzia to amadaluzia (in 🇹🇷 til 25). | 14:44:25 |
| amadaluzia changed their display name from amadaluzia (in 🇹🇷 til 25) to amadaluzia (🇹🇷 til 25th). | 14:45:11 |
| 22 Nov 2025 |
hexa | https://seclists.org/oss-sec/2025/q4/204 libpng | 13:31:44 |
hexa | http://github.com/nixos/nixpkgs/pull/463987 | 13:32:11 |
| 23 Nov 2025 |
| @easel:matrix.org left the room. | 01:50:39 |
| 24 Nov 2025 |
| amadaluzia changed their display name from amadaluzia (🇹🇷 til 25th) to amadaluzia. | 12:57:50 |
| 25 Nov 2025 |
| @steeringwheelrules:tchncs.de left the room. | 18:12:22 |
| 26 Nov 2025 |
mdaniels5757 | These PRs with security updates to packages (or their dependencies) have been approved by their respective maintainers, but still need to be merged. https://github.com/NixOS/nixpkgs/pull/463918 https://github.com/NixOS/nixpkgs/pull/464033 https://github.com/NixOS/nixpkgs/pull/464451 | 02:38:48 |
dish [Fox/It/She] | In reply to @mdaniels5757:matrix.org These PRs with security updates to packages (or their dependencies) have been approved by their respective maintainers, but still need to be merged. https://github.com/NixOS/nixpkgs/pull/463918 https://github.com/NixOS/nixpkgs/pull/464033 https://github.com/NixOS/nixpkgs/pull/464451 queued all, thank you | 02:52:06 |
hexa | https://www.cve.org/CVERecord?id=CVE-2025-45311 | 19:41:10 |
hexa | * https://www.cve.org/CVERecord?id=CVE-2025-45311 fail2ban rce | 19:41:16 |
hexa | * https://www.cve.org/CVERecord?id=CVE-2025-45311 fail2ban | 19:42:54 |
hexa | https://lobste.rs/s/p5k6aa/fail2ban_rce open discussion here | 19:43:01 |
K900 | Something something petard | 19:43:02 |
vcunat | Why is it called RCE? They write
attackers with limited sudo privileges
| 19:43:47 |
vcunat | That's like a completely different level of severity. | 19:44:12 |
hexa | posted it before reading it fully, doesn't make sense to me yet, sorry | 19:44:51 |
mdaniels5757 | The "vuln"s listed are different. On https://packetstorm.news/files/id/189989, the "vuln" is that when you set an arbitrary shell command to run when an IP is banned, and then an IP is banned, the arbitrary shell script runs. But on https://gist.github.com/R-Security/1c707a08f9c7f9a91d9d84b5010aaed2, it claims that there is "insufficient sanitization of variables"; I see no evidence of that provided. CVE slop? | 20:42:47 |
mdaniels5757 | I'll file an issue with upstream and see what they say. | 20:43:35 |
mdaniels5757 | https://github.com/fail2ban/fail2ban/issues/4110 | 20:58:18 |