| 16 Jul 2025 |
 leona | matrix (servers+maybe clients) security update on 2025-07-22 https://matrix.org/blog/2025/07/security-predisclosure/ | 16:16:40 |
 Grimmauld (any/all) | https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.5
More libxml2! YAY.... | 16:40:51 |
|  lennart joined the room. | 17:23:22 |
| Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/pull/425863
Fixes CVE-2025-49794, CVE-2025-49796, CVE-2025-49795, CVE-2025-6170
Four CVEs this time!! | 18:14:20 |
| Grimmauld (any/all) | * https://github.com/NixOS/nixpkgs/pull/425863
Fixes CVE-2025-49794, CVE-2025-49796, CVE-2025-49795, CVE-2025-6170
Four CVEs this time :) | 18:14:32 |
| Grimmauld (any/all) | Also nodejs: https://github.com/NixOS/nixpkgs/pull/425602
Two CVEs, but the CVE that affects older versions (including our default, 22.x) is windows-only and therefore not super bad for us. | 18:34:23 |
| 18 Jul 2025 |
 ma27 | grafana xss fixes: https://github.com/NixOS/nixpkgs/pull/426345 | 11:33:04 |
| 19 Jul 2025 |
 jonhermansen | I updated MS Edge, then saw it addresses recent Chromium vuln: https://github.com/NixOS/nixpkgs/pull/426714 | 17:31:42 |
| jonhermansen | I've never raised any security issue, but I think I have all my ducks in a row. Let me know if not | 17:34:05 |
| jonhermansen | * I've never raised any security issue, but I think I got everything right. Let me know if not | 17:36:47 |
| 20 Jul 2025 |
|  Toma joined the room. | 00:29:58 |
| 21 Jul 2025 |
 osnyx (he/him) | The coordinated matrix update has been postponed to 2025-08-11. | 08:03:55 |
 emily | In reply to @jonhermansen:matrix.org
I updated MS Edge, then saw it addresses recent Chromium vuln: https://github.com/NixOS/nixpkgs/pull/426714 looks like the automated backport failed, so stable is still vulnerable | 12:42:39 |
| 22 Jul 2025 |
| jonhermansen | Thank you @mdaniels5757 for backporting it. I tested and approved it but can't merge it. https://github.com/NixOS/nixpkgs/pull/427270 | 02:15:02 |
| jonhermansen | Thank you @mdaniels5757 for backporting it. I reviewed, tested and approved it but can't merge it. https://github.com/NixOS/nixpkgs/pull/427270 | 02:16:24 |
| emily | Redacted or Malformed Event | 02:17:50 |
| emily | oops | 02:17:52 |
| emily | 😅 there's a reason we have the "browsers have committer among maintainers" rule | 02:18:14 |
| emily | (but unfortunately the committer who volunteered for Edge hasn't reviewed/merged any PRs) | 02:18:30 |
| jonhermansen | Thanks emily. Is there anything else I should do there? | 02:20:44 |
| emily | just have to wait for someone to merge. but in the long run there'll need to be an active committer involved in the package to sustainably merge security updates; pretty much every browser update has CVEs. (should probably move to #security-discuss:nixos.org for extended discussion) | 02:23:29 |
| 23 Jul 2025 |
|  implr set a profile picture. | 10:57:46 |
| implr changed their profile picture. | 11:21:44 |
 transcaffeine | https://github.com/NixOS/nixpkgs/pull/427778 snipe-it (due to livewire's CVE-2025-54068) | 15:46:29 |
| Grimmauld (any/all) | Marking all the libsoup_2_4 vulnerabilities:
https://github.com/NixOS/nixpkgs/pull/427813
(following the conversation in #dev:nixos.org ) | 17:31:29 |
| Grimmauld (any/all) | * Marking all the libsoup_2_4 vulnerabilities, should wait for Jan to ack this:
https://github.com/NixOS/nixpkgs/pull/427813
(following the conversation in #dev:nixos.org ) | 17:31:46 |
| Grimmauld (any/all) | * Marking all the libsoup_2_4 vulnerabilities, should wait for Jan Tojnar to ack this but figured i might as well put it here:
https://github.com/NixOS/nixpkgs/pull/427813
(following the conversation in #dev:nixos.org ) | 17:32:04 |
| 24 Jul 2025 |
 tgerbet | GLIBC-SA-2025-0005 cc ma27
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0005;h=8bcccc59a546800624576e3a835b759d9ad1f1e0;hb=HEAD
| 06:53:09 |
