| 7 Jul 2025 |
 leona | https://github.com/NixOS/nixpkgs/pull/421805 keycloak security update | 06:51:59 |
|  @saiko:knifepoint.net changed their display name from Katalin ⚧︎ to Katalin 🔪. | 23:27:41 |
| 9 Jul 2025 |
|  jonhermansen joined the room. | 01:01:41 |
 syd installs gentoo (they/them) | https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384
git clone --recursive RCE
CVE-2025-48384 | 11:10:20 |
 K900 | Known, we're deciding how to best handle it | 11:21:38 |
| 10 Jul 2025 |
 vcunat | I just noticed our intel-media-sdk; upstream says
This project will no longer be maintained by Intel.
This project has been identified as having known security escapes.
We use it in particular in ffmpeg-full. No idea how big a risk it is in there.
| 08:32:52 |
 hexa | https://security-tracker.debian.org/tracker/source-package/intel-mediasdk | 12:14:24 |
| hexa | removed from debian in 2024-10 | 12:15:01 |
| hexa | other distros, e.g. fedora, are still shipping it | 12:15:10 |
| hexa | -> #security-discuss:nixos.org | 12:16:15 |
| vcunat | gnutls had a security release yesterday:
https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
Maybe I could have a look within several hours.
| 12:17:14 |
| vcunat | 25.05 will probably need to pick the CVE patches. For staging:
https://github.com/NixOS/nixpkgs/pull/424095 | 16:38:33 |
|  Fred Lahde joined the room. | 18:48:25 |
| 11 Jul 2025 |
|  importantblimp joined the room. | 09:54:49 |
|  Felix Schröter joined the room. | 16:58:53 |
| 12 Jul 2025 |
| hexa | https://github.com/NixOS/nix/security/advisories/GHSA-qc7j-jgf3-qmhg | 12:15:00 |
 emily | handling nixVersions.git | 13:22:35 |
| emily | https://github.com/NixOS/nixpkgs/pull/424593 | 13:33:13 |
| emily | testing build on Darwin, if someone could get Linux that would be cool | 13:33:24 |
|  Sergei Zimmerman (xokdvium) joined the room. | 14:08:27 |
| Sergei Zimmerman (xokdvium) | Backport bot having issues on emily's PR. Manual backport I've opened at the same time https://github.com/NixOS/nixpkgs/pull/424592.
Will merge when darwin build finishes. | 14:10:48 |
| 14 Jul 2025 |
 Grimmauld (any/all) | * https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
https://nvd.nist.gov/vuln/detail/CVE-2025-6516 | https://github.com/HDFGroup/hdf5/issues/5581
https://nvd.nist.gov/vuln/detail/CVE-2025-6270 | https://github.com/HDFGroup/hdf5/issues/5580
https://nvd.nist.gov/vuln/detail/CVE-2025-6269 | https://github.com/HDFGroup/hdf5/issues/5579
https://nvd.nist.gov/vuln/detail/CVE-2025-7069 | https://github.com/HDFGroup/hdf5/issues/5550
https://nvd.nist.gov/vuln/detail/CVE-2025-7068 | https://github.com/HDFGroup/hdf5/issues/5578
https://nvd.nist.gov/vuln/detail/CVE-2025-7067 | https://github.com/HDFGroup/hdf5/issues/5577
hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, i have my own projects that depend on hdf5 (bachelors thesis) but figured i might as well post these here too. Fix will likely only come out in September.
| 07:07:15 |
| 15 Jul 2025 |
|  ginkogruen joined the room. | 22:54:11 |
|  Chris Norman joined the room. | 22:54:12 |
| 16 Jul 2025 |
 teutat3s | https://github.com/electron/electron/releases/tag/v37.2.2 | Updated Chromium to 138.0.7204.100
https://github.com/NixOS/nixpkgs/pull/425750 | 10:45:31 |
| teutat3s | https://github.com/NLnetLabs/unbound/releases/tag/release-1.23.1 | fixes the Rebirthday Attack CVE-2025-5994 | 11:35:11 |
| hexa | ECS is disabled by default in nixpkgs | 11:38:48 |
| hexa | * ECS is not compiled in by default in nixpkgs | 11:38:56 |
 emily | 25.05 is still vulnerable to the zero-day from 2025-06-30 for which electron released https://github.com/electron/electron/releases/tag/v37.2.0 on 2025-07-02. meaning electron_37 on 25.05 is affected by two different chromium zero-days. one zero-day that should have landed two weeks ago and another, the newer one, for which electron upstream no release yet.
just to be clear, 138.0.7204.100, the release and PR you linked to, does not fix the newer zero-day from yesterday.
this is a reoccurring pattern with electron in nixpkgs. do you want me to flag electron_37 on 25.05 as vulnerable until you find the time to fix the zero-day from two weeks ago? | 13:14:31 |
|  @winston:milli.ng left the room. | 13:36:59 |
