| 4 Nov 2025 |
vcunat | Severity isn't mentioned yet? | 13:38:00 |
vcunat | * Severity isn't mentioned yet? (I fail to see it) | 13:38:06 |
vcunat | Ah, now I see "Moderate". | 13:39:04 |
vcunat | Either way, 25.05 seems more of a concern than master/unstable. | 13:40:37 |
| 9 Nov 2025 |
dotlambda | https://github.com/NixOS/nixpkgs/pull/452743 arguably patches a denial of service vulnerability, no CVE assigned though | 05:59:45 |
| 11 Nov 2025 |
hexa | https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20251111 | 18:08:51 |
hexa | cc flx | 18:08:58 |
flx | https://github.com/NixOS/nixpkgs/pull/460731 | 18:18:16 |
| 12 Nov 2025 |
hexa | https://www.openwall.com/lists/oss-security/2025/11/12/1
https://www.openwall.com/lists/oss-security/2025/11/12/2 | 16:42:28 |
hexa | both cups-filters | 16:42:36 |
| 14 Nov 2025 |
Fabián Heredia | https://github.com/NixOS/nixpkgs/pull/461446 | 05:06:43 |
Fabián Heredia | Seems like a security related fix is the only change, next staging-next is about to begin soonish. | 05:07:15 |
| 15 Nov 2025 |
tgerbet | libxml2 CVE-2025-12863
https://gitlab.gnome.org/GNOME/libxml2/-/issues/1012
Grimmauld (any/all)
Approved MR, not merged yet https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/349
Debian applied the change https://salsa.debian.org/xml-sgml-team/libxml2/-/blob/master/debian/patches/CVE-2025-12863.diff?ref_type=heads | 18:52:17 |
Grimmauld (any/all) | That is a high severity CVE (as is practically always the case with libxml2). If Debian picked the patch, we should too. That said, libxml2 is a BIG rebuild, and the staging-next cycle is on the way already. I'll defer to @vcunat whether we want to scrap builds or just do this the next cycle (with hopefully an upstream merged patch by then). | 19:00:40 |
Grimmauld (any/all) | thanks for the heads up though! | 19:01:02 |
leona | When we scrap the cycle we need to move the release almost certainly. I really really want this cycle to be finished as early as possible, otherwise this will break our neck. | 19:12:21 |
Grimmauld (any/all) | then I vote to wait with this until the next cycle and backport to get it into 25.11 | 19:31:01 |
hexa | the issue with that is that we'll have three staging branches at that point 😄 | 19:53:10 |