| 14 Nov 2025 |
Fabián Heredia | Seems like a security related fix is the only change, next staging-next is about to begin soonish. | 05:07:15 |
| 15 Nov 2025 |
tgerbet | libxml2 CVE-2025-12863 https://gitlab.gnome.org/GNOME/libxml2/-/issues/1012 Grimmauld (any/all) Approved MR, not merged yet https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/349 Debian applied the change https://salsa.debian.org/xml-sgml-team/libxml2/-/blob/master/debian/patches/CVE-2025-12863.diff?ref_type=heads | 18:52:17 |
Grimmauld (any/all) | That is a high severity CVE (as is practically always the case with libxml2). If Debian picked the patch, we should too. That said, libxml2 is a BIG rebuild, and the staging-next cycle is on the way already. I'll defer to @vcunat whether we want to scrap builds or just do this the next cycle (with hopefully an upstream merged patch by then) | 19:00:40 |
Grimmauld (any/all) | thanks for the heads up though! | 19:01:02 |
leona | When we scrap the cycle we need to move the release almost certainly. I really really want this cycle to be finished as early as possible, otherwise this will break our neck. | 19:12:21 |
Grimmauld (any/all) | Then I vote to wait with this until the next cycle and backport to get it into 25.11 | 19:31:01 |
hexa | the issue with that is that we'll have three staging branches at that point 😄 | 19:53:10 |
hexa | there is no good choice fwiw | 19:53:22 |
hexa | * there is no great choice fwiw | 19:53:37 |
vcunat | I'd leave it for the next cycle. | 23:04:11 |
| 17 Nov 2025 |
| 18 Nov 2025 |
Grimmauld (any/all) | I have a fix in the attachment, but can't open a PR. It just cleanly applies, both on 2.15.1 and 2.13. Can't open a PR rn because GitHub is down, will do that once it's back | 20:57:13 |
Grimmauld (any/all) | Download 0001-libxml2-fetch-patch-fixing-CVE-2025-12863-in-xmlSetT.patch | 20:57:13 |
Grimmauld (any/all) | * I have a fix in the attachment, but can't open a PR. Upstream patch just cleanly applies, both on 2.15.1 and 2.13. Can't open a PR rn because GitHub is down, will do that once it's back | 21:12:57 |
hexa | https://seclists.org/oss-sec/2025/q4/200 | 21:49:05 |
hexa | already fixed on master | 21:49:23 |
hexa | but the version on 25.05 is being put into question | 21:50:14 |
hexa | * but the version (3.48.0) on 25.05 is being put into question | 21:50:23 |
Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/pull/463018 | 22:23:38 |
| 19 Nov 2025 |
Grimmauld (any/all) | https://gitlab.gnome.org/GNOME/libxml2/-/issues/1012#note_2608283 So the supposed libxml2 vulnerability is now contested by the main developer, saying it isn't even a vulnerability and instead is documented behavior. We might not actually have to do anything. | 13:44:14 |
dish [Fox/It/She] | still terrible api design though >.> | 16:13:05 |
tgerbet | https://www.openwall.com/lists/oss-security/2025/11/18/1 I will deal with it and continue to expand the never-ending list of patches of grub2 🫠 | 19:58:53 |
| 20 Nov 2025 |
cve | Would someone mind having a look at 462970 and 463034? Both pull requests are open for close to two days by now and they fix a medium-severity security vulnerability in Tor, potentially leading to a remote crash. Besides, relays on the old version are also no longer advertised in the current Tor consensus, meaning they now display a scary red warning too. | 13:53:22 |
cve | * Would someone mind having a look at 462970 and 463034? Both pull requests fix a medium-severity security vulnerability in Tor, potentially leading to a remote crash. Besides, relays on the old version are also no longer advertised in the current Tor consensus, meaning they now display a scary red warning too. | 13:53:38 |