10 Jul 2025 |
vcunat | 25.05 will probably need to pick the CVE patches. For staging:
https://github.com/NixOS/nixpkgs/pull/424095 | 16:38:33 |
| Fred Lahde joined the room. | 18:48:25 |
11 Jul 2025 |
| importantblimp joined the room. | 09:54:49 |
| Felix Schröter joined the room. | 16:58:53 |
12 Jul 2025 |
hexa | https://github.com/NixOS/nix/security/advisories/GHSA-qc7j-jgf3-qmhg | 12:15:00 |
emily | handling nixVersions.git | 13:22:35 |
emily | https://github.com/NixOS/nixpkgs/pull/424593 | 13:33:13 |
emily | testing build on Darwin, if someone could get Linux that would be cool | 13:33:24 |
| Sergei Zimmerman (xokdvium) joined the room. | 14:08:27 |
Sergei Zimmerman (xokdvium) | Backport bot having issues on emily's PR. Manual backport I've opened at the same time https://github.com/NixOS/nixpkgs/pull/424592. Will merge when darwin build finishes. | 14:10:48 |
14 Jul 2025 |
Grimmauld (any/all) | * https://nvd.nist.gov/vuln/detail/CVE-2025-6817 | https://github.com/HDFGroup/hdf5/issues/5572
https://nvd.nist.gov/vuln/detail/CVE-2025-6816 | https://github.com/HDFGroup/hdf5/issues/5571
https://nvd.nist.gov/vuln/detail/CVE-2025-6750 | https://github.com/HDFGroup/hdf5/issues/5549
https://nvd.nist.gov/vuln/detail/CVE-2025-6516 | https://github.com/HDFGroup/hdf5/issues/5581
https://nvd.nist.gov/vuln/detail/CVE-2025-6270 | https://github.com/HDFGroup/hdf5/issues/5580
https://nvd.nist.gov/vuln/detail/CVE-2025-6269 | https://github.com/HDFGroup/hdf5/issues/5579
https://nvd.nist.gov/vuln/detail/CVE-2025-7069 | https://github.com/HDFGroup/hdf5/issues/5550
https://nvd.nist.gov/vuln/detail/CVE-2025-7068 | https://github.com/HDFGroup/hdf5/issues/5578
https://nvd.nist.gov/vuln/detail/CVE-2025-7067 | https://github.com/HDFGroup/hdf5/issues/5577
hdf5 doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues; I have my own projects that depend on hdf5 (bachelor's thesis) but figured I might as well post these here too. Fix will likely only come out in September.
| 07:07:15 |
15 Jul 2025 |
| ginkogruen joined the room. | 22:54:11 |
| Chris Norman joined the room. | 22:54:12 |
16 Jul 2025 |
teutat3s | https://github.com/electron/electron/releases/tag/v37.2.2 | Updated Chromium to 138.0.7204.100
https://github.com/NixOS/nixpkgs/pull/425750 | 10:45:31 |
teutat3s | https://github.com/NLnetLabs/unbound/releases/tag/release-1.23.1 | fixes the Rebirthday Attack CVE-2025-5994 | 11:35:11 |
hexa | ECS is disabled by default in nixpkgs | 11:38:48 |
hexa | * ECS is not compiled in by default in nixpkgs | 11:38:56 |
emily | 25.05 is still vulnerable to the zero-day from 2025-06-30 for which electron released https://github.com/electron/electron/releases/tag/v37.2.0 on 2025-07-02, meaning electron_37 on 25.05 is affected by two different chromium zero-days: one zero-day that should have landed two weeks ago and another, the newer one, for which electron upstream has no release yet.
just to be clear, 138.0.7204.100, the release and PR you linked to, does not fix the newer zero-day from yesterday.
this is a recurring pattern with electron in nixpkgs. do you want me to flag electron_37 on 25.05 as vulnerable until you find the time to fix the zero-day from two weeks ago? | 13:14:31 |
| @winston:milli.ng left the room. | 13:36:59 |
leona | matrix (servers+maybe clients) security update on 2025-07-22 https://matrix.org/blog/2025/07/security-predisclosure/ | 16:16:40 |
Grimmauld (any/all) | https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.5 More libxml2! YAY.... | 16:40:51 |
| lennart joined the room. | 17:23:22 |
Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/pull/425863
Fixes CVE-2025-49794, CVE-2025-49796, CVE-2025-49795, CVE-2025-6170
Four CVEs this time!! | 18:14:20 |
Grimmauld (any/all) | * https://github.com/NixOS/nixpkgs/pull/425863
Fixes CVE-2025-49794, CVE-2025-49796, CVE-2025-49795, CVE-2025-6170
Four CVEs this time :) | 18:14:32 |
Grimmauld (any/all) | Also nodejs: https://github.com/NixOS/nixpkgs/pull/425602
Two CVEs, but the CVE that affects older versions (including our default, 22.x) is Windows-only and therefore not super bad for us. | 18:34:23 |