| 29 May 2025 |
 K900 | What the lol | 09:26:48 |
 Grimmauld (any/all) | jq had no release since 2023, but now the second 7.5+ cve | 09:27:21 |
| K900 | Has anyone rewritten it in rust yet | 09:27:37 |
 Alison Jenkins | https://github.com/MiSawa/xq | 09:28:18 |
| Grimmauld (any/all) | https://github.com/yamafaktory/jql
not sure how compatible it is though
also #security-discuss:nixos.org if we'll discuss that | 09:28:34 |
 Morgan (@numinit) | Kea has a few https://www.openwall.com/lists/oss-security/2025/05/28/7 | 16:26:42 |
| Morgan (@numinit) | Also https://www.openwall.com/lists/oss-security/2025/05/27/2
Heap buffer overflow in GNU Coreutils sort that's been there since version 7.2 (we're on 9.7, and apparently it's still there) | 16:28:58 |
| Grimmauld (any/all) | seems simple enough to update, but why are we on 2.6.x if there exists 2.7x? | 16:29:23 |
| Grimmauld (any/all) | * seems simple enough to update, but why are we on 2.6.x if there exists 2.7.x? | 16:29:27 |
| Morgan (@numinit) | not sure | 16:29:52 |
 Arian | https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
https://github.com/systemd/systemd/releases/tag/v257.6
| 17:28:46 |
 hexa | bceause only even minor versions are stable | 17:33:38 |
| hexa | and the update is not straightforward | 17:33:43 |
| hexa | https://github.com/NixOS/nixpkgs/pull/411875 | 17:34:06 |
| Grimmauld (any/all) | uh oh, didn't realize the module needed changing to allow clean updates.... Indeed, not straight-forward, and thanks for explaining :) | 17:35:53 |
| Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/pull/412147
I was already poking systemd for udev stuff earlier today, have the bump pr :)
I tested nixos tests, i did not try to repro the vuln to see if it is truly fixed now.
| 18:41:42 |
| Grimmauld (any/all) | * https://github.com/NixOS/nixpkgs/pull/412147
I was already poking systemd for udev stuff earlier today, have the bump pr :)
i did not try to repro the vuln to see if it is truly fixed now.
| 18:44:10 |
| 30 May 2025 |
 stigo | https://github.com/NixOS/nixpkgs/pull/412233 (considered to be low-medium severity) | 03:39:03 |
 leona | what about backports? just apply to 25.05 and 24.11? | 09:06:59 |
| stigo | In reply to @leona:leona.is
what about backports? just apply to 25.05 and 24.11? Yeah should work fine | 09:58:12 |
| Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/pull/412367
it has been done
Was an absolute pain to make these patches apply properly, i think i didn't horribly butcher anything - review appreciated.
| 14:47:23 |
|  DerivationDingus set a profile picture. | 19:53:54 |
| DerivationDingus changed their profile picture. | 19:55:16 |
| 31 May 2025 |
| Grimmauld (any/all) | https://github.com/jqlang/jq/issues/3327#issuecomment-2924552289
So uh - do we discard builds for this? Or do we fix that next cycle? | 07:15:02 |
| K900 | We barely have builds | 07:17:19 |
| K900 | Send it | 07:17:20 |
| Grimmauld (any/all) | I mean, its bootstrap, soo..... | 07:29:11 |
| Grimmauld (any/all) | but will do | 07:29:19 |
| Grimmauld (any/all) | https://github.com/NixOS/nixpkgs/pull/412590 | 07:37:21 |
|  fhluit87 joined the room. | 12:53:13 |
