30 Oct 2024
Mic92 | https://github.com/NixOS/nixpkgs/pull/352455 https://github.com/NixOS/nixpkgs/pull/352456 | 20:36:43 |
Mic92 | nix: fix macOS sandbox escape via builtin builders | 20:36:55 |
emily | will handle this one | 20:48:58 |
hexa | https://www.openwall.com/lists/oss-security/2024/10/30/4 qbittorrent | 23:55:19 |
31 Oct 2024
Scrumplex | https://github.com/NixOS/nixpkgs/pull/352499 for master | 00:11:01 |
Scrumplex | 24.05 is on 4.x. Just blindly applying the relevant patches doesn't work
Relevant patch: https://github.com/qbittorrent/qBittorrent/commit/2a4425380292baedc3be1d1e57506e45172da6fc
Part of the same PR but not strictly needed to fix vulnerability: https://github.com/qbittorrent/qBittorrent/commit/2a4077414f44f370d4bb66c3fd91ec755d4ce04d | 00:17:48 |
emily | the advisory is somewhat (subtextually) withering about their security practices. I think knownVulnerabilities for 24.05 is okay, and it's not clear to me if the other issues they disclosed have been fixed. (edit: actually, I guess they implied they're at least unexploitable due to TLS validation now) | 00:19:12 |
Scrumplex | I'll propose this: https://github.com/NixOS/nixpkgs/pull/352501
Maybe we can safely update 24.05 to qBittorrent 5.0.1, as I couldn't see any breaking changes, but maybe other people can handle that ^^ | 00:21:57 |
Scrumplex | Buffer overflow in libmpg123: https://www.openwall.com/lists/oss-security/2024/10/30/2 CVE-2024-10573 | 00:37:59 |
hexa | https://www.openwall.com/lists/oss-security/2024/10/31/1 webkitgtk 2.46.3 Jan Tojnar | 01:04:50 |
vcunat | In reply to @scrumplex:duckhub.io: "Buffer overflow in libmpg123: https://www.openwall.com/lists/oss-security/2024/10/30/2 CVE-2024-10573"
https://github.com/NixOS/nixpkgs/pull/351584 | 06:39:26 |
Jan Tojnar | sorry, not sure if I will be able to get to it this week | 09:27:35 |
1 Nov 2024
2 Nov 2024
4 Nov 2024
aleksana (force me to bed after 18:00 UTC) | Someone reported on hacker news that yt-dlp 2024.10.22 (which we are also using) has malicious behavior: https://news.ycombinator.com/item?id=42040600 | 12:03:10 |
aleksana (force me to bed after 18:00 UTC) | No conclusion has been drawn yet | 12:04:27 |
Sandro | we are not using the prebuilt binaries in the first place and the actual content is also being disputed | 15:52:07 |
5 Nov 2024
Alois | In reply to @aleksana:mozilla.org: "Someone reported on hacker news that yt-dlp 2024.10.22 (which we are also using) has malicious behavior: https://news.ycombinator.com/item?id=42040600"
complete nonsense; can be safely ignored + we compile from source | 00:17:59 |