| 9 May 2026 |
dish [Fox/It/She] | Gitpython security bump: https://github.com/NixOS/nixpkgs/pull/518443 | 17:20:00 |
| 11 May 2026 |
kuflierl | 'high' severity cve in python library
https://github.com/NixOS/nixpkgs/pull/518798 | 02:28:11 |
tgerbet | DNSMasq coordinated release (cache poisoning, privesc...) https://www.kb.cert.org/vuls/id/471747
https://github.com/NixOS/nixpkgs/pull/519082 | 17:34:09 |
hexa |
dnsmasq has released version 2.93 to fix the above vulnerabilities
| 17:36:23 |
hexa |
dnsmasq: 2.92 -> 2.92rel2
| 17:36:33 |
hexa | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html | 17:37:29 |
hexa |
With luck, 2.93 could be out in a week or so.
| 17:37:33 |
tgerbet | Requested an update of the CERT/CC advisory in the internal case... | 17:40:14 |
flx | https://github.com/NixOS/nixpkgs/pull/518430 | 23:24:08 |
| 12 May 2026 |
| Harinn joined the room. | 18:14:40 |
flx | https://github.com/NixOS/nixpkgs/pull/519502 | 18:32:28 |
| 13 May 2026 |
flx | https://github.com/NixOS/nixpkgs/pull/519882 | 19:12:05 |
Morgan (@numinit) | https://depthfirst.com/nginx-rift
FYI, nginx 😬, seems to trigger with captures in rewrite | 19:15:16 |
tgerbet | https://nginx.org/en/CHANGES
https://nginx.org/en/CHANGES-1.30
There are also other sec issues in the releases
nginxMainline will need a 1.29 -> 1.31 bump.
It would be nice if someone could handle it, I have done the last nginx upgrades but I'm not close to a laptop until tomorrow night | 19:23:09 |
Morgan (@numinit) | It's looking like a "tonight" thing for me (so several hours) | 19:23:44 |
hexa | https://blog.packagist.com/composer-2-9-8-and-2-2-28-fix-github-actions-token-disclosure-in-error-messages/ | 19:35:01 |
hexa | ma27 | 19:35:22 |
Sandro | untested https://github.com/NixOS/nixpkgs/pull/519893 | 19:46:05 |
ma27 | tomorrow if no one's faster | 22:44:35 |
| 14 May 2026 |
| louis joined the room. | 23:21:54 |
| louis left the room. | 23:22:37 |
| 15 May 2026 |
| louis joined the room. | 04:50:18 |
leona | Redacted or Malformed Event | 06:59:27 |
leona | https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/ was again pre-leaked (likely through commit msg + Spengler (as Qualys reported on oss-sec)). Qualys doesn't yet publish their advisory. | 07:01:33 |
leona | * https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/ was again pre-leaked (likely through commit msg + LLM + Spengler (as Qualys reported on oss-sec)). Qualys doesn't yet publish their advisory. | 07:01:41 |
arcayr | spengler again? | 07:19:08 |
Bart | https://github.com/NixOS/nixpkgs/pull/517598 | 12:03:38 |
kuflierl | https://github.com/NixOS/nixpkgs/pull/520646 | 22:58:40 |
| 16 May 2026 |
| maurice joined the room. | 10:04:53 |
| 17 May 2026 |
Morgan (@numinit) | BIND preannouncing that they are publishing a new release on May 20
https://lists.isc.org/pipermail/bind-announce/2026-May/001294.html | 20:47:14 |