!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

748 Members
Coordination and triage of security issues in nixpkgs231 Servers

Load older messages

SenderMessageTime
20 Jun 2021
@hexa:lossy.networkhexaand v5.4.12422:09:13
21 Jun 2021
@emilazy:matrix.orgemily joined the room.00:35:35
@industrialrobot:matrix.orgindustrialrobot joined the room.08:12:49
@andreas.schraegle:helsinki-systems.deajs124seems like there was a dovecot + pigeonhole security release just now11:50:21
@janne.hess:helsinki-systems.dedas_j

changelog says:

 * CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
   JWT tokens. This may be used to supply attacker controlled keys to
   validate tokens, if attacker has local access.
 * CVE-2021-33515: On-path attacker could have injected plaintext commands
   before STARTTLS negotiation that would be executed after STARTTLS
   finished with the client.
11:51:49
@hexa:lossy.networkhexa ajs124: das_j are you taking care of that? 13:07:05
@janne.hess:helsinki-systems.dedas_j I think ajs124 is currently on it 13:07:24
@hexa:lossy.networkhexaI hope he knows that as well13:07:49
@janne.hess:helsinki-systems.dedas_jHe told me so - so he might know but who am I to tell13:08:53
@robert:funklause.dedotlambda In pigeonhole, the following was fixed: CVE-2020-28200: Sieve excessive resource usage. But I'm not sure version 0.5.15 can be used with earlier versions of Dovecot, so what do we do on stable? 13:12:46
@andreas.schraegle:helsinki-systems.deajs124 dotlambda: backport? 13:18:13
@andreas.schraegle:helsinki-systems.deajs124there's also 2.3.14.1, maybe that works with the new dovecot?13:18:24
@andreas.schraegle:helsinki-systems.deajs124 * there's also 2.3.14.1, maybe that works with the new pigeonhole?13:18:28
@robert:funklause.dedotlambdaI'm gonna ask on IRC13:18:37
@andreas.schraegle:helsinki-systems.deajs124https://github.com/NixOS/nixpkgs/pull/12766713:24:27
@andreas.schraegle:helsinki-systems.deajs124 andi-: aren't you a dovecot user? if so, do you maybe have some time to review ⬆️? 14:37:45
@andi:kack.itandi-I can't test right now. Only gonna be back home on sunday.14:39:23
@janne.hess:helsinki-systems.dedas_j ajs124: You can test on mail02 14:39:38
@janne.hess:helsinki-systems.dedas_jIsn't there a dovecot?14:39:47
@andreas.schraegle:helsinki-systems.deajs124I can also test on mail01 🤷‍♂️14:40:01
@janne.hess:helsinki-systems.dedas_jI do hereby explicitly not approve of this14:40:16
@andreas.schraegle:helsinki-systems.deajs124
Active: active (running) since Mon 2021-06-21 16:35:54 CEST; 4min 29s ago
14:40:31
@andreas.schraegle:helsinki-systems.deajs124 * 
Active: active (running) since Mon 2021-06-21 16:35:54 CEST; 4min 29s ago
CGroup: /system.slice/dovecot2.service
        ├─2666908 /nix/store/cmh9cnp6ng654xkb0la6yk9hsrniaqmd-dovecot-2.3.15/sbin/dovecot -F
14:40:54
@hexa:lossy.networkhexadoesn't crash, okay. but does it also work?14:41:06
@andreas.schraegle:helsinki-systems.deajs124it throws the same error messages as in the previous release?14:41:26
@hexa:lossy.networkhexaawesome14:41:34
@andreas.schraegle:helsinki-systems.deajs124we even still have the systemd unit that isn't used by the module (I think) in the package14:43:13
@leo:gaspard.ninjaEkleogRedacted or Malformed Event14:52:54
@leo:gaspard.ninjaEkleogRedacted or Malformed Event14:53:33
@leo:gaspard.ninjaEkleogRedacted or Malformed Event14:54:20

Show newer messages

Back to Room ListRoom Version: 6