!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

549 Members
Coordination and triage of security issues in nixpkgs | Discussions in #security-discuss:nixos.org | Open PRs: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc+label%3A%221.severity%3A+security%22
168 Servers

Sender | Message | Time
22 Feb 2024
@dooy:matrix.org @dooy:matrix.org: Hello. Is there NixOS triage, or is there only security triage? Not sure what triage refers to. I read in a doc how Nix triage needs help and that one can be helpful there. Also, is this only for NixOS or all nix? 15:06:13
@k900:0upti.me K900 ⚡️: Triage in general mostly means sorting through incoming issues 15:06:36
@k900:0upti.me K900 ⚡️: And prioritizing them and forwarding them to the relevant people 15:06:51
@k900:0upti.me K900 ⚡️: This is more of a #dev:nixos.org thing 15:07:05
@reddima100:matrix.org @reddima100:matrix.org joined the room. 15:44:15
@reddima100:matrix.org @reddima100:matrix.org left the room. 15:45:38
23 Feb 2024
@hexa:lossy.network hexa: https://c-ares.org/changelog.html 07:38:43
@fernsehmuell:matrix.org fernsehmuell: Hello, there is a CVE for the PostgreSQL-JDBC driver (https://nvd.nist.gov/vuln/detail/CVE-2024-1597). Right now nixpkgs has version 42.6.0 (stable+unstable). It is fixed in 42.6.1. So an update should be enough. 12:17:24
@fernsehmuell:matrix.org fernsehmuell changed their display name from fernsehmuell (DECT 3376 (fern)) to fernsehmuell. 12:40:12
@forden:envs.net @forden:envs.net joined the room. 14:08:56
@forden:envs.net @forden:envs.net left the room. 14:09:03
@insurgo:matrix.org Insurgo aka tlaurion [AFK until March 20th] changed their display name from Insurgo aka tlaurion [(UTC/GMT)-5] to Insurgo aka tlaurion [AFK until March 20th]. 18:23:58
@tgerbet:matrix.org tgerbet: https://github.com/NixOS/nixpkgs/pull/291012 22:54:23
27 Feb 2024
@mclutzifer:matrix.org @mclutzifer:matrix.org left the room. 13:05:24
@hhefesto:matrix.org Daniel Herrera Rendón joined the room. 20:47:19
28 Feb 2024
@/yvan:matrix.org @/yvan:matrix.org left the room. 15:45:47
29 Feb 2024
@ilex:oakforest.in ilex: https://github.com/HardySimpson/zlog/pull/251/commits/77d8af3b368b564605f3ab34ad9b0ed6ead9b380 12:33:07
@blitz:chat.x86.lol Julian Stecklina
In reply to @ilex:oakforest.in
https://github.com/HardySimpson/zlog/pull/251/commits/77d8af3b368b564605f3ab34ad9b0ed6ead9b380
as someone who (also) writes C code for money, this is a pretty sad bug
17:53:02
@katexochen:matrix.org Paul Meyer (katexochen)

We plan to issue a security fix for the google.golang.org/protobuf and github.com/golang/protobuf modules on next Tuesday, March 5.
This will cover CVE-2024-24786.

https://groups.google.com/g/golang-announce/c/jiGrhz7X6aU/m/I8gP6k5ABAAJ?utm_medium=email&utm_source=footer&pli=1

21:00:42
1 Mar 2024
@tgerbet:matrix.org tgerbet
In reply to @ilex:oakforest.in
https://github.com/HardySimpson/zlog/pull/251/commits/77d8af3b368b564605f3ab34ad9b0ed6ead9b380
https://github.com/NixOS/nixpkgs/pull/292517
10:30:25
@katexochen:matrix.org Paul Meyer (katexochen)

We plan to issue Go 1.22.1 and Go 1.21.8 during US business hours on Tuesday, March 5.
These minor releases include PRIVATE security fixes to the standard library, covering the following CVEs:
CVE-2023-24783
CVE-2023-45290
CVE-2023-45289
https://groups.google.com/g/golang-announce/c/smSYdsWaO4o/m/7OvResZDBAAJ?utm_medium=email&utm_source=footer&pli=1

10:40:51
@tomberek:matrix.org tomberek set a profile picture. 15:20:53
2 Mar 2024
@dooy:matrix.org @dooy:matrix.org left the room. 11:27:45
@stablejoy:matrix.org stablejoy joined the room. 11:30:00
@stablejoy:matrix.org stablejoy set a profile picture. 11:44:15
3 Mar 2024
@c3r5b8:matrix.org c3r5b8 joined the room. 06:06:16
