| 25 Mar 2026 |
hexa | https://seclists.org/oss-sec/2026/q1/383 | 14:45:37 |
hexa | backdoor in litellm 1.82.7 | 14:45:43 |
hexa | ok, master has 1.81.14 | 14:46:28 |
kirillrdy | it only affects artifacts on pypi, nixpkgs fetches from github | 19:24:05 |
Ben Sparks | as long as no one has the bright idea to bump nixpkgs to a revision on pypi :) | 19:34:55 |
Ben Sparks | * as long as no one has the bright idea to bump nixpkgs to said revision on pypi :) | 19:35:07 |
kirillrdy | it's already been yanked from pypi | 19:36:55 |
| 26 Mar 2026 |
hexa | https://seclists.org/oss-sec/2026/q1/387 libpng | 00:48:39 |
vcunat | It's a huge rebuild, so there's at least one week of time (before starting another staging-next*) | 10:00:27 |
vcunat | Unless we'd like to scrap the few days of the current staging-next-25.11. (as this one looks potentially quite serious) | 10:01:13 |
vcunat | * Unless we'd like to scrap the few days of the current staging-next-25.11. (as this one looks potentially quite serious; see the first Impact: section) | 10:02:23 |
ma27 | glibc security update: https://github.com/NixOS/nixpkgs/pull/503779 | 16:40:27 |
ma27 | also checking if 25.11 is affected (I think so). can I target -next-25.11 or rather staging? | 16:41:01 |
vcunat | -linux is over 40% rebuilt in there, so unless it's critical... | 17:11:44 |
vcunat | * -linux is over 40% rebuilt in there, so unless it's critical, I'd choose staging-25.11. | 17:12:00 |
vcunat | * -linux is over 40% rebuilt in there, so unless it's really urgent, I'd choose staging-25.11. | 17:12:14 |
vcunat | The description doesn't sound serious to me, at a quick read:
https://sourceware.org/bugzilla/show_bug.cgi?id=34014#c0 | 17:15:27 |
ma27 | agreed. it's also not even on the 2.40 release branch 🤷 | 17:17:33 |
vcunat | I honestly don't get it. A prerequisite is that your configured DNS resolver is malicious. And the impact is that the answer returned by that resolver is interpreted incorrectly? I guess I'm too tired today? | 17:17:46 |
| 27 Mar 2026 |
dish [Fox/It/She] | manual backport of the last 3 nats-server releases to fix a few security issues for it on release-25.11 https://github.com/NixOS/nixpkgs/pull/503952 | 04:52:26 |
dish [Fox/It/She] | (by a few, I mean a lot, there's over 10 issues open from sectracker rn) | 04:52:50 |
dish [Fox/It/She] | none of the open issues affect master branch since it's on the latest release that has fixes for all known issues that are on nixpkgs' security tracker | 04:55:16 |
vcunat | I'd say it has security aspects, but no idea about severity:
https://github.com/NixOS/nixpkgs/pull/503869 | 06:20:31 |
ma27 | grafana security updates: https://github.com/NixOS/nixpkgs/pull/504009, https://github.com/NixOS/nixpkgs/pull/504014 (25.11) | 10:33:43 |