| 26 Mar 2024 |
pinpox | Not sure if this is the right place to ask, but are current NixOS versions impacted by https://github.com/Notselwyn/CVE-2024-1086 ? | 20:33:53 |
K900 | No | 20:34:45 |
K900 |
The exploit affects versions from (including) v5.14 to (including) v6.6, excluding patched branches v5.15.149>, v6.1.76>, v6.6.15>
| 20:35:11 |
ris_ | at last https://github.com/NixOS/nixpkgs/pull/295967 | 23:05:56 |
| 27 Mar 2024 |
Jan Tojnar | https://github.com/NixOS/nixpkgs/pull/299417 | 05:44:09 |
tgerbet | https://www.openwall.com/lists/oss-security/2024/03/27/5
util-linux 2.40 was released with the fix
https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253 | 21:06:20 |
tgerbet | And curl 8.7.1 https://github.com/NixOS/nixpkgs/pull/299580 | 21:07:22 |
tgerbet | Well https://www.openwall.com/lists/oss-security/2024/03/27/7 😅 | 21:48:07 |
| 29 Mar 2024 |
vcunat | https://github.com/NixOS/nixpkgs/commit/c2b0bf3dd525#commitcomment-140365634 | 06:36:33 |
vcunat | (in case someone's interested in .mlflow for NixOS 23.11) | 06:37:06 |
clefru | FYI from what I see, the two 0 days for Google Chrome published on Tuesday are still unpatched in release-23.11. | 08:53:45 |
clefru | Sorry ignore that.. I am tracking nixos-23.11 and not release-23.11 | 09:05:50 |
hexa | https://www.openwall.com/lists/oss-security/2024/03/29/4 | 16:12:46 |
syd installs gentoo (they/them) | In reply to @hexa:lossy.network https://www.openwall.com/lists/oss-security/2024/03/29/4
b) argv[0] needs to be /usr/sbin/sshd
ldd $(which sshd) | grep -i lzma doesn't link against lzma
https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/compression/xz/default.nix
is on the affected version 5.6.1 (5.4.4 on 23.11)
Thank you hexa https://github.com/NixOS/nixpkgs/pull/300028
| 16:22:08 |
Julien | Just saw that as well, is there a specific reason we are not building xz from the "source code" links generated from github ? If I understand correctly part of the backdoor is not present in there | 16:38:11 |
vcunat | Because release tarballs need less dependencies to build. | 16:39:31 |
raitobezarius | In reply to @julienmalka:matrix.org Just saw that as well, is there a specific reason we are not building xz from the "source code" links generated from github ? If I understand correctly part of the backdoor is not present in there #security-discuss:nixos.org | 16:39:38 |
vcunat | * Because release tarballs need less dependencies to build from. | 16:39:55 |
tgerbet | And the source code tarballs generated by GH automatically are not stable | 16:40:28 |
vcunat | We have tools for that. | 16:40:55 |
vcunat | Hashing the unpacked directory tree instead. | 16:41:07 |
vcunat | Dependency on autoreconfHook can be bothersome, especially for packages involved in stdenv bootstrapping. | 16:41:42 |