| 23 Mar 2026 |
dish [Fox/It/She] | Closes 10 currently open security issues for siyuan https://github.com/NixOS/nixpkgs/pull/502753 | 18:20:37 |
| 24 Mar 2026 |
leona | https://github.com/NixOS/nixpkgs/pull/503140 nginx | 20:11:50 |
dish [Fox/It/She] | https://nodejs.org/en/blog/vulnerability/march-2026-security-releases | 21:38:22 |
dish [Fox/It/She] | nodejs | 21:38:23 |
dish [Fox/It/She] | 2 high, 5 medium, 2 low severity CVEs | 21:40:58 |
dish [Fox/It/She] | 24.x and earlier are only affected by 4 of the medium vulns, but all of the high and low ones as well | 21:41:24 |
dish [Fox/It/She] | PR submitted for all 4 versions https://github.com/NixOS/nixpkgs/pull/503168 | 21:48:49 |
whispers [& it/fae] | aduh95 did this in #503151, #503152, #503153, and #503154 | 21:50:46 |
whispers [& it/fae] | * aduh95 did this in #503151, #503152, #503153, and #503154. all are already merged. 24 to staging, the rest to master. | 21:50:59 |
dish [Fox/It/She] | my apologies, didn't see those. Thank you! | 21:51:30 |
| 25 Mar 2026 |
Fernando Rodrigues | https://xenbits.xenproject.org/xsa/advisory-482.html XSA targeting a Linux driver | 01:04:14 |
Fernando Rodrigues | I'm not entirely sure how to patch out kernels though | 01:04:55 |
Alyssa Ross | Presumably mainline will have the patch at some point? | 06:37:24 |
Alyssa Ross | but maybe we should ask… | 06:41:23 |
Fernando Rodrigues | it will; this would be about patching ahead of schedule. We do that for Xen since minor version bumps take forever to release, but I'm not sure how we do things in the kernel. | 06:56:21 |
Alyssa Ross | stable kernels are weekly, but this patch has not even been posted to a kernel list yet | 06:58:51 |
Alyssa Ross | ah but it was committed directly to Linus's tree, good | 07:01:17 |
Alyssa Ross | so generally it will be in 7.0-rc6 on Sunday, and then stable kernels the following Friday. | 07:01:55 |
Alyssa Ross | but in this case, I already see them in the stable kernel queue, so they're likely to make it into this Friday's instead | 07:04:21 |
Fernando Rodrigues | awesome | 07:42:27 |
hexa | https://seclists.org/oss-sec/2026/q1/383 | 14:45:37 |
hexa | backdoor in litellm 1.82.7 | 14:45:43 |
hexa | ok, master has 1.81.14 | 14:46:28 |
kirillrdy | it only affects artifacts on pypi, nixpkgs fetches from github | 19:24:05 |
Ben Sparks | as long as no one has the bright idea to bump nixpkgs to a revision on pypi :) | 19:34:55 |
Ben Sparks | * as long as no one has the bright idea to bump nixpkgs to said revision on pypi :) | 19:35:07 |
kirillrdy | it's already been yanked from pypi | 19:36:55 |