!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

731 Members
Coordination and triage of security issues in nixpkgs
225 Servers

Sender | Message | Time
17 Apr 2026
@pyrox:pyrox.dev dish [Fox/It/She] | changed their profile picture. | 16:58:37
@aaronedev:matrix.org aaronedev | joined the room. | 18:53:50
22 Apr 2026
@vcunat:matrix.org vcunat | CVE-2026-4367: libXpm Out-of-bounds read https://lists.x.org/archives/xorg-announce/2026-April/003690.html | 06:21:10
@vcunat:matrix.org vcunat | * CVE-2026-4367: libXpm Out-of-bounds read https://lists.x.org/archives/xorg-announce/2026-April/003690.html EDIT: it's not small, Rebuild: linux 20383, darwin 8538 | 07:11:46
@flx-:matrix.org flx | https://github.com/NixOS/nixpkgs/pull/512277 | 08:50:52
23 Apr 2026
@scrumplex:duckhub.io Scrumplex | NixOS is probably less affected than others, but there is a high severity fix for packagekit here: https://github.com/NixOS/nixpkgs/pull/512652 See https://www.openwall.com/lists/oss-security/2026/04/22/6 | 06:42:42
@paul:koeck.dev Paul | joined the room. | 16:12:57
@hythera:matrix.org Hythera | joined the room. | 21:04:24
@hythera:matrix.org Hythera | All PRs approved by at least one of their respected maintainers; would be nice if someone could take a look at them :) https://github.com/NixOS/nixpkgs/pull/511009 https://github.com/NixOS/nixpkgs/pull/511515 https://github.com/NixOS/nixpkgs/pull/512781 | 21:06:30
@john:matrix.freelock.com John | joined the room. | 22:31:28
@gigacode:poa.st gigacode | joined the room. | 23:55:08
24 Apr 2026
@matthewahiles:matrix.org Matthew Hiles | joined the room. | 00:51:35
27 Apr 2026
@samuel.dionne-riel:cyberus-technology.de Samuel Dionne-Riel | "old" PR for gdk-pixbuf bump includes a security fix (not clearly outlined in their changelog): https://github.com/NixOS/nixpkgs/pull/507383 | 14:02:16
@vcunat:matrix.org vcunat | About urgency... is it bad for 32-bit systems only? | 14:10:54
@vcunat:matrix.org vcunat | (thinking of that because of staging-next-25.11 in progress) | 14:11:13
@samuel.dionne-riel:cyberus-technology.de Samuel Dionne-Riel | I don't know if I have the knowledge to state for sure, but “64-bit exploitation primitives verified”, just demonstrated on 32-bit? | 14:12:22
@vcunat:matrix.org vcunat | Ah, right. I read the line but missed the "exploitation" word and thus didn't get the meaning. | 14:13:39
@paul:koeck.dev Paul | left the room. | 14:16:56
@vcunat:matrix.org vcunat | Considering the rebuild amount etc, I pulled it to staging-next-25.11 as well. | 14:26:18
@ninja:worldethicaldataforum.org Ninja | joined the room. | 14:39:05
@stigo:matrix.org stigo | Btw, if someone feels like merging this: https://github.com/NixOS/nixpkgs/pull/513690 (CryptX rng+fork() bug) | 19:14:18
28 Apr 2026
@aangularframework:matrix.org Aangularity | joined the room. | 04:38:20
@samuel.dionne-riel:cyberus-technology.de Samuel Dionne-Riel | https://github.com/NixOS/nixpkgs/pull/512192#issuecomment-4339118013 | 21:16:29
@hexa:lossy.network hexa | https://www.openwall.com/lists/oss-security/2026/04/28/20 | 23:45:11
@whispers:catgirl.cloud whispers [& it/fae] | looks like a non-issue: https://seclists.org/oss-sec/2026/q2/257. our source tarball has the correct line. | 23:55:36
@whispers:catgirl.cloud whispers [& it/fae] | looks like a non-issue: https://seclists.org/oss-sec/2026/q2/257. our source tarball (decompressed from traceroute/traceroute.c) has the correct line. | 23:56:02
@whispers:catgirl.cloud whispers [& it/fae] | looks like a non-issue: https://seclists.org/oss-sec/2026/q2/257. our source tarball (decompressed from traceroute.src) has the correct line. | 23:56:12
@whispers:catgirl.cloud whispers [& it/fae] | looks like a non-issue: https://www.openwall.com/lists/oss-security/2026/04/28/22. our source tarball (decompressed from traceroute.src) has the correct line. | 23:58:53
29 Apr 2026
@hexa:lossy.network hexa | https://www.openwall.com/lists/oss-security/2026/04/29/1 starman stigo | 00:19:07
@stigo:matrix.org stigo | https://github.com/NixOS/nixpkgs/pull/514601 | 00:52:28

Room Version: 6