NixOS Security Triage - Public Room Timeline - Matrix Static

	NixOS Security Triage	659 Members
	Coordination and triage of security issues in nixpkgs \| Discussions in #security-discuss:nixos.org \| Open PRs: https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc+label%3A%221.severity%3A+security%22	204 Servers

You have reached the beginning of time (for this room).

Sender	Message	Time
1 Jul 2025
Markus Theil	Thx for the hint. Will add a PR this evening.	13:57:22
Markus Theil	All mentioned CVEs are also fixed in the PR for 3.5.0 already merged to staging. Currently used version 3.4.x are not affected.	13:58:26
SigmaSquadron	XSA #470: https://github.com/NixOS/nixpkgs/pull/421514	14:19:12
SigmaSquadron	* XSA #470: https://github.com/NixOS/nixpkgs/pull/421514	14:19:50
emily	on it. does it need backporting?	14:39:36
	zororg joined the room.	14:55:33
Markus Theil	https://github.com/NixOS/nixpkgs/pull/421531 is still compiling on my side. Will ping here, when ready and some smoke tests are done.	15:33:21
SigmaSquadron	In reply to @emilazy:matrix.org on it. does it need backporting? yep, forgot the label, sorry.	15:57:16
	Damian Poddebniak joined the room.	20:54:51
2 Jul 2025
Markus Theil	OpenSSL is ready. Update for 25.05 in https://github.com/NixOS/nixpkgs/pull/421735	09:43:52
4 Jul 2025
Grimmauld (any/all)	https://nvd.nist.gov/vuln/detail/CVE-2025-6817 \| https://github.com/HDFGroup/hdf5/issues/5572 https://nvd.nist.gov/vuln/detail/CVE-2025-6816 \| https://github.com/HDFGroup/hdf5/issues/5571 https://nvd.nist.gov/vuln/detail/CVE-2025-6750 \| https://github.com/HDFGroup/hdf5/issues/5549 `hdf5` doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, i have my own projects that depend on hdf5 (bachelors thesis) but figured i might as well post these here too. Fix will likely only come out in September.	07:53:03
Grimmauld (any/all)	* https://nvd.nist.gov/vuln/detail/CVE-2025-6817 \| https://github.com/HDFGroup/hdf5/issues/5572 https://nvd.nist.gov/vuln/detail/CVE-2025-6816 \| https://github.com/HDFGroup/hdf5/issues/5571 https://nvd.nist.gov/vuln/detail/CVE-2025-6750 \| https://github.com/HDFGroup/hdf5/issues/5549 https://nvd.nist.gov/vuln/detail/CVE-2025-6516 \| https://github.com/HDFGroup/hdf5/issues/5581 `hdf5` doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, i have my own projects that depend on hdf5 (bachelors thesis) but figured i might as well post these here too. Fix will likely only come out in September.	07:54:17
Grimmauld (any/all)	* https://nvd.nist.gov/vuln/detail/CVE-2025-6817 \| https://github.com/HDFGroup/hdf5/issues/5572 https://nvd.nist.gov/vuln/detail/CVE-2025-6816 \| https://github.com/HDFGroup/hdf5/issues/5571 https://nvd.nist.gov/vuln/detail/CVE-2025-6750 \| https://github.com/HDFGroup/hdf5/issues/5549 https://nvd.nist.gov/vuln/detail/CVE-2025-6516 \| https://github.com/HDFGroup/hdf5/issues/5581 https://nvd.nist.gov/vuln/detail/CVE-2025-6270 \| https://github.com/HDFGroup/hdf5/issues/5580 https://nvd.nist.gov/vuln/detail/CVE-2025-6269 \| https://nvd.nist.gov/vuln/detail/CVE-2025-6269 `hdf5` doesn't have a new release, and none of these CVEs have patches yet either. I'll be watching the issues, i have my own projects that depend on hdf5 (bachelors thesis) but figured i might as well post these here too. Fix will likely only come out in September.	07:55:50
Grimmauld (any/all)	there might well be more, seems some new people started actually fuzzing that lib. There is POCs and all, but assigned severity is all somewhat low. Still safe to say the next release is security-relevant	07:57:13

Show newer messages

Back to Room ListRoom Version: 6