| 11 Jun 2026 |
| lav joined the room. | 23:50:44 |
| 12 Jun 2026 |
| Sapii/Saperson changed their display name from Sapii to Sapii/Saperson. | 01:24:28 |
Markus Theil | OpenSSL PR:
https://github.com/NixOS/nixpkgs/pull/530955
I'm still doing some small smoke tests, like building systemd with it. Will mark as ready when done and ping here. | 07:22:26 |
Markus Theil | https://github.com/NixOS/nixpkgs/pull/530964 | 07:45:21 |
Markus Theil | Added another PR for fast path, as mentioned by vcunat. | 07:45:43 |
dotlambda | I don't have time to look into whether https://github.com/NixOS/nixpkgs/pull/526853 can be backported.
Note that https://github.com/NixOS/nixpkgs/pull/529580 fixes even more CVEs. | 18:51:11 |
| 14 Jun 2026 |
| @aangularframework:matrix.org left the room. | 15:49:02 |
| Nick joined the room. | 16:20:16 |
Nick | Fixes critical CVE in perl package
https://github.com/NixOS/nixpkgs/pull/531809 | 23:22:54 |
hexa | perl maintainers have been requested | 23:45:14 |
| 15 Jun 2026 |
stigo | Critical is probably pushing it a bit, that CVSS score comes from CISA btw | 12:16:46 |
| tcllama joined the room. | 18:39:14 |
| 17 Jun 2026 |
K900 | https://www.cve.org/CVERecord?id=CVE-2026-42530 nginx vuln just dropped | 17:15:52 |
hexa | h3 only | 17:17:25 |
hexa | 1.30.x is not yet EOL | 17:18:28 |
hexa | so is it not vulnerable per https://my.f5.com/manage/s/article/K000161616? | 17:18:41 |
| r-burns joined the room. | 19:14:06 |
r-burns | PR to address CVE-2026-12043 HIGH Heap double-free in AWS Common Runtime
https://github.com/NixOS/nixpkgs/pull/531504
Messaging here because this is a dependency of Nix via its AWS support which is typically enabled by default.
Not sure of the severity here, perhaps low because it's only a concern if fetching a path from a compromised S3 bucket? Or perhaps not a concern at all if Nix only calls out to aws-c-common at runtime, not the aws-c-http component (not sure). Just wanted to point it out here so someone more knowledgeable can triage appropriately. | 19:22:52 |
Morgan (@numinit) | https://lore.kernel.org/util-linux/c2fo4x3lcppsj77k564i4qodmon3wagx47qf4mqwjwdtiplupg@jmaqrlzp273h/T/
On it in a couple hours, looks like libmount stuff | 22:30:59 |
Sergei Zimmerman (xokdvium) | In reply to @r-burns:matrix.org PR to address CVE-2026-12043 HIGH Heap double-free in AWS Common Runtime
https://github.com/NixOS/nixpkgs/pull/531504
Messaging here because this is a dependency of Nix via its AWS support which is typically enabled by default.
Not sure of the severity here, perhaps low because it's only a concern if fetching a path from a compromised S3 bucket? Or perhaps not a concern at all if Nix only calls out to aws-c-common at runtime, not the aws-c-http component (not sure). Just wanted to point it out here so someone more knowledgeable can triage appropriately.
The http component usage should be quite limited? This presumably also affects the cpp sdk (used by older nix versions)? If not, the http client usage should be limited to doing auth and such – the actual download is done by libcurl | 22:33:29 |
r-burns | It looks like modern nix 2.34 still links against it, just via aws-crt-cpp instead of aws-sdk-cpp. But yes, it looks like the only usage of AWS libs in modern nix is now in libstore/aws-creds.cc, which only appears to be using aws-c-auth and aws-c-io functionality. So yeah Nix is probably unaffected then, thanks for clarifying :) | 22:59:47 |
| 18 Jun 2026 |
stigo | I'm looking at all outstanding perlPackages vuln patches today | 12:12:33 |
r-burns | ^ maybe not fully accurate as aws-c-auth appears to call out to aws-c-http internally, but they're not interacted with directly by Nix, at least | 13:39:22 |
stigo | https://github.com/NixOS/nixpkgs/pull/533010 <-- several perlPackages | 17:12:21 |
| whispers [& it/fae] changed their display name from whispers [& it/fae] to meow meow. | 18:46:29 |
| whispers [& it/fae] changed their display name from meow meow to whispers [& it/fae]. | 19:12:06 |
| Heartfelt Heron joined the room. | 22:11:42 |
Sandro 🐧 | https://github.com/hedgedoc/hedgedoc/releases/tag/1.11.0 | 22:14:51 |