| 17 Jun 2026 |
 hexa | h3 only | 17:17:25 |
| hexa | 1.30.x is not yet EOL | 17:18:28 |
| hexa | so is it not vulnerable per https://my.f5.com/manage/s/article/K000161616? | 17:18:41 |
| hexa | 
Download | 17:18:55 |
|  r-burns joined the room. | 19:14:06 |
| r-burns | PR to address CVE-2026-12043 HIGH Heap double-free in AWS Common Runtime
https://github.com/NixOS/nixpkgs/pull/531504
Messaging here because this is a dependency of Nix via its AWS support which is typically enabled by default.
Not sure of the severity here, perhaps low because it's only a concern if fetching a path from a compromised S3 bucket? Or perhaps not a concern at all if Nix only calls out to aws-c-common at runtime, not the aws-c-http component (not sure). Just wanted to point it out here so someone more knowledgeable can triage appropriately. | 19:22:52 |
 Morgan (@numinit) | https://lore.kernel.org/util-linux/c2fo4x3lcppsj77k564i4qodmon3wagx47qf4mqwjwdtiplupg@jmaqrlzp273h/T/
On it in a couple hours, looks like libmount stuff | 22:30:59 |
 Sergei Zimmerman (xokdvium) | In reply to @r-burns:matrix.org
PR to address CVE-2026-12043 HIGH Heap double-free in AWS Common Runtime
https://github.com/NixOS/nixpkgs/pull/531504
Messaging here because this is a dependency of Nix via its AWS support which is typically enabled by default.
Not sure of the severity here, perhaps low because it's only a concern if fetching a path from a compromised S3 bucket? Or perhaps not a concern at all if Nix only calls out to aws-c-common at runtime, not the aws-c-http component (not sure). Just wanted to point it out here so someone more knowledgeable can triage appropriately. The http component usage should be quite limited? This presumably also affects the cpp sdk (used by older nix versions)? If not, the http client usage should be limited to doing auth and such – the actual download is done by libcurl | 22:33:29 |
| r-burns | It looks like modern nix 2.34 still links against it, just via aws-crt-cpp instead of aws-sdk-cpp. But yes, it looks like the only usage of AWS libs in modern nix is now in libstore/aws-creds.cc, which only appears to be using aws-c-auth and aws-c-io functionality. So yeah Nix is probably unaffected then, thanks for clarifying :) | 22:59:47 |
| 18 Jun 2026 |
 stigo | I'm looking at all outstanding perlPackages vuln patches today | 12:12:33 |
| r-burns | ^ maybe not fully accurate as aws-c-auth appears to call out to aws-c-http internally, but they're not interacted with directly by Nix, at least | 13:39:22 |
| stigo | https://github.com/NixOS/nixpkgs/pull/533010 <-- several perlPackages | 17:12:21 |
|  whispers [& it/fae] changed their display name from whispers [& it/fae] to meow meow. | 18:46:29 |
| whispers [& it/fae] changed their display name from meow meow to whispers [& it/fae]. | 19:12:06 |
|  Heartfelt Heron joined the room. | 22:11:42 |
 Sandro | https://github.com/hedgedoc/hedgedoc/releases/tag/1.11.0 | 22:14:51 |
| Sandro | https://github.com/NixOS/nixpkgs/pull/533128 | 23:12:42 |
| hexa | https://github.com/NixOS/nixpkgs/pull/533143 | 23:42:38 |
| 19 Jun 2026 |
|  whoami [violet_cookie_bytes] joined the room. | 12:20:04 |
| 19 May 2021 |
|  @grahamc:nixos.org set the history visibility to "world_readable". | 22:57:54 |
| @grahamc:nixos.org changed the room name to "" from "". | 22:57:54 |
|  ajs124 joined the room. | 22:58:46 |
|  andi- joined the room. | 23:00:51 |
| hexa joined the room. | 23:01:24 |
|  Sushi Dude joined the room. | 23:04:45 |
|  [0x4A6F] joined the room. | 23:04:54 |
|  sumner joined the room. | 23:11:04 |
|  sugi joined the room. | 23:24:52 |
|  Foxboron joined the room. | 23:32:00 |
|  adisbladis joined the room. | 23:43:35 |
