<MichaelRaskin>
qyliss: but then it is not «again», it is «still»
<qyliss>
well yeah
<qyliss>
I assumed this would have been included in yesterday's patch
<qyliss>
But I guess it was discovered after
<MichaelRaskin>
That's why I say combo — it looks like Coinbase gives Mozilla info in real time as they are looking at the malware, and Mozilla patches in-the-wild exploits just with the speed they can understand the exploits…
<ivan>
I guess they found it in their bug tracker after coinbase reported getting owned
<MichaelRaskin>
It is marked as part 1 though
<ivan>
it's common to try to camouflage critical security fixes with misleading commit messages
<MichaelRaskin>
Well, referring to access-controlled bug in the commit message kind of spoils that strategy
<MichaelRaskin>
Hm, there are no further parts, though
<andi->
reviewing the PR (#63588, qyliss)
<qyliss>
fwiw I was planning on merging as soon as nix-review passes, but can hold off for a little bit if you want.
<qyliss>
andi-: that's nix-review passing now
<andi->
qyliss: I usually try to open the MR and then at some point merge it with the new firefox build :-)
<qyliss>
not sure I understand
<andi->
I test firefox by running the tests and then using it for the actual PR to nixpkgs.
<qyliss>
oh nice :)
<andi->
and some reading of news / social media..
<andi->
qyliss: the change looks fine. +1 on that. Just haven't been able to test it myself just yet
<MichaelRaskin>
Ah right people still use full browsers to read news
<qyliss>
in that case I'm gonna go ahead and merge. getting this fixed ASAP >> small chance of something broken
<andi->
qyliss: +1
<qyliss>
merged
<MichaelRaskin>
Right. Mozilla is usually not breaking unrelated stuff in point releases
<MichaelRaskin>
Thank you
<andi->
started a new 19.03 eval
<qyliss>
what an exciting week this has been for security
<qyliss>
there was a bind DoS earlier today as well
<andi->
I am just catching up with things. Mostly been busy with a security issue at work...
<andi->
(╯°□°)╯︵ ┻━┻)
<qyliss>
lol
<ekleog>
oh I was thinking “week” included https://rambleed.com/ ; but it sounds like that was a bit more than a week ago… let's say interesting ten days?
<andi->
yeah, can't wait to get a proper weekend of sleep :-)
<qyliss>
yeah
<MichaelRaskin>
Was the Windows DoS disclosure drama this week? But it was indeed pretty irrelevant in comparison
<qyliss>
I didn't even know there was one of those
<MichaelRaskin>
Well, there was a DoS for Windows in Project Zero, as usual MS had an alleged patch inside the first month of the 90 days, 90 days ended one day before Patch Tuesday so they got a one-day extension with no pushback, then it turns out they managed not to include the fix in the latest Patch Tuesday.
<MichaelRaskin>
Of course they tried to get an extension, and allegedly used threats, but didn't provide any convincing reasons to believe they wouldn't just fail to release the fix one more time.