gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
hmpffff has quit [Quit: nchrrrr…]
justanotheruser has joined #nixos-security
justanotheruser has quit [Ping timeout: 264 seconds]
justanotheruser has joined #nixos-security
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-security
Yakulu has left #nixos-security ["Disconnected: closed"]
Yakulu has joined #nixos-security
pietranera has joined #nixos-security
hmpffff has joined #nixos-security
andi- has quit [Ping timeout: 250 seconds]
andi- has joined #nixos-security
andi- has quit [Excess Flood]
andi- has joined #nixos-security
__Sander__ has joined #nixos-security
<ivan> https://github.com/NixOS/nixpkgs/pull/65633 chromium update I've tested
<{^_^}> #65633 (by ivan, 2 hours ago, open): chromium: 75.0.3770.90 -> 76.0.3809.87
<ivan> https://github.com/NixOS/nixpkgs/pull/65635 chromium backport I haven't tested
<{^_^}> #65635 (by ivan, 1 hour ago, open): [19.03] chromium: 75.0.3770.90 -> 76.0.3809.87
<ivan> andi-: ^
<andi-> ivan: I saw them.. Will try to look at them later today..
<ivan> thanks
<marek> when doing larger changes, for example right now I have a backport for iptables, who could spin up a hydra job for it?
<marek> or is it the role of staging-19.03 and staging-next?
<gchristensen> no need for a job, those go to staging
<gchristensen> and usually I feel pretty okay with those sorts of changes going right to 19.03's branch
<marek> ok, should I open the PR directly there?
<marek> after breaking half of nixos with my unzip change, I'm full of fear :)
<gchristensen> yeah
<marek> gchristensen: ok, for https://github.com/NixOS/nixpkgs/pull/65662 it can go to release-19.03 directly, but for https://github.com/NixOS/nixpkgs/pull/65660 I should rather make it to staging-next instead of master?
<{^_^}> #65662 (by mmahut, 17 minutes ago, open): iptables: CVE-2019-11360 (release-19.03)
<{^_^}> #65660 (by mmahut, 24 minutes ago, open): gnupatch: CVE-2019-13636
<gchristensen> right
<marek> I guess it's easier to spot regressions in 19.03
<gchristensen> master should not receive mass rebuilds
<marek> gchristensen: ok thank you!
__Sander__ has quit [Quit: Konversation terminated!]
<samueldr> [12:19:50] <pietranera> https://www.openwall.com/lists/oss-security/2019/07/31/2 icedtea_web: "CVE-2019-10182 and CVE-2019-10185 are considered High, since they can easily be used to take over the client before checking signatures. All versions of icedtea-web are believed to be vulnerable." The email points to a PR on GitHub that hasn't been yet merged though.
<samueldr> (from #nixos)
<gchristensen> oh wow
<pietranera> thanks samueldr, I meant to post it here, but used the wrong window!
<samueldr> no worries, I just copy whatever CVE things happen to be shared on other channels here
<marek> gchristensen: please can you glance at this if it needs a staging branch? https://github.com/NixOS/nixpkgs/pull/65672
<{^_^}> #65672 (by mmahut, 23 minutes ago, open): pango: CVE-2019-1010238
<gchristensen> yes please
<marek> ok
<aanderse> hmm
<aanderse> can we get a bot to mention new issues or prs with the "security" label?
<aanderse> or when that label is added
<tilpner> ,feeds
<{^_^}> https://feed.nix.tx0.co provides Atom feeds for nixpkgs issue labels to notify you about new issues tagged with that label from within e.g. Thunderbird
<tilpner> Not a bot, but might be useful
<tilpner> (If you already have a reader, otherwise useless)
<tilpner> aanderse: ^
hmpffff_ has joined #nixos-security
hmpffff has quit [Ping timeout: 252 seconds]
<aanderse> tilpner: thanks!
<andi-> ivan: I currently lack CPU time to review the chromium PRs... A few too many hydra jobs running :/