#nixos-security on 2019-08-05

2019-04-23 19:29 gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh

09:55 hmpffff has joined #nixos-security

10:01 pietranera has joined #nixos-security

10:11 <pietranera> Hi all, FTR the icedtea_web team has released the fixes to a bunch of serious CVEs (https://www.openwall.com/lists/oss-security/2019/07/31/2) a couple of days ago in version 1.8.3 (https://github.com/AdoptOpenJDK/IcedTea-Web/commit/6b2d51873acc745016311712074fde89a629ccb8). AFAICT Nix ships with version 1.7.1 (https://github.com/NixOS/nixpkgs/commit/ede066dfcc024342cfca566512852e54c655320e April 2018). I don't know whether it'd b

10:11 <pietranera> e worth backporting to the stable channels or mark 1.7.1 as insecure and update only unstable. Thanks for your hard work on Nix/NixOS!

10:47 <andi-> pietranera: if those patches apply (with a minimal effort) on 1.7.x then we should backport them

11:32 <gchristensen> if they don't apply we should decide on either backporting,or marking insecure

11:40 <andi-> I would like to have someone that atually knows Java (these days) to make a call on that tho… I have not idea what changed between 1.7, 1.8 or whatever and the changelog is likely not enough for an outsiders.

12:43 <pietranera> I can try and have a look (I know some Java, though it's not my main programming language), but I can't commit to a specific timeline.

12:57 <marek> anyone againts merging this to master? https://github.com/NixOS/nixpkgs/pull/65668

12:57 <{^_^}> #65668 (by mmahut, 4 days ago, open): wavpack: CVE-2019-1010317 CVE-2019-1010319

15:17 justanotheruser has quit [Quit: WeeChat 2.4]

15:18 justanotheruser has joined #nixos-security

16:36 pietranera has quit [Quit: Leaving.]

20:20 hmpffff has quit [Quit: Bye…]

22:18 <pie_> hm, guess i wont get withpackages stuff into 19.09

23:14 <samueldr> https://www.reddit.com/r/netsec/comments/cmgcog/kde_kdesktopfile_command_injection_rce/ → https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt

23:14 <pie_> (oops wrong chan)

23:15 <samueldr> this sounds pretty bad

23:18 <pie_> is this windows shortcut vulns all oer again

23:19 <samueldr> https://userbase.kde.org/KDE_System_Administration/Configuration_Files#Shell_Expansion

23:20 <samueldr> oof

23:22 <pie_> "Disable shell expansion / dynamic entries for [Desktop Entry] configurations." how does one do that

23:22 <samueldr> you just have to Disable shell expansion / dynamic entries for [Desktop Entry] configurations.

23:42 tokudan has quit [Quit: ZNC 1.7.3 - https://znc.in]

23:42 <pie_> yeah but how...

23:44 tokudan has joined #nixos-security