#nixos-security on 2019-10-06

2019-04-23 19:29 gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh

00:50 ris has quit [Ping timeout: 276 seconds]

02:09 hmpffff_ has joined #nixos-security

02:12 hmpffff has quit [Ping timeout: 276 seconds]

10:20 qyliss has quit [Quit: bye]

10:23 qyliss has joined #nixos-security

11:54 tokudan[m] has quit [Write error: Connection reset by peer]

11:54 timokau[m] has quit [Read error: Connection reset by peer]

12:01 timokau[m] has joined #nixos-security

12:18 tokudan[m] has joined #nixos-security

14:29 ris has joined #nixos-security

14:29 <ris> the only use of jackson-databind i can _see_ in nixpkgs is as a maven dep for chronos

14:30 <ris> though really anywhere we grab a jar blind, we could have it lurking

14:39 <ris> #69973 should also be considered a security issue

14:39 <{^_^}> https://github.com/NixOS/nixpkgs/pull/69973 (by r-ryantm, 1 week ago, open): varnish6: 6.2.0 -> 6.3.0

14:43 <ris> ^ again it would be nice if someone could add the tag

15:48 <ris> #70532

15:48 <{^_^}> https://github.com/NixOS/nixpkgs/pull/70532 (by risicle, 23 minutes ago, open): [r19.09] varnish6: 6.2.0 -> 6.2.1, fixing CVE-2019-15892

21:39 <fpletz> ris: thanks for the varnish fixes

21:39 <ris> :+1:

21:39 <fpletz> we should should also remove versions 4 and 5

21:39 <fpletz> since they aren't maintained upstream anymore

21:40 <ris> 4 certainly isn't

21:40 <fpletz> https://varnish-cache.org/releases/index.html :)

21:42 <fpletz> I'll remove those old versions and add the maintained ones

21:42 <fpletz> since I'm technically the nixos maintainer of varnish... though I haven't given it much love lately

23:31 aanderse[m] has joined #nixos-security

23:38 aanderse has quit [Quit: ZNC 1.7.4 - https://znc.in]

23:39 aanderse[m] is now known as aanderse

23:58 ris has quit [Ping timeout: 250 seconds]