gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
feepo has joined #nixos-security
ris has quit [Ping timeout: 258 seconds]
aminechikhaoui has quit [Quit: The Lounge - https://thelounge.github.io]
aminechikhaoui has joined #nixos-security
andi- has quit [Remote host closed the connection]
hmpffff_ has joined #nixos-security
andi- has joined #nixos-security
hmpffff has quit [Ping timeout: 276 seconds]
tilpner has joined #nixos-security
ris has joined #nixos-security
hmpffff_ has quit [Quit: nchrrrr…]
pie_ has quit [Ping timeout: 268 seconds]
hmpffff has joined #nixos-security
<ris> #72600
<{^_^}> https://github.com/NixOS/nixpkgs/pull/72600 (by risicle, 26 seconds ago, open): opencv4: 4.1.0 -> 4.1.2, addressing CVE-2019-14491, CVE-2019-14492 & CVE-2019-15939
<andi-> ris: thank you! I'll try to churn through some of the PRs tonight
<ris> :+1:
<gchristensen> btw all PRs are built on linux now
<andi-> \o/
migy has quit [Ping timeout: 244 seconds]
migy has joined #nixos-security
gchristensen has quit [Quit: WeeChat 2.4]
{^_^} has quit [Remote host closed the connection]
gchristensen has joined #nixos-security
{^_^} has joined #nixos-security
<ris> #72625
<{^_^}> https://github.com/NixOS/nixpkgs/pull/72625 (by risicle, 50 seconds ago, open): opencv3: 3.4.7 -> 3.4.8, addressing CVE-2019-14491, CVE-2019-14492 & CVE-2019-15939
pie_ has joined #nixos-security
<andi-> ris: go for the "full" point release for 19.09 then. That is probably the easiest part for us and rebuilds will happen anyway
<ris> ok
<ris> currently assessing the feasibility of a 2.4 fix - not looking likely
<ris> will probably have to add "known vulnerabilities"
<andi-> do we have many consumers?
<ris> good question
<ris> yes, several
<andi-> This is yet another case where security issues aren't black/white. One of them is yet another "simple" parsing error in binary formats. Now the user should decide if they care about that or if they only use *sane* images..
<ris> I think it's about loading of serialized e.g. feature bundles
<ris> so fairly obscure
<ris> andi-: actually could probably look at trying to move some of those users to opencv3 - I bet some of those packages have support for both
<andi-> yeah, I was thinking the same. If you have the mental bandwidth to deal with that go for it :-)
tilpner has quit [Quit: tilpner]