#nixos-security on 2019-11-02

2019-04-23 19:29 gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh

01:04 feepo has joined #nixos-security

01:10 ris has quit [Ping timeout: 258 seconds]

03:13 aminechikhaoui has quit [Quit: The Lounge - https://thelounge.github.io]

03:14 aminechikhaoui has joined #nixos-security

03:43 andi- has quit [Remote host closed the connection]

03:50 hmpffff_ has joined #nixos-security

03:52 andi- has joined #nixos-security

03:52 hmpffff has quit [Ping timeout: 276 seconds]

07:49 tilpner has joined #nixos-security

11:20 ris has joined #nixos-security

11:46 hmpffff_ has quit [Quit: nchrrrr…]

13:06 pie_ has quit [Ping timeout: 268 seconds]

13:08 hmpffff has joined #nixos-security

17:06 <ris> #72600

17:06 <{^_^}> https://github.com/NixOS/nixpkgs/pull/72600 (by risicle, 26 seconds ago, open): opencv4: 4.1.0 -> 4.1.2, addressing CVE-2019-14491, CVE-2019-14492 & CVE-2019-15939

18:14 <andi-> ris: thank you! I'll try to churn through some of the PRs tonight

18:14 <ris> :+1:

18:15 <gchristensen> btw all PRs are built on linux now

18:15 <andi-> \o/

19:10 migy has quit [Ping timeout: 244 seconds]

19:13 migy has joined #nixos-security

19:24 gchristensen has quit [Quit: WeeChat 2.4]

19:24 {^_^} has quit [Remote host closed the connection]

19:26 gchristensen has joined #nixos-security

19:26 {^_^} has joined #nixos-security

21:36 <ris> #72625

21:36 <{^_^}> https://github.com/NixOS/nixpkgs/pull/72625 (by risicle, 50 seconds ago, open): opencv3: 3.4.7 -> 3.4.8, addressing CVE-2019-14491, CVE-2019-14492 & CVE-2019-15939

21:51 pie_ has joined #nixos-security

22:25 <andi-> ris: go for the "full" point release for 19.09 then. That is probably the easiest part for us and rebuilds will happend anyway

22:26 <ris> ok

22:27 <ris> currently assessing the feasibility of a 2.4 fix - not looking likely

22:27 <ris> will probably have to add "known vulnerabilities"

22:28 <andi-> do we have many consumerS?

22:32 <ris> good question

22:34 <ris> yes, several

22:34 <andi-> This is yet another case where security issues aren't black/white. One of them is yet another "simple" parsing error in binary formats. Now the user should decide if they care about that or if they only use *sane* images..

22:35 <ris> i think it's about loading of serialized e.g. feature bundles

22:36 <ris> so fairly obscure

23:01 <ris> andi-: actually could probably look at trying to move some of those users to opencv3 - i bet some of those packages have support for both

23:01 <andi-> yeah, I was thinking the same. If you have the mental bandwidth to deal with that go for it :-)

23:20 tilpner has quit [Quit: tilpner]