#nixos-security on 2020-05-05

2019-04-23 19:29 gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh

01:17 anselmolsm_ has quit [Quit: Konversation terminated!]

02:42 hmpffff has joined #nixos-security

02:46 hmpffff_ has quit [Ping timeout: 272 seconds]

07:06 edef_ has joined #nixos-security

07:06 edef_ is now known as edef

07:06 edef has quit [Killed (cherryh.freenode.net (Nickname regained by services))]

07:09 stigo has quit [*.net *.split]

07:15 stigo has joined #nixos-security

07:18 swapgs has quit [Ping timeout: 246 seconds]

07:20 swapgs has joined #nixos-security

07:20 swapgs has quit [Changing host]

09:30 hmpffff_ has joined #nixos-security

09:32 hmpffff has quit [Ping timeout: 244 seconds]

09:35 hmpffff has joined #nixos-security

09:37 hmpffff_ has quit [Ping timeout: 260 seconds]

10:28 infinisil has quit [Ping timeout: 246 seconds]

10:30 infinisil has joined #nixos-security

10:30 lejonet has quit [Ping timeout: 264 seconds]

10:30 lejonet has joined #nixos-security

12:02 sphalerite has quit [Quit: rebooooooooot]

12:04 sphalerite has joined #nixos-security

12:08 sphalerite has quit [Client Quit]

12:10 sphalerite has joined #nixos-security

15:01 <hexa-> andi-: unstable still stuck on the 21st

15:01 <hexa-> oh wait, that's newer than yesterday

15:01 <hexa-> still two weeks old

15:02 <hexa-> is it only evaluating channel bumps?

15:17 spacekookie has quit [Quit: **agressive swooshing**]

15:18 spacekookie has joined #nixos-security

15:21 anselmolsm has joined #nixos-security

15:27 justanotheruser has quit [Ping timeout: 260 seconds]

15:42 justanotheruser has joined #nixos-security

17:33 <andi-> yes otherwise I might as well boil water :D

17:34 <andi-> the 27th of april is the newest channel iirc

18:38 anselmolsm has quit [Remote host closed the connection]

18:41 anselmolsm has joined #nixos-security

18:43 <hexa-> looking into ansible now

19:35 <hexa-> #86981 #86980

19:35 <{^_^}> https://github.com/NixOS/nixpkgs/pull/86981 (by mweinelt, 29 seconds ago, open): [20.03] ansible: v2.8.7 → v2.8.11, v2.7.15 → v2.7.17

19:35 <{^_^}> https://github.com/NixOS/nixpkgs/pull/86980 (by mweinelt, 5 minutes ago, open): ansible: v2.9.2 → v2.9.7, v2.8.7 → v2.8.11, v2.7.15 → v2.7.17

20:47 <hexa-> is there a consenus on what to do about old packages that patches fixing security vulns, that are not recognizable as such by tools like broken.sh?

20:47 <hexa-> e.g. pkgs/applications/office/antiword/10_fix_buffer_overflow_wordole_c.patch

21:24 <flokli> I don't understand the question

21:24 <hexa-> should 10_fix_buffer_overflow_wordole_c.patch be renamed to CVE-2014-8123.patch so broken.sh can pick that up?

21:25 <hexa-> or what does broken.sh use to look up fixes?

21:25 <flokli> it usually uses the patch name. if we fetch it via fetchurl, this works, if it's a nonrecognizable patch shipped in nixpkgs, renaming might help.

21:25 <hexa-> antiword is shown as being vulnerable although it was ptched

22:20 KeiraT has quit [Ping timeout: 240 seconds]

22:26 KeiraT has joined #nixos-security

23:06 justanotheruser has quit [Ping timeout: 264 seconds]

23:19 justanotheruser has joined #nixos-security

23:29 stigo has quit [Ping timeout: 256 seconds]

23:31 stigo has joined #nixos-security