gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
zarco has quit [Ping timeout: 260 seconds]
zarco has joined #nixos-security
ris has quit [Ping timeout: 256 seconds]
justan0theruser has quit [Quit: WeeChat 2.9]
justanotheruser has joined #nixos-security
ninjin has quit [Remote host closed the connection]
ninjin has joined #nixos-security
<__red__> PR: #102706 fixes 8 security issues. (... and, a: I'm the maintainer of the package. b: It's the same package that's already in master (so this is a backport))
<{^_^}> https://github.com/NixOS/nixpkgs/pull/102706 (by redvers, 2 minutes ago, open): mediawiki: update 1.35.0
<__red__> What's the policy for backporting?
<__red__> how many releases back do we do?
<__red__> actually make that one
<__red__> apparently there's a whole lot more branches than I thought argh
<__red__> should I be backporting to 20.03?
<__red__> Well, opened up a PR against that too
<__red__> hopefully that's correct
swapgs has quit [Quit: .]
swapgs has joined #nixos-security
<__red__> Question
<__red__> I'm working on bringing a package up to date
<__red__> specifically styx
<__red__> nm - it may be a misidentification
<__red__> brb
FRidh has joined #nixos-security
sphalerite has quit [Ping timeout: 260 seconds]
immae has quit [Ping timeout: 272 seconds]
hexa- has quit [Ping timeout: 272 seconds]
bennofs has quit [Ping timeout: 272 seconds]
bennofs has joined #nixos-security
immae has joined #nixos-security
sphalerite has joined #nixos-security
hexa- has joined #nixos-security
ninjin has quit [Ping timeout: 240 seconds]
ninjin has joined #nixos-security
rajivr has joined #nixos-security
FRidh has quit [Remote host closed the connection]
FRidh has joined #nixos-security
GUEST1604490921 has joined #nixos-security
GUEST1604490921 has quit [Read error: Connection reset by peer]
GUEST1604491118 has joined #nixos-security
GUEST1604491118 has quit [Read error: Connection reset by peer]
GUEST1604491197 has joined #nixos-security
GUEST1604491197 has quit [Read error: Connection reset by peer]
GUEST1604491290 has joined #nixos-security
GUEST1604491290 has quit [Read error: Connection reset by peer]
GUEST1604491541 has joined #nixos-security
GUEST1604491541 has quit [Remote host closed the connection]
GUEST91807 has joined #nixos-security
GUEST91807 has quit [Ping timeout: 260 seconds]
GUEST93534 has joined #nixos-security
GUEST93534 has quit [Ping timeout: 244 seconds]
GUEST93997 has joined #nixos-security
GUEST93997 has quit [Read error: Connection reset by peer]
GUEST94796 has joined #nixos-security
GUEST94796 has quit [Read error: Connection reset by peer]
GUEST94894 has joined #nixos-security
GUEST94894 has quit [Read error: Connection reset by peer]
GUEST94946 has joined #nixos-security
GUEST94946 has quit [Remote host closed the connection]
GUEST95299 has joined #nixos-security
<__red__> Okay - I'm going to keep backporting to 20.03 until either it freezes or people tell me that I should stop
<hexa-> __red__: it's supported until 1 month after 20.09 release
GUEST95299 has quit [Remote host closed the connection]
lukegb has quit [Ping timeout: 265 seconds]
andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
lukegb has joined #nixos-security
FRidh has quit [Quit: Konversation terminated!]
rajivr has quit [Quit: Connection closed for inactivity]
<__red__> thanks hexa- andi-
justanotheruser has quit [Ping timeout: 272 seconds]
ris has joined #nixos-security
<__red__> Okay - I'm working my way through my queue
<__red__> lots of corrections, but that's what review is for
* __red__ nods
ris has quit [Ping timeout: 256 seconds]
<__red__> So, if I want someone to "check my work" before I close a security vuln issue - is there a way to tag the issue for feedback?
<__red__> I'm guessing not @maintainers
<__red__> ;-)
<__red__> is there a security equivalent?
<hexa-> post it here
<__red__> okay - thx
<__red__> #99717 - advancecomp
<{^_^}> https://github.com/NixOS/nixpkgs/issues/99717 (by ckauhaus, 4 weeks ago, open): Vulnerability roundup 93: advancecomp-2.1: 1 advisory [7.8]
<__red__> if I see something in the default.nix as blatant as:
<__red__> patches = [
<__red__> name = "CVE-2019-9210.patch";
<__red__> (fetchpatch {
<__red__> ... and a PR labelled "fix CVE-2019-9210"
<__red__> then I don't need to double-verify everything right?
<__red__> we just assume it's still good
<__red__> (since it's an automatic vuln detection based upon version)
<andi-> Well verify that the url points to the correct patch and not a backdoor ;)
<andi-> and maybe verify the checksum
<__red__> rgr
ris has joined #nixos-security
justanotheruser has joined #nixos-security
<__red__> #96781 - upstream is broken. Submodule reference doesn't seem to exist anymore so it breaks on minimum bump. I tagged the maintainer to ask what they want to do next.
<{^_^}> https://github.com/NixOS/nixpkgs/issues/96781 (by ckauhaus, 9 weeks ago, open): Vulnerability roundup 92: aerospike-server-4.2.0.4: 1 advisory [9.8]
<__red__> #99730 - Closing as a false positive. Not a HP network device, but a media player application.
<{^_^}> https://github.com/NixOS/nixpkgs/issues/99730 (by ckauhaus, 4 weeks ago, closed): Vulnerability roundup 93: airwave-1.3.3: 2 advisories [8.8]
<__red__> ant: nixpkgs-unstable: ant-1.10.8 101143
<__red__> PR raised
<__red__> ant: nixos-20.09: ant-1.10.8 101143
<__red__> PR raised
<__red__> (both to 1.10.9)
<__red__> ant: nixos-20.03: ant-1.10.2 88268
<__red__> PR raised (again, 1.10.9)