#nixos-security on 2020-11-05

2020-11-04 15:50 andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)

00:31 <__red__> I wonder how much traffic a bot that spits out changes on issues/pullrequests that are tagged security would cause.

01:13 ris has quit [Ping timeout: 246 seconds]

03:08 rajivr has joined #nixos-security

03:13 <pie_> I imagine this is not terribly a problem but apparently (part of) githubs source code may or may not have been leaked

03:13 <pie_> https://web.archive.org/web/20201104050026if_/https://github.com/github/dmca/tree/565ece486c7c1652754d7b6d2b5ed9cb4097f9d5

03:13 <pie_> https://resynth1943.net/articles/github-source-code-leak/

03:14 <pie_> I don't know how much effect this could have on infra but I imagine if the leak is legit theres more opportunity for audit and 0days

03:15 <pie_> people have discussed the security of github before and everyone wasnt running around screaming so im assuming its fiiiiiiiine

03:17 <pie_> Also not sure if the developer was impersonated or the account compromised

03:17 <__red__> right

03:18 <__red__> I'm guessing since 99% of our stuff is public only write issues or access to secrets could be problematic for the org - right?

03:19 <__red__> Uhh, you need to me a member admin to make a webhook

03:19 <pie_> <x> decrypted github enterprise source. trivially obtainable from public data. so, it's just a stunt

03:19 <__red__> so much for that idea

03:19 <__red__> oh well :-/

03:19 * pie_ is not able to substantiate that comment yet

03:19 <pie_> but the commenter is generally pretty reputable

03:27 <pie_> I imagine you can put anyone's name on a git(hub) commit though so they probably just did that

03:28 <pie_> https://old.reddit.com/r/DataHoarder/comments/jnzxmd/someone_pushed_github_source_code_to_their_dmca/

03:30 <pie_> Even https://old.reddit.com/r/DataHoarder/comments/jnzxmd/someone_pushed_github_source_code_to_their_dmca/gb5unub/ . git-blame-someone-else . heh.

03:30 <pie_> Ill stop spamming now.

03:38 <pie_> btw just google the hash in the archive url

03:43 <__red__> thanks

03:43 <__red__> I was ammused

03:46 GUEST48003 has joined #nixos-security

03:48 <pie_> ok last one (sfw) https://boards.4channel.org/g/thread/78532424/githubcomgithub-enterprise-source#p78538626

03:50 justanotheruser has quit [Ping timeout: 272 seconds]

03:51 justanotheruser has joined #nixos-security

04:01 GUEST48003 has quit [Remote host closed the connection]

04:01 blueberrypie has quit [Quit: leaving]

04:01 GUEST48896 has joined #nixos-security

04:05 blueberrypie has joined #nixos-security

04:06 LnL has quit [Ping timeout: 240 seconds]

04:07 LnL has joined #nixos-security

04:20 <__red__> Coolio

04:21 <__red__> All - can we talk about #96781

04:21 <{^_^}> https://github.com/NixOS/nixpkgs/issues/96781 (by ckauhaus, 9 weeks ago, open): Vulnerability roundup 92: aerospike-server-4.2.0.4: 1 advisory [9.8]

04:21 <__red__> it's an RCE

04:21 <__red__> and upstream is broken

04:22 <__red__> unless we bump a major rev

04:22 <__red__> how do we want to deal with such things?

04:24 kalbasit has quit [Remote host closed the connection]

04:26 GUEST48896 has quit [Remote host closed the connection]

04:29 star0558 has joined #nixos-security

04:46 star0558 has quit [Remote host closed the connection]

04:47 star1616 has joined #nixos-security

04:48 star1616 has quit [Remote host closed the connection]

04:49 watt739 has joined #nixos-security

04:58 <__red__> #100296 closed, false positive (NVD database needs updating)

04:58 <{^_^}> https://github.com/NixOS/nixpkgs/issues/100296 (by ckauhaus, 3 weeks ago, closed): Vulnerability roundup 94: archiver-3.3.2: 1 advisory [5.5]

04:58 <__red__> #90750 - PR opened for it #102860

04:58 <{^_^}> https://github.com/NixOS/nixpkgs/issues/90750 (by ckauhaus, 19 weeks ago, open): Vulnerability roundup 85: archiver-3.3.0: 1 advisory [5.5]

04:58 <{^_^}> https://github.com/NixOS/nixpkgs/pull/102860 (by redvers, 1 minute ago, open): archiver: 3.3.0 -> 3.3.2 [20.09]

05:22 <__red__> #99734 - Closed - patched already

05:22 <{^_^}> https://github.com/NixOS/nixpkgs/issues/99734 (by ckauhaus, 4 weeks ago, closed): Vulnerability roundup 93: avahi-0.7: 1 advisory [9.1]

05:32 <__red__> Okay - #96775 - for https://github.com/ReadyTalk/avian

05:32 <{^_^}> https://github.com/NixOS/nixpkgs/issues/96775 (by ckauhaus, 9 weeks ago, open): Vulnerability roundup 92: avian-1.2.0: 2 advisories [7.8]

05:33 <__red__> Upstream is inactive, the release here is old... likie 2015

05:33 <__red__> apparently the only thing they're committing are security and reliabilty fixes

05:33 <__red__> but they're not bumping the revision

05:33 <__red__> ... and they're about 10 patches in 5 years...

05:34 <__red__> do I roll all the patches up?

05:34 <__red__> do I tag the current ref for master?

05:34 <__red__> I guess I'll tag thhe maintainer and ask them?

05:37 watt739 has quit [Ping timeout: 256 seconds]

06:13 <__red__> #90734

06:13 <{^_^}> https://github.com/NixOS/nixpkgs/issues/90734 (by ckauhaus, 19 weeks ago, open): Vulnerability roundup 85: balsa-2.5.9: 1 advisory [6.5]

06:13 <__red__> #94729

06:13 <{^_^}> https://github.com/NixOS/nixpkgs/issues/94729 (by ckauhaus, 13 weeks ago, open): Vulnerability roundup 91: balsa-2.5.9: 1 advisory [7.5]

06:13 <__red__> both ready with PR#102866

06:23 <__red__> #88269 closed - patchlevel is not vulnerable

06:23 <{^_^}> https://github.com/NixOS/nixpkgs/issues/88269 (by ckauhaus, 24 weeks ago, closed): Vulnerability roundup 84: bash-4.4-p23: 1 advisory

06:32 <__red__> #90745 is abandoned, but someone else has forked it and is now maintaining it in another github project (and is fairly active)

06:32 <{^_^}> https://github.com/NixOS/nixpkgs/issues/90745 (by ckauhaus, 19 weeks ago, open): Vulnerability roundup 85: beep-1.3: 2 advisories [7]

06:32 <__red__> There is no maintainer for the project

06:32 <__red__> so I guess I should add myself and switch the versions?

06:35 <__red__> Strictly speaking it's not vulnerable as we do not install it suid - so... I guess I can just close it and move on?

06:36 <__red__> (but my worry is that someone might suid it in the future)

06:36 <__red__> but they shhouldn't do that:tm:

08:46 watt976 has joined #nixos-security

08:51 watt976 has quit [Remote host closed the connection]

08:52 watt332 has joined #nixos-security

09:38 FRidh has joined #nixos-security

09:59 Guest82 has joined #nixos-security

09:59 <Guest82> https://paste.scratchbook.ch/view/c67d422e#L1

10:00 Guest82 has quit [Client Quit]

10:45 watt332 has quit [Ping timeout: 264 seconds]

11:04 haiko has quit [Quit: Connection closed for inactivity]

13:09 FRidh has quit [Ping timeout: 260 seconds]

13:09 FRidh has joined #nixos-security

15:37 <ehmry> if you are interested in doing a nixos security voice chat, please mark your availability: https://www.when2meet.com/?10274768-cMAgo

15:37 <ehmry> this would be a continuation of the nixcon security breakout room

15:40 <ehmry> by security we also mean freaky isolation stuff

16:25 <pie_> kinky

16:39 <__red__> That's a really well designed tool

16:39 <__red__> I really like it

17:23 rajivr has quit [Quit: Connection closed for inactivity]

17:25 justan0theruser has joined #nixos-security

17:27 justanotheruser has quit [Ping timeout: 244 seconds]

18:56 FRidh has quit [Quit: Konversation terminated!]

19:06 ris has joined #nixos-security

20:04 justan0theruser has quit [Ping timeout: 272 seconds]

22:21 justanotheruser has joined #nixos-security

23:18 <andi-> ehmry: is there a gist of the nixcon discussion?