#nixos-security on 2020-11-13

2020-11-04 15:50 andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)

00:11 star_cloud has quit [Remote host closed the connection]

00:13 star_cloud has joined #nixos-security

01:36 ris has quit [Ping timeout: 258 seconds]

04:45 kalbasit has quit [Ping timeout: 272 seconds]

06:49 c74d has quit [Quit: c74d]

07:12 FRidh has joined #nixos-security

07:39 FRidh has quit [Ping timeout: 272 seconds]

07:39 FRidh has joined #nixos-security

10:45 tilpner has quit [Remote host closed the connection]

10:45 tilpner has joined #nixos-security

12:57 rajivr has joined #nixos-security

13:51 <hexa-> https://www.saddns.net/

14:03 <hexa-> patched in linux 5.9.2

14:06 <hexa-> also in 5.4.72

14:39 FRidh has quit [Ping timeout: 260 seconds]

15:18 kalbasit has joined #nixos-security

16:47 <hexa-> > https://www.openwall.com/lists/oss-security/2020/11/13/1

16:47 <{^_^}> "https://www.openwall.com/lists/oss-security/2020/11/13/1"

16:47 <hexa-> oh well

16:47 <hexa-> Subject: Buffer Overflow in raptor widely unfixed in Linux distros

16:48 <hexa-> tl;dr: debian fixed this bug after 3y, since the upstream was unresponsive and a CVE was never requested

16:48 <hexa-> Hanno Böck, who discovered the issue, says this

16:48 <hexa-> > Maybe noteworthy is that this didn't get a CVE in 2017. It seems many

16:48 <{^_^}> error: syntax error, unexpected IN, expecting ')', at (string):359:48

16:48 <hexa-> distros rely on CVEs to get a process of backporting fixes rolling.

16:48 <hexa-> Given the fluctuating reliability of CVE assignments not sure this is

16:48 <hexa-> wise. I have now requested a CVE (CVE-2017-18926).

16:49 <hexa-> I learned of this issue from DSA and fixed it promptly in #103134, which was today merged and backported

16:49 <{^_^}> https://github.com/NixOS/nixpkgs/pull/103134 (by mweinelt, 5 days ago, merged): librdf_raptor2: add patch for CVE-2017-18926

17:20 rajivr has quit [Quit: Connection closed for inactivity]

18:10 ris has joined #nixos-security

18:15 simpson has joined #nixos-security

19:30 star_cloud has quit [Read error: Connection reset by peer]

19:33 star_cloud has joined #nixos-security

19:46 MichaelRaskin has joined #nixos-security

22:17 zarel has quit [Ping timeout: 272 seconds]

22:24 zarel has joined #nixos-security

23:18 bridge[evilred] has quit [Remote host closed the connection]

23:18 bridge[evilred] has joined #nixos-security

23:40 <joepie91> "The Node.js project will release new versions of 15.x, 14.x and 12.x on or shortly after Monday, November 16th, 2020. These releases will fix: * One high severity issue"

23:42 kalbasit has quit [Ping timeout: 256 seconds]