#nixos-security on 2020-11-22

2020-11-04 15:50 andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)

00:05 justanotheruser has quit [Ping timeout: 265 seconds]

00:19 <hexa-> one more week of double-backports

00:19 <hexa-> eh, five days even

00:20 justanotheruser has joined #nixos-security

01:01 rajivr has joined #nixos-security

01:06 LnL has quit [Quit: exit 1]

01:06 LnL has joined #nixos-security

01:11 LnL has quit [Ping timeout: 256 seconds]

01:11 LnL has joined #nixos-security

01:12 ehmry has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]

01:13 justanotheruser has quit [Ping timeout: 260 seconds]

01:31 justanotheruser has joined #nixos-security

01:36 tokudan has quit [Quit: Dunno.]

01:38 tokudan has joined #nixos-security

01:41 tokudan has quit [Remote host closed the connection]

01:44 tokudan has joined #nixos-security

02:02 tokudan has quit [Quit: Dunno.]

02:02 tokudan has joined #nixos-security

02:31 ris has quit [Ping timeout: 256 seconds]

02:55 justanotheruser has quit [Ping timeout: 272 seconds]

03:03 justanotheruser has joined #nixos-security

03:45 kalbasit has joined #nixos-security

03:49 kalbasit has quit [Ping timeout: 240 seconds]

06:57 FRidh has joined #nixos-security

07:08 red[evilred] has joined #nixos-security

07:08 <red[evilred]> exactly hexa-

07:08 <red[evilred]> can't lie - been tempted to look the other way a few time

07:08 <red[evilred]> s

09:05 FRidh has quit [Ping timeout: 264 seconds]

09:05 FRidh has joined #nixos-security

10:10 FRidh has quit [Ping timeout: 260 seconds]

10:11 FRidh has joined #nixos-security

10:21 <stigo> hexa-: #104422 probably shouldn't have been merged (my bad), would it be ok to revert the bump which have been merged into release-20.09 in favour of a patch that directly fixes the vuln?

10:21 <{^_^}> https://github.com/NixOS/nixpkgs/pull/104422 (by stigtsp, 1 day ago, merged): [20.09] mutt: 1.14.7 -> 2.0.2

10:31 <hexa-> stigo: please do

10:59 ehmry has joined #nixos-security

11:06 <stigo> done. reverted in #104582 fixed in #104583 and #104584

11:06 <{^_^}> https://github.com/NixOS/nixpkgs/pull/104582 (by stigtsp, 29 minutes ago, merged): Revert "[20.09] mutt: 1.14.7 -> 2.0.2"

11:06 <{^_^}> https://github.com/NixOS/nixpkgs/pull/104583 (by stigtsp, 21 minutes ago, open): [20.03] mutt: apply patch for CVE-2020-28896

11:06 <{^_^}> https://github.com/NixOS/nixpkgs/pull/104584 (by stigtsp, 8 minutes ago, open): [20.09] mutt: apply patch for CVE-2020-28896

11:07 ris has joined #nixos-security

12:28 <stigo> hexa-: i'm looking forward to not having to do double-backports as well.

12:37 <FRidh> we should really have a github action for that

12:38 <hexa-> well, for security it's often no double backporting

12:39 <hexa-> a version one release back often needs special handling due to major version bumps, patches not applying cleanly

12:39 <hexa-> but sure, backporting in general should be automated, I agree

12:40 <hexa-> i thought mic92 recently mentioned some tool over in #nixos-dev

12:41 <hexa-> https://logs.nix.samueldr.com/nixos-dev/2020-11-17#4249955;

12:44 <hexa-> but seems be affected by shell code injection madness

13:03 ehmry has quit [Read error: Connection reset by peer]

13:07 ehmry has joined #nixos-security

14:15 red[evilred] has quit [Quit: Idle timeout reached: 10800s]

14:22 red[evilred] has joined #nixos-security

14:22 <red[evilred]> probably

14:23 <red[evilred]> I think someone said that nix-something was able to do upgrades if you gave it source and dest versions

14:23 <red[evilred]> and it will do the branch, do the testing, open the pr etc ?

14:38 FRidh has quit [Quit: Konversation terminated!]

15:33 lukegb has quit [Quit: ~~lukegb out~~]

15:34 lukegb has joined #nixos-security

15:39 FRidh has joined #nixos-security

16:33 ehmry has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]

18:00 rajivr has quit [Quit: Connection closed for inactivity]

19:03 WilliButz has quit [Remote host closed the connection]

19:06 WilliButz has joined #nixos-security

19:11 red[evilred] has quit [Quit: Idle timeout reached: 10800s]

20:22 IdleBot_4fae1f80 has quit [*.net *.split]

20:22 bridge[evilred] has quit [*.net *.split]

20:22 ikwildrpepper has quit [*.net *.split]

20:25 IdleBot_4fae1f80 has joined #nixos-security

20:25 bridge[evilred] has joined #nixos-security

20:25 ikwildrpepper has joined #nixos-security

20:36 tilpner has quit [Ping timeout: 260 seconds]

20:36 tilpner_ has joined #nixos-security

20:36 tilpner_ is now known as tilpner

21:00 bennofs is now known as bennofs|ALLES

21:47 FRidh has quit [Quit: Konversation terminated!]

21:58 justanotheruser has quit [Ping timeout: 260 seconds]

22:11 justanotheruser has joined #nixos-security