#nixos-security on 2020-11-25

2020-11-04 15:50 andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)

01:07 rajivr has joined #nixos-security

01:15 ris has quit [Ping timeout: 260 seconds]

01:54 red[evilred] has joined #nixos-security

01:54 <red[evilred]> also hexa- (IRC) - #104835 and #104838 with better commit messages as advise.

01:54 <{^_^}> https://github.com/NixOS/nixpkgs/pull/104835 (by redvers, 24 minutes ago, open): cassandra: 3.11.4 -> 3.11.9

01:54 <{^_^}> https://github.com/NixOS/nixpkgs/pull/104838 (by redvers, 7 minutes ago, open): cassandra_2_1: 2.1.20 -> 2.1.22

01:55 <red[evilred]> s/.$/d./g

02:12 tilpner_ has joined #nixos-security

02:14 tilpner has quit [Ping timeout: 256 seconds]

02:14 tilpner_ is now known as tilpner

03:34 <hexa-> Pam 1.5.0 has a auth bypass under some conditions - https://www.openwall.com/lists/oss-security/2020/11/24/3

03:34 <hexa-> Unrelated to the auth bypass, but on the topic of linux-pam; this summer I landed exposing prctl(PR_SET_NO_NEW_PRIVS) in pam_limits [0]. It's a convenient way to prevent logins from potentially attaining new privileges, even if bad actors find bugs in suid programs or even know the root password (assuming remote root logins are disabled).

03:34 <hexa-> [0] https://github.com/linux-pam/linux-pam/commit/dd9cf929e7ec79...

03:35 <hexa-> Via https://news.ycombinator.com/item?id=25201264

03:35 <red[evilred]> anyone else able to get to: https://linux-cifs.samba.org/cifs-utils/

04:04 <red[evilred]> btw - I assume if I come across a package in my travels that needs a bump with a name attribute and no pname / version - I should switch that while I'm at it?

04:47 <red[evilred]> Well, nvd.nist.gov appears to be down so I guess I'm done for the evenin;

04:47 <red[evilred]> Nite all./

07:05 justanotheruser has quit [Quit: WeeChat 2.9]

07:06 justanotheruser has joined #nixos-security

07:37 FRidh has joined #nixos-security

07:47 red[evilred] has quit [Quit: Idle timeout reached: 10800s]

09:07 star_cloud has quit [Read error: Connection reset by peer]

09:09 star_cloud has joined #nixos-security

09:09 star_cloud has quit [Read error: Connection reset by peer]

09:13 star_cloud has joined #nixos-security

09:15 FRidh has quit [Ping timeout: 240 seconds]

09:15 FRidh has joined #nixos-security

09:23 star_cloud has quit [Excess Flood]

09:24 star_cloud has joined #nixos-security

09:43 FRidh has quit [Ping timeout: 272 seconds]

09:44 FRidh has joined #nixos-security

10:11 justanotheruser has quit [Quit: WeeChat 2.9]

10:12 justanotheruser has joined #nixos-security

10:41 zarel has quit [Ping timeout: 256 seconds]

10:42 zarel has joined #nixos-security

10:51 FRidh has quit [Ping timeout: 272 seconds]

10:52 FRidh has joined #nixos-security

11:46 FRidh has quit [Ping timeout: 260 seconds]

11:47 FRidh has joined #nixos-security

12:21 watt877 has joined #nixos-security

12:26 watt877 has quit [Ping timeout: 264 seconds]

12:35 <stigo> can someone review/merge #103951 ?

12:35 <{^_^}> https://github.com/NixOS/nixpkgs/pull/103951 (by stigtsp, 1 week ago, open): firefox-beta-bin: 81.0b4 -> 84.0b4, firefox-devedition-bin: 80.0b8 -> 84.0b4

13:10 FRidh has quit [Ping timeout: 246 seconds]

13:10 FRidh has joined #nixos-security

13:25 star_cloud has quit [Remote host closed the connection]

13:26 star_cloud has joined #nixos-security

13:36 star_cloud has quit [Excess Flood]

13:37 star_cloud has joined #nixos-security

13:55 LnL has quit [Ping timeout: 272 seconds]

13:56 LnL has joined #nixos-security

14:07 lassulus has quit [Ping timeout: 256 seconds]

14:13 lassulus has joined #nixos-security

14:17 lukegb has quit [Quit: ~~lukegb out~~]

14:18 star_cloud has quit [Remote host closed the connection]

14:18 star_cloud has joined #nixos-security

14:18 lukegb has joined #nixos-security

14:21 LnL has quit [Ping timeout: 265 seconds]

14:28 star_cloud has quit [Excess Flood]

14:29 star_cloud has joined #nixos-security

14:31 LnL has joined #nixos-security

15:33 FRidh has quit [Ping timeout: 260 seconds]

15:34 FRidh has joined #nixos-security

16:58 star_cloud has quit [Remote host closed the connection]

16:59 star_cloud has joined #nixos-security

17:09 star_cloud has quit [Excess Flood]

17:10 star_cloud has joined #nixos-security

17:13 FRidh has quit [Ping timeout: 260 seconds]

17:13 FRidh has joined #nixos-security

18:14 rajivr has quit [Quit: Connection closed for inactivity]

18:42 justanotheruser has quit [Ping timeout: 260 seconds]

18:51 ris has joined #nixos-security

18:56 justanotheruser has joined #nixos-security

20:19 <hexa-> https://github.com/NixOS/nixpkgs/pull/104820

20:19 <{^_^}> #104820 (by mweinelt, 20 hours ago, open): [20.09]: webkitgtk: 2.28.4 -> 2.30.3

20:19 <hexa-> jtojnar says they don't do backports to prevent burnout, worldofpeace said everything there is fine with them

20:45 tilpner_ has joined #nixos-security

20:45 tilpner has quit [Ping timeout: 260 seconds]

20:45 tilpner_ is now known as tilpner

21:29 FRidh has quit [Quit: Konversation terminated!]

22:29 star_cloud has quit [Remote host closed the connection]

22:29 star_cloud has joined #nixos-security

22:39 star_cloud has quit [Excess Flood]

22:41 star_cloud has joined #nixos-security

22:59 LnL has quit [Ping timeout: 260 seconds]

23:14 justanotheruser has quit [Ping timeout: 256 seconds]

23:35 justanotheruser has joined #nixos-security