#nixos-security on 2021-04-01

2020-11-04 15:50 andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)

00:14 star_cloud has quit [Ping timeout: 240 seconds]

00:35 ris has quit [Ping timeout: 265 seconds]

00:58 rajivr has joined #nixos-security

01:51 cjb has quit []

02:32 star_cloud has joined #nixos-security

07:42 FRidh has joined #nixos-security

08:32 FRidh has quit [Quit: Konversation terminated!]

08:41 cole-h has quit [Ping timeout: 268 seconds]

12:05 justanotheruser has quit [Ping timeout: 258 seconds]

14:56 Raito_Bezarius has quit [Ping timeout: 258 seconds]

15:09 Raito_Bezarius has joined #nixos-security

16:51 cole-h has joined #nixos-security

17:43 ris has joined #nixos-security

17:46 rajivr has quit [Quit: Connection closed for inactivity]

18:01 justanotheruser has joined #nixos-security

18:42 stigo has quit [Quit: stigo]

19:03 stigo has joined #nixos-security

19:08 star_cloud has quit [Remote host closed the connection]

19:08 star_cloud has joined #nixos-security

19:18 star_cloud has quit [Excess Flood]

19:19 star_cloud has joined #nixos-security

19:26 <ris> considering what to do about https://nvd.nist.gov/vuln/detail/CVE-2021-21240 - think we'll have to bump httplib2 0.18.1 -> 0.19.0 in 20.09, as the fix for it is... to convert the entire auth header parsing to pyparsing https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc, so there's really no fix other than the big bump

19:28 <ris> though it's just a ReDoS, i've got to raise an eyebrow at it being scored 7.5 HIGH

20:12 cole-h has quit [Quit: Goodbye]

20:16 cole-h has joined #nixos-security

21:32 <supersandro2000> they self rated it a medium on github

22:05 <hexa-> so be it

22:05 <hexa-> unless someone starts paying us for it we'are handling things best effort

22:07 <hexa-> ris: https://github.com/python-pillow/Pillow/releases/tag/8.2.0

22:07 <hexa-> this isn't even funny anymore

22:07 <hexa-> https://github.com/python-pillow/Pillow/pull/5377

22:07 <{^_^}> python-pillow/Pillow#5377 (by hugovk, 7 hours ago, merged): Security fixes for 8.2.0

22:19 <supersandro2000> six more CVEs 😄

22:21 <supersandro2000> > This library provides extensive file format support, an efficient internal representation, and fairly powerful image processing capabilities.

22:21 <supersandro2000> and extensive bugs apparently

22:21 <{^_^}> error: syntax error, unexpected ',', expecting ')', at (string):493:52

22:34 cjb has joined #nixos-security

22:49 <ris> holy mother of god

22:50 supersandro2000 has quit [Remote host closed the connection]

22:51 supersandro2000 has joined #nixos-security

22:52 <ris> well.. at least they are all just dos

22:59 <ris> i'll prepare an 8.2.0 PR

23:05 <hexa-> thank you

23:05 <hexa-> curl 7.75.0 already breaks nix test

23:06 <hexa-> needs someone familiar with what nix-channel does with curl

23:56 supersandro2000 has quit [Disconnected by services]

23:56 supersandro2000 has joined #nixos-security