andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
ris has quit [Ping timeout: 240 seconds]
lukegb has quit [Quit: ~~lukegb out~~]
lukegb has joined #nixos-security
cjb has quit []
cole-h has quit [Ping timeout: 252 seconds]
rajivr has joined #nixos-security
MichaelRaskin has quit [Ping timeout: 268 seconds]
FRidh has joined #nixos-security
ris has joined #nixos-security
MichaelRaskin has joined #nixos-security
<ris> hexa-: thinking i should prepare a curl patch PR in the meantime - patching is explicitly recommended by the advisory and it's going to be needed for stable at least
FRidh has quit [Quit: Konversation terminated!]
<hexa-> ris: yup, sgtm
<hexa-> ris: in fact, let's go with the patches on master as well for now
<ris> on it
<hexa-> thanks
justanotheruser has quit [Ping timeout: 250 seconds]
<ris> CVE-2021-22876 is pretty straightforward, CVE-2021-22890 might not be
<hexa-> which one is the one touching transfer.c?
<supersandro2000> Maybe that one is breaking nix?
<hexa-> it is peculiar that it is a file:// url that times out
<supersandro2000> last time I tried it did not time out but curl failed to resume the download
<supersandro2000> which would mean something is bad with the code
<hexa-> oh yeah, that
<supersandro2000> but I have zero experience with c or c++ so I am stuck here
<hexa-> same
<hexa-> well, not zero, but still
<supersandro2000> maybe we could overwrite the version of curl nix uses? that wouldn't be great and would be a bad idea, but yeah
FRidh has joined #nixos-security
<ris> i'm on top of it now, not much more to do...
<ris> again, one of the things causing me grief is the results of people running autoformatters
<supersandro2000> context?
<hexa-> curl probably
<supersandro2000> backporting the patch?
<supersandro2000> auto formatters are better than everyone cooking their own syntax, format and be done
<hexa-> autoformatters make backporting stuff even harder
<supersandro2000> if you use them from the beginning not really
<supersandro2000> and they are not doing things like black
<ris> i can talk on this subject for a long long time, but the real solution is for people to just chill out about formatting entirely
<ris> _especially_ if they make braindead decisions like gofmt does, justifying structs and maps
<ris> single byte change to the longest key in a map -> 20-line diff
<ris> nice
<supersandro2000> I have taken a short look at 90s C code and it is a total mess
<supersandro2000> formatting and logic wise
<supersandro2000> missing closing braces everywhere, custom formatting no one understands and the list goes on
<ris> obviously there are limits
justanotheruser has joined #nixos-security
cole-h has joined #nixos-security
<ris> #118343
<{^_^}> https://github.com/NixOS/nixpkgs/pull/118343 (by risicle, 1 minute ago, open): curl: add patches for CVE-2021-22876, CVE-2021-22890
<ris> still building for macos, but looks ok
rajivr has quit [Quit: Connection closed for inactivity]
andi- has quit [Ping timeout: 268 seconds]
andi- has joined #nixos-security
cole-h has quit [Ping timeout: 260 seconds]
star_cloud has quit [Remote host closed the connection]
star_cloud has joined #nixos-security
star_cloud has quit [Excess Flood]
star_cloud has joined #nixos-security
andi- has quit [Ping timeout: 258 seconds]
andi- has joined #nixos-security
FRidh has quit [Quit: Konversation terminated!]
cjb has joined #nixos-security
cjb has quit [Read error: Connection reset by peer]
cjb has joined #nixos-security
justanotheruser has quit [Ping timeout: 246 seconds]
<ris> #118369
<{^_^}> https://github.com/NixOS/nixpkgs/pull/118369 (by risicle, 16 seconds ago, open): [20.09] bind: add patches for multiple CVEs
supersandro2000 has quit [Disconnected by services]
supersandro2000 has joined #nixos-security