andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
cole-h has quit [Ping timeout: 252 seconds]
rajivr has joined #nixos-security
cole-h has joined #nixos-security
star_cloud has quit [Remote host closed the connection]
star_cloud has joined #nixos-security
star_cloud has quit [Excess Flood]
star_cloud has joined #nixos-security
cole-h has quit [Ping timeout: 260 seconds]
Synthetica has joined #nixos-security
dotlambda has joined #nixos-security
cole-h has joined #nixos-security
Synthetica has quit [Quit: Connection closed for inactivity]
<ris> i am extremely confused over the relationship between pupnp/libupnp and miniupnp
<hexa-> same
rajivr has quit [Quit: Connection closed for inactivity]
<ris> so just for fun i tried writing a test for CVE-2021-29462 using the existing nixos test, but got confused when even the old version gave me a "dns rebinding attack detected" rejection... not realizing that miniupnpd is something different
<ris> (the existing nixosTests.upnp that is)
Synthetica has joined #nixos-security
<ris> digging, it looks like pupnp is an entirely pure lib - in that it doesn't even come with any demo tools that you could use to run the miniserver. so without actually building a little one of them, i don't see it being possible to test the fix, so i'm not going to try backporting that patch
<ris> but hey, i've successfully verified that miniupnpd isn't vulnerable to dns rebinding
supersandro2000 is now known as Guest38913
supersandro2000 has joined #nixos-security
Guest38913 has quit [Ping timeout: 240 seconds]