2023-10-05 22:25:29 https://github.com/curl/curl/discussions/12026
2023-10-05 22:25:47 "Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11"
2023-10-11 04:22:54 https://gitlab.com/redhat/centos-stream/rpms/curl/-/commit/0783247f07250043dceb74e426f16f9d46147163#57c8706b6a9132202629833e05fd961bfcc66836
2023-10-11 04:23:50 Some say the patch for CVE-2023-38545 has leaked already
2023-10-11 04:26:09 looks like it, someone fucked up, and by ~14 hours too
2023-10-11 06:03:47 https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/
2023-10-11 06:06:39 https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
2023-10-15 00:57:35 "Some say the patch for CVE-2023-..." <- "curl: update to 8.4.0 to fix CVE-2023-38545 and assorted minor issues (Android may not use this functionality, but it should be fixed in case it does)"
2023-10-15 00:57:35 https://grapheneos.org/releases#:~:text=curl%3A%20update%20to%208.4.0%20to%20fix%20CVE%2D2023%2D38545%20and%20assorted%20minor%20issues%20(Android%20may%20not%20use%20this%20functionality%2C%20but%20it%20should%20be%20fixed%20in%20case%20it%20does)
2023-10-15 01:19:15 it was already officially released on the 11th
2023-10-15 04:42:38 can you cut the spam shit it's getting way too annoying this is well past the "hee hee hoo hoo supernets is up to its silly mischief once again" threshold
2023-10-20 12:30:02 I'll let someone else verify that this looks alright !53723 and if so merge
2023-10-20 12:38:48 done. Thanks!
2023-10-23 19:29:08 !53924 !53926 !53934 !53935 !53936
2023-10-24 06:29:08 merged. thanks!
2023-10-24 15:56:50 regarding https://www.openssl.org/news/secadv/20231024.txt we have 1.1.1w in 3.16 & 3.15
2023-10-25 13:34:18 both libx11 and libxpm are in main https://lists.freedesktop.org/archives/xorg/2023-October/061506.html
2023-10-26 23:09:25 I may have been too quick in merging !54177 see comment in !54179
2023-10-27 04:52:24 omni: do we ship minizip with the zlib package? i'm pretty sure we don't.
2023-10-27 04:52:45 02ab5a25b2f11a81d1d698e5d8d585d89e46fe97
2023-10-27 05:05:05 ok. I saw it was reverted. thanks
2023-10-27 11:03:39 yeah, I only checked that the patch was legit before I merged, then I saw that it was useless for main/zlib, that community/minizip was already patched a week ago and that you had added a comment for main/zlib about the vuln not affecting it
2023-10-27 13:46:39 fedora is moving to zlib-ng
2023-10-27 20:01:22 a terrible idea imo
2023-10-27 20:01:29 zlib has its problems, but zlib-ng has a lot too
2023-10-27 22:58:46 but it's the next, G!
2023-10-31 16:34:24 omni: I've gone off for the day, so if you want to try tests in !53975, maybe you can open a separate MR for that. I tried running the tests for 1.94.0: https://gitlab.alpinelinux.org/Celeste/aports/-/pipelines/186035, but they didn't work. However, the MR for 3.18-stable runs the tests, though not on all archs.
2023-10-31 16:36:32 celie: ok!