2024-04-03 09:36:17 <ikke> https://joeyh.name/blog/entry/reflections_on_distrusting_xz/ encourages to revert xz  to a version that was not touched by Jian Tan
2024-04-03 09:41:15 <pj[m]> Lasse plans on rebasing history to remove malicious content
2024-04-03 12:59:07 <jvoisin> ikke: fwupd just moved from xz to zstd
2024-04-03 13:22:42 <dne> and so will "Jia Tan" :)
2024-04-03 13:42:47 <sam_> haha
2024-04-03 13:47:01 <sam_> ikke: fwiw im not super keen on that plan given he forked it without much awareness of xz
2024-04-03 13:47:05 <sam_> he was encouraging debian to use 5.3.x
2024-04-03 13:47:08 <sam_> which is.. a dev release
2024-04-03 13:47:10 <sam_> (xz does odd/even)
2024-04-03 13:47:17 <sam_> it implies he is not very familiar with xz at all
2024-04-03 13:48:00 <ikke> Right
2024-04-04 07:20:22 <omni> https://kb.cert.org/vuls/id/421644
2024-04-04 07:30:04 <omni> main/nodejs was fixed in edge and 3.19-stable
2024-04-07 01:40:43 <omni> upcoming https://xenbits.xen.org/xsa/
2024-04-07 19:38:35 <ikke> Someone willing to do a security review of https://github.com/michaelforney/swc/tree/master/launch? This is being packaged in https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/63712, but the binary is installed with suid. (Though I'm not sure it's even a good idea to use suid for this in the first place). The code for that binary seems relatively small.
2024-04-07 23:30:18 <jvoisin> ikke: https://github.com/michaelforney/swc/blob/master/launch/launch.c#L493
2024-04-07 23:30:37 <jvoisin> is it me, or it's spawning whatever binary is passed as argument?
2024-04-08 03:28:12 <fluix> my guess is this is something similar to when Sway supported being suid, but now doesn't because there's better ways to do things
2024-04-08 04:52:57 <ikke> jvoisin: it does set POSIX_SPWAN_RESETIDS, so the spwaned executables should use the original uid/gid, right?
2024-04-08 06:20:35 <ncopa> jvoisin: it does look like it is spawning whatever you tell it to lanch via args, yes
2024-04-08 10:38:49 <fabled> Is the secdb available or convertible easily to VEX JSON easily?
2024-04-08 10:39:44 <ikke> what is VEX json?
2024-04-08 10:41:00 <ikke> https://github.com/openvex
2024-04-08 10:42:21 <ikke> There is a go library available, so might not be too difficult to provide it
2024-04-08 10:45:37 <ikke> the tricky part may be the `time` field
2024-04-08 10:46:53 <ikke> not_affected + impact_statement as well
2024-04-08 10:49:46 <ikke> fabled: so full adherence to the spec is not trivial given the data we have
2024-04-08 11:24:47 <fabled> I would be mostly interested to get suppression database in VEX format to shut up stupid scanners
2024-04-08 11:25:43 <fabled> For cve-bin-tool
2024-04-08 11:42:31 <ikke> Do you know what fields they care about?
2024-04-08 16:54:49 <fabled> Ikke: I think just the field that indicates the CVE is fixed
2024-04-08 17:12:07 <ikke> fabled: so "status": "fixed"
2024-04-08 17:13:59 <fabled> Yes
2024-04-14 02:44:06 <omni> https://github.com/advisories/GHSA-jjg7-2v4v-x38h
2024-04-14 02:44:38 <omni> I have upgraded py3-idna from 3.6 to 3.7 on edge and 3.19-stable
2024-04-14 02:51:17 <omni> but not 3.16-3.18-stable
2024-04-16 17:43:27 <omni> https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/
2024-04-22 22:22:13 <omni> podman is a bit behind in security upgrades on 3.19-stable
2024-04-24 22:56:40 <omni> !64425
2024-04-24 22:56:46 <omni> (merged)
2024-04-24 22:57:45 <omni> in 3.19 we have 1.96.1 on which https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a doesn't easily apply