2025-09-05 14:27:43 Systemd
2025-09-05 14:27:52 Why every distro has their "security team" ???
2025-09-05 14:28:06 Why not merge, under banner "systemd security team" ?
2025-09-05 14:28:21 If everyone runs same thing after all, what's even the point
2025-09-05 14:28:28 No let's go a step further
2025-09-05 14:28:37 Why even different package managers?
2025-09-05 14:28:42 Let's all use systemd package manager
2025-09-05 14:29:07 It's nice, full, bloated, full of juicy buffer overflows for our juice overlords to take advantage of and get a god complex
2025-09-05 14:29:07 mm
2025-09-05 14:29:17 Why even different distros ?
2025-09-05 14:29:34 If it's all Linux and Gnu under the hood, why even bother?
2025-09-05 14:29:41 Oh what, you use Musl ?? boo fucking hoo
2025-09-05 14:30:12 Security LOOOOOOOOOOOOOOOOOL
2025-09-08 15:44:45 ok
2025-09-15 02:32:28 Hi there! I'm Jess, I work on the [OSV database](https://github.com/google/osv.dev).... (full message at )
2025-09-15 04:51:16 "Hi there! I'm Jess, I work on..." <- You should avoid long messages (and edits) as the primary chat platform is IRC, not Matrix - and the bridge doesn't handle that well when relaying messages
2025-09-15 04:52:40 It would be best if you could open an issue on cports/secdb
2025-09-15 04:52:55 s/cports/aports
2025-09-15 22:48:32 "s/cports/aports" <- Alright, thanks!
2025-09-18 08:41:49 .
2025-09-22 08:57:33 hi, a trivy scan of a container image based on alpine 3.22 flags usr/lib/librav1e.so.0.7.1 (rust binary) due to 2 vulnerable rust crates
2025-09-22 08:58:12 both with a medium severity
2025-09-22 08:59:13 1) GHSA-2rxc-gjrp-vjhx
2025-09-22 08:59:20 2) CVE-2025-4574
2025-09-22 09:01:30 k9s
2025-09-22 09:02:13 sorry for the last one, thought my terminal had focus :(
2025-09-23 10:28:26 can you find which package provides usr/lib/librav1e.so.0.7.1?
2025-09-23 10:28:39 apk info --who-owns /usr/lib/librav1e.so.0.7.1
2025-09-23 10:32:11 it's rav1e
2025-09-23 10:35:14 if it is to be upgraded, I think ffmpeg needs to be rebuilt
2025-09-23 10:36:33 at least if it's from 0.7.x to 0.8.x
2025-09-23 10:37:21 sounds like we cannot upgrade
2025-09-23 10:38:22 if it's the crossbeam-channel crate that has the vulnerability, perhaps we can bump that
2025-09-23 10:41:18 in alpine 3.22-stable
2025-09-23 10:41:22 Downloaded crossbeam-channel v0.5.11
2025-09-23 10:41:47 rav1e pulls in crossbeam-channel 0.5.11
2025-09-23 10:42:19 according to https://github.com/crossbeam-rs/crossbeam/releases/tag/crossbeam-channel-0.5.15
2025-09-23 10:42:31 the double free was introduced in 0.5.12
2025-09-23 10:43:43 so, as far as I can see, alpine 3.22-stable is not vulnerable to CVE-2025-4574
2025-09-23 10:45:49 the other: https://github.com/advisories/GHSA-2rxc-gjrp-vjhx
2025-09-23 10:46:08 Downloaded anstream v0.6.5
2025-09-23 10:46:20 looks valid. fixed in 0.6.8
2025-09-23 10:51:02 does not seem to have a CVE
2025-09-23 10:51:16 it is https://rustsec.org/advisories/RUSTSEC-2024-0404.html
2025-09-23 10:51:39 not sure how to update secfixes?
2025-09-23 11:00:34 ncopa: You can include just RUSTSEC-2024-0404
2025-09-23 11:03:51 👍
2025-09-23 11:04:25 just like the CVEs?
2025-09-23 11:04:30 yes
2025-09-23 11:04:48 omni: xen has a couple of entries with just XSA-* as well ;-)
2025-09-23 11:04:50 still think it might be an idea to bump crossbeam-channel
2025-09-23 11:05:17 yes, but the XSAs are coupled with corresponding CVEs
2025-09-23 11:05:22 Not all
2025-09-23 11:05:28 I don't think there's a CVE for RUSTSEC-2024-0404
2025-09-23 11:05:48 in the APKBUILD, I mean
2025-09-23 11:05:51 4.7.1-r5:
2025-09-23 11:05:53 - XSA-207
2025-09-23 11:06:07 oh, ok, that's old
2025-09-23 11:06:39 Just to indicate that it's already happening
2025-09-23 11:06:55 yeah, sure, missed that
2025-09-30 21:06:17 https://openssl-library.org/news/secadv/20250930.txt
2025-09-30 21:07:27 in 3.19-stable we have 3.1.8, EoLed 2025-03-14