2026-02-03 13:05:45 path traversal in pip versions < 26 (low severity): https://github.com/advisories/GHSA-6vgw-5pg2-w6jp
2026-02-03 16:09:49 !96934
2026-02-04 16:38:07 i have five open prs that fix cves on various old, fix-on-request branches - do i need to do anything in particular to request reviews? (the gitlab pipelines are failing for unrelated reasons so i suspect folks might not see them otherwise)
2026-02-04 16:38:16 https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/?sort=created_date&state=opened&author_username=chrisnovakovic
2026-02-04 16:38:25 csn: Let me check
2026-02-04 16:38:30 thanks
2026-02-04 17:00:07 csn: I've backported CI commits that should make those branches work in CI again as well
2026-02-04 17:00:14 You'd have to rebase your MR though
2026-02-04 17:00:22 will do, thanks for that
2026-02-04 17:14:24 that did the trick, just seeing lint warnings on some of the MRs now
2026-02-04 17:15:33 As long as you didn't introduce them, that's fine
2026-02-04 17:21:34 nope, all of them were there before
2026-02-04 17:28:37 ggst
2026-02-04 17:28:47 sorry, wrong window ;-)
2026-02-06 00:49:56 any chance someone could take a look at https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/97028 and https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/96921, please? the openssl one is a straightforward patch version bump, and i had similar sqlite MRs merged for 3.[18-20]
2026-02-06 00:51:02 i did have to rework one alpine-specific patch in the openssl MR to get it to apply cleanly
2026-02-06 02:02:16 3.17-stable reached end of support at 2024-11-22
2026-02-06 02:19:12 patches can still be merged on request though, right?
2026-02-06 02:19:23 i have downstream users who are, regrettably, still using it
2026-02-06 18:51:44 yes they can, I'll look at them later this evening
2026-02-08 12:38:06 .9
2026-02-08 13:07:19 .10
2026-02-13 02:56:53 Can I please have !97440 and !97441 merged? They resolve CVE-2026-24044.
2026-02-13 15:33:52 Hello, sorry if this is the wrong place to ask. This morning I am noticing when using openssh-askpass with openrc user services, that when prompted for the password when openrc functions are run, the input password in the gui will appear in the terminal. This also happened to me when a prompt occurred with rc-status -U, but I am not sure why I was prompted for the password there (the theming was also different in that case, so it may be a differen
2026-02-13 15:34:27 I have not tested ksshaskpass or lxqt-openssh-askpass, but this seemed like something that may be worth bringing up
2026-02-13 15:34:52 again, apologies if wrong forum, I have created an issue. Just not sure if I am naively doing something I shouldn't be
2026-02-13 16:14:59 jumping off irc, but there is an issue open if relevant
2026-02-16 12:44:30 https://lists.xenproject.org/archives/html/xen-announce/2026-02/msg00000.html
2026-02-16 12:44:32 "TL;DR: All Xen releases will now have long-term support, with up to five years of security support."
2026-02-16 13:06:46 I'm wondering who is paying for this
2026-02-17 07:48:11 I'd be happy if they tagged patch releases when they release XSA patches
2026-02-17 18:36:20 not sure I've brought it up here before, but thought about it again now when I backported the intel-ucode security upgrades
2026-02-17 18:37:40 in contrast, amd-ucode is a subpackage to main/linux-firmware and, as such, shouldn't upgrades of linux-firmware too be backported to all of our maintained stable releases?
2026-02-17 18:38:23 ncopa: I think I've mentioned that idea to you some time ago
2026-02-17 20:46:30 quit
2026-02-18 19:45:55 won't
2026-02-18 20:35:34 don't you dare
2026-02-18 20:35:36 give up
2026-02-27 20:32:27 jvoisin: i don't know who is paying for xen LTS. it's not me. we ship xen to our customers off of snapshots of `master` that are refreshed every few months.