nixVersions.nix_2_3: add knownVulnerabilities #420974
wolfgangwalther:
Reading through: LGTM.
It doesn't make sense for release.nix to run these twice; once directly, and once as part of the tarball job.
Backport failed for Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-24.11
git worktree add -d .worktree/backport-420974-to-release-24.11 origin/release-24.11
cd .worktree/backport-420974-to-release-24.11
git switch --create backport-420974-to-release-24.11
git cherry-pick -x 1063473001bb85bf3af2fe21f3a76011ea8c558b a61841a597730a4ec18be3f87a257a3989e629dd

Successfully created backport PR for
@alyssais We are backporting the most critical patches here: tvlfyi/nix#5 These are specifically the patches from Lix, not from C++ Nix. For the other CVEs we haven't decided what to do yet, in particular porting something like pasta or the other solutions to that problem doesn't look attractive until there's more real-world experience with them from the early adopters.
knownVulnerabilities entries in the diff:
"CVE-2024-38531"
"CVE-2024-47174"
"CVE-2025-46415"
"CVE-2025-46416"
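Review bot: the four knownVulnerabilities entries are bare CVE identifiers with no comment explaining why they apply to nix_2_3 only; since the thread below asks whether CVE-2025-46416 should also be listed for the other nixVersions packages, a one-line comment beside the list stating that these are the CVEs left unpatched in 2.3 (and, per the reply, that the abstract-socket weakness in later versions is not the vulnerability the CVE describes) would keep that rationale with the code and stop the list being copied elsewhere for consistency alone.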
From my understanding, later versions of Nix are also vulnerable to CVE-2025-46416, since abstract Unix sockets can be created in the main network namespace. So we should add it to knownVulnerabilities for the other packages in nixVersions for consistency?!
That weakness about abstract domain sockets is still present, but not the vulnerability described in the CVE. Known exploit chains are fixed.
Hopefully somebody backports the patches, in which case we can revert this; if not, it will give us a good indication that nobody cares about getting Nix 2.3 from Nixpkgs, and we can drop it.