Source: guix
Version: 1.4.0-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.2.0-4+deb11u1
Hi,

Vagrant, I know you are already aware, but I am filing this to have a Debian bug tracking reference.

The following vulnerability was published for guix.

CVE-2024-27297[0]:
| Nix is a package manager for Linux and other Unix systems. A fixed-
| output derivation on Linux can send file descriptors to files in
| the Nix store to another program running on the host (or another
| fixed-output derivation) via Unix domain sockets in the abstract
| namespace. This allows the output of the derivation to be modified
| after Nix has registered the path as "valid" and immutable in the Nix
| database. In particular, this allows the output of fixed-output
| derivations to be modified from their expected content. This issue
| has been addressed in versions 2.3.18, 2.18.2, 2.19.4 and 2.20.5.
| Users are advised to upgrade. There are no known workarounds for
| this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27297
    https://www.cve.org/CVERecord?id=CVE-2024-27297
[1] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
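The primitive behind the CVE text above is ordinary Linux file-descriptor passing: a process that holds a writable descriptor to a file can hand it over a Unix domain socket (SCM_RIGHTS), and the receiver keeps write access even after the path itself is later made read-only, because permissions are checked at open() time, not at write() time. Abstract-namespace sockets (names starting with a NUL byte) have no filesystem path, so a sandbox built from chroots and bind mounts does not hide them; they are only scoped by the network namespace. The script below is an added, self-contained illustration of that primitive on a temporary file, written for this report; it is not code from Nix, Guix, the upstream fix or this bug report, and it does not touch a store. The socket name, file contents and temp paths are constructed for the demo.

```python
import os
import shutil
import socket
import stat
import sys
import tempfile
import threading

# Constructed demo, not Nix/Guix code. On Linux a leading NUL byte selects the
# abstract socket namespace (no filesystem path, scoped to the network namespace);
# other Unixes lack it, so the demo falls back to a path-based socket there.
ABSTRACT_NAME = b"\0fd-passing-demo-cve-2024-27297"


def _receiver(listener, result):
    """Host-side process: accept one connection and take the descriptor it carries."""
    conn, _ = listener.accept()
    with conn:
        msg, fds, _flags, _addr = socket.recv_fds(conn, 1024, 1)
        result["msg"] = msg
        result["fd"] = fds[0]


def demo():
    """Return (content before tampering, content after, final path mode)."""
    tmpdir = tempfile.mkdtemp()
    try:
        # 1. The "builder" writes its output and keeps a read-write descriptor.
        path = os.path.join(tmpdir, "output")
        fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o644)
        os.write(fd, b"expected content\n")

        # 2. Another process listens on an abstract-namespace socket.
        sock_name = ABSTRACT_NAME if sys.platform.startswith("linux") \
            else os.path.join(tmpdir, "sock")
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(sock_name)
        listener.listen(1)
        result = {}
        thread = threading.Thread(target=_receiver, args=(listener, result))
        thread.start()

        # 3. The builder connects and ships the descriptor via SCM_RIGHTS,
        #    then closes its own copy and "finishes".
        sender = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sender.connect(sock_name)
        socket.send_fds(sender, [b"output-fd"], [fd])
        sender.close()
        os.close(fd)
        thread.join()
        listener.close()

        # 4. The "store" now treats the output as final: path made read-only.
        os.chmod(path, 0o444)
        with open(path, "rb") as f:
            before = f.read()

        # 5. The receiver's descriptor was opened read-write, so the chmod does
        #    not stop it: the finalised file is rewritten in place.
        rfd = result["fd"]
        os.lseek(rfd, 0, os.SEEK_SET)
        os.write(rfd, b"tampered content\n")
        os.close(rfd)
        with open(path, "rb") as f:
            after = f.read()
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return before, after, mode
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    before, after, mode = demo()
    print("before:", before, "after:", after, "mode: %o" % mode)
```

The takeaway for anyone assessing exposure: locking down the store path (read-only mode, immutable attributes, ownership) after the build does nothing against a descriptor that escaped during the build, and a builder that shares the host's network namespace, as fixed-output derivations do in order to fetch sources, shares its abstract socket namespace with every other process in that namespace.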