Hi Guix-ers,

Two security issues I would like to briefly draw attention to:

First, a belated (sorry!) note about a security issue that was originally found in Nix but also affects the guix-daemon. All users are strongly encouraged to update their guix-daemon. For details about this security issue, how to check if you are on an impacted version, and most importantly how to upgrade, please see the blog post:

<https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/>

Secondly, perhaps many have heard of the recent security issue (backdoor) in the xz project:

- <https://www.openwall.com/lists/oss-security/2024/03/29/4> (original disclosure)
- <https://nvd.nist.gov/vuln/detail/CVE-2024-3094> (CVE-2024-3094)

As far as I, and those I've discussed with, can tell, Guix is *not* affected. For one, we are currently on an older version, 5.2.8, which I believe also predates most or all of the contributions made by the identity associated with the backdoor. We also don't fit what we currently know about when the backdoor is enabled in the build, due to our packaging not being one of the targets, as well as not using systemd (which provided a link between sshd and xz), among other factors.

This is an evolving situation with many current discussions online. I also just noticed that the xz project has a page identifying this backdoor and what they are currently doing: <https://tukaani.org/xz-backdoor/>. Though given how this exploit has come about, we should remain skeptical and vigilant.

Let me stress that there is much we don't know. There certainly remains the possibility of other exploits or malicious code to be discovered, as well as looking at contributions made via the same user identifier to other projects. We will be keeping a close eye on this, but please report any security issues to <guix-secur...@gnu.org>.

I hope this was helpful and assuring but I welcome feedback on any of this. While I am on guix-security, please note I wrote this message independently to be timely and hopefully assuage any questions.

I hope otherwise everyone is having a great weekend and that your Guix machines (and all the others!) are humming along happily!

John Kehayias
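Added example, not part of the message above and not Guix project code: a POSIX shell script that turns the two facts the message's reasoning rests on (the installed xz version, and whether sshd links liblzma at all) into checks a host owner can run. The affected-version list is taken from the public CVE-2024-3094 disclosure rather than from the message, and the ldd sample is constructed.

```sh
#!/bin/sh
# Added example (not from the original message). Versions 5.6.0 and 5.6.1
# are the releases named in the public CVE-2024-3094 disclosure; override
# AFFECTED_XZ_VERSIONS if your advisory source lists others.
AFFECTED_XZ_VERSIONS="${AFFECTED_XZ_VERSIONS:-5.6.0 5.6.1}"

# xz_version_affected VERSION: returns 0 if VERSION is on the affected list.
xz_version_affected() {
    for bad in $AFFECTED_XZ_VERSIONS; do
        [ "$1" = "$bad" ] && return 0
    done
    return 1
}

# xz_version_from_banner "xz (XZ Utils) 5.2.8": prints "5.2.8".
# Expects the output of `xz --version`; only the first line is parsed.
xz_version_from_banner() {
    printf '%s\n' "$1" | head -n 1 |
        sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# sshd_links_liblzma LDD_OUTPUT: returns 0 if the shared-library list of
# sshd names liblzma (the link the systemd patch created elsewhere).
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Constructed ldd sample (not captured from a real host) for a dry run.
SAMPLE_LDD="	libcrypto.so.3 => /gnu/store/example/lib/libcrypto.so.3
	liblzma.so.5 => /gnu/store/example/lib/liblzma.so.5"

# Live check; every probe is guarded so the script degrades gracefully
# where xz, sshd or ldd are missing.
check_system() {
    banner=$(xz --version 2>/dev/null | head -n 1) || banner=""
    ver=$(xz_version_from_banner "$banner")
    if [ -n "$ver" ] && xz_version_affected "$ver"; then
        echo "xz $ver is on the affected list: investigate this host"
    else
        echo "xz version '${ver:-unknown}' is not on the affected list"
    fi
    sshd_path=$(command -v sshd 2>/dev/null || true)
    if [ -n "$sshd_path" ] && sshd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "sshd at $sshd_path links liblzma: review why"
    else
        echo "no sshd->liblzma link found (or sshd/ldd not available)"
    fi
}

sshd_links_liblzma "$SAMPLE_LDD" && echo "constructed sample: links liblzma"
check_system
```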