I hope this is the right place to ask such a question and that is has not been asked before. If so, I missed it, my apologies for that.
Due to current events regarding the sudo security issue (Buffer overflow in command line unescaping | Sudo), I following (at least out of curiosity) how this story pans out, so to speak.
I’ve noticed that debian and Ubuntu have patched their packages, as they seem to have access to a mailinglist that announces these exploits a while before they are made public. I am assuming Nix is not invited to that particular party?
Regardless, the issue is fixed in master by virtue of https://github.com/NixOS/nixpkgs/commit/c46b679be03303111d3b14d4e65495766c6b01e9
I have so far learned that pinning my system to the tag 20.09 was a mistake, as it freezes them to the very release day. However the release-20.09 branch seems to contain security fixes, which I believe is what I should have used.
I am following the release-20.09 channel via nixos-20.09 release nixos-20.09.4407.1c1f5649bb9. At the time of this writing, it does not include the sudo fix. Am I understanding the process correctly that at some point
- Someone will advance the
release-20.09GitHub branch, - triggering a cache rebuild (which takes time)
- the patched sudo binary finally makes its way onto my system?
If there is any documentation that goes into this in details, I would be very happy for a pointer.
Thanks & keep up the good work 