NixOS Discourse

Vulnerability in Nix 2.24

Announcements Security

fricklerhandwerk September 17, 2024, 8:51pm 8

Here’s the post mortem as promised:

NAR unpacking vulnerability -- post mortem Security

Last week there was a period of 14 hours where the mechanism of a serious security vulnerability in Nix 2.24 was publicly known but no patch available. The following reconstructs what led up to that, and lists the conclusions Nix maintainers (@edolstra @tomberek @Ericson2314 @roberth @fricklerhandwerk) draw from the incident. Summary of events Nix maintainers were first informed of the vulnerability on Friday 2024-08-30 on Matrix by @puckipedia, with an advance warning on GitHub by @jade. @tom…

5 Likes

show post in topic

Home
Categories
Guidelines
Terms of Service
Privacy Policy

Powered by Discourse, best viewed with JavaScript enabled

Hosted by Flying Circus.