The other day I read about SegmentSmack (CVE-2018-5390), a security bug affecting the latest kernels, then I read the statement Debian released about it, and I was wondering how (and if) NixOS manages security fixes, especially those for the kernel… Searching for answers I stumbled upon the NixOS security announcement mailing list, only to find out that the last message was in 2017. Does anybody know more?
Even in this forum instance a “security” category for posts and announcements seems to be missing…
There is the “severity: security” GitHub label (Issues · NixOS/nixpkgs · GitHub).
There you see regular “Vulnerability roundups” by ckauhaus. I don’t know the details.
Upstream is relatively quick about this, I believe, and both unstable and stable branches are getting all maintenance updates for all kernel branches.
@vcunat, thanks for the clarification. It would be nice to give more visibility to what’s fixed upstream and by you guys. For example, how can I check if/when the code in unstable has a fix for this CVE? Would it be possible to put this information somewhere (in a commit or somewhere else)? Searching through the repository didn’t reveal anything about it, so I supposed that the code that fixes this vulnerability has yet to land in the repo…
Patches for CVEs in nixpkgs should use a convention naming them by the CVE name. I personally don’t think distributions are a good place to catalogue what upstream versions fixed what CVEs, as that’s common for everyone. One of our contributors regularly runs a tool that scans the NIST database and opens corresponding GitHub issues, but some things just move too fast for NIST to track immediately.
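The two posts above together describe the practical check a user can make: look in a nixpkgs checkout for a patch whose filename carries the CVE id, and for commits whose message mentions it. The script below is an added example written for this thread; it is not part of nixpkgs and not code from any of the posters. It assumes that the naming convention mentioned above puts the bare CVE identifier (CVE-YYYY-NNNN…) somewhere in the patch filename, and it treats matching as case-insensitive because upstream files are not always uppercase. The sample filenames in `SAMPLE_PATCHES` are constructed for the offline demonstration; only CVE-2018-5390 is a real id taken from the thread, the other is a placeholder.

```python
import os
import re
import subprocess
import sys

# CVE identifiers as assigned by MITRE: CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample paths for the offline demo (assumption: the convention
# described in the thread puts the CVE id in the patch filename).
SAMPLE_PATCHES = [
    "pkgs/os-specific/linux/kernel/CVE-2018-5390.patch",      # id from the thread
    "pkgs/development/libraries/example/cve-0000-00001.patch", # placeholder id, lowercase
    "pkgs/tools/example/fix-build-on-darwin.patch",            # no CVE in the name
]


def cves_in_name(path):
    """Return the set of CVE ids found in a patch filename, normalised to uppercase."""
    return set(CVE_RE.findall(os.path.basename(path).upper()))


def patches_for_cve(paths, cve_id):
    """Filter patch paths to those whose filename carries the requested CVE id."""
    wanted = cve_id.upper()
    return sorted(p for p in paths if wanted in cves_in_name(p))


def scan_checkout(root, cve_id):
    """Walk a nixpkgs checkout and return every .patch/.diff file named for cve_id."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".patch", ".diff")):
                found.append(os.path.join(dirpath, name))
    return patches_for_cve(found, cve_id)


def commits_mentioning(root, cve_id):
    """Return one-line commit subjects in the checkout whose message mentions cve_id.

    Requires git and a real clone; not exercised by the offline demo.
    """
    proc = subprocess.run(
        ["git", "-C", root, "log", "--all", "--oneline", "-i", "--grep", cve_id],
        capture_output=True, text=True, check=False,
    )
    return [line for line in proc.stdout.splitlines() if line]


def main(argv):
    # Usage: python check_cve.py /path/to/nixpkgs CVE-2018-5390
    if len(argv) != 3:
        print("usage: check_cve.py <nixpkgs-checkout> <CVE-id>")
        return 2
    root, cve_id = argv[1], argv[2]
    if not CVE_RE.fullmatch(cve_id.upper()):
        print(f"{cve_id} does not look like a CVE id")
        return 2
    patches = scan_checkout(root, cve_id)
    commits = commits_mentioning(root, cve_id)
    for p in patches:
        print("patch:", p)
    for c in commits:
        print("commit:", c)
    if not patches and not commits:
        print(f"no patch or commit in {root} mentions {cve_id}")
    return 0 if (patches or commits) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A hit from either search only tells you that a patch or commit referencing the id exists on that branch; whether the fix has actually reached a channel still depends on which commit the channel currently points at, so check the channel's commit (for example from the `nixos-version` output) against `git merge-base --is-ancestor` before concluding a system is patched.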