Nix 2.24.8 released fixing builtin:fetchurl credentials leak, severity 5.9 (moderate)

discourse.nixos.org

cross-posted to:
nix@programming.dev

Nix 2.24.8 released fixing builtin:fetchurl credentials leak, severity 5.9 (moderate)

discourse.nixos.org

captainkangaroo@discuss.tchncs.de to

NixOS@infosec.pubEnglish · 10 months ago

cross-posted to:
nix@programming.dev

DetSys seems to have made a security release to NixCpp. The primary risk is leaking of netrc credentials through a crafted derivation plus an attacker-in-the-middle. Users of the experimental feature impure-derivations are at greater risk. FlakeHub Cache users and users of impure derivations should upgrade as soon as possible. source: x.com Here’s the contents of the related security advisor: Credential leak when credentials are used with `` · Advisory · NixOS/nix · Gi...

You must log in or register to comment.

Chat

NixOS@infosec.pub

nixos@infosec.pub

Create a post

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !nixos@infosec.pub

NixOS is a Linux distribution built on top of the Nix package manager. Its declarative configuration allows reliable system upgrades via several official channels of stability and size.

This community discusses NixOS, Nix, and everything related.

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

1 user / day
1 user / week
1 user / month
1 user / 6 months
0 local subscribers
985 subscribers
5 Posts
0 Comments
Modlog

mods:
PortugalSpaceMoon@infosec.pub