Nix 2.24 is vulnerable to (remote) privilege escalation

1. matrix.to

   1 261 1,028 5.7 JavaScript

   A simple stateless privacy-protecting URL redirecting service for Matrix

   

   This message was sent last Sunday in a public Matrix discussion involving the author.

   > Eelco is working on it, there's a patch on the GitHub advisory, we plan to get it out on Monday, but no promises yet if everything will get done by then

   https://matrix.to/#/!VRULIdgoKmKPzJZzjj:nixos.org/$tJgEBGqKs...

   In what world is this "not being in touch," "actively ignoring messages," "not forwarding the researcher to anyone else"? Also, Nix maintainers clearly state that they weren't "aware" of the deadline. Very different definitions of words indeed.

2. CodeRabbit

   coderabbit.ai featured

   CodeRabbit: AI Code Reviews for Developers. Revolutionize your code reviews with AI. CodeRabbit offers PR summaries, code walkthroughs, 1-click suggestions, and AST-based analysis. Boost productivity and code quality across all major languages with each PR.

   

3. nix

   2 402 13,787 10.0 C++

   Nix, the purely functional package manager

   

   This is fixed in 2.24.6: https://github.com/NixOS/nix/releases/tag/2.24.6

   See also https://discourse.nixos.org/t/vulnerability-in-nix-2-24/5190... for updates.

   Can someone link to the actual fix? It's a bit hard to navigate the git history for me...

Suggest a related project