From f62633a527a7b54ab2c552b493dce382ab2365e6 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Thu, 18 Mar 2021 21:51:45 +0100 Subject: news: Add erratum for '--keep-failed' vulnerability. * etc/news.scm: Add entry. --- etc/news.scm | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'etc') diff --git a/etc/news.scm b/etc/news.scm index 3c604b0d23..f3e6bb6dff 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -20,6 +20,22 @@ (channel-news (version 0) + (entry (commit "ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf") + (title + (en "Update on previous @command{guix-daemon} local privilege escalation")) + (body + (en "The previous news item described a potential local privilege +escalation in @command{guix-daemon}, and claimed that systems with the Linux +@uref{https://www.kernel.org/doc/Documentation/sysctl/fs.txt, +``protected hardlink''} feature enabled were unaffected by the vulnerability. + +This is not entirely correct. Exploiting the bug on such systems is harder, +but not impossible. To avoid unpleasant surprises, all users are advised to +upgrade @command{guix-daemon}. Run @command{info \"(guix) Upgrading Guix\"} +for info on how to do that. See +@uref{http://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/} +for more information on this bug."))) + (entry (commit "ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf") (title (en "Risk of local privilege escalation @i{via} @command{guix-daemon}") -- cgit 1.4.1