MidnightBSD

Advisories for nixos

CVE-2017-7412 HIGH

NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which allows local users to gain privileges by executing docker commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
nixos nixos 17.03
CVE-2019-17365 MEDIUM

Nix through 2.3 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable.
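The two advisories above are both permission problems on a filesystem object: a socket that anyone can write to, and a directory that anyone can create entries in. The audit script below is an added example, not part of this page or of the NixOS project. The mode logic is a pure function so it can be exercised on constructed st_mode values; the default path list is an assumption about where the Docker socket and the per-user profile directory live on a given host.

```python
import os
import stat

# Assumed locations of the objects named by the two advisories; adjust per host.
DEFAULT_PATHS = ["/var/run/docker.sock", "/nix/var/nix/profiles/per-user"]


def mode_findings(mode: int, path: str) -> list[str]:
    """Return human-readable findings for a raw st_mode value.

    Kept free of filesystem access so the logic can be checked on
    constructed modes."""
    findings = []
    if not mode & stat.S_IWOTH:
        return findings
    if stat.S_ISSOCK(mode):
        kind = "socket"
    elif stat.S_ISDIR(mode):
        kind = "directory"
    else:
        kind = "file"
    findings.append(f"{path}: {kind} is world-writable (mode {stat.S_IMODE(mode):04o})")
    if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        # The sticky bit only stops users deleting or renaming entries they do
        # not own; it does nothing to stop them creating new entries, which is
        # what matters for a directory of per-user subdirectories.
        findings.append(f"{path}: sticky bit is set, but anyone can still create new entries")
    return findings


def audit(paths=DEFAULT_PATHS) -> list[str]:
    """Stat each path (following symlinks) and collect findings; missing paths are skipped."""
    out = []
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        out.extend(mode_findings(st.st_mode, p))
    return out


if __name__ == "__main__":
    for line in audit() or ["no world-writable objects among the audited paths"]:
        print(line)
```

The expected safe states are a socket owned by root with group access only (no "other" write bit) and a per-user profile parent that is not writable by others at all; a 1777 directory is reported as a finding on purpose, since the sticky bit does not prevent pre-creating another user's entry.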

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-276

Products Affected

Vendor Product Version
nixos nix *
CVE-2023-36476

calamares-nixos-extensions provides Calamares branding and modules for NixOS, a distribution of GNU/Linux. Users of calamares-nixos-extensions version 0.3.12 and prior who installed NixOS through the graphical Calamares installer with an unencrypted `/boot`, on either non-UEFI systems or with a LUKS partition different from `/`, have their LUKS key file stored in `/boot` as a plaintext CPIO archive attached to their NixOS initrd; anyone able to read the unencrypted `/boot` can therefore recover the key. A patch is available and is expected to ship in version 0.3.13, with backports to the NixOS 22.11, 23.05 and unstable channels. Expert users who have a copy of their data may, as a workaround, re-encrypt the LUKS partition(s) themselves.
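An added example, not from calamares-nixos-extensions or NixOS, that checks an initrd image for the condition described above: an uncompressed newc cpio archive attached to the initrd that carries a key file. The scanner walks every readable "070701" archive in the image; a compressed archive has no readable headers and is skipped over. The sample image, the key-name pattern and the file names are constructed for the example.

```python
import re
import sys

NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6-byte magic followed by 13 eight-character hex fields


def _hex(n: int) -> bytes:
    return f"{n:08x}".encode()


def build_newc(entries) -> bytes:
    """Build a newc cpio archive from (name, data, mode) tuples. Used only to
    construct the sample below; it is not how NixOS assembles an initrd."""
    out = bytearray()
    for ino, (name, data, mode) in enumerate(list(entries) + [("TRAILER!!!", b"", 0)], 1):
        name_b = name.encode() + b"\0"
        hdr = (NEWC_MAGIC + _hex(ino) + _hex(mode) + _hex(0) * 2 + _hex(1) + _hex(0)
               + _hex(len(data)) + _hex(0) * 4 + _hex(len(name_b)) + _hex(0))
        out += hdr + name_b + b"\0" * (-(HEADER_LEN + len(name_b)) % 4)
        out += data + b"\0" * (-len(data) % 4)
    return bytes(out)


def parse_newc(buf: bytes, start: int = 0):
    """Walk one newc archive that begins at buf[start]; return (entries, end_offset).
    Padding is computed relative to start, so an archive embedded at any offset parses."""
    pos, entries = start, []
    while True:
        hdr = buf[pos:pos + HEADER_LEN]
        if len(hdr) < HEADER_LEN or hdr[:6] != NEWC_MAGIC:
            raise ValueError(f"no newc header at offset {pos}")
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = bytes(buf[pos + HEADER_LEN:pos + HEADER_LEN + namesize]).rstrip(b"\0").decode("utf-8", "replace")
        data_at = pos + HEADER_LEN + namesize
        data_at += -(data_at - start) % 4
        data = bytes(buf[data_at:data_at + filesize])
        pos = data_at + filesize + (-(data_at + filesize - start) % 4)
        if name == "TRAILER!!!":
            return entries, pos
        entries.append((name, mode, data))


def find_plaintext_archives(blob: bytes) -> list:
    """Return [(offset, entries)] for every uncompressed newc archive in blob."""
    found, pos = [], 0
    while (i := blob.find(NEWC_MAGIC, pos)) != -1:
        try:
            entries, end = parse_newc(blob, i)
        except ValueError:
            pos = i + 1  # magic bytes that do not start a well-formed archive
            continue
        found.append((i, entries))
        pos = end
    return found


KEY_NAME = re.compile(r"key|luks|secret", re.I)  # assumed naming; tune for your layout


def key_material(blob: bytes) -> list:
    """(offset, name) for every entry of a readable archive whose name looks like key material."""
    return [(off, name) for off, entries in find_plaintext_archives(blob)
            for name, _mode, _data in entries if KEY_NAME.search(name)]


# Constructed sample: a stand-in for the compressed main archive, followed by an
# attached plaintext archive carrying a 32-byte key file.
SAMPLE_INITRD = (b"\x1f\x8b" + bytes(range(256))
                 + build_newc([("etc/luks/root.key", b"\x13" * 32, 0o100400),
                               ("etc/motd", b"hi\n", 0o100644)]))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_INITRD
    for off, name in key_material(blob) or [(None, "no key-like names in any plaintext archive")]:
        print(off, name)
```

Run it against each initrd under the unencrypted boot partition; a hit means the key is recoverable by anyone who can read that partition, regardless of the LUKS passphrase strength.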

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.9 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N 2.5 4.7

Products Affected

Vendor Product Version
nixos calamares-nixos-extensions *
CVE-2024-12084

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
almalinux almalinux 10.0
tritondatacenter smartos *
archlinux arch_linux -
novell suse_linux -
nixos nixos *
nixos nixos 24.11
redhat enterprise_linux 10.0
samba rsync 3.3.0
samba rsync 3.2.7
gentoo linux -
CVE-2024-12085

A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
redhat openshift 5.0
almalinux almalinux 10.0
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.6_ppc64le
almalinux almalinux 9.0
redhat enterprise_linux_update_services_for_sap_solutions 9.0
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_eus 8.8
redhat enterprise_linux_for_power_little_endian_eus 9.4_ppc64le
redhat enterprise_linux_server_aus 9.2
redhat enterprise_linux_for_ibm_z_systems 9.0_s390x
redhat enterprise_linux_for_arm_64_eus 9.4_aarch64
redhat enterprise_linux 8.0
redhat openshift_container_platform 4.14
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4_ppc64le
redhat enterprise_linux_server 6.0
redhat enterprise_linux_eus 9.2
redhat enterprise_linux_for_ibm_z_systems 9.2_s390x
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.2_ppc64le
redhat enterprise_linux_update_services_for_sap_solutions 8.6
redhat enterprise_linux_update_services_for_sap_solutions 9.6
redhat enterprise_linux_for_power_little_endian 9.0_ppc64le
redhat enterprise_linux_for_arm_64_eus 8.8_aarch64
redhat enterprise_linux_for_arm_64 9.2_aarch64
redhat enterprise_linux_for_arm_64_eus 9.6_aarch64
redhat enterprise_linux_for_power_little_endian 9.2_ppc64le
redhat enterprise_linux_server 7.0
redhat openshift_container_platform 4.16
redhat enterprise_linux_update_services_for_sap_solutions 8.4
redhat enterprise_linux_eus 9.6
redhat enterprise_linux_for_ibm_z_systems 8.0_s390x
samba rsync *
redhat enterprise_linux_for_arm_64 9.0_aarch64
redhat enterprise_linux_for_ibm_z_systems_eus 9.4_s390x
gentoo linux -
redhat openshift_container_platform 4.13
redhat enterprise_linux_for_ibm_z_systems_eus 9.6_s390x
redhat enterprise_linux_server_aus 9.6
nixos nixos *
redhat openshift_container_platform 4.12
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.6_ppc64le
redhat enterprise_linux_server_aus 9.4
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.0_ppc64le
redhat enterprise_linux_eus 9.4
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.4_ppc64le
redhat enterprise_linux_for_ibm_z_systems_eus 8.8_s390x
redhat enterprise_linux_update_services_for_sap_solutions 9.2
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_for_power_little_endian_eus 9.6_ppc64le
suse suse_linux -
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.8_ppc64le
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_for_arm_64 8.0_aarch64
tritondatacenter smartos *
archlinux arch_linux -
redhat enterprise_linux_server_tus 8.8
redhat enterprise_linux 9.0
redhat enterprise_linux_for_power_little_endian 8.8_ppc64le
redhat openshift_container_platform 4.17
redhat enterprise_linux_for_power_little_endian 8.0_ppc64le
almalinux almalinux 8.0
redhat openshift_container_platform 4.15
CVE-2024-12086

A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.1 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N 1.6 4.0

Products Affected

Vendor Product Version
almalinux almalinux 10.0
redhat enterprise_linux 8.0
samba rsync *
gentoo linux -
suse suse_linux -
almalinux almalinux 9.0
tritondatacenter smartos *
archlinux arch_linux -
redhat enterprise_linux 7.0
redhat openshift_container_platform 4.0
nixos nixos *
redhat enterprise_linux 9.0
redhat enterprise_linux 6.0
redhat enterprise_linux 10.0
almalinux almalinux 8.0
CVE-2024-12087

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, which is enabled by default for many client options and can be enabled by the server even if the client did not request it. When `--inc-recursive` is in use, a lack of proper symlink verification, coupled with deduplication checks that occur on a per-file-list basis, could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
almalinux almalinux 10.0
redhat enterprise_linux_eus 9.6
redhat enterprise_linux_for_ibm_z_systems 8.0_s390x
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.6_ppc64le
samba rsync *
redhat enterprise_linux_for_arm_64 9.0_aarch64
gentoo linux -
almalinux almalinux 9.0
redhat enterprise_linux_for_ibm_z_systems_eus 9.6_s390x
redhat enterprise_linux_server_aus 9.6
nixos nixos *
redhat enterprise_linux_for_ibm_z_systems 9.0_s390x
redhat enterprise_linux 8.0
redhat enterprise_linux_for_power_little_endian_eus 9.6_ppc64le
suse suse_linux -
redhat enterprise_linux_update_services_for_sap_solutions 9.6
redhat enterprise_linux_for_arm_64 8.0_aarch64
tritondatacenter smartos *
redhat enterprise_linux_for_power_little_endian 9.0_ppc64le
archlinux arch_linux -
redhat enterprise_linux 9.0
redhat enterprise_linux_for_arm_64_eus 9.6_aarch64
redhat enterprise_linux_for_power_little_endian 8.0_ppc64le
almalinux almalinux 8.0
CVE-2024-12088

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.
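Both rsync advisories above (CVE-2024-12087 and CVE-2024-12088) are containment failures: the receiving side checked paths and link targets as strings instead of resolving what they point to on the local disk, where a symlink placed earlier in the same transfer may already exist. The script below is an added example, not rsync's code, contrasting an insufficient lexical check with one that resolves every existing component before deciding whether a write path or a link target stays under the destination. The demo tree, its directory names and the helper names are constructed for the example.

```python
import os
import tempfile


def lexically_inside(rel: str) -> bool:
    """The insufficient check: reject only absolute paths and a leading '..'."""
    norm = os.path.normpath(rel)
    return not os.path.isabs(norm) and norm != ".." and not norm.startswith(".." + os.sep)


def resolved_inside(root: str, rel: str) -> bool:
    """Resolve every existing component, symlinks included, then test containment.
    The final component need not exist yet, which is the case for a file about to be written."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rel))
    return target == root_real or target.startswith(root_real + os.sep)


def naive_link_target_ok(target: str) -> bool:
    """Looks only at the target string: not absolute, no '..' component."""
    return not os.path.isabs(target) and ".." not in target.split("/")


def link_target_inside(root: str, link_rel: str, target: str) -> bool:
    """Evaluate the target relative to the link's own directory and resolve symlinks on that path."""
    return resolved_inside(root, os.path.join(os.path.dirname(link_rel), target))


def build_demo_tree() -> str:
    """Constructed layout: dest/ with a data/ subdir and a symlink 'escape' -> ../outside."""
    tmp = tempfile.mkdtemp()
    root, outside = os.path.join(tmp, "dest"), os.path.join(tmp, "outside")
    os.mkdir(root)
    os.mkdir(outside)
    os.mkdir(os.path.join(root, "data"))
    # A link like this could have been created by an earlier entry of the same transfer.
    os.symlink(os.path.join("..", "outside"), os.path.join(root, "escape"))
    with open(os.path.join(outside, "secret"), "w") as f:
        f.write("x")
    return root


def demo() -> dict:
    root = build_demo_tree()
    return {
        "plain_lexical": lexically_inside("data/ok.txt"),
        "plain_resolved": resolved_inside(root, "data/ok.txt"),
        "dotdot_lexical": lexically_inside("../outside/x"),
        "dotdot_resolved": resolved_inside(root, "../outside/x"),
        # A write through the symlink: no '..' in the string, yet it lands outside dest.
        "via_symlink_lexical": lexically_inside("escape/notes.txt"),
        "via_symlink_resolved": resolved_inside(root, "escape/notes.txt"),
        # A link whose target passes through another symlink, the --safe-links gap.
        "nested_link_naive": naive_link_target_ok("escape/secret"),
        "nested_link_resolved": link_target_inside(root, "link", "escape/secret"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

The resolved check is what a receiver must do for every path it is about to create and for every symlink target it is about to honour; the string-only checks pass exactly the two cases the advisories describe.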

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
almalinux almalinux 10.0
redhat enterprise_linux_eus 9.6
redhat enterprise_linux_for_ibm_z_systems 8.0_s390x
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 9.6_ppc64le
samba rsync *
redhat enterprise_linux_for_arm_64 9.0_aarch64
gentoo linux -
almalinux almalinux 9.0
redhat enterprise_linux_for_ibm_z_systems_eus 9.6_s390x
redhat discovery 1.14
novell suse_linux -
redhat enterprise_linux_server_aus 9.6
nixos nixos *
redhat enterprise_linux 6.0
redhat enterprise_linux_for_ibm_z_systems 9.0_s390x
redhat enterprise_linux 8.0
redhat enterprise_linux_for_power_little_endian_eus 9.6_ppc64le
redhat enterprise_linux_update_services_for_sap_solutions 9.6
redhat enterprise_linux_for_arm_64 8.0_aarch64
tritondatacenter smartos *
redhat enterprise_linux_for_power_little_endian 9.0_ppc64le
archlinux arch_linux -
redhat enterprise_linux 7.0
redhat openshift_container_platform 4.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
redhat enterprise_linux_for_arm_64_eus 9.6_aarch64
redhat enterprise_linux_for_power_little_endian 8.0_ppc64le
almalinux almalinux 8.0
CVE-2024-27297

Nix is a package manager for Linux and other Unix systems. On Linux, a fixed-output derivation can send file descriptors for files in the Nix store to another program running on the host (or to another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows the output of the derivation to be modified after Nix has registered the path as "valid" and immutable in the Nix database; in particular, the output of a fixed-output derivation can be changed away from its expected content. This issue has been addressed in versions 2.3.18, 2.18.2, 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L 2.1 4.2

Products Affected

Vendor Product Version
nixos nix *
CVE-2024-32657

Hydra is a Continuous Integration service for Nix based projects. Attackers can execute arbitrary code in the browser context of Hydra and execute authenticated HTTP requests. The abused feature allows Nix builds to specify files that Hydra serves to clients; one use of this functionality is serving NixOS `.iso` files. The issue only affects HTML files served by Hydra. The issue has been patched on https://hydra.nixos.org around 2024-04-21 14:30 UTC. The nixpkgs package was fixed in unstable and 23.11. Users with custom Hydra packages can apply the fix commit to their local installations. The vulnerability is only triggered when opening HTML build artifacts, so not opening them until the fix is applied works around the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

Products Affected

Vendor Product Version
nixos hydra *
CVE-2024-45049

Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can be fixed by applying https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package. Users are advised to upgrade. Users unable to upgrade should deny the `/api/push` route in a reverse proxy. This also breaks the "Evaluate jobset" button in the frontend.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
nixos hydra *
CVE-2024-45593

Nix is a package manager for Linux and other Unix systems. A bug in Nix 2.24 prior to 2.24.6 allows a substituter or malicious user to craft a NAR that, when unpacked by Nix, causes Nix to write to arbitrary file system locations to which the Nix process has access. When the Nix daemon is in use, those writes happen with root permissions. This issue is fixed in Nix 2.24.6.
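The advisory describes a NAR whose unpacking writes outside the destination. The following is an added example and not Nix's unpacker: a minimal NAR writer and reader (the format is the string "nix-archive-1" followed by nested nodes, every string encoded as a little-endian 64-bit length plus the bytes zero-padded to a multiple of 8) whose unpacker validates each directory entry name before joining it to the destination path. The hostile archives and file names are constructed for the example; the validation rules (no separator, no "." or "..", names unique and sorted) are a defensive model, not a statement of which check Nix 2.24.6 added. Symlink nodes are left out to keep the example short.

```python
import os
import struct
import tempfile


def nar_str(b: bytes) -> bytes:
    """NAR string: little-endian u64 length, then the bytes zero-padded to a multiple of 8."""
    return struct.pack("<Q", len(b)) + b + b"\0" * (-len(b) % 8)


def nar_regular(data: bytes) -> bytes:
    return b"".join(map(nar_str, (b"(", b"type", b"regular", b"contents", data, b")")))


def nar_directory(entries) -> bytes:  # entries: [(name, node_bytes)], unique and sorted
    body = b"".join(nar_str(b"entry") + nar_str(b"(") + nar_str(b"name") + nar_str(n)
                    + nar_str(b"node") + node + nar_str(b")") for n, node in entries)
    return b"".join(map(nar_str, (b"(", b"type", b"directory"))) + body + nar_str(b")")


def nar_archive(node: bytes) -> bytes:
    return nar_str(b"nix-archive-1") + node


class NarReader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def read(self) -> bytes:
        (n,) = struct.unpack_from("<Q", self.buf, self.pos)
        s = bytes(self.buf[self.pos + 8:self.pos + 8 + n])
        if len(s) != n:
            raise ValueError("truncated NAR")
        self.pos += 8 + n + (-n % 8)
        return s

    def expect(self, tok: bytes) -> None:
        if (got := self.read()) != tok:
            raise ValueError(f"expected {tok!r}, got {got!r}")


def valid_entry_name(name: bytes) -> bool:
    """Not empty, not '.' or '..', no path separator, no NUL."""
    return name not in (b"", b".", b"..") and b"/" not in name and b"\0" not in name


def unpack_nar(buf: bytes, dest: str) -> list:
    """Write the archive under dest and return the paths written. Each entry name is
    validated before it is joined to the destination, so a hostile name raises
    ValueError rather than producing a path outside dest."""
    r = NarReader(buf)
    r.expect(b"nix-archive-1")
    written = []

    def node(path: str) -> None:
        r.expect(b"(")
        r.expect(b"type")
        t = r.read()
        if t == b"regular":
            tok = r.read()
            if tok == b"executable":  # optional marker, encoded as "executable" ""
                r.expect(b"")
                tok = r.read()
            if tok != b"contents":
                raise ValueError("bad regular node")
            with open(path, "wb") as f:
                f.write(r.read())
            written.append(path)
            r.expect(b")")
        elif t == b"directory":
            os.mkdir(path)
            prev = b""
            while (tok := r.read()) == b"entry":
                r.expect(b"(")
                r.expect(b"name")
                name = r.read()
                if not valid_entry_name(name) or name <= prev:  # also enforces unique, sorted
                    raise ValueError(f"unsafe or out-of-order entry name {name!r}")
                prev = name
                r.expect(b"node")
                node(os.path.join(path, name.decode()))
                r.expect(b")")
            if tok != b")":
                raise ValueError("bad directory node")
        else:
            raise ValueError(f"unsupported node type {t!r}")

    node(dest)
    return written


def demo() -> dict:
    """Unpack one well-formed archive and three constructed hostile ones."""
    good = nar_archive(nar_directory([
        (b"bin", nar_directory([(b"hello", nar_regular(b"#!/bin/sh\necho hi\n"))])),
        (b"readme", nar_regular(b"docs\n"))]))
    hostile = [nar_archive(nar_directory([(b"../escape", nar_regular(b"pwned"))])),  # separator
               nar_archive(nar_directory([(b"..", nar_regular(b"pwned"))])),         # parent dir
               nar_archive(nar_directory([(b"b", nar_regular(b"1")), (b"a", nar_regular(b"2"))]))]
    base = tempfile.mkdtemp()
    written = unpack_nar(good, os.path.join(base, "good"))
    rejected = 0
    for i, buf in enumerate(hostile):
        try:
            unpack_nar(buf, os.path.join(base, f"bad{i}"))
        except ValueError:
            rejected += 1
    return {"written": sorted(os.path.relpath(p, base) for p in written), "rejected": rejected,
            "escaped": os.path.exists(os.path.join(base, "escape"))}
```

The point of the ordering in unpack_nar is that the name check happens before any path is formed from it; a check that runs after os.path.join, or only on the final absolute path, would already have let "../escape" through a join that normalises it away.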

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 9.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 2.3 6.0

Products Affected

Vendor Product Version
nixos nix *
CVE-2025-32435

Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake Nix code could potentially access secrets that are readable by the hydra user/group. This should not affect the signing keys, which are owned by the hydra-queue-runner and hydra-www users respectively.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 1.2 1.4

Products Affected

Vendor Product Version
nixos hydra *
CVE-2025-54800

Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. A third-party project could do this as part of its build process. The same happens in other places, such as with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
nixos hydra *
CVE-2025-54864

Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication; both forges do, however, support HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, which allows denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy.
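Both Hydra advisories that name a reverse-proxy workaround (CVE-2024-45049 for /api/push, and CVE-2025-54864 above for the forge hooks) can be handled with one fragment. The module below is an added example for a NixOS host that fronts Hydra with nginx; it is not from the Hydra project. The virtual host name, and Hydra listening on 127.0.0.1:3000, are assumptions.

```nix
# Added example (not from the Hydra project). Assumes a NixOS host running nginx
# in front of Hydra, which is assumed to listen on 127.0.0.1:3000
# (services.hydra.port / services.hydra.listenHost).
{ ... }:
{
  services.nginx.virtualHosts."hydra.example.org" = {
    locations."/".proxyPass = "http://127.0.0.1:3000";

    # Weak: with only the location above, /api/push (CVE-2024-45049) and the
    # forge hooks /api/push-github and /api/push-gitea (CVE-2025-54864) are
    # reachable from anywhere and can start evaluations without authentication.

    # Hardened workaround, as both advisories suggest: refuse the routes at the proxy.
    locations."= /api/push".extraConfig = "deny all;";
    locations."= /api/push-github".extraConfig = "deny all;";
    locations."= /api/push-gitea".extraConfig = "deny all;";
  };
}
```

As the CVE-2024-45049 text notes, denying /api/push also breaks the "Evaluate jobset" button in the frontend, and denying the two forge routes means pushes on GitHub or Gitea no longer trigger evaluations; keep the denies only until the patched commits are deployed.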

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
nixos hydra *