news: Add erratum for '--keep-failed' vulnerability.

* etc/news.scm: Add entry.
2026-04-06 21:20:33 +02:00 · 2021-03-18 21:51:45 +01:00
parent 9ade2b720a
commit f62633a527
1 changed files with 16 additions and 0 deletions
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -20,6 +20,22 @@
 (channel-news
 (version 0)

+ (entry (commit "ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf")
+        (title
+         (en "Update on previous @command{guix-daemon} local privilege escalation"))
+        (body
+         (en "The previous news item described a potential local privilege
+escalation in @command{guix-daemon}, and claimed that systems with the Linux
+@uref{https://www.kernel.org/doc/Documentation/sysctl/fs.txt,
+``protected hardlink''} feature enabled were unaffected by the vulnerability.
+
+This is not entirely correct.  Exploiting the bug on such systems is harder,
+but not impossible.  To avoid unpleasant surprises, all users are advised to
+upgrade @command{guix-daemon}.  Run @command{info \"(guix) Upgrading Guix\"}
+for info on how to do that.  See
+@uref{http://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/}
+for more information on this bug.")))
+
 (entry (commit "ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf")
        (title
         (en "Risk of local privilege escalation @i{via} @command{guix-daemon}")