news: Add erratum for '--keep-failed' vulnerability.

* etc/news.scm: Add entry.
This commit is contained in:
Tobias Geerinckx-Rice 2021-03-18 21:51:45 +01:00
parent 9ade2b720a
commit f62633a527
No known key found for this signature in database
GPG Key ID: 0DB0FF884F556D79

View File

@ -20,6 +20,22 @@
(channel-news
(version 0)
(entry (commit "ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf")
(title
(en "Update on previous @command{guix-daemon} local privilege escalation"))
(body
(en "The previous news item described a potential local privilege
escalation in @command{guix-daemon}, and claimed that systems with the Linux
@uref{https://www.kernel.org/doc/Documentation/sysctl/fs.txt,
``protected hardlink''} feature enabled were unaffected by the vulnerability.
This is not entirely correct. Exploiting the bug on such systems is harder,
but not impossible. To avoid unpleasant surprises, all users are advised to
upgrade @command{guix-daemon}. Run @command{info \"(guix) Upgrading Guix\"}
for info on how to do that. See
@uref{http://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/}
for more information on this bug.")))
(entry (commit "ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf")
(title
(en "Risk of local privilege escalation @i{via} @command{guix-daemon}")