[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bug#1066113: guix: CVE-2024-27297
|
From: |
Vagrant Cascadian |
|
Subject: |
Re: Bug#1066113: guix: CVE-2024-27297 |
|
Date: |
Sat, 23 Mar 2024 15:37:50 -0700 |
Control: severity 1066113 serious
On 2024-03-16, Vagrant Cascadian wrote:
> On 2024-03-15, Salvatore Bonaccorso wrote:
>> On Fri, Mar 15, 2024 at 11:22:52AM -0700, Vagrant Cascadian wrote:
>>> On 2024-03-13, Vagrant Cascadian wrote:
>>> > On 2024-03-12, Vagrant Cascadian wrote:
>>> >> On 2024-03-12, Salvatore Bonaccorso wrote:
>> We had a look, and as per
>> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b11b98d89550ce201b0de31401e822c55f4fa2a1
>> we think that it does not require a DSA, but a fix in the upcoming
>> point releases would be good.
>
> Oh my! I am a bit shocked by this honestly ... why is it treated as a
> minor security issue?
>
> I realize Guix is pretty niche in Debian... Nix is perhaps a little more
> widely used...
>
> For anyone with Guix or Nix installed, if I understand correctly, it
> basically allows arbitrarily replacing the source code for anything that
> you might build using Guix or Nix.
>
>
>> So can you submit it for the point releases? (make sure to adjust the
>> target distribution to bullseye respetively bookworm instead of
>> *-security).
>
> I can... although, I would like to make a kind and freindly nudge to
> reconsider a DSA if at all possible. :)
Thinking more on this... I worry that this issue is maybe more serious
than the Debian Security Team realizes?
If issues like this do not warrant a security update in Debian, I feel
the better course of action may be to remove Guix from Debian. I say
this reluctantly, with a heavy heart...
Marking as serious severity to reflect my opinion as the maintainer.
live well,
vagrant
signature.asc
Description: PGP signature
- Re: Bug#1066113: guix: CVE-2024-27297,
Vagrant Cascadian <=