Description
Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM) attack. `<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue. A user may be affected by the risk of leaking credentials if they have a `netrc` file for authentication, or rely on derivations with `impureEnvVars` set to use credentials from the environment. In addition, the commonplace trust-on-first-use (TOFU) technique of updating dependencies by specifying an invalid hash and obtaining it from a remote store was also vulnerable to a MITM injecting arbitrary store objects. This also applied to the impure derivations exper...
| Release | Status | Note |
|---|---|---|
| devel | not-affected | 2.26.3+dfsg-1ubuntu2 |
| esm-apps/jammy | released | 2.6.0+dfsg-3ubuntu0.1~esm1 |
| esm-apps/noble | released | 2.18.1+dfsg-1ubuntu5+esm2 |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | needed | |
| noble | needed | |
| oracular | ignored | end of life, was needed |
| plucky | not-affected | 2.24.9+dfsg-2ubuntu2 |
| questing | not-affected | 2.26.3+dfsg-1ubuntu2 |
CVSS3: 5.9 Medium