Nixpkgs Security Tracker

Login with GitHub

Details of issue NIXPKGS-2025-0009

affected
published on 1 Nov 2025
CVE-2025-8941
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    69 packages
    • ipam
    • opam
    • paml
    • dspam
    • pamix
    • rspamd
    • openpam
    • pam_p11
    • pam_u2f
    • pamixer
    • dopamine
    • pam_krb5
    • sbclPackages.cl-xmlspam
    • python312Packages.pamela
    • python313Packages.pamela
    • stalwart-mail-spam-filter
    • python312Packages.pypamtest
    • python313Packages.pypamtest
    • python312Packages.python-pam
    • python313Packages.python-pam
    • wordpressPackages.plugins.antispam-bee
    • matrix-synapse-plugins.matrix-synapse-pam
    • matrix-synapse-plugins.synapse-http-antispam
    • matrix-synapse-plugins.matrix-synapse-mjolnir-antispam
    • vscode-extensions.fabiospampinato.vscode-open-in-github
    • pam_ssh_agent_auth
    • rubyPackages.rpam2
    • decode-spam-headers
    • haskellPackages.pam
    • luaPackages.lua-pam
    • google-authenticator
    • lua51Packages.lua-pam
    • lua52Packages.lua-pam
    • lua53Packages.lua-pam
    • rubyPackages_3_1.rpam2
    • rubyPackages_3_2.rpam2
    • rubyPackages_3_3.rpam2
    • rubyPackages_3_4.rpam2
    • kdePackages.kwallet-pam
    • opensmtpd-filter-rspamd
    • python312Packages.pamqp
    • python313Packages.pamqp
    • apparmor-pam
    • opam-publish
    • pam-reattach
    • spamassassin
    • nss_pam_ldapd
    • libpam-wrapper
    • opam-installer
    • pam-honeycreds
    • rspamd-trainer
    • pam_ussh
    • pam_rssh
    • pam_ldap
    • pam
    • ncpamixer
    • opam2json
    • pam_dp9ik
    • pam_gnupg
    • pam_mount
    • pam_mysql
    • pam_pgsql
    • pamtester
    • pam_ccreds
    • pam_mktemp
    • pam_rundir
    • pam_tmpdir
    • yubico-pam
    • pam-watchid
    2 months, 1 week ago
  • @LeSuisse accepted as draft 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago
Linux-pam: incomplete fix for cve-2025-6020

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

Affected products

pam
  • *
linux-pam
discovery/discovery-server-rhel9
  • *
web-terminal/web-terminal-tooling-rhel9
  • *
cert-manager/jetstack-cert-manager-rhel9
  • *
web-terminal/web-terminal-rhel9-operator
  • *
insights-proxy/insights-proxy-container-rhel9
  • *
compliance/openshift-compliance-openscap-rhel8
  • *
openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/discovery/discovery-server-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *

Matching in nixpkgs

pkgs.linux-pam

Pluggable Authentication Modules, a flexible mechanism for authenticating user

  • nixos-unstable -