Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2025-0018
published 6 months, 1 week ago
Permalink CVE-2025-61662
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 7 months ago
  • @LeSuisse deleted
    4 maintainers
    • @SigmaSquadron
    • @hehongbo
    • @digitalrane
    • @CertainLach
    6 months, 1 week ago maintainer.delete
  • @LeSuisse ignored
    2 packages
    • grub2_pvhgrub_image
    • grub2_pvgrub_image
    6 months, 1 week ago
  • @LeSuisse accepted 6 months, 1 week ago
  • @LeSuisse published on GitHub 6 months, 1 week ago

Grub2: missing unregister call for gettext command may lead to use-after-free

grub2
  • =<2.14
rhcos
NIXPKGS-2025-0017
published 6 months, 1 week ago
Permalink CVE-2025-61663
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 7 months ago
  • @LeSuisse deleted
    4 maintainers
    • @SigmaSquadron
    • @hehongbo
    • @digitalrane
    • @CertainLach
    6 months, 1 week ago maintainer.delete
  • @LeSuisse ignored
    2 packages
    • grub2_pvgrub_image
    • grub2_pvhgrub_image
    6 months, 1 week ago
  • @LeSuisse accepted 6 months, 1 week ago
  • @LeSuisse published on GitHub 6 months, 1 week ago

Grub2: missing unregister call for normal commands may lead to use-after-free

grub2
  • =<2.14
rhcos
NIXPKGS-2025-0014
published 6 months, 1 week ago
Permalink CVE-2025-13502
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 6 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 6 months, 4 weeks ago
  • @LeSuisse ignored
    5 packages
    • tests.pkg-config.defaultPkgConfigPackages."webkit2gtk-4.0"
    • obs-studio-plugins.obs-webkitgtk
    • haskellPackages.webkit2gtk3-javascriptcore
    • tests.pkg-config.defaultPkgConfigPackages."javascriptcoregtk-4.0"
    • tests.pkg-config.defaultPkgConfigPackages."webkit2gtk-web-extension-4.0"
    6 months, 1 week ago
  • @LeSuisse deleted
    4 maintainers
    • @jtojnar
    • @bobby285271
    • @hedning
    • @dasj19
    6 months, 1 week ago maintainer.delete
  • @LeSuisse accepted 6 months, 1 week ago
  • @LeSuisse published on GitHub 6 months, 1 week ago

Webkit: webkitgtk / wpe webkit: out-of-bounds read and integer underflow vulnerability leading to dos

webkitgtk
  • <2.50.2
webkitgtk3
webkitgtk4
  • *
webkit2gtk3
  • *
NIXPKGS-2025-0021
published 6 months, 1 week ago
Permalink CVE-2025-61664
4.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 6 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 7 months ago
  • @LeSuisse ignored
    2 packages
    • grub2_pvgrub_image
    • grub2_pvhgrub_image
    6 months, 1 week ago
  • @LeSuisse deleted maintainer @SigmaSquadron 6 months, 1 week ago maintainer.delete
  • @LeSuisse added
    3 maintainers
    • @hehongbo
    • @digitalrane
    • @CertainLach
    6 months, 1 week ago maintainer.add
  • @LeSuisse deleted
    3 maintainers
    • @hehongbo
    • @digitalrane
    • @CertainLach
    6 months, 1 week ago maintainer.delete
  • @LeSuisse accepted 6 months, 1 week ago
  • @LeSuisse published on GitHub 6 months, 1 week ago

Grub2: missing unregister call for normal_exit command may lead to use-after-free

grub2
  • =<2.14
rhcos
NIXPKGS-2025-0015
published 6 months, 1 week ago
Permalink CVE-2025-8396
updated 6 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 9 months, 1 week ago
  • @LeSuisse ignored
    14 packages
    • temporal-cli
    • python312Packages.temporalio
    • python313Packages.temporalio
    • haskellPackages.temporal-media
    • terraform-providers.temporalcloud
    • postgresqlPackages.temporal_tables
    • postgresql13Packages.temporal_tables
    • postgresql14Packages.temporal_tables
    • postgresql15Packages.temporal_tables
    • postgresql16Packages.temporal_tables
    • postgresql18Packages.temporal_tables
    • haskellPackages.temporal-music-notation
    • haskellPackages.temporal-music-notation-demo
    • haskellPackages.temporal-music-notation-western
    7 months, 3 weeks ago
  • @LeSuisse accepted 7 months, 3 weeks ago
  • @LeSuisse published on GitHub 6 months, 1 week ago

Insufficiently specific bounds checking on authorization header could lead to …

temporal
  • <1.26.3
  • <1.27.3
  • <1.28.1
NIXPKGS-2025-0013
published 6 months, 1 week ago
Permalink CVE-2025-10230
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 6 months, 1 week ago by @mweinelt Activity log
  • Created suggestion 7 months ago
  • @mweinelt ignored package sambamba 6 months, 1 week ago
  • @mweinelt accepted 6 months, 1 week ago
  • @mweinelt published on GitHub 6 months, 1 week ago

Samba: command injection in wins server hook script

rhcos
samba
  • <4.21.9
  • <4.23.2
  • <4.21.5
samba4
Fixed in:
https://github.com/NixOS/nixpkgs/pull/433796
https://github.com/NixOS/nixpkgs/pull/452396
NIXPKGS-2025-0012
published 6 months, 1 week ago
Permalink CVE-2025-11935
updated 6 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 7 months ago
  • @LeSuisse accepted 6 months, 1 week ago
  • @LeSuisse published on GitHub 6 months, 1 week ago

Forward Secrecy Violation in WolfSSL TLS 1.3

wolfssl
  • ==v5.8.2
  • <5.8.4
NIXPKGS-2025-0011
published 6 months, 1 week ago
Permalink CVE-2025-11934
updated 6 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion 7 months ago
  • @LeSuisse accepted 6 months, 1 week ago
  • @LeSuisse published on GitHub 6 months, 1 week ago

Improper Validation of Signature Algorithm Used in TLS 1.3 CertificateVerify

wolfssl
  • ==v5.8.2
  • <5.8.4
NIXPKGS-2025-0006
published 7 months, 3 weeks ago
Permalink CVE-2025-40928
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 7 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 9 months, 1 week ago
  • @LeSuisse ignored
    6 packages
    • perlPackages.CpanelJSONXS
    • perl538Packages.CpanelJSONXS
    • perl540Packages.CpanelJSONXS
    • perlPackages.JSONXSVersionOneAndTwo
    • perl538Packages.JSONXSVersionOneAndTwo
    • perl540Packages.JSONXSVersionOneAndTwo
    7 months, 3 weeks ago
  • @LeSuisse accepted 7 months, 3 weeks ago
  • @LeSuisse published on GitHub 7 months, 3 weeks ago

JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact

JSON-XS
  • <4.04
NIXPKGS-2025-0009
published 7 months, 3 weeks ago
Permalink CVE-2025-8941
7.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 7 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 9 months, 1 week ago
  • @LeSuisse ignored
    69 packages
    • ipam
    • opam
    • paml
    • dspam
    • pamix
    • rspamd
    • openpam
    • pam_p11
    • pam_u2f
    • pamixer
    • dopamine
    • pam_krb5
    • sbclPackages.cl-xmlspam
    • python312Packages.pamela
    • python313Packages.pamela
    • stalwart-mail-spam-filter
    • python312Packages.pypamtest
    • python313Packages.pypamtest
    • python312Packages.python-pam
    • python313Packages.python-pam
    • wordpressPackages.plugins.antispam-bee
    • matrix-synapse-plugins.matrix-synapse-pam
    • matrix-synapse-plugins.synapse-http-antispam
    • matrix-synapse-plugins.matrix-synapse-mjolnir-antispam
    • vscode-extensions.fabiospampinato.vscode-open-in-github
    • pam_ssh_agent_auth
    • rubyPackages.rpam2
    • decode-spam-headers
    • haskellPackages.pam
    • luaPackages.lua-pam
    • google-authenticator
    • lua51Packages.lua-pam
    • lua52Packages.lua-pam
    • lua53Packages.lua-pam
    • rubyPackages_3_1.rpam2
    • rubyPackages_3_2.rpam2
    • rubyPackages_3_3.rpam2
    • rubyPackages_3_4.rpam2
    • kdePackages.kwallet-pam
    • opensmtpd-filter-rspamd
    • python312Packages.pamqp
    • python313Packages.pamqp
    • apparmor-pam
    • opam-publish
    • pam-reattach
    • spamassassin
    • nss_pam_ldapd
    • libpam-wrapper
    • opam-installer
    • pam-honeycreds
    • rspamd-trainer
    • pam_ussh
    • pam_rssh
    • pam_ldap
    • pam
    • ncpamixer
    • opam2json
    • pam_dp9ik
    • pam_gnupg
    • pam_mount
    • pam_mysql
    • pam_pgsql
    • pamtester
    • pam_ccreds
    • pam_mktemp
    • pam_rundir
    • pam_tmpdir
    • yubico-pam
    • pam-watchid
    7 months, 3 weeks ago
  • @LeSuisse accepted 7 months, 3 weeks ago
  • @LeSuisse published on GitHub 7 months, 3 weeks ago

Linux-pam: incomplete fix for cve-2025-6020

pam
  • *
linux-pam
discovery/discovery-server-rhel9
  • *
web-terminal/web-terminal-tooling-rhel9
  • *
cert-manager/jetstack-cert-manager-rhel9
  • *
web-terminal/web-terminal-rhel9-operator
  • *
insights-proxy/insights-proxy-container-rhel9
  • *
compliance/openshift-compliance-openscap-rhel8
  • *
openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/discovery/discovery-server-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-builder-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-podvm-payload-rhel9
  • *
registry.redhat.io/openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9
  • *