NIXPKGS-2026-1074

GitHub issue published 2 months, 2 weeks ago

Permalink CVE-2026-5774

updated 2 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 2 weeks ago
@LeSuisse ignored
2 packages
- jujutsu
- jujuutils
2 months, 2 weeks ago
@LeSuisse accepted 2 months, 2 weeks ago
@LeSuisse published on GitHub 2 months, 2 weeks ago

Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map

Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.

References

In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence exploitvdb-entryvendor-advisory
https://github.com/juju/juju/pull/22206 issue-trackingpatch
https://github.com/juju/juju/pull/22205 issue-trackingpatch

Affected products

juju

<2.9.57
<4.0.6
<3.6.21

Matching in nixpkgs

pkgs.juju

Open source modelling tool for operating software in the cloud

nixos-unstable 3.6.12
- nixpkgs-unstable 3.6.12
- nixos-unstable-small 3.6.12

Ignored packages (2)

pkgs.jujutsu

Git-compatible DVCS that is both simple and powerful

nixos-unstable 0.40.0
- nixpkgs-unstable 0.40.0
- nixos-unstable-small 0.40.0

pkgs.jujuutils

Utilities around FireWire devices connected to a Linux computer

nixos-unstable 0.2
- nixpkgs-unstable 0.2
- nixos-unstable-small 0.2

Package maintainers

@RealityAnomaly Alex Zero <alex@arctarus.co.uk>

Nixpkgs security tracker