CVE-2025-5351 (created 4 months ago)
Libssh: double free vulnerability in libssh key export functions

A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.

Affected products:
rhcos
libssh <0.11.2
libssh2

Matching in nixpkgs:
pkgs.libssh (SSH client library) - nixos-unstable, nixpkgs-unstable - 0.11.2
pkgs.libssh2 (Client-side C library implementing the SSH2 protocol) - nixos-unstable, nixpkgs-unstable - 1.11.1
pkgs.haskellPackages.libssh (libssh bindings) - nixos-unstable, nixpkgs-unstable - 0.1.0.0
pkgs.python312Packages.ansible-pylibssh (Python bindings to client functionality of libssh specific to Ansible use case) - nixos-unstable, nixpkgs-unstable - 1.2.2
pkgs.python313Packages.ansible-pylibssh (Python bindings to client functionality of libssh specific to Ansible use case) - nixos-unstable, nixpkgs-unstable - 1.2.2
pkgs.tests.pkg-config.defaultPkgConfigPackages.libssh2 (Test whether libssh2-1.11.1 exposes pkg-config modules libssh2) - nixos-unstable, nixpkgs-unstable - libssh2

Package maintainers (3):
@svanderburg Sander van der Burg <s.vanderburg@tudelft.nl>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@geluk Johan Geluk <johan+nix@geluk.io>
CVE-2024-9453 (created 4 months ago)
Jenkins-image: sensitive data disclosure when using openshift jenkins image

A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the environment if they have access to sensitive information.

Affected products:
jenkins
openshift-sync-plugin <1.1.0.818.v3883b_3b_df89a_

Matching in nixpkgs:
pkgs.jenkins (Extendable open source continuous integration server) - nixos-unstable, nixpkgs-unstable - 2.516.2
pkgs.jenkins-job-builder (Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git) - nixos-unstable, nixpkgs-unstable - 6.4.2
pkgs.python312Packages.jenkinsapi (Python API for accessing resources on a Jenkins continuous-integration server) - nixos-unstable, nixpkgs-unstable - 0.3.14
pkgs.python313Packages.jenkinsapi (Python API for accessing resources on a Jenkins continuous-integration server) - nixos-unstable, nixpkgs-unstable - 0.3.14
pkgs.python312Packages.python-jenkins (Python bindings for the remote Jenkins API) - nixos-unstable, nixpkgs-unstable - 1.8.3
pkgs.python313Packages.python-jenkins (Python bindings for the remote Jenkins API) - nixos-unstable, nixpkgs-unstable - 1.8.3
pkgs.python312Packages.jenkins-job-builder (Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git) - nixos-unstable, nixpkgs-unstable - 6.4.2
pkgs.python313Packages.jenkins-job-builder (Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git) - nixos-unstable, nixpkgs-unstable - 6.4.2

Package maintainers (8):
@NeQuissimus Tim Steinbach <tim@nequissimus.com>
@earldouglas James Earl Douglas <james@earldouglas.com>
@Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>
@invokes-su Souvik Sen <nixpkgs-commits@deshaw.com>
@drets Dmytro Rets <dmitryrets@gmail.com>
@de11n Elliot Cameron <nixpkgs-commits@deshaw.com>
@despsyched Priyanshu Tripathi <priyanshu.tripathi@deshaw.com>
@gador Florian Brandes <florian.brandes@posteo.de>
CVE-2025-5372 (created 4 months ago)
Libssh: incorrect return code handling in ssh_kdf() in libssh

A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values, where OpenSSL uses 0 to indicate failure and libssh uses 0 for success, the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising the confidentiality, integrity, and availability of SSH sessions.

Affected products:
rhcos
libssh <0.11.2 *
libssh2

Matching in nixpkgs:
pkgs.libssh (SSH client library) - nixos-unstable, nixpkgs-unstable - 0.11.2
pkgs.libssh2 (Client-side C library implementing the SSH2 protocol) - nixos-unstable, nixpkgs-unstable - 1.11.1
pkgs.haskellPackages.libssh (libssh bindings) - nixos-unstable, nixpkgs-unstable - 0.1.0.0
pkgs.python312Packages.ansible-pylibssh (Python bindings to client functionality of libssh specific to Ansible use case) - nixos-unstable, nixpkgs-unstable - 1.2.2
pkgs.python313Packages.ansible-pylibssh (Python bindings to client functionality of libssh specific to Ansible use case) - nixos-unstable, nixpkgs-unstable - 1.2.2
pkgs.tests.pkg-config.defaultPkgConfigPackages.libssh2 (Test whether libssh2-1.11.1 exposes pkg-config modules libssh2) - nixos-unstable, nixpkgs-unstable - libssh2

Package maintainers (3):
@svanderburg Sander van der Burg <s.vanderburg@tudelft.nl>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@geluk Johan Geluk <johan+nix@geluk.io>
CVE-2025-52816 (created 4 months ago)
WordPress Zita theme <= 1.6.5 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita allows PHP Local File Inclusion. This issue affects Zita: from n/a through 1.6.5.

Affected products:
zita <=1.6.5

Matching in nixpkgs:
pkgs.zitadel (Identity and access management platform) - nixos-unstable, nixpkgs-unstable - 2.71.7
pkgs.zita-at1 (Autotuner Jack application to correct the pitch of vocal tracks) - nixos-unstable, nixpkgs-unstable - at1-0.8.2
pkgs.zita-ajbridge (Connect additional ALSA devices to JACK) - nixos-unstable, nixpkgs-unstable - 0.8.4
pkgs.zita-njbridge (Command line Jack clients to transmit full quality multichannel audio over a local IP network) - nixos-unstable, nixpkgs-unstable - 0.4.8
pkgs.zitadel-tools (Helper tools for zitadel) - nixos-unstable, nixpkgs-unstable - 0.5.0
pkgs.zita-alsa-pcmi (Successor of clalsadrv, provides easy access to ALSA PCM devices) - nixos-unstable, nixpkgs-unstable - 0.6.1
pkgs.zita-convolver (Convolution library by Fons Adriaensen) - nixos-unstable, nixpkgs-unstable - 4.0.3
pkgs.zita-resampler (Resample library by Fons Adriaensen) - nixos-unstable, nixpkgs-unstable - 1.11.2

Package maintainers (3):
@orivej Orivej Desh <orivej@gmx.fr>
@magnetophon Bart Brouns <bart@magnetophon.nl>
@nrabulinski Nikodem Rabuliński <1337-nix@nrab.lol>
CVE-2025-53331 (created 4 months ago)
WordPress RSS Digest plugin <= 1.5 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in samcharrington RSS Digest allows Stored XSS. This issue affects RSS Digest: from n/a through 1.5.

Affected products:
rss-digest <=1.5

Matching in nixpkgs:
pkgs.matcha-rss-digest (Daily digest generator from a list of RSS feeds) - nixos-unstable, nixpkgs-unstable - 0.7.1

Package maintainers (1):
@foo-dogsquared Gabriel Arazas <foodogsquared@foodogsquared.one>
CVE-2024-6174 (created 4 months ago)
When a non-x86 platform is detected, cloud-init grants root access …

When a non-x86 platform is detected, cloud-init grants root access to a hardcoded URL with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

Affected products:
cloud-init <25.1.3

Matching in nixpkgs:
pkgs.cloud-init (Provides configuration and customization of cloud instance) - nixos-unstable, nixpkgs-unstable - 25.2

Package maintainers (2):
@jfroche Jean-François Roche <jfroche@pyxel.be>
@illustris Harikrishnan R <me@illustris.tech>
CVE-2024-11584 (created 4 months ago)
cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with …

cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

Affected products:
cloud-init <25.1.3

Matching in nixpkgs:
pkgs.cloud-init (Provides configuration and customization of cloud instance) - nixos-unstable, nixpkgs-unstable - 25.2

Package maintainers (2):
@jfroche Jean-François Roche <jfroche@pyxel.be>
@illustris Harikrishnan R <me@illustris.tech>
CVE-2025-5318 (created 4 months ago)
Libssh: out-of-bounds read in sftp_handle()

A flaw was found in the libssh library. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.

Affected products:
rhcos *
libssh <0.11.2 *
rhosdt/tempo-rhel8 *
rhaiis/vllm-cuda-rhel9 *
rhaiis/vllm-rocm-rhel9 *
rhosdt/tempo-query-rhel8 *
rhosdt/tempo-gateway-rhel8 *
rhaiis/model-opt-cuda-rhel9 *
rhosdt/tempo-rhel8-operator *
rhosdt/tempo-gateway-opa-rhel8 *
rhosdt/tempo-jaeger-query-rhel8 *

Matching in nixpkgs:
pkgs.libssh (SSH client library) - nixos-unstable, nixpkgs-unstable - 0.11.2
pkgs.libssh2 (Client-side C library implementing the SSH2 protocol) - nixos-unstable, nixpkgs-unstable - 1.11.1
pkgs.haskellPackages.libssh (libssh bindings) - nixos-unstable, nixpkgs-unstable - 0.1.0.0
pkgs.python312Packages.ansible-pylibssh (Python bindings to client functionality of libssh specific to Ansible use case) - nixos-unstable, nixpkgs-unstable - 1.2.2
pkgs.python313Packages.ansible-pylibssh (Python bindings to client functionality of libssh specific to Ansible use case) - nixos-unstable, nixpkgs-unstable - 1.2.2
pkgs.tests.pkg-config.defaultPkgConfigPackages.libssh2 (Test whether libssh2-1.11.1 exposes pkg-config modules libssh2) - nixos-unstable, nixpkgs-unstable - libssh2

Package maintainers (3):
@svanderburg Sander van der Burg <s.vanderburg@tudelft.nl>
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@geluk Johan Geluk <johan+nix@geluk.io>
CVE-2025-6032 (created 4 months ago)
Podman: podman missing tls verification

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue exposes the download to a man-in-the-middle attack.

Affected products:
rhcos *
podman <5.5.2 *
container-tools:rhel8 *
container-tools:rhel8/podman

Matching in nixpkgs:
pkgs.podman (Program for managing pods, containers and container images) - nixos-unstable, nixpkgs-unstable - 5.6.1
pkgs.podman-tui (Podman Terminal UI) - nixos-unstable, nixpkgs-unstable - 1.8.0
pkgs.podman-bootc (Streamlining podman+bootc interactions) - nixos-unstable, nixpkgs-unstable - 0.1.2
pkgs.podman-compose (Implementation of docker-compose with podman backend) - nixos-unstable, nixpkgs-unstable - 1.5.0
pkgs.podman-desktop (Graphical tool for developing on containers and Kubernetes) - nixos-unstable, nixpkgs-unstable - 1.21.0
pkgs.nomad-driver-podman (Podman task driver for Nomad) - nixos-unstable, nixpkgs-unstable - 0.6.3
pkgs.python312Packages.podman (Python bindings for Podman's RESTful API) - nixos-unstable, nixpkgs-unstable - 5.6.0
pkgs.python313Packages.podman (Python bindings for Podman's RESTful API) - nixos-unstable, nixpkgs-unstable - 5.6.0

Package maintainers (8):
@cpcloud Phillip Cloud
@saschagrunert Sascha Grunert <mail@saschagrunert.de>
@vdemeester Vincent Demeester <vincent@sbr.pm>
@evan-goode Evan Goode <mail@evangoo.de>
@sikmir Nikolay Korotkiy <sikmir@disroot.org>
@booxter Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
@aaronjheng Aaron Jheng <wentworth@outlook.com>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
CVE-2025-6547 (created 4 months ago)
On Node.js < 3, pbkdf2 silently disregards Uint8Array input, returning static keys

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects pbkdf2: <=3.1.2.

Affected products:
pbkdf2 <=3.1.2

Matching in nixpkgs:
pkgs.fastpbkdf2 (Fast PBKDF2-HMAC-{SHA1,SHA256,SHA512} implementation in C) - nixos-unstable, nixpkgs-unstable - 1.0.0
pkgs.python312Packages.pbkdf2 - nixos-unstable, nixpkgs-unstable - pbkdf2-1.3
pkgs.python313Packages.pbkdf2 - nixos-unstable, nixpkgs-unstable - pbkdf2-1.3
pkgs.python312Packages.fastpbkdf2 (Python bindings for fastpbkdf2) - nixos-unstable, nixpkgs-unstable - fastpbkdf2-0.2
pkgs.python313Packages.fastpbkdf2 (Python bindings for fastpbkdf2) - nixos-unstable, nixpkgs-unstable - fastpbkdf2-0.2
pkgs.chickenPackages_5.chickenEggs.pbkdf2 (Password-Based Key Derivation Function as defined in RFC2898) - nixos-unstable, nixpkgs-unstable - pbkdf2-1.3

Package maintainers (2):
@ledif Adam Fidel <refuse@gmail.com>
@jqueiroz Jonathan Queiroz <nixos@johnjq.com>