Nixpkgs security tracker
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse ignored reference https://o…
-
@LeSuisse
ignored
21 packages
- gollama
- nextjs-ollama-llm-ui
- python312Packages.ollama
- python313Packages.ollama
- python314Packages.ollama
- python312Packages.llm-ollama
- python313Packages.llm-ollama
- python314Packages.llm-ollama
- haskellPackages.ollama-haskell
- gnomeExtensions.ollama-indicator
- python312Packages.langchain-ollama
- python313Packages.langchain-ollama
- python314Packages.langchain-ollama
- home-assistant-component-tests.ollama
- tests.home-assistant-components.ollama
- python312Packages.llama-index-llms-ollama
- python313Packages.llama-index-llms-ollama
- python312Packages.llama-index-embeddings-ollama
- python313Packages.llama-index-embeddings-ollama
- pkgsRocm.python3Packages.llama-index-llms-ollama
- pkgsRocm.python3Packages.llama-index-embeddings-ollama
- @LeSuisse accepted
- @LeSuisse published on GitHub
Missing Signature Verification for Updates in Ollama
Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike other platforms, the Windows implementation of the update verification routine unconditionally returns success so no digital signature or trust validation is performed before staging or executing update payloads, enabling attacker‑supplied executables to be accepted and later executed by the application. Critically, Ollama for Windows performs silent automatic updates, so the malicious payload may be installed automatically without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
References
-
https://cert.pl/en/posts/2026/04/CVE-2026-42248/ third-party-advisory
Ignored references (1)
-
https://ollama.com/ product
Affected products
- =<0.17.5
Matching in nixpkgs
pkgs.ollama
Get up and running with large language models locally
pkgs.ollama-cpu
Get up and running with large language models locally
pkgs.ollama-cuda
Get up and running with large language models locally, using CUDA for NVIDIA GPU acceleration
pkgs.ollama-rocm
Get up and running with large language models locally, using ROCm for AMD GPU acceleration
pkgs.ollama-vulkan
Get up and running with large language models locally, using Vulkan for generic GPU acceleration
Ignored packages (21)
pkgs.gollama
Go manage your Ollama models
pkgs.nextjs-ollama-llm-ui
Simple chat web interface for Ollama LLMs
pkgs.python312Packages.ollama
Ollama Python library
pkgs.python313Packages.ollama
Ollama Python library
pkgs.python314Packages.ollama
Ollama Python library
pkgs.python312Packages.llm-ollama
LLM plugin providing access to Ollama models using HTTP API
pkgs.python313Packages.llm-ollama
LLM plugin providing access to Ollama models using HTTP API
pkgs.python314Packages.llm-ollama
LLM plugin providing access to Ollama models using HTTP API
pkgs.haskellPackages.ollama-haskell
Haskell client for ollama
pkgs.gnomeExtensions.ollama-indicator
An indicator that let you run models with Ollama.
pkgs.python312Packages.langchain-ollama
Integration package connecting Ollama and LangChain
pkgs.python313Packages.langchain-ollama
Integration package connecting Ollama and LangChain
pkgs.python314Packages.langchain-ollama
Integration package connecting Ollama and LangChain
pkgs.home-assistant-component-tests.ollama
Open source home automation that puts local control and privacy first
pkgs.tests.home-assistant-components.ollama
Open source home automation that puts local control and privacy first
pkgs.python312Packages.llama-index-llms-ollama
LlamaIndex LLMS Integration for ollama
pkgs.python313Packages.llama-index-llms-ollama
LlamaIndex LLMS Integration for ollama
Package maintainers
-
@abysssol abysssol <abysssol@pm.me>
-
@dit7ya Mostly Void <7rat13@gmail.com>
-
@prusnak Pavol Rusnak <pavol@rusnak.io>