[Nix-dev] Patching your system to deal with CVE-2016-5195

Shea Levy shea at shealevy.com
Fri Oct 21 18:32:01 CEST 2016


Hi all,

CVE-2016-5195 is a serious privilege escalation impacting all kernels
released before 10/20. The channel is currently in the process of
updating, but the cache already contains binaries for 4.8.3 and
4.4.26. If you are currently building your system against the channel or
an old checkout of nixpkgs that you cannot update, please check out a
recent revision of nixpkgs (later than
0b20f6daba35575a7d4d2a61f42830d793a12892 on 16.09, later than
76a57d83b5a4df7c3ac85b25c5ab10d6fb415eb2 on master) and add the
following to your configuration.nix:

system.replaceRuntimeDependencies = [ ({
  original = config.boot.kernelPackages.kernel;
  replacement = (import /path/to/new/nixpkgs {}).linux; /* or linux_latest if using 4.8 */
}) ];

Thanks,
Shea
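A post-reboot verification to go with the mail above, added here as an example and not part of Shea's message: it parses a kernel version string (by default the output of `uname -r`) and compares it against the fixed releases the mail names, 4.4.26 for the 4.4 series and 4.8.3 for the 4.8 series. Any other series is reported as unknown rather than guessed at.

```shell
#!/bin/sh
# Added example, not from the original mail. Checks a kernel version
# against the fixed releases named in the announcement:
#   4.4 series -> 4.4.26, 4.8 series -> 4.8.3
# Exit status of kernel_patched: 0 = at/above the fix, 1 = below it,
# 2 = a series the mail does not cover (check manually).
kernel_patched() {
    ver="$1"
    # Keep only the leading major.minor.patch digits; drop any suffix.
    ver=$(printf '%s' "$ver" | sed 's/[^0-9.].*//')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    [ -z "$patch" ] && patch=0
    case "$major.$minor" in
        4.4) fixed=26 ;;
        4.8) fixed=3 ;;
        *)   return 2 ;;
    esac
    [ "$patch" -ge "$fixed" ]
}

# Print a one-line verdict for a version string (default: the booted
# kernel). Always returns 0 so it can sit at the end of a script; use
# kernel_patched directly when the exit status is needed.
report_kernel() {
    ver="${1:-$(uname -r)}"
    rc=0
    kernel_patched "$ver" || rc=$?
    case "$rc" in
        0) printf '%s: PATCHED (>= fixed release for this series)\n' "$ver" ;;
        1) printf '%s: VULNERABLE, rebuild and reboot into the updated kernel\n' "$ver" ;;
        *) printf '%s: UNKNOWN series, compare against upstream fix manually\n' "$ver" ;;
    esac
    return 0
}

report_kernel
```

`uname -r` reports the kernel that is actually booted, so after the `replaceRuntimeDependencies` rebuild the check only turns green once the machine has been rebooted into the new system.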