Nixpkgs Security Tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2025-5915
3.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months, 1 week ago
Libarchive: heap buffer over read in copy_from_lzss_window() at archive_read_support_format_rar.c

A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.

Affected products

rhcos
libarchive
  • <3.8.0

Matching in nixpkgs

pkgs.libarchive

Multi-format archive and compression library

pkgs.libarchive-qt

Qt based archiving solution with libarchive backend

pkgs.kodiPackages.vfs-libarchive

LibArchive Virtual Filesystem add-on for Kodi

pkgs.python311Packages.libarchive-c

Python interface to libarchive

pkgs.python312Packages.libarchive-c

Python interface to libarchive

pkgs.python313Packages.libarchive-c

Python interface to libarchive

pkgs.haskellPackages.libarchive-conduit

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive.x86_64-linux

Haskell interface to libarchive

pkgs.haskellPackages.libarchive.aarch64-linux

Haskell interface to libarchive

pkgs.haskellPackages.libarchive.x86_64-darwin

Haskell interface to libarchive

pkgs.python311Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python312Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python313Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.haskellPackages.libarchive.aarch64-darwin

Haskell interface to libarchive

pkgs.python312Packages.libarchive-c.x86_64-linux

Python interface to libarchive

pkgs.python312Packages.libarchive-c.aarch64-linux

Python interface to libarchive

pkgs.python312Packages.libarchive-c.x86_64-darwin

Python interface to libarchive

pkgs.python312Packages.libarchive-c.aarch64-darwin

Python interface to libarchive

pkgs.haskellPackages.libarchive-conduit.x86_64-linux

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.aarch64-linux

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.x86_64-darwin

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.aarch64-darwin

Read many archive formats with libarchive and conduit

Package maintainers: 10

CVE-2025-5918
3.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months, 1 week ago
Libarchive: reading past eof may be triggered for piped file streams

A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

Affected products

rhcos
libarchive
  • <3.8.0

Matching in nixpkgs

pkgs.libarchive

Multi-format archive and compression library

pkgs.libarchive-qt

Qt based archiving solution with libarchive backend

pkgs.kodiPackages.vfs-libarchive

LibArchive Virtual Filesystem add-on for Kodi

pkgs.python311Packages.libarchive-c

Python interface to libarchive

pkgs.python312Packages.libarchive-c

Python interface to libarchive

pkgs.python313Packages.libarchive-c

Python interface to libarchive

pkgs.haskellPackages.libarchive-conduit

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive.x86_64-linux

Haskell interface to libarchive

pkgs.haskellPackages.libarchive.aarch64-linux

Haskell interface to libarchive

pkgs.haskellPackages.libarchive.x86_64-darwin

Haskell interface to libarchive

pkgs.python311Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python312Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.python313Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

pkgs.haskellPackages.libarchive.aarch64-darwin

Haskell interface to libarchive

pkgs.python312Packages.libarchive-c.x86_64-linux

Python interface to libarchive

pkgs.python312Packages.libarchive-c.aarch64-linux

Python interface to libarchive

pkgs.python312Packages.libarchive-c.x86_64-darwin

Python interface to libarchive

pkgs.python312Packages.libarchive-c.aarch64-darwin

Python interface to libarchive

pkgs.haskellPackages.libarchive-conduit.x86_64-linux

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.aarch64-linux

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.x86_64-darwin

Read many archive formats with libarchive and conduit

pkgs.haskellPackages.libarchive-conduit.aarch64-darwin

Read many archive formats with libarchive and conduit

Package maintainers: 10

CVE-2025-0620
6.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 1 week ago
Samba: smbd doesn't pick up group membership changes when re-authenticating an expired smb session

A flaw was found in Samba. The smbd service daemon does not pick up group membership changes when re-authenticating an expired SMB session. This issue can expose file shares until clients disconnect and then connect again.

Affected products

rhcos
samba
  • <4.21.6
samba4

Matching in nixpkgs

pkgs.samba

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.sambaFull

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4Full

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba.x86_64-linux

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba.aarch64-linux

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba.x86_64-darwin

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4.x86_64-linux

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba.aarch64-darwin

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4.aarch64-linux

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4.x86_64-darwin

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4.aarch64-darwin

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.sambamba.x86_64-linux

SAM/BAM processing tool

pkgs.sambaFull.x86_64-linux

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.sambamba.x86_64-darwin

SAM/BAM processing tool

pkgs.sambaFull.aarch64-linux

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.sambaFull.x86_64-darwin

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4Full.aarch64-linux

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4Full.x86_64-darwin

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.sambaFull.aarch64-darwin

Standard Windows interoperability suite of programs for Linux and Unix

pkgs.samba4Full.aarch64-darwin

Standard Windows interoperability suite of programs for Linux and Unix

Package maintainers: 2

CVE-2025-49241
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months, 1 week ago
WordPress oik <= 4.15.1 - Broken Access Control Vulnerability

Missing Authorization vulnerability in bobbingwide oik allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects oik: from n/a through 4.15.1.

Affected products

oik
  • =<4.15.1

Matching in nixpkgs

pkgs.libvoikko.x86_64-linux

Finnish language processing library

pkgs.libvoikko.aarch64-linux

Finnish language processing library

pkgs.libvoikko.x86_64-darwin

Finnish language processing library

pkgs.libvoikko.aarch64-darwin

Finnish language processing library

Package maintainers: 1

CVE-2011-10007
8.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 1 week ago
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted file name

File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted filename. A file handle is opened with the 2 argument form of `open()` allowing an attacker controlled filename to provide the MODE parameter to `open()`, turning the filename into a command to be executed. Example: $ mkdir /tmp/poc; echo > "/tmp/poc/|id" $ perl -MFile::Find::Rule \     -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")' uid=1000(user) gid=1000(user) groups=1000(user),100(users)

Affected products

File-Find-Rule
  • =<0.34

Matching in nixpkgs

pkgs.perl538Packages.FileFindRule

File::Find::Rule is a friendlier interface to File::Find

pkgs.perl540Packages.FileFindRule

File::Find::Rule is a friendlier interface to File::Find

pkgs.perl538Packages.FileFindRulePerl

Common rules for searching for Perl things

pkgs.perl540Packages.FileFindRulePerl

Common rules for searching for Perl things

CVE-2023-45050
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months, 1 week ago
WordPress Jetpack Plugin <= 12.8-a.1 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Jetpack – WP Security, Backup, Speed, & Growth allows Stored XSS.This issue affects Jetpack – WP Security, Backup, Speed, & Growth: from n/a through 12.8-a.1.

Affected products

jetpack
  • =<12.8-a.1

Matching in nixpkgs

pkgs.wordpressPackages.plugins.jetpack

CVE-2022-3328
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 2 weeks ago
Race condition in snap-confine's must_mkdir_and_open_with_perms()

Race condition in snap-confine's must_mkdir_and_open_with_perms()

Affected products

snapd
  • <2.61.1

Matching in nixpkgs

pkgs.snapdragon-profiler

An profiler for Android devices running Snapdragon chips

pkgs.snapdragon-profiler.x86_64-linux

An profiler for Android devices running Snapdragon chips

CVE-2024-0567
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months, 2 weeks ago
Gnutls: rejects certificate chain with distributed trust

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

Affected products

gnutls
  • *
  • <3.8.3
cockpit
odf4/cephcsi-rhel9
  • *
odf4/odf-cli-rhel9
  • *
odf4/mcg-core-rhel9
  • *
odf4/odf-console-rhel9
  • *
odf4/mcg-rhel9-operator
  • *
odf4/ocs-rhel9-operator
  • *
odf4/odf-rhel9-operator
  • *
odf4/odr-rhel9-operator
  • *
odf4/mcg-operator-bundle
  • *
odf4/ocs-operator-bundle
  • *
odf4/odf-operator-bundle
  • *
odf4/odf-must-gather-rhel9
  • *
odf4/odf-cosi-sidecar-rhel9
  • *
odf4/odr-hub-operator-bundle
  • *
odf4/ocs-client-console-rhel9
  • *
odf4/rook-ceph-rhel9-operator
  • *
odf4/ocs-client-rhel9-operator
  • *
openshift-logging/vector-rhel9
  • *
odf4/ocs-client-operator-bundle
  • *
odf4/ocs-metrics-exporter-rhel9
  • *
openshift-logging/fluentd-rhel9
  • *
odf4/odr-cluster-operator-bundle
  • *
odf4/odf-csi-addons-sidecar-rhel9
  • *
odf4/odf-csi-addons-rhel9-operator
  • *
odf4/odf-csi-addons-operator-bundle
  • *
odf4/odf-multicluster-console-rhel9
  • *
openshift-logging/eventrouter-rhel9
  • *
odf4/odf-multicluster-rhel9-operator
  • *
openshift-logging/logging-loki-rhel9
  • *
odf4/odf-multicluster-operator-bundle
  • *
openshift-logging/loki-rhel9-operator
  • *
openshift-logging/opa-openshift-rhel9
  • *
openshift-logging/elasticsearch6-rhel9
  • *
openshift-logging/loki-operator-bundle
  • *
openshift-logging/logging-curator5-rhel9
  • *
openshift-logging/lokistack-gateway-rhel9
  • *
openshift-logging/elasticsearch-proxy-rhel9
  • *
openshift-logging/logging-view-plugin-rhel9
  • *
openshift-logging/elasticsearch-rhel9-operator
  • *
openshift-logging/elasticsearch-operator-bundle
  • *
openshift-logging/cluster-logging-rhel9-operator
  • *
openshift-logging/log-file-metric-exporter-rhel9
  • *
openshift-logging/cluster-logging-operator-bundle
  • *

Matching in nixpkgs

pkgs.cockpit

Web-based graphical interface for servers

pkgs.python312Packages.python3-gnutls.x86_64-linux

Python wrapper for the GnuTLS library

pkgs.python312Packages.python3-gnutls.aarch64-linux

Python wrapper for the GnuTLS library

pkgs.python312Packages.python3-gnutls.x86_64-darwin

Python wrapper for the GnuTLS library

pkgs.python312Packages.python3-gnutls.aarch64-darwin

Python wrapper for the GnuTLS library

Package maintainers: 4

CVE-2025-40908
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 6 months, 2 weeks ago
YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified

YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified

Affected products

YAML-LibYAML
  • <0.903.0

Matching in nixpkgs

pkgs.perl538Packages.YAMLLibYAML

Perl YAML Serialization using XS and libyaml

pkgs.perl540Packages.YAMLLibYAML

Perl YAML Serialization using XS and libyaml

pkgs.perl540Packages.YAMLLibYAML.x86_64-linux

Perl YAML Serialization using XS and libyaml

pkgs.perl540Packages.YAMLLibYAML.aarch64-linux

Perl YAML Serialization using XS and libyaml

pkgs.perl540Packages.YAMLLibYAML.x86_64-darwin

Perl YAML Serialization using XS and libyaml

pkgs.perl540Packages.YAMLLibYAML.aarch64-darwin

Perl YAML Serialization using XS and libyaml

CVE-2025-5054
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months, 2 weeks ago
Race Condition in Canonical Apport

Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1).

Affected products

apport
  • <2.20.11-0ubuntu82.7
  • <2.20.9-0ubuntu7.29+esm1
  • <2.28.1-0ubuntu3.6
  • <2.32.0-0ubuntu5.1
  • <2.20.1-0ubuntu2.30+esm5
  • <2.30.0-0ubuntu4.3
  • <2.32.0-0ubuntu6
  • <2.20.11-0ubuntu27.28
  • =<2.32.0
  • <2.33.0-0ubuntu1

Matching in nixpkgs

Package maintainers: 1