On 2025-06-25, Salvatore Bonaccorso wrote:
> CVE-2025-46415[0], CVE-2025-46416[1], CVE-2025-52991[2],
> CVE-2025-52992[3], CVE-2025-52993[4].
The upstream patchset to fix this is commingled with a lot of other upstream changes, but there is some work and discussion about backporting the needed fixes:

https://lists.gnu.org/archive/html/guix-devel/2025-07/msg00098.html

But the commingling with other changes makes this trickier than in the past. I've just managed for the first time to get something to compile at all with the security fixes applied:

https://codeberg.org/GNUtoo/guix-security-fixes/commits/branch/guix-1.4.0-2025-security-fixes

But that also includes all the other unrelated changes, although it fails a few new tests now...

Guix is basically a rolling release model, and up until recently there had been little active development on the affected parts other than security fixes, so previous security fixes were a bit more reasonable to apply, even across pretty old versions... but here we are right now.

Curiously, those "unrelated" changes are actually to allow running guix-daemon as an unprivileged user, which has obvious security benefits! ... Just not appropriate for Debian's typical security update model.

I am not sure about the future of Guix in Debian at this point, but if we can actually get a few people working together on backporting the security fixes (either officially or unofficially), obviously that will help!

live well,
  vagrant