Fix for CVE-2024-27297 in Nix v2.20.5 rolling out now.
Incident Report for Determinate
Nix 2.20.5 is fully rolled out through all of our channels.
Posted Mar 08, 2024 - 17:23 UTC
Nix 2.20.5 is rolled out to 100% of GitHub Actions, and 50% of other uses. `nix self-upgrade` is always our last endpoint to roll, and is expected to complete in approximately two hours.
Posted Mar 08, 2024 - 12:28 UTC
Nix 2.20.5 is rolling out to roughly 50% of users at this point, and we're monitoring installation results for errors.
Posted Mar 07, 2024 - 22:47 UTC
The Determinate Nix Installer is currently updating to Nix 2.20.5 to address CVE-2024-27297 / GHSA-2ffj-w4mj-pg37.

Our release process is a staged rollout and will take a couple of hours to complete. However, you can update to Nix 2.20.5 now:

sudo nix upgrade-nix --nix-store-paths-url

We're committed to keeping the Determinate Nix Installer stable, up to date, and secure, and to maintaining our flake stability guarantee. As part of this commitment, the GitHub Action is the first to address this vulnerability. Users of our regular installer and GitHub Action will automatically update to Nix 2.20.5 after we complete our strict validation process.

More info:
Posted Mar 07, 2024 - 22:21 UTC
This incident affected: Determinate Nix.