Uncoordinated disclosure of a Nix 2.24 privilege escalation vulnerability
Incident Report for Determinate
Resolved
Our distributions of Nix are updated to 2.24.6 across the board, resolving this vulnerability: https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493.

* Users of our Nix flake https://flakehub.com/flake/determinateSystems/nix should update their flake to use the latest version of Nix. Users of NixOS can use this flake to get an updated Nix using the examples on that page.
* Users of Determinate can update via: `determinate-nixd upgrade`
* Users of Nix can update via `nix upgrade-nix --nix-store-paths-url https://install.determinate.systems/nix-upgrade/stable/universal`
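A quick way to confirm whether an installed Nix falls in the affected range before and after upgrading. This is an added example, not part of this report or of Determinate's tooling; it assumes, based on the versions named above, that the affected range is 2.24.0 up to but not including 2.24.6, and that `nix --version` prints a line such as `nix (Nix) 2.24.5`.

```shell
# Added example (not from the report): classify a Nix version string as
# affected by GHSA-h4vv-h3jq-v493 or not.
# Assumption: affected means 2.24.0 <= version < 2.24.6.
# Exit status: 0 = affected, 1 = not affected, 2 = no version found.
nix_version_affected() {
  # Accept either a bare "2.24.5" or the full `nix --version` output.
  v=$(printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  [ -n "$v" ] || return 2
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$major" -eq 2 ] && [ "$minor" -eq 24 ] && [ "$patch" -lt 6 ]; then
    return 0
  fi
  return 1
}

# Convenience wrapper for the machine this runs on (hypothetical helper name).
check_installed_nix() {
  out=$(nix --version 2>/dev/null) || { echo "nix not found"; return 2; }
  if nix_version_affected "$out"; then
    echo "AFFECTED: $out (upgrade to 2.24.6 or later)"
    return 0
  fi
  echo "not affected: $out"
  return 1
}
```

Run `check_installed_nix` on each host; a 0 exit status means that host still needs the upgrade commands listed above.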

As always, we recommend only using binary caches you trust, and avoiding binary caches maintained by unknown users.

Feel free to reach out on Discord or other support lines for further questions.

See: https://determinate.systems/discord
Posted Sep 10, 2024 - 14:51 UTC
Monitoring
Nix 2.24.6 is rolling out through all of our channels now, in a phased rollout.

Nix has also published a security advisory: https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493
Posted Sep 10, 2024 - 13:31 UTC
Update
A patched v2.24 release is expected first thing in the morning.

As always, we recommend only using binary caches you trust, and avoiding binary caches maintained by unknown users.
Posted Sep 10, 2024 - 00:51 UTC
Update
The affected versions of Nix are yanked from the Nix flake on FlakeHub at https://flakehub.com/flake/DeterminateSystems/nix.
Posted Sep 10, 2024 - 00:41 UTC
Update
Determinate Nix Installer has rolled back to Nix 2.23.3 pending a release of the upstream patch.

Nix users can run `nix upgrade-nix` to accept this rollback.

Determinate users can run `determinate-nixd upgrade` to accept this rollback.
Posted Sep 09, 2024 - 23:52 UTC
Identified
A privilege escalation vulnerability in Nix 2.24.0 and above has been disclosed. The Nix team has a resolution in process.
Posted Sep 09, 2024 - 23:27 UTC
This incident affected: Determinate Nix.