news: Add entry for the ‘content-addressed-mirrors’ security fix.

* etc/news.scm: Add entry.

Change-Id: Ia96a6f80d6ec557e222f2b5ee17e7c79c0eb3cbf

1 files changed, 28 insertions, 0 deletions

diff --git a/etc/news.scm b/etc/news.scm
index c7b292d617..0a367cc95d 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -40,6 +40,34 @@
 (channel-news
  (version 0)
 
+ (entry (commit "1618ca7aa2ee8b6519ee9fd0b965e15eca2bfe45")
+        (title
+         (en "New @command{guix-daemon} privilege escalation vulnerability
+fixed"))
+        (body
+         (en "A new vulnerability was identified and fixed in the build
+daemon, @command{guix-daemon} (CVE ID assignment pending).  Everyone is
+strongly advised to upgrade @command{guix-daemon}.  Guix System users can do
+this with commands along these lines:
+
+@example
+sudo guix system reconfigure /run/current-system/configuration.scm
+sudo herd restart guix-daemon
+@end example
+
+If you are using Guix on another distro, run @command{info \"(guix) Upgrading
+Guix\"} or visit
+@uref{https://guix.gnu.org/manual/devel/en/html_node/Upgrading-Guix.html} to
+learn how to upgrade Guix.
+
+This vulnerability lies in the @code{builtin:download} derivation builder:
+anyone with access to the daemon can craft a @code{content-addressed-mirrors}
+Scheme procedure that the daemon will execute as a build user (or as the
+daemon user, when running @command{guix-daemon} unprivileged).  An attacker
+could use this to gain build user privileges and thereafter compromise builds
+performed on the system.  See @uref{https://codeberg.org/guix/guix/pulls/2419}
+for more information.")))
+
  (entry (commit "3e45fc0f37d027516ac3d112ca7768d698eeac74")
         (title
          (en "All Rust applications repackaged")