Background On Friday, March 29th, 2024, a historical and sophisticated security vulnerability (CVE-2024-3094) was discovered in the XZ Utils package and liblzma api in version 5.6.0 and 5.6.1. While this vulnerability mostly affects Debian and RedHat distributions, there was some interesting discussion regarding xz and Nix.
How did this affect Nix and NixOS? The truth is not a whole lot in reality. I saw conflicting reports, but supposedly, the tarballs of xz that Nix downloads were not infected.
@starman @GarlicToast true but I don’t think you can use nix and not know about the xz exploit within minutes of it being found out.
Do you have an RSS feed of CVEs impacting Nixos?
Anti Commercial AI thingy
CC BY-NC-SA 4.0
I believe the point they were making is that if you are techy enough to use nix, they are likely the type to keep up to date with news like this.