Hi Guixers,

Please update your Guix (daemon) immediately to address important
security vulnerabilities (CVE-2025-46415, CVE-2025-46416,
CVE-2025-52991, CVE-2025-52992, and CVE-2025-52993). You can find the
details on what these are and how they were addressed in this article on
the official Guix blog:

<https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/>

which also links to the related commits and pull request on Codeberg:
<https://codeberg.org/guix/guix/pulls/788>.

For the full details of how to upgrade to make sure your Guix is no
longer vulnerable, and how to verify this with a Guile script, please
see the above article. In short, for users of Guix System, run "guix
pull", then "guix system reconfigure", and restart the guix-daemon with
"sudo herd restart guix-daemon". Users of Guix on another distro may
need to take distro-specific steps, although the general procedure is
usually to update with "sudo --login guix pull" and restart the daemon
with "sudo systemctl restart guix-daemon.service". Note that a "guix
pull" alone is not enough: the vulnerabilities are in the daemon, so
the daemon must be restarted for the fix to take effect.

On behalf of the Guix Security Team and all of our many developers and
users, I want to send a big thank you to Reepca Russelstein for taking
the lead on investigating and addressing these vulnerabilities along
with Ludovic Courtès for guidance, contributions, and review throughout
the process. Their tireless work over many weeks in coding, testing, and
writing made this possible. Thanks also to the Nix and Lix teams for
helping to coordinate this joint security disclosure. See
<https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017>
and <https://lix.systems/blog/2025-06-24-lix-cves/> for their reports.

Finally, let me end by asking for more volunteers to serve on the
Security Team. We could use some more people; security and Guix internal
expertise is not needed! Helping to coordinate communication,
delegation, and being responsive to the latest security issues is
needed. Of course, particular expertise or experience, especially with
Guix specifics (or other key libraries, for instance) is also useful.
But really we just need a few more active participants to help us stay
on top of security updates in general.

Thanks everyone!
John on behalf of Guix Security
