On Mon, 25 Aug 2025 15:33:34 +0200 Arnaud Mounier <[email protected]> wrote:

> I'll plan to do my updates like this:
>
> 1. <user>@fd $> sudo -i guix pull
This only upgrades the daemon if you installed guix with guix-install.sh. Once done you will also need to either reboot or run this command if you use systemd (or adapt it for /etc/init.d if you don't):

> sudo systemctl restart guix-daemon.service

If you however just did 'sudo apt install guix' to install Guix, then the daemon will not be upgraded with the command above, and it will most likely contain security vulnerabilities (the Guix daemon from Guix 1.4.0 contains several privilege escalation vulnerabilities).

The "2.5 Upgrading Guix" section of the manual[1] was updated a few days ago to reflect that; it also contains instructions to upgrade the daemon when guix was installed with 'sudo apt install guix', and it has more details on the issue as well.

Also note that so far all the known security vulnerabilities in Guix don't necessarily have a CVE, but they have a very detailed explanation of the vulnerability with code and instructions to use that code to test if the vulnerabilities are present[2][3][4]. So you can also use that to do some checks. However note that the code for CVE 2024-2797 requires using guix time-machine more or less like that:

> guix time-machine --commit=v1.4.0 -- guix build -f \
> fixed-output-derivation-corruption.scm -M4

References:
-----------
[1] https://guix.gnu.org/manual/devel/en/guix.html#Upgrading-Guix
[2] https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
[3] https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/
[4] https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/

Denis.
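A post-upgrade check that follows from the two points in the message above (an apt-installed daemon is not touched by 'guix pull', and a daemon installed via guix-install.sh keeps running the old binary until restarted). This is an added example, not code from this thread or from the Guix project; it assumes the root profile path /var/guix/profiles/per-user/root/current-guix that guix-install.sh and guix-daemon.service use, and that the distribution package installs /usr/bin/guix-daemon.

```shell
#!/bin/sh
# Post-'guix pull' sanity check for the daemon (added example, not from the thread).
# Assumed layout: guix-install.sh keeps root's profile at
# /var/guix/profiles/per-user/root/current-guix and guix-daemon.service runs the
# daemon from there; a Debian/Ubuntu 'apt install guix' ships /usr/bin/guix-daemon.
set -eu

PROFILE_DAEMON=${PROFILE_DAEMON:-/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon}

# Classify the install method from the resolved path of the daemon binary.
# Prints "guix-install", "apt" or "unknown".
daemon_source() {
  case "$1" in
    /var/guix/profiles/*|/gnu/store/*) echo guix-install ;;
    /usr/bin/*|/usr/sbin/*)            echo apt ;;
    *)                                 echo unknown ;;
  esac
}

# Succeeds (exit 0) when the executable the running daemon was started from
# differs from the one the upgraded profile now points at, i.e. a restart is
# still needed. Args: path of the running exe (e.g. /proc/PID/exe), profile path.
daemon_is_stale() {
  [ "$(readlink -f "$1")" != "$(readlink -f "$2")" ]
}

main() {
  bin=$(command -v guix-daemon || echo "$PROFILE_DAEMON")
  case "$(daemon_source "$(readlink -f "$bin" || echo "$bin")")" in
    apt)
      echo "guix-daemon is the distribution package: 'guix pull' does not upgrade it;"
      echo "follow the manual's 'Upgrading Guix' section instead."
      return 2 ;;
    guix-install)
      pid=$(pgrep -x -o guix-daemon || true)
      if [ -n "$pid" ] && daemon_is_stale "/proc/$pid/exe" "$PROFILE_DAEMON"; then
        echo "running daemon predates the current profile:"
        echo "  sudo systemctl restart guix-daemon.service"
        return 1
      fi
      echo "running daemon matches the current profile" ;;
    *)
      echo "cannot tell how guix-daemon was installed ($bin)"
      return 3 ;;
  esac
}

# Only run the live check when asked; the functions above can be sourced on their own.
if [ "${1:-}" = "--check" ]; then main; fi
```

Run it as root with `--check` after `sudo -i guix pull`; a non-zero exit means either the daemon is the apt package or it still needs the systemctl restart.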
