Sébastien Gendre <[email protected]> writes: > For the methods listed here: https://guix.gnu.org/en/download/ > They will all provide the version 1.5.0 of Guix and Guix System, so > probably the vulnerable version of Guix-daemon ?
Indeed so, 1.5.0 is vulnerable, https://guix.gnu.org/download/ provides the last release, currently vulnerable 1.5.0. > For the methods listed here: https://guix.gnu.org/en/download/latest/ > Do they provide all the fixed version of Guix-daemon ? Continuous Integration, at the time of writing, last built Guix System and Guix binary on June 16. I believe this is still vulnerable. > > For the method suggested on the manual, there is a bash script to > download: https://guix.gnu.org/guix-install.sh > After executing it, does the user get the fixed version of Guix-daemon ? This script currently downloads from GNU_URL="https://ftpmirror.gnu.org/gnu/guix/", which can only be vulnerable 1.5.0 at the time of writing, despite the GNU bash script itself is updated more often. > > I probably forget other method of installation. But if you get > information about it, don't hesitate to share it. There was discussion of offering some more recent Guix archive bundle at https://codeberg.org/guix/artwork/pulls/61 but it did not happen AFAIK. Regards, Florian
