Hi all,

Nathan Zadoks has offered to allow users to download the new glibc from his hydra while we wait for hydra.nixos.org to catch up. To fetch it, as root run:

# nix-store -r /nix/store/5fbwy40pa4pqr97jdgbyaal1y1ns6hb1-glibc-2.21 --option binary-caches https://code.nathan7.eu/hydra --option binary-cache-public-keys colossus.nathan7.eu:4iYLGVtL9WTE0OXgPQgQex0BIYopHxFuIYTERQ0dhCc=

Obviously this assumes you trust his hydra to be providing a real result! You can then add this line to your configuration.nix:

> system.replaceRuntimeDependencies = [ ({ original = pkgs.glibc;
>   replacement = builtins.storePath
>   /nix/store/5fbwy40pa4pqr97jdgbyaal1y1ns6hb1-glibc-2.21; }) ];

and do a nixos-rebuild against the channel to get a secured system until the channel is updated.

Regards,
Shea

On 2016-02-16 11:36, Shea Levy wrote:
> Fixed patch pushed to master, 15.09, and 14.12.
>
> On 2016-02-16 10:58, Shea Levy wrote:
>> There was an error with the patch, we're cooking up a fix now.
>>
>> On 2016-02-16 10:37, Shea Levy wrote:
>>> Hi all,
>>>
>>> I've just merged the patch to fix CVE-2015-7547, a buffer overrun in
>>> glibc with working POC exploit, into master and 15.09. It will take some
>>> time for the channel to update, so please use your judgment as to
>>> whether you want to wait for that or switch to building from git until
>>> it catches up. Please check out pkgs.replaceDependency
>>> (https://github.com/NixOS/nixpkgs/blob/15aa139a1a131b3e34a0b49425d87cffbf93d905/pkgs/build-support/replace-dependency.nix)
>>> for an alternative that won't require a full rebuild in the meantime.
>>>
>>> Eelco, Rob, can we do anything to ensure hydra capacity for the
>>> rebuild?
>>>
>>> ~Shea
>>> _______________________________________________
>>> nix-dev mailing list
>>> [email protected]
>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
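
A follow-up check for the steps in this message, as an added example that is not part of the original thread: after the nixos-rebuild, it lists any glibc store path other than the patched one that is still in the running system's closure or still mapped by a running process. The function names, the `closure`/`procs` arguments and the use of /run/current-system and /proc are assumptions of this example; only the patched store path comes from the message.

```shell
#!/bin/sh
# Added example, not from the thread. PATCHED is the store path quoted in the
# message; the function names and arguments are assumptions of this example.
PATCHED=/nix/store/5fbwy40pa4pqr97jdgbyaal1y1ns6hb1-glibc-2.21

# Read text on stdin (a closure listing or a /proc/PID/maps file) and print
# every glibc store path in it that is not the patched one given as $1.
# The pattern requires a version digit, so glibc-locales etc. are ignored.
stale_glibc() {
    grep -oE '/nix/store/[0-9a-z]{32}-glibc-[0-9][^/[:space:]]*' |
        sort -u | grep -vFx "$1" || true
}

# Runtime closure of the currently active system generation.
check_closure() {
    nix-store -qR /run/current-system | stale_glibc "$PATCHED"
}

# Processes started before the switch keep the old libc mapped until they
# are restarted; report each one together with the path it still maps.
check_procs() {
    for maps in /proc/[0-9]*/maps; do
        hit=$(stale_glibc "$PATCHED" 2>/dev/null < "$maps") || continue
        [ -n "$hit" ] && echo "${maps%/maps}: $hit"
    done
    return 0
}

# Nothing runs unless a mode is requested explicitly.
case "${1:-}" in
    closure) check_closure ;;
    procs)   check_procs ;;
esac
```

Run it as root with `closure` and then `procs`; empty output from both means nothing in the active system or in memory still points at another glibc build.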
