

Lix releases are now out, please upgrade. A detailed writeup about the issue and the mitigations is at https://lix.systems/blog/2025-06-24-lix-cves/; scroll a bit down for instructions on how to protect yourselves.
See also the Discourse announcement post at https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017, which also links to the various Nixpkgs PRs for those that use Lix from Nixpkgs.
An official announcement will come soon, but if you are using the #Lix package manager, it's recommended you upgrade NOW.
For more details, read https://lix.systems/blog/2025-06-24-lix-cves/.
This blog post will be updated with more information as we go (PRs in nixpkgs, etc.).
Security pre-disclosure:
A critical security advisory for #Nix and #Lix (and #Guix) will be published tomorrow at 14:00 UTC.
If you're building untrusted derivations, you must upgrade to ensure your systems remain secure.
Lix versions 2.91, 2.92, 2.93, and main will receive upgrades on all known channels to Lix. Lix 2.90 WILL NOT receive upgrades.
More details are available in the pre-disclosure post:
https://discourse.nixos.org/t/pre-disclosure-announcement-security-advisory-for-nix-and-lix-on-june-24-2025/65831
Please stay alert for the full announcement tomorrow at 14:00 UTC.
In case someone here didn't hear about this, it seems there will be a security release for Lix, Nix and Guix on the 24th.
#lix #nix #guix #nixos