From 0374617920e3d278e68c71826fec1f590921e31b Mon Sep 17 00:00:00 2001 From: Chris Marusich Date: Tue, 30 Mar 2021 22:38:05 -0700 Subject: news: Add entry announcing powerpc64le-linux support. * etc/news.scm: Add entry. --- etc/news.scm | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'etc/news.scm') diff --git a/etc/news.scm b/etc/news.scm index deedc69f6e..e735473f7c 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -12,6 +12,7 @@ ;; Copyright © 2020, 2021 Maxim Cournoyer ;; Copyright © 2021 Leo Famulari ;; Copyright © 2021 Zhu Zihao +;; Copyright © 2021 Chris Marusich ;; ;; Copying and distribution of this file, with or without modification, are ;; permitted in any medium without royalty provided the copyright notice and @@ -20,6 +21,21 @@ (channel-news (version 0) + (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06") + (title + (en "New supported platform: powerpc64le-linux")) + (body + (en "A new platform, powerpc64le-linux, has been added for +little-endian 64-bit Power ISA processors using the Linux-Libre kernel. This +includes POWER9 systems such as the +@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom, +RYF Talos II mainboard}. This platform is available as a \"technology +preview\": although it is supported, substitutes are not yet available from +the build farm, and some packages may fail to build. In addition, Guix System +is not yet available on this platform. That said, the Guix community is +actively working on improving this support, and now is a great time to try it +and get involved!"))) + (entry (commit "9ade2b720af91acecf76278b4d9b99ace406781e") (title (en "Update on previous @command{guix-daemon} local privilege escalation") -- cgit v1.2.3 From f73b4ecb0c265987be1cb03ffc68171223c1c443 Mon Sep 17 00:00:00 2001 
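Review bot: in the body of the new powerpc64le-linux entry, "technology preview" is quoted with backslash-escaped ASCII double quotes inside the Scheme string, while the surrounding news text is Texinfo; ``technology preview'' in Texinfo quoting would render proper quotes, avoid the escapes, and match the ``skeleton files'' style used by other entries in this file. The rest of the entry is fine as written: the @uref split across lines with the URL on its own line is valid Texinfo, and the wording makes the limits clear (no substitutes from the build farm, some packages may fail to build, no Guix System yet), which is exactly what a reader deciding whether to try the port needs.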
From: Ludovic Courtès Date: Wed, 31 Mar 2021 17:18:14 +0200 Subject: news: Add 'fr' translation. * etc/news.scm: Add French translation of POWER9 entry. --- etc/news.scm | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'etc/news.scm') diff --git a/etc/news.scm b/etc/news.scm index e735473f7c..8f219d6962 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -23,7 +23,8 @@ (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06") (title - (en "New supported platform: powerpc64le-linux")) + (en "New supported platform: powerpc64le-linux") + (fr "Nouvelle plate-forme prise en charge : powerpc64le-linux")) (body (en "A new platform, powerpc64le-linux, has been added for little-endian 64-bit Power ISA processors using the Linux-Libre kernel. This 
@@ -34,7 +35,18 @@ preview\": although it is supported, substitutes are not yet available from the build farm, and some packages may fail to build. In addition, Guix System is not yet available on this platform. That said, the Guix community is actively working on improving this support, and now is a great time to try it -and get involved!"))) +and get involved!") + (fr "Une nouvelle plate-forme, powerpc64le-linux, a été ajoutée pour +les processeurs POWER 64-bits utilisant le noyau Linux-libre. Ça inclut les +systèmes POWER9 tels que les +@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom, +cartes Talos II RYF}. Il s'agit pour le moment d'un « avant-goût » de la +technologie : bien que la plate-forme soit prise en charge, la ferme de +compilation ne fournit pas encore de substituts et certains paquets risquent +de ne pas compiler. En outre, Guix System n'est pas encore disponible sur +cette plate-forme. Ceci dit, la communauté Guix travaille activement pour +améliorer cette prise en charge et c'est maintenant un bon moment pour +l'essayer et pour s'impliquer !"))) (entry (commit "9ade2b720af91acecf76278b4d9b99ace406781e") (title -- cgit v1.2.3 From 2743a0b28dc55837f118b87cc04aa2baf1386faf Mon Sep 17 00:00:00 2001 From: Florian Pelz Date: Thu, 1 Apr 2021 19:07:45 +0200 Subject: news: Add 'de' translation. * etc/news.scm: Add German translation of POWER9 entry. --- etc/news.scm | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'etc/news.scm') diff --git a/etc/news.scm b/etc/news.scm index 8f219d6962..6d7a4a9d4f 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -24,6 +24,7 @@ (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06") (title (en "New supported platform: powerpc64le-linux") + (de "Neue Plattform wird unterstützt: powerpc64le-linux") (fr "Nouvelle plate-forme prise en charge : powerpc64le-linux")) (body (en "A new platform, powerpc64le-linux, has been added for 
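Review bot: on the 'fr' translation hunk, the French body drops the qualifier "little-endian" from the English "little-endian 64-bit Power ISA processors" and reads only "les processeurs POWER 64-bits"; since the platform is named powerpc64le and big-endian powerpc64 is a distinct target, the translation should keep it, e.g. "les processeurs POWER 64 bits little-endian". Also, the English writes "Linux-Libre" and the French "Linux-libre"; worth aligning the spelling across the two languages.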
@@ -36,6 +37,17 @@ the build farm, and some packages may fail to build. In addition, Guix System is not yet available on this platform. That said, the Guix community is actively working on improving this support, and now is a great time to try it and get involved!") + (de "Eine neue Plattform, powerpc64le-linux, wurde hinzugefügt. Mit +ihr können Prozessoren mit 64-Bit-Power-Befehlssatz, little-endian, mit dem +Linux-Libre-Kernel betrieben werden. Dazu gehören POWER9-Systeme wie die +@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom, +RYF-zertifizierte Talos-II-Hauptplatine}. Bei der Plattform handelt es sich +um eine „Technologievorschau“; obwohl sie unterstützt wird, gibt es noch keine +Substitute von der Erstellungsfarm und bei manchen Paketen könnte die +Erstellung fehlschlagen. Des Weiteren ist Guix System auf dieser Plattform +noch nicht verfügbar. Dennoch arbeitet die Guix-Gemeinde aktiv daran, diese +Unterstützung auszubauen, und jetzt ist eine gute Gelegenheit, sie +auszuprobieren und mitzumachen!") (fr "Une nouvelle plate-forme, powerpc64le-linux, a été ajoutée pour les processeurs POWER 64-bits utilisant le noyau Linux-libre. Ça inclut les systèmes POWER9 tels que les -- cgit v1.2.3 From 72f911bf059ec3d984dbc2d22e02165940cb9983 Mon Sep 17 00:00:00 2001 From: Maxime Devos Date: Sat, 3 Apr 2021 12:19:10 +0200 Subject: news: Add entry for user account activation vulnerability. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * etc/news.scm: Add entry. Co-authored-by: Ludovic Courtès --- etc/news.scm | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'etc/news.scm') diff --git a/etc/news.scm b/etc/news.scm index 6d7a4a9d4f..9b23c7ca0f 100644 --- a/etc/news.scm +++ b/etc/news.scm 
@@ -13,6 +13,7 @@ ;; Copyright © 2021 Leo Famulari ;; Copyright © 2021 Zhu Zihao ;; Copyright © 2021 Chris Marusich +;; Copyright © 2021 Maxime Devos ;; ;; Copying and distribution of this file, with or without modification, are ;; permitted in any medium without royalty provided the copyright notice and @@ -21,6 +22,26 @@ (channel-news (version 0) + (entry (commit "2161820ebbbab62a5ce76c9101ebaec54dc61586") + (title + (en "Risk of local privilege escalation during user account creation")) + (body + (en "A security vulnerability that can lead to local privilege +escalation has been found in the code that creates user accounts on Guix +System---Guix on other distros is unaffected. The system is only vulnerable +during the activation of user accounts that do not already exist. + +The attack can happen when @command{guix system reconfigure} is running. +Running @command{guix system reconfigure} can trigger the creation of new user +accounts if the configuration specifies new accounts. If a user whose account +is being created manages to log in after the account has been created but +before ``skeleton files'' have been copied to its home directory, they may, by +creating an appropriately-named symbolic link in the home directory pointing +to a sensitive file, such as @file{/etc/shadow}, get root privileges. + +See @uref{https://issues.guix.gnu.org/47584} for more information on this +bug."))) + (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06") (title (en "New supported platform: powerpc64le-linux") -- cgit v1.2.3 From c9960ad67c7644225343e913d5fea620d97bb293 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sat, 3 Apr 2021 22:13:28 +0200 Subject: news: Recommend upgrade for account activation vulnerability. * etc/news.scm: Recommend upgrade. --- etc/news.scm | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'etc/news.scm') diff --git a/etc/news.scm b/etc/news.scm index 9b23c7ca0f..adb81dd64b 100644 --- a/etc/news.scm +++ b/etc/news.scm 
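Review bot: on the hunk adding the user-account activation vulnerability entry, the body describes the bug and the attack window but gives no remediation: it does not say whether commit 2161820ebbbab62a5ce76c9101ebaec54dc61586 (the entry's own commit) contains the fix, nor what affected users should do. For a privilege-escalation advisory, the first paragraph should state "this is fixed as of commit <fixing commit>; reconfigure your system" before the description of how the attack works, so that readers who stop after the summary know what action to take. The scoping sentence ("only vulnerable during the activation of user accounts that do not already exist") is good and should stay near the top.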
@@ -31,6 +31,13 @@ escalation has been found in the code that creates user accounts on Guix System---Guix on other distros is unaffected. The system is only vulnerable during the activation of user accounts that do not already exist. +This bug is fixed and Guix System users are advised to upgrade their system, +with a command along the lines of: + +@example +guix system reconfigure /run/current-system/configuration.scm +@end example + The attack can happen when @command{guix system reconfigure} is running. Running @command{guix system reconfigure} can trigger the creation of new user accounts if the configuration specifies new accounts. If a user whose account -- cgit v1.2.3 From 3b6247ba6d531be61b85e8b0c02ff4d7118593f5 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sat, 3 Apr 2021 22:19:28 +0200 Subject: news: Clarify time window for account activation vulnerability. * etc/news.scm: Tweak wording about skeleton files. --- etc/news.scm | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'etc/news.scm') diff --git a/etc/news.scm b/etc/news.scm index adb81dd64b..3e5b2d7824 100644 --- a/etc/news.scm +++ b/etc/news.scm 
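Review bot: on the upgrade-recommendation hunk, "users are advised to upgrade their system" followed only by `guix system reconfigure /run/current-system/configuration.scm` leaves implicit that the fix is only applied if the `guix` running reconfigure already includes it. Channel news is displayed after `guix pull`, so that will normally be true, but adding "after running @command{guix pull}" or naming the fixed commit in the body would let readers confirm with `guix describe` that they are past the fix. Placing this paragraph right after the scoping sentence and before the attack description is the right order.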
@@ -42,9 +42,10 @@ The attack can happen when @command{guix system reconfigure} is running. Running @command{guix system reconfigure} can trigger the creation of new user accounts if the configuration specifies new accounts. If a user whose account is being created manages to log in after the account has been created but -before ``skeleton files'' have been copied to its home directory, they may, by -creating an appropriately-named symbolic link in the home directory pointing -to a sensitive file, such as @file{/etc/shadow}, get root privileges. +before ``skeleton files'' copied to its home directory have the right +ownership, they may, by creating an appropriately-named symbolic link in the +home directory pointing to a sensitive file, such as @file{/etc/shadow}, get +root privileges. See @uref{https://issues.guix.gnu.org/47584} for more information on this bug."))) -- cgit v1.2.3 From 86617c92c6a795668b2eca3d3c3b285cb742cb24 Mon Sep 17 00:00:00 2001 From: Florian Pelz Date: Sun, 4 Apr 2021 06:47:42 +0200 Subject: news: Add 'de' translation. * etc/news.scm: Add German translation of user activation entry. --- etc/news.scm | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) (limited to 'etc/news.scm') diff --git a/etc/news.scm b/etc/news.scm index 3e5b2d7824..65d83061df 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -24,7 +24,8 @@ (entry (commit "2161820ebbbab62a5ce76c9101ebaec54dc61586") (title - (en "Risk of local privilege escalation during user account creation")) + (en "Risk of local privilege escalation during user account creation") + (de "Risiko lokaler Rechteausweitung während der Erstellung von Benutzerkonten")) (body (en "A security vulnerability that can lead to local privilege escalation has been found in the code that creates user accounts on Guix 
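Review bot: on the reworded time-window hunk, "before ``skeleton files'' copied to its home directory have the right ownership" is hard to parse on first reading (the eye pairs "files copied" as subject and verb); "before the ``skeleton files'' copied to its home directory have been given the right ownership" says the same thing unambiguously. The change also widens the stated window compared with the previous wording (from "before the files have been copied" to "before they have the right ownership"), which matters to anyone assessing exposure, so the commit message should say that the earlier text understated the window rather than just "tweak wording".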
@@ -48,7 +49,31 @@ home directory pointing to a sensitive file, such as @file{/etc/shadow}, get root privileges. See @uref{https://issues.guix.gnu.org/47584} for more information on this -bug."))) +bug.") + (de "Eine Sicherheitslücke, die eine lokale Rechteausweitung zur +Folge haben kann, wurde in dem Code gefunden, mit dem Benutzerkonten auf Guix +System angelegt werden — Guix auf anderen Distributionen ist nicht betroffen. +Das System kann nur während der Aktivierung noch nicht existierender +Benutzerkonten angegriffen werden. + +Der Fehler wurde behoben und wir empfehlen Nutzern von Guix System, ihre +Systeme zu aktualisieren, mit einem Befehl wie: + +@example +guix system reconfigure /run/current-system/configuration.scm +@end example + +Der Angriff kann erfolgen, während @command{guix system reconfigure} läuft. +Wenn @command{guix system reconfigure} ausgeführt wird, kann das die Erzeugung +neuer Benutzerkonten auslösen, wenn in der Konfiguration neue Konten angegeben +wurden. Wenn ein Benutzer, dessen Konto gerade angelegt wird, es +fertigbringt, sich anzumelden, bevor „Skeleton-Dateien“ in seinem Persönlichen +Verzeichnis den richtigen Besitzer haben, kann er durch Anlegen einer gezielt +benannten symbolischen Verknüpfung in seinem Persönlichen Verzeichnis auf eine +sensible Datei wie @file{/etc/shadow} Administratorrechte erlangen. + +Siehe @uref{https://issues.guix.gnu.org/47584} für mehr Informationen zu +diesem Fehler."))) (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06") (title -- cgit v1.2.3
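Review bot: on the German body hunk, "Wenn ein Benutzer, dessen Konto gerade angelegt wird, es fertigbringt, sich anzumelden, bevor ..." drops the English "after the account has been created but", so the German states only the end of the window; "sich nach dem Anlegen des Kontos, aber bevor ... den richtigen Besitzer haben, anzumelden" would keep both bounds. Minor: the German uses a literal em dash where the English uses Texinfo ---; both render the same in this UTF-8 file, so no change needed there.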