Add 1.11.10 release notes

(cherry picked from commit 0fb60e4e0f66cc42c7c274acfcf00b51f6c829c4)
This commit is contained in:
Eelco Dolstra 2017-06-12 13:56:38 +02:00
parent 38b7d55af1
commit 1dcadadf74
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
2 changed files with 32 additions and 0 deletions

View file

@ -13,6 +13,7 @@
--> -->
<xi:include href="rl-1.12.xml" /> <xi:include href="rl-1.12.xml" />
<xi:include href="rl-1.11.10.xml" />
<xi:include href="rl-1.11.xml" /> <xi:include href="rl-1.11.xml" />
<xi:include href="rl-1.10.xml" /> <xi:include href="rl-1.10.xml" />
<xi:include href="rl-1.9.xml" /> <xi:include href="rl-1.9.xml" />

View file

@ -0,0 +1,31 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="ssec-relnotes-1.11.10">
<title>Release 1.11.10 (2017-06-12)</title>
<para>This release fixes a security bug in Nixs “build user” build
isolation mechanism. Previously, Nix builders had the ability to
create setuid binaries owned by a <literal>nixbld</literal>
user. Such a binary could then be used by an attacker to assume a
<literal>nixbld</literal> identity and interfere with subsequent
builds running under the same UID.</para>
<para>To prevent this issue, Nix now disallows builders to create
setuid and setgid binaries. On Linux, this is done using a seccomp BPF
filter. Note that this imposes a small performance penalty (e.g. 1%
when building GNU Hello). Using seccomp, we now also prevent the
creation of extended attributes and POSIX ACLs since these cannot be
represented in the NAR format and (in the case of POSIX ACLs) allow
bypassing regular Nix store permissions. On OS X, the restriction is
implemented using the existing sandbox mechanism, which now uses a
minimal “allow all except the creation of setuid/setgid binaries”
profile when regular sandboxing is disabled. On other platforms, the
“build user” mechanism is now disabled.</para>
<para>Thanks go to Linus Heckemann for discovering and reporting this
bug.</para>
</section>