# CVE Review — ereshkigal — June 2026
Date: 2026-06-17
Host: ereshkigal (x86_64-linux; media/document server, PKI CA, Nix build cache)
Source: `critical_cves.json` — vulnix scan of ereshkigal's system closure, filtered to CVSS > 9 (`just vulscan`). 60 store paths across 19 unique package names.
## Executive summary
The June list is dominated by name-collision false positives (Haskell/PHP/.NET packages matched to unrelated product CVEs) and build-time-only components. After triage, exactly one finding was a real, network-reachable risk:
- step-ca 0.29.0 → CVE-2026-30836 (CVSS 10.0) — the running certificate authority (port 9443, LAN + Tailscale). Remediated by repackaging step-ca to 0.30.2.
Two structural defects explained why the list looked the way it did this month, and were also fixed:
- Expired whitelist entries. Five `whitelist.toml` entries carried `until = "2026-06-01"` (cereal, lapack, python-2.7, snappy, orc). They expired and `vulnix` re-surfaced them.
- A dead remediation overlay. `overlays/cves.nix` was imported by nothing — every force-upgrade in it (sqlite, curl→8.14.1, thrift, orc, lapack, freerdp, gpsd) never ran, and it carried copy-paste bugs (the `network`/`zlib`/`diff` blocks tested `prev.curl`'s version). It has been deleted; the only wired overlay is `overlays/default.nix.security` (applied at `modules/flake/nix/nixos.nix`).
- The whitelist never actually worked. Every section key used a glob (`["pname.*"]`), but `vulnix` (1.12.1) matches sections by exact `pname` or `pname-version` — there is no glob support, so every rule silently matched nothing (the source scan's `whitelisted` arrays were all empty). All keys were rewritten to bare `[pname]` / quoted `["pname-version"]`. After the fix the whitelist suppresses the false positives as intended: the `critical_cves.json` entry count dropped from 60 to 32 and every name-collision package (Sentry, network, orc, snappy, Diff, ShellCheck, xunit, curl, thrift, zlib-binding) plus python-2.7 disappears from the scan. What remains is all real: glibc, go, libraw, openexr, openssl, perl, unbound.
One process note for follow-up (not changed here):
- CI (`.github/workflows/cve.yml`) scans mokou, not ereshkigal. Consider adding this host.
## Triage

### Tier 0 — real & network-exposed → fixed now
| Package | CVE (CVSS) | Reachability | Action |
|---|---|---|---|
| step-ca 0.29.0 | CVE-2026-30836 (10.0) | Running CA, port 9443, LAN + Tailscale | Repackaged → 0.30.2 (upstream fix; not yet in nixpkgs) |
### Tier 1 — real, in closure, NOT network-reachable → nixpkgs bump (low urgency)
| Package | Worst CVE | Why de-prioritized |
|---|---|---|
| unbound 1.24.2 / 1.25.0 | CVE-2026-42960 (10.0) | No resolver runs (no services.unbound/dnscrypt). Transitive only; DNS-serving CVEs unreachable. |
| go 1.24.13 | CVE-2026-27143 (9.8) | Toolchain; mostly stdlib DoS. Bump nixpkgs → rebuilds inherit fixes. |
| glibc 2.40 / 2.42 | CVE-2026-5450 (9.8) | Ubiquitous, local-API. Resolves on nixpkgs bump. |
| perl 5.40 / 5.42 | CVE-2026-4176 (9.8) | CVE-2026-8376 is 32-bit-only → N/A on 64-bit host. |
| openssl 3.6.2 | CVE-2026-7383 (8.1), CVE-2026-45447 (8.8) | New this scan (recent 2026 disclosures): CMS/PKCS#7/S-MIME, AES-SIV, DHX paths. ereshkigal does no S/MIME or CMS processing, so reachability is low. Resolves on nixpkgs openssl bump. |
| thrift 0.22.0 | 11 real Apache Thrift CVEs (<0.23.0) | Transitive, not a service. Fix is 0.23.0 — not yet in nixpkgs; whitelisted short-term (until 2026-09-01). |
### Tier 2 — real, very low reachability (file-parse libs; no hostile-media workflow)
openexr 3.3.8/3.4.10 (14 CVEs, EXR-parse RCE), libraw 0.22.1 (RAW-parse RCE), zlib 1.3.2 (MiniZip/untgz contrib, not core). Transitive image libs; reachable only by parsing untrusted media, which this host does not do. Resolve on nixpkgs bump.
### Tier 3 — confirmed FALSE POSITIVES (name collisions) → whitelist hygiene
| Package | Reality | Whitelist action |
|---|---|---|
| Diff 1.0.2 | Haskell Diff ≠ Drupal Diff | already whitelisted |
| Sentry 4.0.2 | Haskell process-monitor ≠ MobileIron/Telestream/getsentry | added (was missing) |
| ShellCheck / shellcheck 0.11.0 | CVE is the VS Code extension | whitelisted; added lowercase variant |
| curl 0.4.46/0.4.49 | Haskell binding ≠ system curl 8.x | already whitelisted |
| network 3.2.8.0 | Haskell lib ≠ Fidelis Network/Deception | whitelisted; +3 new IDs (CVE-2021-35050, CVE-2022-0486, CVE-2022-0997) |
| xunit 2.9.2 | .NET ≠ Jenkins xUnit plugin | already whitelisted |
| snappy 1.2.2 | Google Snappy (C++) ≠ PHP knp-snappy | re-issued as permanent FP (was expired) |
| orc 0.4.41 | GStreamer ORC ≠ Apache ORC | re-issued as permanent FP (was expired) |
| zlib 0.7.1.1 | Haskell binding | whitelisted; +CVE-2026-27820 (Ruby zlib gem) |
### Tier 4 — EOL / build-time → policy

- python 2.7.18.12 (28 CVEs, EOL) — build-time only. Traced to `toplevel → etc → direnvrc → nix-direnv → resholve → python-2.7.18`: resholve (the Oil/Python-2 script hardener) is run by nix-direnv at build time. Absent from the runtime closure — none of the 28 CVEs are reachable on the deployed system. resholve has no python3 build in nixpkgs yet. Whitelisted as build-time-only (until 2026-12-01); re-check when resholve migrates to Oils/python3. nix-direnv retained per maintainer preference.
- go-1.22 bootstrap (45 CVEs) — build-time only, never runs or serves; accepted (one CVE already whitelisted with the build-time rationale).
## Changes applied (this review)

- `overlays/default.nix` — added a `buildGoModule` repackage of step-ca 0.30.2 (upstream `smallstep/certificates` v0.30.2, `forceFetchGit`, fresh `vendorHash`) to close CVE-2026-30836.
- `overlays/cves.nix` — deleted (dead code, never imported).
- `whitelist.toml` —
  - Fixed all section keys from non-matching globs (`["pname.*"]`) to vulnix's exact format: bare `[pname]` for false positives, quoted `["python-2.7.18.12"]` where a real same-pname package coexists (python3) or a version must be pinned. This is what made the whitelist take effect for the first time.
  - Added `Sentry`, lowercase `shellcheck`; re-issued `snappy`/`orc` as permanent false positives; added new `network`/`zlib` CVE IDs; re-scoped `thrift` (real Apache Thrift CVEs, `until 2026-09-01`); listed the full python-2.7 CVE set as build-time-only (until 2026-12-01); bumped stale `cereal`/`lapack` dates; removed the never-matching `go-1.*-bootstrap` block (go is a bump-nixpkgs item).
## Residual / follow-up
- Bump nixpkgs to clear Tier 1/2 (glibc, go, perl, openexr, libraw, unbound) when convenient.
- Re-scan and confirm the whitelist is actually applied (empty `whitelisted` arrays in the source scan).
- Upgrade thrift → 0.23.0 and re-check resholve/python3 when nixpkgs ships them; drop the corresponding whitelist entries.
- Consider adding ereshkigal to the CI CVE scan.
## Verification

```shell
nom build .#nixosConfigurations.ereshkigal.config.system.build.toplevel
just vulscan   # regenerate critical_cves.json with the updated whitelist
```

Expect: step-ca and thrift absent, Tier-3 false positives absent from `affected_by`, python-2.7 absent. Confirm transitivity claims with `nix why-depends ./result <store-path>`.