Nix · Nix · CVE-2024-47174
**Name of the Vulnerable Software and Affected Versions**
Nix versions 1.11 through 2.18.7 (2.18 series; fixed in 2.18.8)
Nix versions 2.19 through 2.24.7 (fixed in 2.24.8)
**Description**
Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and before versions 2.18.8 and 2.24.8, its built-in fetcher `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. An attacker positioned as a man-in-the-middle (MITM) could therefore observe connection details such as full URLs and any credentials sent with the request. Users are exposed to credential leakage if they authenticate with a `netrc` file, or if they rely on derivations that use `impureEnvVars` to read credentials from the environment. The common trust-on-first-use (TOFU) way of updating a dependency, giving it an invalid hash and letting the correct output be obtained from a remote store, was also affected: a MITM could inject arbitrary store objects.
**Recommendations**
For Nix versions 1.11 through 2.18.7, update to version 2.18.8 or later.
For Nix versions 2.19 through 2.24.7, update to version 2.24.8 or later.
As a temporary workaround, do (authenticated) fetching with `pkgs.fetchurl` from Nixpkgs instead of `<nix/fetchurl.nix>`, passing credentials in through a `netrc` file built from impure environment variables (`impureEnvVars`) and any extra curl options through `curlOpts` as needed.
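The following Nix expression is an added example, not code from the advisory or from the Nix or Nixpkgs projects. It places the fetch pattern the advisory describes next to the recommended workaround, and adds an evaluation-time check of the running Nix version against the affected ranges above. The URL, the placeholder hash, the `example.com` machine entry and the `EXAMPLE_USER` / `EXAMPLE_TOKEN` variable names are assumptions for illustration; it also assumes `<nixpkgs>` is on `NIX_PATH`.

```nix
# Added example; not from the advisory or the Nix/Nixpkgs projects.
# Assumed: <nixpkgs> on NIX_PATH; the URL, placeholder hash, machine name
# and environment-variable names below are invented for illustration.
{ pkgs ? import <nixpkgs> { } }:

let
  inherit (pkgs) lib;
  nixVersion = builtins.nixVersion;

  # Ranges from the advisory: 1.11 up to but not including 2.18.8, and
  # 2.19 up to but not including 2.24.8 (2.18.8+ carries the backported fix).
  affected =
    (lib.versionAtLeast nixVersion "1.11" && lib.versionOlder nixVersion "2.18.8")
    || (lib.versionAtLeast nixVersion "2.19" && lib.versionOlder nixVersion "2.24.8");

  url = "https://example.com/private/src.tar.gz";                 # assumed
  hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   # placeholder

  # The pattern the advisory describes: on an affected Nix the built-in
  # fetcher does not verify the server certificate, so a MITM on the path
  # sees the full URL and whatever credentials accompany the request
  # (a netrc file, or variables passed in via impureEnvVars). Writing
  # `hash = lib.fakeHash;` here instead of a real hash is the TOFU workflow
  # the advisory says was also open to store-object injection.
  viaBuiltinFetcher = import <nix/fetchurl.nix> { inherit url hash; };

  # Workaround named in the advisory: fetch with Nixpkgs' fetchurl, which
  # runs curl inside a builder, and hand credentials to curl through a
  # netrc file assembled from impure environment variables instead of
  # embedding them in the URL.
  viaNixpkgsFetcher = pkgs.fetchurl {
    inherit url hash;
    # Variables copied from the environment Nix was started from into the
    # fixed-output builder (assumed names).
    netrcImpureEnvVars = [ "EXAMPLE_USER" "EXAMPLE_TOKEN" ];
    # Runs in the build directory; fetchurl then points curl at the netrc
    # file written here.
    netrcPhase = ''
      cat > netrc <<EOF
      machine example.com
      login $EXAMPLE_USER
      password $EXAMPLE_TOKEN
      EOF
    '';
    # Extra curl flags the server may need. Never add -k/--insecure here:
    # that would recreate the certificate-verification gap the workaround
    # is meant to avoid.
    curlOptsList = [ "--max-time" "600" ];
  };
in
{
  inherit nixVersion affected viaBuiltinFetcher viaNixpkgsFetcher;
}
```

`nix-instantiate --eval -A affected cve-2024-47174.nix` prints `true` on a Nix in one of the affected ranges and `false` otherwise, which is a quick way to confirm an upgrade took effect before relying on the built-in fetcher again. The version check only knows the ranges listed in the advisory; a pre-release string that sorts into a range is reported as affected, which is the conservative answer.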