CVE-2024-6299: 
NixOS vulnerability analysis and mitigation

A critical security vulnerability (CVE-2024-6299) was identified in Conduit, affecting versions prior to 0.8.0. The vulnerability involves a lack of consideration of key expiry when validating signatures, which was discovered and disclosed in June 2024. This issue affects the Conduit chat server software and its signature validation mechanism (Conduit Changelog).

The vulnerability stems from improper validation of signatures in Conduit, specifically related to key expiry checks. The issue has been assigned a CVSS v3.1 base score of 3.7 (LOW) by NVD with a vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N, while GitLab assessed it as 4.8 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-324 (Use of a Key Past its Expiration Date) (NVD).

The vulnerability allows an attacker who has compromised an expired key to forge requests as the remote server and create PDUs (Protocol Data Units) with timestamps past the expiry date. This could potentially lead to unauthorized actions being performed on behalf of the remote server (NVD).

The vulnerability has been fixed in Conduit version 0.8.0. Administrators are strongly advised to upgrade to this version immediately, especially those running public homeservers with untrusted users. The release focuses on patching security vulnerabilities, including this critical issue (Conduit Changelog).

The Conduit development team emphasized the severity of this vulnerability by advising administrators with untrusted users on their servers to either update immediately or take their homeserver offline until they can update. They also implemented a verification process through the admin room to help identify potentially compromised servers (Conduit Changelog).