author: Jade Lovelace <lix@jade.fyi> 2024-05-20 12:17:54 -0700
committer: eldritch horrors <pennae@lix.systems> 2024-05-22 21:13:56 +0200
commit: dcc7ea54986e0712666b15b502b6f89dd42b000c
tree: b61015050de043a02c0b78a9cac6fe4b985d0398 /doc/manual/rl-next/cve-fod-fix.md
parent: 0bf4c2971f6b57dbba3b79986d9f65ae7924260f
release notes: add a bunch of them

Also fix typos introduced by the commits I read. I have run the addDrvOutputDependencies release note past Ericson since I was confused by what the heck it was doing, and he was saying it was reasonable.

Change-Id: Id015353b00938682f7faae7de43df7f991a5237e
Diffstat (limited to 'doc/manual/rl-next/cve-fod-fix.md')
-rw-r--r-- doc/manual/rl-next/cve-fod-fix.md 21
1 file changed, 21 insertions, 0 deletions
diff --git a/doc/manual/rl-next/cve-fod-fix.md b/doc/manual/rl-next/cve-fod-fix.md
new file mode 100644
index 000000000..4499f639b
--- /dev/null
+++ b/doc/manual/rl-next/cve-fod-fix.md
@@ -0,0 +1,21 @@
+---
+synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)"
+cls: 266
+credits: [puck, jade, thufschmitt, tomberek, valentin]
+category: Fixes
+---
+
+Since Lix fixed-output derivations run in the host network namespace (which we
+wish to change in the future, see
+[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open
+abstract-namespace Unix sockets to each other and to programs on the host. Lix
+contained a now-fixed time-of-check/time-of-use vulnerability where one
+derivation could send writable handles to files in their final location in the
+store to another over an abstract-namespace Unix socket, exit, then the other
+derivation could wait for Lix to hash the paths and overwrite them.
+
+The impact of this vulnerability is that two malicious fixed-output derivations
+could create a poisoned path for the sources to Bash or similarly important
+software containing a backdoor, leading to local privilege execution.
+
+CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
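Review bot: "leading to local privilege execution" in the impact paragraph (`+software containing a backdoor, leading to local privilege execution.`) is not an established term and reads like a typo; the outcome the paragraph describes, a backdoored source path for Bash sitting in the store where later builds and the system trust it, is privilege escalation, so suggest "leading to local privilege escalation". Two smaller wording points in the same file: the opening `+Since Lix fixed-output derivations run in the host network namespace (which we` reads better as "Since fixed-output derivations in Lix run in the host network namespace", and in "send writable handles to files in their final location in the store" it is worth saying whose final location is meant (the files' final store paths), since "their" can be read as referring to the derivations.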