Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openssh_{hpn,gssapi}: add backported security fix patches #323768

Merged
merged 1 commit into from
Jul 1, 2024
Merged

openssh_{hpn,gssapi}: add backported security fix patches #323768

merged 1 commit into from
Jul 1, 2024

Conversation

emilazy
Copy link
Member

@emilazy emilazy commented Jul 1, 2024
edited by alyssais
Loading

Fixes a critical security bug allowing remote code execution as root: https://www.openssh.com/txt/release-9.8

This may be CVE-2024-6387 (currently embargoed): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387

Thanks to upstream and Sam James for the backport: gentoo/gentoo@1633ef4

Please don’t use these packages on the open internet if you care a lot about security.

Description of changes

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@emilazy emilazy added 1.severity: security Issues which raise a security issue, or PRs that fix one backport release-23.11 backport release-24.05 Backport PR automatically labels Jul 1, 2024
@emilazy emilazy mentioned this pull request Jul 1, 2024
Merged
13 tasks
@emilazy
openssh_{hpn,gssapi}: add backported security fix patches
e215591 
Fixes a critical security bug allowing remote code execution as root:
<https://www.openssh.com/txt/release-9.8>

This may be CVE-2024-6387 (currently embargoed):
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387>

Thanks to upstream and Sam James <sam@gentoo.org> for the backport:
<gentoo/gentoo@1633ef4>

Please don’t use these packages on the open internet if you care
a lot about security.
@emilazy emilazy force-pushed the openssh-hpn-gssapi-regresshion branch from 9a0d61b to e215591 Compare July 1, 2024 09:34
@ofborg ofborg bot requested a review from wahjava July 1, 2024 10:43
@alyssais alyssais merged commit e328c86 into NixOS:master Jul 1, 2024
34 of 38 checks passed
@github-actions github-actions bot mentioned this pull request Jul 1, 2024
Merged
1 task
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 1, 2024

Successfully created backport PR for release-23.11:

@github-actions github-actions bot mentioned this pull request Jul 1, 2024
Merged
1 task
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 1, 2024

Successfully created backport PR for release-24.05:

@me-and
Copy link
Contributor

me-and commented Jul 2, 2024

What's the need for these patches on OpenSSH 9.8p1? The patches claim to be backports, so I'd have thought they'd only be needed for earlier releases that don't have the full upstream fixes.

That is, why is it necessary to have both this change and #323753?

@alyssais
Copy link
Member

alyssais commented Jul 2, 2024

They are not applied to 9.8p1. This PR backports them for non-upstream variants of OpenSSH that have not yet caught up with 9.8p1.

@me-and
Copy link
Contributor

me-and commented Jul 2, 2024

Ah yes, of course! I completely misread the patch. Thank you for explaining.

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/security-advisory-openssh-cve-2024-6387-regresshion-update-your-servers-asap/48220/19

@mweinelt mweinelt mentioned this pull request Jul 4, 2024
Open
@emilazy emilazy deleted the openssh-hpn-gssapi-regresshion branch August 26, 2024 01:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alyssais alyssais alyssais approved these changes

@wahjava wahjava Awaiting requested review from wahjava

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 1-10 10.rebuild-linux: 1-10 backport release-24.05 Backport PR automatically
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@emilazy @me-and @alyssais @nixos-discourse