openssh: 9.7p1 -> 9.8p1 (fixes CVE-2024-6387 “regreSSHion” RCE) #323753
Conversation
Fixes a critical security bug allowing remote code execution as root: <https://www.openssh.com/txt/release-9.8> This may be CVE-2024-6387 (currently embargoed): <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387>
@ofborg test openssh
Let's be optimistic here in the interests of getting the fix out ASAP. We can still monitor for test/build failures and fix them as follow up. Hydra will run the NixOS tests before updating nixos-unstable{,-small} anyway.
Stable backports:
Working on
Are you doing okay there, backport bot?
Note that this only applies to the currently-known practical exploit, which has only been demonstrated on 32-bit Linux, not the underlying bug; it's entirely likely that someone will come up with a more effective exploit that works on x86-64 and might use a different route of exploitation soon. Please update your server as soon as this PR hits your channel (or the stable backport), consider switching over to a
From the Qualys advisory:
You may want to consider setting
This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
* NixOS/nixpkgs#323753
* 24.05 as 23.11 not supported anymore
* mitigates CVE-2024-6387 while waiting for the fix to land 24.05
Signed-off-by: Ville Ilvonen <[email protected]>
See NixOS/nixpkgs#323753 for details.
Changes:
* git: temporarily comment out dottime patch (it doesn't apply, but it's not critical)
* third-party/cgit: use an older git version where dottime patch still applies
* 3p/crate2nix: remove crate2nix patches included in latest release
* tvix: remove unneeded defaultCrateOverrides (upstreamed to nixpkgs)
* tvix: regenerate Cargo.nix
* tvix/nix-compat: remove unused AtermWriteable::aterm_bytes pub(crate) function
* tvix/nix-compat: remove redundant trait bounds
* tvix/glue: use clone_into() to set drv.{builder,system}
* tools/crate2nix: apply workaround for numtide/treefmt#327
* toold/depotfmt: expose treefmt config as passthru
* tools/crate2nix: undo some more hacks in the crate2nix-check drv
Change-Id: Ifbcedeb3e8f81b2f6ec1dbf10189bfa6dfd9c75c
Co-Authored-By: Florian Klink <[email protected]>
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11907
Reviewed-by: tazjin <[email protected]>
Tested-by: BuildkiteCI
Reviewed-by: flokli <[email protected]>
This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
Fixes a critical security bug allowing remote code execution as root: https://www.openssh.com/txt/release-9.8
This is CVE-2024-6387: