
openssh: 9.7p1 -> 9.8p1 (fixes CVE-2024-6387 “regreSSHion” RCE) #323753

Merged: 1 commit into NixOS:master, Jul 1, 2024

Conversation

@emilazy (Member) commented Jul 1, 2024

Fixes a critical security bug allowing remote code execution as root: https://www.openssh.com/txt/release-9.8

This is CVE-2024-6387:

Description of changes

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


Fixes a critical security bug allowing remote code execution as root:
<https://www.openssh.com/txt/release-9.8>

This may be CVE-2024-6387 (currently embargoed):
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387>
@emilazy (Member, Author) commented Jul 1, 2024

@ofborg test openssh

@alyssais (Member) commented Jul 1, 2024

Let's be optimistic here in the interests of getting the fix out ASAP. We can still monitor for test/build failures and fix them as follow up. Hydra will run the NixOS tests before updating nixos-unstable{,-small} anyway.

@alyssais alyssais merged commit 7f993cd into NixOS:master Jul 1, 2024
16 of 21 checks passed


@emilazy (Member, Author) commented Jul 1, 2024

are you doing okay there backport bot?

@emilazy (Member, Author) commented Jul 1, 2024

From @LeSuisse on Matrix:

    Going through the Qualys advisory they exploit via the DSA key parsing code which we disabled in April.
    It should give us some time until someone exploits it via another route.

Note that this only applies to the currently‐known practical exploit, which has only been demonstrated on 32‐bit Linux, not the underlying bug; it’s entirely likely that someone will come up with a more effective exploit that works on x86-64 and might use a different route of exploitation soon. Please update your server as soon as this PR hits your channel (or the stable backport), consider switching over to a -small channel if you can, and definitely upgrade to 24.05 ASAP if you’re not on it yet!

@emilazy emilazy changed the title openssh: 9.7p1 -> 9.8p1 openssh: 9.7p1 -> 9.8p1 (fixes CVE-2024-6387 “regreSSHion” RCE) Jul 1, 2024
@emilazy (Member, Author) commented Jul 1, 2024

From the Qualys advisory:

    Finally, if sshd cannot be updated or recompiled, this signal handler race condition can be fixed by simply setting LoginGraceTime to 0 in the configuration file. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from the remote code execution presented in this advisory.

You may want to consider setting services.openssh.settings.LoginGraceTime = 0; in your NixOS configuration while waiting for the channels.
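As an added illustration (not part of this PR or of nixpkgs itself), a NixOS module that applies the LoginGraceTime workaround only while the sshd package on the channel still predates 9.8p1, so the setting drops out automatically once the fixed package arrives; gating on `config.services.openssh.package.version` with `lib.versionOlder`, and surfacing the state through the `warnings` option, are my assumptions about how one would want to wire it:

```nix
{ config, lib, ... }:
let
  # Assumption: check whatever package the openssh service is set to run,
  # which is pkgs.openssh unless overridden by services.openssh.package.
  sshdPkg = config.services.openssh.package;
  # 9.8p1 is the first release containing the fix for CVE-2024-6387.
  stillVulnerable = lib.versionOlder sshdPkg.version "9.8p1";
in
{
  services.openssh = {
    enable = true;
    # Workaround from the Qualys advisory: a LoginGraceTime of 0 disables the
    # grace-period alarm whose signal handler races. The cost is that
    # unauthenticated clients can hold MaxStartups slots indefinitely (DoS),
    # so the definition is only active while the package is older than 9.8p1.
    settings.LoginGraceTime = lib.mkIf stillVulnerable 0;
  };

  # Emit an evaluation-time warning so a rebuild/deploy log shows whether the
  # temporary mitigation is still in effect on this host.
  warnings = lib.optional stillVulnerable
    "openssh ${sshdPkg.version} predates 9.8p1; LoginGraceTime=0 workaround for CVE-2024-6387 is active";
}
```

Once the channel delivers 9.8p1 the mkIf condition becomes false and sshd_config reverts to its normal LoginGraceTime without any further configuration change.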

@nixos-discourse commented

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/security-advisory-openssh-cve-2024-6387-regresshion-update-your-servers-asap/48220/1

@r-vdp r-vdp mentioned this pull request Jul 1, 2024
13 tasks
r-vdp added a commit to r-vdp/nixpkgs that referenced this pull request Jul 1, 2024
vilvo added a commit to vilvo/ghaf-infra that referenced this pull request Jul 1, 2024
* NixOS/nixpkgs#323753
* 24.05 as 23.11 not supported anymore
* mitigates CVE-2024-6387 while waiting for the
  fix to land 24.05

Signed-off-by: Ville Ilvonen <[email protected]>
github-actions bot pushed a commit that referenced this pull request Jul 1, 2024
Broken in #323753

(cherry picked from commit 79d8116)
tvlbot pushed a commit to tvlfyi/tvix that referenced this pull request Jul 1, 2024
See NixOS/nixpkgs#323753 for details.

Changes:

* git: temporarily comment out dottime patch (it doesn't apply, but it's not critical)
* third-party/cgit: use an older git version where dottime patch still applies
* 3p/crate2nix: remove crate2nix patches included in latest release
* tvix: remove unneeded defaultCrateOverrides (upstreamed to nixpkgs)
* tvix: regenerate Cargo.nix
* tvix/nix-compat: remove unused AtermWriteable::aterm_bytes pub(crate) function
* tvix/nix-compat: remove redundant trait bounds
* tvix/glue: use clone_into() to set drv.{builder,system}
* tools/crate2nix: apply workaround for numtide/treefmt#327
* toold/depotfmt: expose treefmt config as passthru
* tools/crate2nix: undo some more hacks in the crate2nix-check drv

Change-Id: Ifbcedeb3e8f81b2f6ec1dbf10189bfa6dfd9c75c
Co-Authored-By: Florian Klink <[email protected]>
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11907
Reviewed-by: tazjin <[email protected]>
Tested-by: BuildkiteCI
Reviewed-by: flokli <[email protected]>
tvlbot pushed a commit to tvlfyi/kit that referenced this pull request Jul 1, 2024
CHN-beta pushed a commit to CHN-beta/nixpkgs that referenced this pull request Jul 2, 2024
@nixos-discourse commented

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/security-advisory-openssh-cve-2024-6387-regresshion-update-your-servers-asap/48220/19

chayleaf pushed a commit to chayleaf/nixpkgs that referenced this pull request Jul 11, 2024
@emilazy emilazy deleted the openssh-9.8p1 branch August 26, 2024 01:05