authorJairo Llopis <yajo.sk8@gmail.com>2022-07-06 10:34:30 +0100
committerJairo Llopis <yajo.sk8@gmail.com>2022-07-06 13:28:10 +0100
commitda4c6be0187a694bdeb3efc28b29ee0e4c30702f (patch)
tree92206123c97165400c6da92e4c4a5288ce12229c /pkgs/tools/networking/openssh
parent8ef7523c8e11da7fd23e6b87371e7aa1eab718bb (diff)
openssh_gssapi: 8.4p1 -> 9.0p1
Fixes https://github.com/NixOS/nixpkgs/issues/142999, CVE-2021-28041, CVE-2021-41617, CVE-2016-20012

@moduon MT-904
Diffstat (limited to 'pkgs/tools/networking/openssh')
-rw-r--r--pkgs/tools/networking/openssh/default.nix18
-rw-r--r--pkgs/tools/networking/openssh/ssh-copy-id-fix-eof.patch21
-rw-r--r--pkgs/tools/networking/openssh/ssh-keysign-8.4.patch29
3 files changed, 5 insertions, 63 deletions
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 022aa22260d..55aec86bee5 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -47,32 +47,24 @@ in
 
   openssh_gssapi = common rec {
     pname = "openssh-with-gssapi";
-    version = "8.4p1";
+    version = "9.0p1";
     extraDesc = " with GSSAPI support";
 
     src = fetchurl {
       url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
-      sha256 = "091b3pxdlj47scxx6kkf4agkx8c8sdacdxx8m1dw1cby80pd40as";
+      sha256 = "12m2f9czvgmi7akp7xah6y7mrrpi280a3ksk47iwr7hy2q1475q3";
     };
 
     extraPatches = [
-      ./ssh-keysign-8.4.patch
-
-      # See https://github.com/openssh/openssh-portable/pull/206
-      ./ssh-copy-id-fix-eof.patch
+      ./ssh-keysign-8.5.patch
 
       (fetchpatch {
         name = "openssh-gssapi.patch";
-        url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-2/debian/patches/gssapi.patch";
-        sha256 = "1z1ckzimlkm1dmr9f5fqjnjg28gsqcwx6xka0klak857548d2lp2";
+        url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-1/debian/patches/gssapi.patch";
+        sha256 = "sha256-VG7+2dfu09nvHWuSAB6sLGMmjRCDCysl/9FR1WSF21k=";
       })
     ];
 
     extraNativeBuildInputs = [ autoreconfHook ];
-
-    extraMeta.knownVulnerabilities = [
-      "CVE-2021-28041"
-      "CVE-2021-41617"
-    ];
   };
 }
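Review bot: `./ssh-keysign-8.5.patch` on the new side (the line replacing `./ssh-keysign-8.4.patch`) is referenced but the diffstat, limited to this directory, lists no such file being added, so the build depends on that patch already existing here — presumably shared with the plain openssh attribute defined above this hunk — and that should be confirmed before merging. The removal of `./ssh-copy-id-fix-eof.patch` leaves no record of why it is no longer needed; a comment near the `extraPatches` list such as `# ssh-copy-id heredoc fix (openssh-portable#206) is no longer carried here; believed to be included upstream as of this release` would save the next bumper a search. As a point of style, the new gssapi `fetchpatch` hash uses the SRI form (`sha256-…`) while the `src` hash a few lines up stays in base32, so the two fetchers in one attribute now use different hash notations. The `openssh_gssapi` attribute starts before the hunk's first changed line (`common rec {` is context) and the hunk closes out the file.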
diff --git a/pkgs/tools/networking/openssh/ssh-copy-id-fix-eof.patch b/pkgs/tools/networking/openssh/ssh-copy-id-fix-eof.patch
deleted file mode 100644
index 4ba2b562f55..00000000000
--- a/pkgs/tools/networking/openssh/ssh-copy-id-fix-eof.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
-index 392f64f..a769077 100644
---- a/contrib/ssh-copy-id
-+++ b/contrib/ssh-copy-id
-@@ -247,7 +247,7 @@ installkeys_sh() {
-   #    the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
-   #    the cat adds the keys we're getting via STDIN
-   #    and if available restorecon is used to restore the SELinux context
--  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
-+  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
- 	cd;
- 	umask 077;
- 	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
-@@ -258,6 +258,7 @@ installkeys_sh() {
- 	  restorecon -F .ssh ${AUTH_KEY_FILE};
- 	fi
- EOF
-+  )
- 
-   # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
-   printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
diff --git a/pkgs/tools/networking/openssh/ssh-keysign-8.4.patch b/pkgs/tools/networking/openssh/ssh-keysign-8.4.patch
deleted file mode 100644
index 7258f4a4db1..00000000000
--- a/pkgs/tools/networking/openssh/ssh-keysign-8.4.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff --git a/pathnames.h b/pathnames.h
-index cb44caa4..354fdf05 100644
---- a/pathnames.h
-+++ b/pathnames.h
-@@ -124,7 +124,7 @@
- 
- /* Location of ssh-keysign for hostbased authentication */
- #ifndef _PATH_SSH_KEY_SIGN
--#define _PATH_SSH_KEY_SIGN		"/usr/libexec/ssh-keysign"
-+#define _PATH_SSH_KEY_SIGN		"ssh-keysign"
- #endif
- 
- /* Location of ssh-pkcs11-helper to support keys in tokens */
-diff --git a/sshconnect2.c b/sshconnect2.c
-index dffee90b..e9a86e59 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -1879,7 +1879,7 @@ ssh_keysign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp,
- 		closefrom(sock + 1);
- 		debug3("%s: [child] pid=%ld, exec %s",
- 		    __func__, (long)getpid(), _PATH_SSH_KEY_SIGN);
--		execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
-+		execlp(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
- 		fatal("%s: exec(%s): %s", __func__, _PATH_SSH_KEY_SIGN,
- 		    strerror(errno));
- 	}
--- 
-2.22.0
-