author | Jairo Llopis <yajo.sk8@gmail.com> | 2022-07-06 10:34:30 +0100 |
---|---|---|
committer | Jairo Llopis <yajo.sk8@gmail.com> | 2022-07-06 13:28:10 +0100 |
commit | da4c6be0187a694bdeb3efc28b29ee0e4c30702f (patch) | |
tree | 92206123c97165400c6da92e4c4a5288ce12229c /pkgs/tools/networking/openssh | |
parent | 8ef7523c8e11da7fd23e6b87371e7aa1eab718bb (diff) | |
openssh_gssapi: 8.4p1 -> 9.0p1
Fixes https://github.com/NixOS/nixpkgs/issues/142999, CVE-2021-28041, CVE-2021-41617, CVE-2016-20012 @moduon MT-904
Diffstat (limited to 'pkgs/tools/networking/openssh')
-rw-r--r-- | pkgs/tools/networking/openssh/default.nix | 18 | ||||
-rw-r--r-- | pkgs/tools/networking/openssh/ssh-copy-id-fix-eof.patch | 21 | ||||
-rw-r--r-- | pkgs/tools/networking/openssh/ssh-keysign-8.4.patch | 29 |
3 files changed, 5 insertions, 63 deletions
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 022aa22260d..55aec86bee5 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -47,32 +47,24 @@ in
 openssh_gssapi = common rec {
 pname = "openssh-with-gssapi";
- version = "8.4p1";
+ version = "9.0p1";
 extraDesc = " with GSSAPI support";
 src = fetchurl {
 url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
- sha256 = "091b3pxdlj47scxx6kkf4agkx8c8sdacdxx8m1dw1cby80pd40as";
+ sha256 = "12m2f9czvgmi7akp7xah6y7mrrpi280a3ksk47iwr7hy2q1475q3";
 };
 extraPatches = [
- ./ssh-keysign-8.4.patch
-
- # See https://github.com/openssh/openssh-portable/pull/206
- ./ssh-copy-id-fix-eof.patch
+ ./ssh-keysign-8.5.patch
 (fetchpatch {
 name = "openssh-gssapi.patch";
- url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-2/debian/patches/gssapi.patch";
- sha256 = "1z1ckzimlkm1dmr9f5fqjnjg28gsqcwx6xka0klak857548d2lp2";
+ url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-1/debian/patches/gssapi.patch";
+ sha256 = "sha256-VG7+2dfu09nvHWuSAB6sLGMmjRCDCysl/9FR1WSF21k=";
 })
 ];
 extraNativeBuildInputs = [ autoreconfHook ];
-
- extraMeta.knownVulnerabilities = [
- "CVE-2021-28041"
- "CVE-2021-41617"
- ];
 };
 }
diff --git a/pkgs/tools/networking/openssh/ssh-copy-id-fix-eof.patch b/pkgs/tools/networking/openssh/ssh-copy-id-fix-eof.patch
deleted file mode 100644
index 4ba2b562f55..00000000000
--- a/pkgs/tools/networking/openssh/ssh-copy-id-fix-eof.patch
+++ /dev/null
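Review bot: The `extraPatches` entry `./ssh-keysign-8.5.patch` in the `default.nix` hunk has no comment and is not added by this commit (the diffstat lists three files), so a reader cannot tell from here what it changes or that it was checked against 9.0p1. If it matches the 8.4 variant deleted below, it replaces the absolute `_PATH_SSH_KEY_SIGN` with a bare name run through `execlp`, which decides which helper binary handles host-based authentication; a comment such as `# look up ssh-keysign via PATH instead of /usr/libexec (see patch)` would record that. The commit message also cites CVE-2016-20012, which was not in the removed `knownVulnerabilities` list and which nothing visible here ties to 9.0p1, so that claim is worth confirming against the upstream release notes.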
@@ -1,21 +0,0 @@
-diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
-index 392f64f..a769077 100644
---- a/contrib/ssh-copy-id
-+++ b/contrib/ssh-copy-id
-@@ -247,7 +247,7 @@ installkeys_sh() {
- # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
- # the cat adds the keys we're getting via STDIN
- # and if available restorecon is used to restore the SELinux context
-- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
-+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
- cd;
- umask 077;
- mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
-@@ -258,6 +258,7 @@ installkeys_sh() {
- restorecon -F .ssh ${AUTH_KEY_FILE};
- fi
- EOF
-+ )
-
- # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
- printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
diff --git a/pkgs/tools/networking/openssh/ssh-keysign-8.4.patch b/pkgs/tools/networking/openssh/ssh-keysign-8.4.patch
deleted file mode 100644
index 7258f4a4db1..00000000000
--- a/pkgs/tools/networking/openssh/ssh-keysign-8.4.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff --git a/pathnames.h b/pathnames.h
-index cb44caa4..354fdf05 100644
---- a/pathnames.h
-+++ b/pathnames.h
-@@ -124,7 +124,7 @@
-
- /* Location of ssh-keysign for hostbased authentication */
- #ifndef _PATH_SSH_KEY_SIGN
--#define _PATH_SSH_KEY_SIGN "/usr/libexec/ssh-keysign"
-+#define _PATH_SSH_KEY_SIGN "ssh-keysign"
- #endif
-
- /* Location of ssh-pkcs11-helper to support keys in tokens */
-diff --git a/sshconnect2.c b/sshconnect2.c
-index dffee90b..e9a86e59 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -1879,7 +1879,7 @@ ssh_keysign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp,
- closefrom(sock + 1);
- debug3("%s: [child] pid=%ld, exec %s",
- __func__, (long)getpid(), _PATH_SSH_KEY_SIGN);
-- execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
-+ execlp(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
- fatal("%s: exec(%s): %s", __func__, _PATH_SSH_KEY_SIGN,
- strerror(errno));
- }
---
-2.22.0
-
|