From e5934bd3ac55da1dc897a75bc89abb2733be9248 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Sun, 7 Jul 2024 02:37:19 +0200 Subject: [PATCH] Patch ssh for CVE --- deploy/flake.lock | 36 ++++++++++++++++---------------- flake.lock | 28 ++++++++++++------------- flakes/flake.lock | 26 +++++++++++------------ flakes/private/system/flake.nix | 11 ++++++++++ systems/backup-2/flake.lock | 2 +- systems/dilion/flake.lock | 2 +- systems/eldiron/flake.lock | 2 +- systems/monitoring-1/flake.lock | 2 +- systems/quatresaisons/flake.lock | 2 +- systems/zoldene/flake.lock | 2 +- 10 files changed, 62 insertions(+), 51 deletions(-) diff --git a/deploy/flake.lock b/deploy/flake.lock index 173774c..a99897e 100644 --- a/deploy/flake.lock +++ b/deploy/flake.lock @@ -2783,7 +2783,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-aQMjFircJnaQ7F/lHR7KD1kCEHqFQWPK5q52xTxJ5mI=", + "narHash": "sha256-dLi2BGW1KOrLq0JMSStCHPav+jOfBWt6iuYePpOvDLg=", "path": "../flakes", "type": "path" }, @@ -3832,7 +3832,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-Xi6/nJc0tvzKA2G78B/8wFsz5AvzdETb0L6JhWbG7CY=", + "narHash": "sha256-Yd9Vvt/0KEhv9F03pBFl92CdVVkMKZATRydj0AuPkKY=", "path": "../systems/backup-2", "type": "path" }, @@ -3855,7 +3855,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-4aJAofbJwlkzXZQ08yfQUdXFIIyhE/I1uh62TZoEwzw=", + "narHash": "sha256-dyKdDwCGS6DrHABVcaAgb8gawz3kq13kFQAZzK0FrvA=", "path": "../systems/dilion", "type": "path" }, @@ -3903,7 +3903,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-b/hJTZhCp7ypOTYcrMfOV1Ah8KWM+yc20Nnn3UWJ024=", + "narHash": "sha256-9mFf3apvj5y9USQ+nA26Mb2Ft/QdlrBVjQY2bQllFSw=", "path": "../systems/eldiron", "type": "path" }, @@ -3929,7 +3929,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-wFk8D4iOZW2iNR/5U3eaZzWWKo57CwApD8OEcfc2s+o=", + "narHash": "sha256-lk0Zt0avJlciIxcG3nscv+nRR/t0U1FdnnRvFQm6GUI=", "path": "../systems/monitoring-1", "type": "path" }, 
@@ -3954,7 +3954,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-WEK3g7AjtjWbnB9kQ4Guqyb8QI5xzThG5blFqAU1vNo=", + "narHash": "sha256-oyQ4ygkPMhgjJXdg5K2jxNJ487W7F51FQfyERfp2/Hw=", "path": "../systems/quatresaisons", "type": "path" }, @@ -3974,7 +3974,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-cfNImVC9wAtXY3Xl7gsGBMF1dTDcYUQ9Kxd8ZWLq7/E=", + "narHash": "sha256-G/V/UqQ+wwkek/dGJYd+nk9W0FTVCs0/oSTUPf05QV4=", "path": "../systems/zoldene", "type": "path" }, @@ -7656,7 +7656,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -7675,7 +7675,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -8527,7 +8527,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "./private/system", "type": "path" }, @@ -8888,11 +8888,11 @@ "nixpkgs": "nixpkgs_106" }, "locked": { - "lastModified": 1718531880, - "narHash": "sha256-BqLfVL7N6dO2oWB8Xo89uvO5cG8oDCRBgsk/TUnpcYs=", + "lastModified": 1720312456, + "narHash": "sha256-QTS2+W2Azb8y2lESQp4qJTDnfy3KpX+VheajRfDBcAs=", "ref": "master", - "rev": "b0236017d9da46b98017f348d7031a69526c0aeb", - "revCount": 738, + "rev": "92f3b74c6408e446e51e6c1ff57269cac4382b16", + "revCount": 742, "type": "git", "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets" }, @@ -9140,7 +9140,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, 
@@ -9159,7 +9159,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -9178,7 +9178,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -9197,7 +9197,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, diff --git a/flake.lock b/flake.lock index cd512a6..f711c1f 100644 --- a/flake.lock +++ b/flake.lock @@ -2664,7 +2664,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-aQMjFircJnaQ7F/lHR7KD1kCEHqFQWPK5q52xTxJ5mI=", + "narHash": "sha256-dLi2BGW1KOrLq0JMSStCHPav+jOfBWt6iuYePpOvDLg=", "path": "./flakes", "type": "path" }, @@ -3848,7 +3848,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-Xi6/nJc0tvzKA2G78B/8wFsz5AvzdETb0L6JhWbG7CY=", + "narHash": "sha256-Yd9Vvt/0KEhv9F03pBFl92CdVVkMKZATRydj0AuPkKY=", "path": "../systems/backup-2", "type": "path" }, @@ -3871,7 +3871,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-4aJAofbJwlkzXZQ08yfQUdXFIIyhE/I1uh62TZoEwzw=", + "narHash": "sha256-dyKdDwCGS6DrHABVcaAgb8gawz3kq13kFQAZzK0FrvA=", "path": "../systems/dilion", "type": "path" }, @@ -3919,7 +3919,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-b/hJTZhCp7ypOTYcrMfOV1Ah8KWM+yc20Nnn3UWJ024=", + "narHash": "sha256-9mFf3apvj5y9USQ+nA26Mb2Ft/QdlrBVjQY2bQllFSw=", "path": "../systems/eldiron", "type": "path" }, 
@@ -3945,7 +3945,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-wFk8D4iOZW2iNR/5U3eaZzWWKo57CwApD8OEcfc2s+o=", + "narHash": "sha256-lk0Zt0avJlciIxcG3nscv+nRR/t0U1FdnnRvFQm6GUI=", "path": "../systems/monitoring-1", "type": "path" }, @@ -3970,7 +3970,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-WEK3g7AjtjWbnB9kQ4Guqyb8QI5xzThG5blFqAU1vNo=", + "narHash": "sha256-oyQ4ygkPMhgjJXdg5K2jxNJ487W7F51FQfyERfp2/Hw=", "path": "../systems/quatresaisons", "type": "path" }, @@ -3990,7 +3990,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-cfNImVC9wAtXY3Xl7gsGBMF1dTDcYUQ9Kxd8ZWLq7/E=", + "narHash": "sha256-G/V/UqQ+wwkek/dGJYd+nk9W0FTVCs0/oSTUPf05QV4=", "path": "../systems/zoldene", "type": "path" }, @@ -7672,7 +7672,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -7691,7 +7691,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -8543,7 +8543,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "./private/system", "type": "path" }, @@ -9149,7 +9149,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -9168,7 +9168,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, 
@@ -9187,7 +9187,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -9206,7 +9206,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, diff --git a/flakes/flake.lock b/flakes/flake.lock index 7fa0b4f..b0b7045 100644 --- a/flakes/flake.lock +++ b/flakes/flake.lock @@ -3753,7 +3753,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-Xi6/nJc0tvzKA2G78B/8wFsz5AvzdETb0L6JhWbG7CY=", + "narHash": "sha256-Yd9Vvt/0KEhv9F03pBFl92CdVVkMKZATRydj0AuPkKY=", "path": "../systems/backup-2", "type": "path" }, @@ -3776,7 +3776,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-4aJAofbJwlkzXZQ08yfQUdXFIIyhE/I1uh62TZoEwzw=", + "narHash": "sha256-dyKdDwCGS6DrHABVcaAgb8gawz3kq13kFQAZzK0FrvA=", "path": "../systems/dilion", "type": "path" }, @@ -3824,7 +3824,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-b/hJTZhCp7ypOTYcrMfOV1Ah8KWM+yc20Nnn3UWJ024=", + "narHash": "sha256-9mFf3apvj5y9USQ+nA26Mb2Ft/QdlrBVjQY2bQllFSw=", "path": "../systems/eldiron", "type": "path" }, @@ -3850,7 +3850,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-wFk8D4iOZW2iNR/5U3eaZzWWKo57CwApD8OEcfc2s+o=", + "narHash": "sha256-lk0Zt0avJlciIxcG3nscv+nRR/t0U1FdnnRvFQm6GUI=", "path": "../systems/monitoring-1", "type": "path" }, @@ -3875,7 +3875,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-WEK3g7AjtjWbnB9kQ4Guqyb8QI5xzThG5blFqAU1vNo=", + "narHash": "sha256-oyQ4ygkPMhgjJXdg5K2jxNJ487W7F51FQfyERfp2/Hw=", "path": "../systems/quatresaisons", "type": "path" }, 
@@ -3895,7 +3895,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-cfNImVC9wAtXY3Xl7gsGBMF1dTDcYUQ9Kxd8ZWLq7/E=", + "narHash": "sha256-G/V/UqQ+wwkek/dGJYd+nk9W0FTVCs0/oSTUPf05QV4=", "path": "../systems/zoldene", "type": "path" }, @@ -7499,7 +7499,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -7518,7 +7518,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -8409,7 +8409,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "./private/system", "type": "path" }, @@ -9015,7 +9015,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -9034,7 +9034,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -9053,7 +9053,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, @@ -9072,7 +9072,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, 
diff --git a/flakes/private/system/flake.nix b/flakes/private/system/flake.nix index ad6c58c..6045fd4 100644 --- a/flakes/private/system/flake.nix +++ b/flakes/private/system/flake.nix @@ -30,6 +30,17 @@ secrets.deleteSecretsVars = true; secrets.secretsVars = "/run/keys/vars.yml"; + programs.ssh.package = lib.mkDefault ( + pkgs.openssh.overrideAttrs(old: rec { + patches = old.patches ++ [ + # Mitigation for CVE https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt + (pkgs.fetchpatch { + url = "https://raw.githubusercontent.com/NixOS/nixpkgs/342bfe5c431fd7828fee8fa7e07a4d8fbfd18618/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch"; + sha256 = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw="; + }) + ]; + }) + ); services.openssh.enable = true; nixpkgs.overlays = diff --git a/systems/backup-2/flake.lock b/systems/backup-2/flake.lock index 7666ffe..2241f80 100644 --- a/systems/backup-2/flake.lock +++ b/systems/backup-2/flake.lock @@ -1104,7 +1104,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, diff --git a/systems/dilion/flake.lock b/systems/dilion/flake.lock index 79299f7..cd33070 100644 --- a/systems/dilion/flake.lock +++ b/systems/dilion/flake.lock @@ -599,7 +599,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, diff --git a/systems/eldiron/flake.lock b/systems/eldiron/flake.lock index b3f3753..da13d41 100644 --- a/systems/eldiron/flake.lock +++ b/systems/eldiron/flake.lock 
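Review bot: The patched build is attached only to `programs.ssh.package`, while CVE-2024-6387 is a flaw in the sshd daemon; in NixOS `services.openssh.package` appears to default to `programs.ssh.package`, so the server is probably covered too, but that coupling is implicit and deserves to be stated next to the override, e.g. `# sshd picks this up through services.openssh.package's default — TODO confirm`, or by setting `services.openssh.package` explicitly to the same derivation. Wrapping the value in `lib.mkDefault` means any other module that assigns `programs.ssh.package` silently replaces the patched openssh and drops the mitigation; a plain assignment, or a comment explaining why being overridden is acceptable, would make that risk visible. The patch file is named for openssh 9.6_p1, so once the pinned nixpkgs moves to a release that already carries the upstream fix the `fetchpatch` will most likely fail to apply and break the build rather than double-patch, which argues for a `# TODO: remove once the pinned nixpkgs ships the fixed upstream release` line beside the Qualys link. The `rec` on the `overrideAttrs` attribute set is unused and can be dropped. The enclosing module attribute set starts and ends outside the hunk.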
@@ -2153,7 +2153,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, diff --git a/systems/monitoring-1/flake.lock b/systems/monitoring-1/flake.lock index 942bcda..d926190 100644 --- a/systems/monitoring-1/flake.lock +++ b/systems/monitoring-1/flake.lock @@ -735,7 +735,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, diff --git a/systems/quatresaisons/flake.lock b/systems/quatresaisons/flake.lock index 01acde9..1d44989 100644 --- a/systems/quatresaisons/flake.lock +++ b/systems/quatresaisons/flake.lock @@ -712,7 +712,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, diff --git a/systems/zoldene/flake.lock b/systems/zoldene/flake.lock index 8be0d59..7c46d3a 100644 --- a/systems/zoldene/flake.lock +++ b/systems/zoldene/flake.lock @@ -455,7 +455,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=", + "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=", "path": "../../flakes/private/system", "type": "path" }, -- 2.41.0