Patch ssh for CVE

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2024-07-07 02:37:19 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2024-07-07 02:40:48 +0200
commit: e5934bd3ac55da1dc897a75bc89abb2733be9248 (patch)
tree: fcb04a8db6b187e122840670ff7f22c71c90f877 /flakes/private
parent: fbf4b741b3b064c65a1b22cc1334b035c54793ee (diff)
download: Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.tar.gz
Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.tar.zst
Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.zip
1 files changed, 11 insertions, 0 deletions
diff --git a/flakes/private/system/flake.nix b/flakes/private/system/flake.nix
index ad6c58c..6045fd4 100644
--- a/flakes/private/system/flake.nix
+++ b/flakes/private/system/flake.nix
@@ -30,6 +30,17 @@
          secrets.deleteSecretsVars = true;
          secrets.secretsVars = "/run/keys/vars.yml";
+          programs.ssh.package = lib.mkDefault (
+            pkgs.openssh.overrideAttrs(old: rec {
+              patches = old.patches ++ [
+                # Mitigation for CVE https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
+                (pkgs.fetchpatch {
+                  url = "https://raw.githubusercontent.com/NixOS/nixpkgs/342bfe5c431fd7828fee8fa7e07a4d8fbfd18618/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
+                  sha256 = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
+                })
+              ];
+            })
+          );
          services.openssh.enable = true;
          nixpkgs.overlays =
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2024-07-07 02:37:19 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2024-07-07 02:40:48 +0200
commit	e5934bd3ac55da1dc897a75bc89abb2733be9248 (patch)
tree	fcb04a8db6b187e122840670ff7f22c71c90f877 /flakes/private
parent	fbf4b741b3b064c65a1b22cc1334b035c54793ee (diff)
download	Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.tar.gz Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.tar.zst Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.zip

diff --git a/flakes/private/system/flake.nix b/flakes/private/system/flake.nix index ad6c58c..6045fd4 100644 --- a/flakes/private/system/flake.nix +++ b/flakes/private/system/flake.nix
@@ -30,6 +30,17 @@
30	secrets.deleteSecretsVars = true;	30	secrets.deleteSecretsVars = true;
31	secrets.secretsVars = "/run/keys/vars.yml";	31	secrets.secretsVars = "/run/keys/vars.yml";
32		32
		33	programs.ssh.package = lib.mkDefault (
		34	pkgs.openssh.overrideAttrs(old: rec {
		35	patches = old.patches ++ [
		36	# Mitigation for CVE https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
		37	(pkgs.fetchpatch {
		38	url = "https://raw.githubusercontent.com/NixOS/nixpkgs/342bfe5c431fd7828fee8fa7e07a4d8fbfd18618/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
		39	sha256 = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
		40	})
		41	];
		42	})
		43	);
33	services.openssh.enable = true;	44	services.openssh.enable = true;
34		45
35	nixpkgs.overlays =	46	nixpkgs.overlays =