Patch ssh for CVE

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2024-07-07 02:37:19 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2024-07-07 02:40:48 +0200
commit: e5934bd3ac55da1dc897a75bc89abb2733be9248 (patch)
tree: fcb04a8db6b187e122840670ff7f22c71c90f877 /flakes
parent: fbf4b741b3b064c65a1b22cc1334b035c54793ee (diff)
download: Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.tar.gz
Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.tar.zst
Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.zip
2 files changed, 24 insertions, 13 deletions
diff --git a/flakes/flake.lock b/flakes/flake.lock
index 7fa0b4f..b0b7045 100644
--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -3753,7 +3753,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-Xi6/nJc0tvzKA2G78B/8wFsz5AvzdETb0L6JhWbG7CY=",
+        "narHash": "sha256-Yd9Vvt/0KEhv9F03pBFl92CdVVkMKZATRydj0AuPkKY=",
        "path": "../systems/backup-2",
        "type": "path"
      },
@@ -3776,7 +3776,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-4aJAofbJwlkzXZQ08yfQUdXFIIyhE/I1uh62TZoEwzw=",
+        "narHash": "sha256-dyKdDwCGS6DrHABVcaAgb8gawz3kq13kFQAZzK0FrvA=",
        "path": "../systems/dilion",
        "type": "path"
      },
@@ -3824,7 +3824,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-b/hJTZhCp7ypOTYcrMfOV1Ah8KWM+yc20Nnn3UWJ024=",
+        "narHash": "sha256-9mFf3apvj5y9USQ+nA26Mb2Ft/QdlrBVjQY2bQllFSw=",
        "path": "../systems/eldiron",
        "type": "path"
      },
@@ -3850,7 +3850,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-wFk8D4iOZW2iNR/5U3eaZzWWKo57CwApD8OEcfc2s+o=",
+        "narHash": "sha256-lk0Zt0avJlciIxcG3nscv+nRR/t0U1FdnnRvFQm6GUI=",
        "path": "../systems/monitoring-1",
        "type": "path"
      },
@@ -3875,7 +3875,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-WEK3g7AjtjWbnB9kQ4Guqyb8QI5xzThG5blFqAU1vNo=",
+        "narHash": "sha256-oyQ4ygkPMhgjJXdg5K2jxNJ487W7F51FQfyERfp2/Hw=",
        "path": "../systems/quatresaisons",
        "type": "path"
      },
@@ -3895,7 +3895,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-cfNImVC9wAtXY3Xl7gsGBMF1dTDcYUQ9Kxd8ZWLq7/E=",
+        "narHash": "sha256-G/V/UqQ+wwkek/dGJYd+nk9W0FTVCs0/oSTUPf05QV4=",
        "path": "../systems/zoldene",
        "type": "path"
      },
@@ -7499,7 +7499,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=",
+        "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=",
        "path": "../../flakes/private/system",
        "type": "path"
      },
@@ -7518,7 +7518,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=",
+        "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=",
        "path": "../../flakes/private/system",
        "type": "path"
      },
@@ -8409,7 +8409,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=",
+        "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=",
        "path": "./private/system",
        "type": "path"
      },
@@ -9015,7 +9015,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=",
+        "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=",
        "path": "../../flakes/private/system",
        "type": "path"
      },
@@ -9034,7 +9034,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=",
+        "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=",
        "path": "../../flakes/private/system",
        "type": "path"
      },
@@ -9053,7 +9053,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=",
+        "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=",
        "path": "../../flakes/private/system",
        "type": "path"
      },
@@ -9072,7 +9072,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-xOq12ZNaKx6JEyOLDl0ulTSbS2TLh6M+TM4X40zykLE=",
+        "narHash": "sha256-K8onwBVKHqV/fe12dgHC5ecUpjU88FEVtgTVTS80l3E=",
        "path": "../../flakes/private/system",
        "type": "path"
      },
diff --git a/flakes/private/system/flake.nix b/flakes/private/system/flake.nix
index ad6c58c..6045fd4 100644
--- a/flakes/private/system/flake.nix
+++ b/flakes/private/system/flake.nix
@@ -30,6 +30,17 @@
          secrets.deleteSecretsVars = true;
          secrets.secretsVars = "/run/keys/vars.yml";
+          programs.ssh.package = lib.mkDefault (
+            pkgs.openssh.overrideAttrs(old: rec {
+              patches = old.patches ++ [
+                # Mitigation for CVE https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
+                (pkgs.fetchpatch {
+                  url = "https://raw.githubusercontent.com/NixOS/nixpkgs/342bfe5c431fd7828fee8fa7e07a4d8fbfd18618/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
+                  sha256 = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
+                })
+              ];
+            })
+          );
          services.openssh.enable = true;
          nixpkgs.overlays =
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2024-07-07 02:37:19 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2024-07-07 02:40:48 +0200
commit	e5934bd3ac55da1dc897a75bc89abb2733be9248 (patch)
tree	fcb04a8db6b187e122840670ff7f22c71c90f877 /flakes
parent	fbf4b741b3b064c65a1b22cc1334b035c54793ee (diff)
download	Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.tar.gz Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.tar.zst Nix-e5934bd3ac55da1dc897a75bc89abb2733be9248.zip