[staging] openssh: 8.3p1 -> 8.4p1 #99959
Conversation (commits 7ba4a93 to f0471ad)
It seems #90264 undid our ability to have different versions for openssh and openssh_hpn, can you bring that logic back and leave openssh_hpn at the old version? The hpn repo often takes a long time to get updates so I think it's nicer to decouple those versions so folks can make their own choices about perf vs security. Looking at the CVEs,
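One way to express the decoupling asked for above, as an added sketch rather than nixpkgs' actual openssh expression: a single parameterised builder instantiated once per flavour, so the main package can move to 8.4p1 while openssh_hpn stays on 8.3p1 until its out-of-tree patch is available. The HPN patch URL and the tarball hashes are placeholders (`lib.fakeSha256`), and `mkOpenssh` is a hypothetical helper name.

```nix
# Added example (hypothetical), not the nixpkgs openssh derivation.
{ lib, stdenv, fetchurl, fetchpatch, zlib, openssl, libedit, pam }:

let
  # One builder shared by every flavour; version and patches are per-instance.
  mkOpenssh = { version, sha256, extraPatches ? [ ] }:
    stdenv.mkDerivation {
      pname = "openssh";
      inherit version;

      src = fetchurl {
        url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
        inherit sha256;
      };

      patches = extraPatches;

      buildInputs = [ zlib openssl libedit pam ];
      configureFlags = [ "--with-pam" "--with-libedit=yes" ];

      meta = with lib; {
        description = "OpenSSH ${version}";
        license = licenses.bsd2;
        platforms = platforms.unix;
      };
    };

  # Placeholder: the real HPN patch URL and hash come from the HPN repo.
  hpnPatch = fetchpatch {
    name = "openssh-hpn-8.3p1.patch";
    url = "https://example.invalid/openssh-hpn-8.3p1.patch"; # placeholder
    sha256 = lib.fakeSha256;                                # placeholder
  };
in
{
  # Main package tracks the latest upstream release (the CVE fixes).
  openssh = mkOpenssh {
    version = "8.4p1";
    sha256 = lib.fakeSha256; # placeholder
  };

  # HPN flavour is pinned to the previous release until its patch catches up.
  openssh_hpn = mkOpenssh {
    version = "8.3p1";
    sha256 = lib.fakeSha256; # placeholder
    extraPatches = [ hpnPatch ];
  };
}
```

With this shape, bumping the main derivation no longer breaks openssh_hpn, and the pinned flavour can be marked broken or updated independently once the HPN patch lands.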
I don't think either of these warrants breaking GSSAPI as well; historically the patches have taken multiple months to appear but they've shown up much more quickly for recent releases. I'm happy to wait a few days to see if a GSSAPI patch becomes available and include it, or otherwise I think we can change openssh_gssapi to also use an older openssh version until a patch is available to unblock updating the main openssh derivation to 8.4p1. Some data from the last ~year on lag time in GSSAPI patch update:
There is now a release of a new GSSAPI patch: https://salsa.debian.org/ssh-team/openssh/-/commit/e371906fbbbbc11b0dced8fd4e0d258eb489d7c1 Would be nice to see this integrated into this PR. I'm not sure if we should block on HPN support or not.
@andir how about this?
Thanks for integrating the GSSAPI patch. Would still prefer to not mark
This discussion has been had a bunch of times before (e.g. in #80196 and #59806) and looking through the commit history, Personally, I'd much prefer having an up to date openssh instead of carrying outdated patched versions around.
Anyways, apparently there's a hpn patch released now as well and it seems to build, so there you go.
What about merging this soon as this is a security update?
All the openssh flavors did build for me. I'm merging this in.
Neither the gssapi patches nor the hpn fork seem to be updated yet.
Marked these as broken for now.
Fixes CVE-2020-15778, CVE-2020-14145
Motivation for this change
Things done
- Tested using sandboxing (option sandbox in nix.conf on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)