[staging] openssh: 8.3p1 -> 8.4p1 #99959

Merged (1 commit) into NixOS:staging on Nov 3, 2020

Conversation

dasJ (Member) commented Oct 7, 2020

Neither the gssapi patches nor the hpn fork seem to be updated yet.
Marked these as broken for now.

Fixes CVE-2020-15778, CVE-2020-14145

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

aneeshusa (Contributor) commented

It seems #90264 undid our ability to have different versions for openssh and openssh_hpn, can you bring that logic back and leave openssh_hpn at the old version? The hpn repo often takes a long time to get updates so I think it's nicer to decouple those versions so folks can make their own choices about perf vs security.

Looking at the CVEs,

I don't think either of these warrants breaking GSSAPI as well; historically the patches have taken multiple months to appear but they've shown up much more quickly for recent releases. I'm happy to wait a few days to see if a GSSAPI patch becomes available and include it, or otherwise I think we can change openssh_gssapi to also use an older openssh version until a patch is available to unblock updating the main openssh derivation to 8.4p1.

Some data from the last ~year on lag time in GSSAPI patch update:

| version | upstream release date | GSSAPI patch availability | delta   |
|---------|-----------------------|---------------------------|---------|
| 8.3p1   | 2020-05-27            | 2020-06-07                | 11 days |
| 8.2p1   | 2020-02-14            | 2020-02-21                | 7 days  |
| 8.1p1   | 2019-10-09            | 2020-10-10                | 1 day   |
| 8.0p1   | 2019-04-17            | 2019-06-09                | 53 days |

andir (Member) commented Oct 23, 2020

There is now a release of a new GSSAPI patch: https://salsa.debian.org/ssh-team/openssh/-/commit/e371906fbbbbc11b0dced8fd4e0d258eb489d7c1

Would be nice to see this integrated into this PR. I'm not sure if we should block on HPN support or not.

ajs124 (Member) commented Oct 29, 2020

@andir how about this?

aneeshusa (Contributor) commented

Thanks for integrating the GSSAPI patch. Would still prefer to not mark hpnSupport as broken but instead give those users an older version as we always did before #90264.

ajs124 (Member) commented Oct 29, 2020

This discussion has been had a bunch of times before (e.g. in #80196 and #59806) and looking through the commit history, hpnSupport has been marked and unmarked as broken a few times, as well.

Personally, I'd much prefer having an up to date openssh instead of carrying outdated patched versions around.

ajs124 (Member) commented Oct 29, 2020

Anyways, apparently there's a hpn patch released now as well and it seems to build, so there you go.

dasJ changed the title from "openssh: 8.3p1 -> 8.4p1" to "[staging] openssh: 8.3p1 -> 8.4p1" on Nov 1, 2020

mohe2015 (Contributor) commented Nov 3, 2020

What about merging this soon as this is a security update?

andir (Member) commented Nov 3, 2020

All the openssh flavors did build for me. I'm merging this in.

andir merged commit be6e50a into NixOS:staging on Nov 3, 2020
ajs124 deleted the upd/openssh branch on November 3, 2020 15:03