base repository: NixOS/nixpkgs
base: 673a73602f5b
head repository: NixOS/nixpkgs
compare: 5b1f864242ef
  • 5 commits
  • 2 files changed
  • 2 contributors

Commits on Oct 19, 2019

  1. Verified

    This commit was signed with the committer’s verified signature. The key has expired.
    thoughtpolice Austin Seipp
    9199729 View commit details
  2. Copy the full SHA
    6db7c9c View commit details
  3. openssh: mark hpnSupport as broken

    We're hoping to deprecate HPN support, given that as far as we
    can tell, nobody is using it, and the patches seem rather unmaintained.
    edef1c committed Oct 19, 2019
    1
    e6d641d View commit details
  4. openssh: don't let configure override SSH_KEYSIGN

    While 9fe1028 ensured that the
    ssh-keysign path is searched for in PATH if not absolute,
    it doesn't prevent the configure script from defaulting to an
    absolute path in $out/libexec, making the whole effort rather
    pointless.
    edef1c committed Oct 19, 2019
    9bfec80 View commit details
  5. Merge pull request #59806

    openssh: 7.9p1 -> 8.1p1
    edef1c authored Oct 19, 2019
    5b1f864 View commit details
Showing with 17 additions and 7 deletions.
  1. +8 −0 nixos/doc/manual/release-notes/rl-2003.xml
  2. +9 −7 pkgs/tools/networking/openssh/default.nix
8 changes: 8 additions & 0 deletions nixos/doc/manual/release-notes/rl-2003.xml
@@ -108,6 +108,14 @@
<listitem>
<para>SD images are now compressed by default using <literal>bzip2</literal>.</para>
</listitem>
<listitem>
<para>
OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features
but with potential incompatibilities. Consult the
<link xlink:href="https://www.openssh.com/txt/release-8.1">
release announcement</link> for more information.
</para>
</listitem>
</itemizedlist>
</section>
</section>
16 changes: 9 additions & 7 deletions pkgs/tools/networking/openssh/default.nix
@@ -13,16 +13,16 @@ let
gssapiPatch = fetchpatch {
name = "openssh-gssapi.patch";
url = "https://salsa.debian.org/ssh-team/openssh/raw/"
+ "d80ebbf028196b2478beebf5a290b97f35e1eed9"
+ "e50a98bda787a3b9f53ed67bdccbbac0bde1f9ae"
+ "/debian/patches/gssapi.patch";
sha256 = "14j9cabb3gkhkjc641zbiv29mbvsmgsvis3fbj8ywsd21zc7m2wv";
sha256 = "14j9cabb3gkhkjc641zbiv29mbvsmgsvis3fbj8ywsd21zc7m2hv";
};

in
with stdenv.lib;
stdenv.mkDerivation rec {
pname = "openssh";
version = if hpnSupport then "7.8p1" else "7.9p1";
version = if hpnSupport then "7.8p1" else "8.1p1";

src = if hpnSupport then
fetchurl {
@@ -32,7 +32,7 @@ stdenv.mkDerivation rec {
else
fetchurl {
url = "mirror://openbsd/OpenSSH/portable/${pname}-${version}.tar.gz";
sha256 = "1b8sy6v0b8v4ggmknwcqx3y1rjcpsll0f1f8f4vyv11x4ni3njvb";
sha256 = "1zwk3g57gb13br206k6jdhgnp6y1nibwswzraqspbl1m73pxpx82";
};

patches =
@@ -42,6 +42,8 @@ stdenv.mkDerivation rec {
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966
./dont_create_privsep_path.patch

./ssh-keysign.patch
] ++ optional hpnSupport
# CVE-2018-20685, can probably be dropped with next version bump
# See https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
# for details
@@ -50,9 +52,6 @@ stdenv.mkDerivation rec {
url = https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2.patch;
sha256 = "0q27i9ymr97yb628y44qi4m11hk5qikb1ji1vhvax8hp18lwskds";
})

./ssh-keysign.patch
]
++ optional withGssapiPatches (assert withKerberos; gssapiPatch);

postPatch =
@@ -89,6 +88,8 @@ stdenv.mkDerivation rec {
++ optional stdenv.isDarwin "--disable-libutil"
++ optional (!linkOpenssl) "--without-openssl";

buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];

enableParallelBuilding = true;

hardeningEnable = [ "pie" ];
@@ -111,5 +112,6 @@ stdenv.mkDerivation rec {
license = stdenv.lib.licenses.bsd2;
platforms = platforms.unix ++ platforms.windows;
maintainers = with maintainers; [ eelco aneeshusa ];
broken = hpnSupport;
};
}
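Review bot: In `gssapiPatch` the two `sha256` values differ in a single character near the end (`…zc7m2wv` and `…zc7m2hv`) even though the pinned Debian commit in the URL changes completely, so the second value (presumably the new side; the +/- markers are lost on this page) looks like the old digest edited by hand to force a refetch, not the digest of the new patch. Because this is a fixed-output hash the failure is closed: a `withGssapiPatches` build would abort on a hash mismatch rather than apply unverified content, but that variant cannot be built until the value is corrected. Recompute it for the new URL and commit the result, `sha256 = "<digest reported for the new gssapi.patch>";`. It would also help to put a comment above `buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];`, for example `# keep the ssh-keysign path relative so it is looked up in PATH (see ./ssh-keysign.patch) rather than configure's $out/libexec default`, so the override is not dropped as redundant in a later cleanup.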