Patch Openssh for Roundup #15 #21500
Conversation
grahamc
added
1.severity: security
9.needs: port to stable
|
I'm feeling a bit inclined to wait for @vcunat to take a look. What do y'all think? |
|
No need for that, really. If you had a look and are convinced it will work... |
|
Just woke up, but the reason I haven't updated openssh yet is I've been waiting for updated GSSAPI patches from upstream (Debian). I ran some quick builds and I couldn't get this to build with GSSAPI enabled, hence why I hadn't made a PR. Can you get this to build with GSSAPI? If not, we'll need to weigh leaving open CVEs w/ an old version of openssh, or breaking GSSAPI support. I haven't looked at the systemd stuff yet. |
|
|
|
I only remember |
|
I was wrong (edited above immediately). I haven't tested anything that has no top-level attribute :-) |
|
Yeah, it builds on master and this PR breaks it. |
|
I think Debian has updated the GSSAPI patch, looking at the git log for the master branch at https://anonscm.debian.org/cgit/pkg-ssh/openssh.git, if we want to give that a try. |
|
Specifically https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/plain/debian/patches/gssapi.patch?id=255b8554a50b5c75fca63f76b1ac837c0d4fb7aa may be an updated version, I believe. |
|
Yes, applies and I'm testing the build already. |
|
Changes around daemonization and testing LGTM as well. Building + testing this locally now. |
|
LMK how it goes @aneeshusa and I'll merge / backport straight away. :) |
|
Also -- I really appreciate all the help on this one. |
|
Nice teamwork :-) |
samueldr
removed
the
9.needs: port to stable
Motivation for this change
#21457 (comment)
cc @vcunat @aneeshusa @LnL7
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)