Not even #NixOS has a patched #OpenSSH version to mitigate #regreSSHion yet. 😔

OK, at least disabling sshd is very easy.

Edit/Correction: NixOS somehow decided not to change the version number for a patched OpenSSH version. So you can have 9.7p1 with the vulnerability and 9.7p1 without. 🤷 🤦‍♂️

https://github.com/NixOS/nixpkgs/pull/323761/files

So the usual "am I vulnerable?"-instructions to the CVE are useless with NixOS.

[24.05] openssh: add backported security fix patches by emilazy · Pull Request #323761 · NixOS/nixpkgs

@publicvoit I'm pretty sure the patches have already reached all supported versions of NixOS, and even the newly-EOL 23.11

https://discourse.nixos.org/t/security-advisory-openssh-cve-2024-6387-regresshion-update-your-servers-asap/48220/19

Security advisory: OpenSSH CVE-2024-6387 “regreSSHion” – update your servers ASAP

A critical‐severity OpenSSH security vulnerability has been disclosed that can lead to remote code execution as root. We have fixed this by upgrading OpenSSH on unstable and backporting a patch fix from upstream to 24.05 and 23.11, and that fix has now reached all the channels. openssh_hpn and openssh_gssapi are also affected and have been patched. If you have an internet‐exposed machine running an OpenSSH server, you should update as soon as possible. If you’re on unstable, you may want to ch...

Karl Voit :emacs: :orgmode: (@[email protected])

@[email protected] I just updated my system and got 0g1s8yd0biawp32fl3i7kdbi219jx6aq-openssh-9.7p1 which is part of the list "you're fucked". My config: https://github.com/novoid/nixos-config So what's my mistake?

@publicvoit for 24.05 (which I assume you're using), the version remained at 9.7p1, but patches were included to mitigate the CVE. https://github.com/NixOS/nixpkgs/commit/10c832d0548e9e3a6df7eb51e68c2783212a303e

NixOS' stable channels are usually conservative about bumping to the next "major" release of a package (whatever major means for the upstream - the goal is to avoid any breaking changes).

I do understand that it is hard to tell whether a package was upgraded if the version string does not change. If you diff your system profile (e.g. via `nix store diff-closures` or `nvd`) you should see that after the upgrade you're using a different derivation of `openssh` (different hash), but at that point you're essentially comparing the compiled binaries, so it is hard to tell what actually changed.

openssh: add backported security fix patches · NixOS/nixpkgs@10c832d

@justinas Stupid decision not to change the version number and patch level indicator but thank you very much for the clarification.
@publicvoit @justinas NixOS never does that because its package manager does no comparison based on version numbers. We also dodge stupid things like +real1.2.3 Debian sometimes has. Also it is pretty hard to decide when to bump that number, so we are not doing it. E.g. does a compile fix for FreeBSD justify a version bump? Maybe? But then we trigger rebuilds for platforms that don't need one.
@publicvoit it is patched on all active channels, not sure what you mean?

@marie I just updated my system and got 0g1s8yd0biawp32fl3i7kdbi219jx6aq-openssh-9.7p1 which is part of the list "you're fucked".

My config: https://github.com/novoid/nixos-config

So what's my mistake?

GitHub - novoid/nixos-config: NixOS + flakes + home-manager with xfce, zsh, tmux, ...

@publicvoit the stable channels got a backport of the patch to an older version, because a newer openssh version would be a breaking change

@publicvoit

#NixOS upgraded the unstable branch to OpenSSH 9.8 and patched OpenSSH 9.7 in the 24.05 release branch Monday morning:

https://github.com/NixOS/nixpkgs/pull/323753

openssh: 9.7p1 -> 9.8p1 (fixes CVE-2024-6387 “regreSSHion” RCE) by emilazy · Pull Request #323753 · NixOS/nixpkgs

@publicvoit

Are you worried about the hash or the version number?

Unfortunately the version number wasn't changed when the patch was applied:

https://github.com/NixOS/nixpkgs/pull/323761/files

[24.05] openssh: add backported security fix patches by emilazy · Pull Request #323761 · NixOS/nixpkgs

@devalot Stupid decision not to change the version number and patch level indicator but thank you very much for the clarification.
@sa0bse @publicvoit the link you shared is about -unstable only. That's what I'm using, but I imagine this might be about 24.05?

@phaer @sa0bse I'm using 24.05 and I really don't care about NixOS any more.

I disabled openssh altogether and find it more than confusing that Nix is providing different versions with the same version indicator (but different hashes). 🤷

@publicvoit @sa0bse my intention was to help with a possible misunderstanding: In my experience, many experienced users tend to use -unstable - where sshd has been updated for a while. 24.05 indeed isn't afaik.

Nixos most probably isn't for everyone. I love it, but it definitely depends on one's workflows, routines and preferences whether its advantages are worth dealing with its failings.

@publicvoit @phaer @sa0bse Nix's hashes are very similar to git commit hashes.

If, in an arbitrary software project, you backported a bugfix from a stable branch into an LTS branch by cherry picking it, the new commit on the LTS branch would look very similar to the original. But their hashes would be different because the commits' parents and some metadata would be different. Same with Nix packages, and any input to a package affects the hash, even if one transitive dependency is different.

@publicvoit @phaer @sa0bse Also right from the beginning, 24.05 had the fix backported. The stable branch is definitely not an afterthought. Although most advanced users do indeed run unstable on their personal machines, this is not recommended for production systems.

The reason they have the same version numbers is because they're the same version ATM. 24.05 has just been cut from unstable, so the chances of any given package having diverged are low at this point.

@publicvoit @phaer @sa0bse Even 23.11 got the backport right away: https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199658842

For reference, here are the guidelines on what can make it into release branches: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases, which includes security fixes.

openssh: 9.7p1 -> 9.8p1 (fixes CVE-2024-6387 “regreSSHion” RCE) by emilazy · Pull Request #323753 · NixOS/nixpkgs

@zeorin @phaer @sa0bse
@sandro @justinas

Well I do have a different opinion (but I'm not qualified to do so for NixOS).

As long as humans should use NixOS, they should be able to easily determine the patch-level of a package.
https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_VERSION_NUMBER.html
-> NixOS is patching without increasing the patch level number.

Any general direction on how to determine if you're running a bad version fails here.

No, a patched version is not the same version as the one before.

#badidea

@publicvoit @zeorin @phaer @sa0bse @justinas NixOS is a bit different than other systems. You would either check the nixpkgs source or use a nix repl to print what patches openssh contains.

nixos-rebuild repl
> :p pkgs.openssh.patches

And bumping the version number is necessary for almost any other distro to function. Also bumping that creates new problems like sometimes unnecessary rebuilds, incompatibilities if it is parsed, new decision when to bump and probably more.
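Added example (not from this thread or from nixpkgs) of the check the post above describes, done from the shell instead of the repl: it resolves the running sshd to its store path, asks nix-store for the deriver and lists the `.patch` inputs of that derivation, which is how you see a backported fix when the version string (openssh-9.7p1) stayed the same. The store hashes and patch names in the embedded sample listing are constructed placeholders; the live function needs a NixOS host where the deriver is known.

```shell
#!/bin/sh
# List the patch inputs of the derivation that built the running sshd.
# Useful on NixOS because a backported fix changes the derivation hash
# but not the package version string.
set -eu

# Constructed sample of `nix-store --query --references <drv>` output
# (placeholder hashes and patch names, not real nixpkgs inputs).
SAMPLE_REFS='/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-openssh-9.7p1.tar.gz.drv
/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-CVE-PLACEHOLDER-backport.patch
/nix/store/cccccccccccccccccccccccccccccccc-bash-5.2.drv
/nix/store/dddddddddddddddddddddddddddddddd-fix-something.patch.drv'

# Pure helper (stdin: references listing). Keeps only patch inputs, i.e.
# local .patch sources and fetchpatch .drv files, and strips the
# /nix/store/<hash>- prefix and any .drv suffix so just the name remains.
patch_names_from_refs() {
    grep -E '\.patch(\.drv)?$' \
        | sed -E 's#^/nix/store/[a-z0-9]{32}-##; s#\.drv$##' \
        | sort -u
}

# Returns 0 when the listing ($1) contains a patch name matching regex $2.
has_patch() {
    printf '%s\n' "$1" | patch_names_from_refs | grep -Eq -- "$2"
}

# Live check on a NixOS host: resolve the sshd binary to its store path,
# look up the deriver (.drv) and print the patch names among its inputs.
check_sshd_patches() {
    bin=$(readlink -f /run/current-system/sw/bin/sshd)
    storepath=$(printf '%s\n' "$bin" | cut -d/ -f1-4)   # /nix/store/<hash>-openssh-<ver>
    drv=$(nix-store --query --deriver "$storepath")
    if [ "$drv" = "unknown-deriver" ]; then
        echo "deriver unknown for $storepath (not built or substituted with deriver info)" >&2
        return 2
    fi
    echo "store path: $storepath"
    nix-store --query --references "$drv" | patch_names_from_refs
}

# Run the live check with --live; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    check_sshd_patches
else
    printf '%s\n' "$SAMPLE_REFS" | patch_names_from_refs
fi
```

Compare the printed patch names against the patch files added by the backport PR for your release branch; a hash that differs from the advisory's "bad" list but a missing patch name is the case to look for.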

@publicvoit @zeorin @phaer @sa0bse @justinas Also badly constructed overlays could actually remove those patches again. Also it is pretty easy to patch your system with an overlay and setting the output to services.ssh.package.

@sandro @zeorin @phaer @sa0bse @justinas A very sincere thank you from me to you for explaining all those things! 🙇

I still don't like it as it is but it seems as if there are at least some reasons to do it that way.