Not even #NixOS has a patched #OpenSSH version to mitigate #regreSSHion yet. 😔

OK, at least disabling sshd is very easy.

Edit/Correction: NixOS somehow decided not to change the version number for a patched OpenSSH version. So you can have 9.7p1 with the vulnerability and 9.7p1 without. 🤷 🤦‍♂️

https://github.com/NixOS/nixpkgs/pull/323761/files

So the usual "am I vulnerable?" instructions for the CVE are useless on NixOS.

[24.05] openssh: add backported security fix patches by emilazy · Pull Request #323761 · NixOS/nixpkgs
Fixes a critical security bug allowing remote code execution as root: https://www.openssh.com/txt/release-9.8 This may be CVE-2024-6387 (currently embargoed): https://cve.mitre.org/cgi-bin/cvename....

@publicvoit

#NixOS upgraded the unstable branch to OpenSSH 9.8 and patched OpenSSH 9.7 in the 24.05 release branch Monday morning:

https://github.com/NixOS/nixpkgs/pull/323753

openssh: 9.7p1 -> 9.8p1 (fixes CVE-2024-6387 “regreSSHion” RCE) by emilazy · Pull Request #323753 · NixOS/nixpkgs
Fixes a critical security bug allowing remote code execution as root: https://www.openssh.com/txt/release-9.8 This is CVE-2024-6387: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt...
Karl Voit :emacs: :orgmode: (@[email protected])

@[email protected] I just updated my system and got 0g1s8yd0biawp32fl3i7kdbi219jx6aq-openssh-9.7p1 which is part of the list "you're fucked". My config: https://github.com/novoid/nixos-config So what's my mistake?


@publicvoit

Are you worried about the hash or the version number?

Unfortunately the version number wasn't changed when the patch was applied:

https://github.com/NixOS/nixpkgs/pull/323761/files

@devalot Stupid decision not to change the version number and patch level indicator, but thank you very much for the clarification.
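Turning the thread's point into a check, as an added example that is not code from the thread or from nixpkgs: on NixOS `ssh -V` / `sshd -V` cannot tell the two 9.7p1 builds apart, and a bare store hash like the one quoted above means nothing without a reference list, so the useful question is which patches went into the derivation behind the sshd you are actually running. The script needs only `readlink`, `sed`, `grep` and the stable `nix-store --query` interface (no experimental `nix` commands). One assumption is mine and labelled in the code: that the backport's patch file name contains the CVE ID or the word regreSSHion; check the file names in PR #323761 and widen the pattern if nixpkgs named them differently.

```shell
#!/usr/bin/env sh
# Added example, not from the thread or from nixpkgs. On NixOS the OpenSSH
# version string is no evidence either way: the 24.05 backport kept "9.7p1".
# So look at the derivation that built the sshd you run and read its patch
# list instead of trusting `sshd -V`.

# Reduce any path below /nix/store (e.g. the resolved /run/current-system
# symlink) to the bare store path that nix-store commands expect.
# Prints nothing and returns 1 if the path is not a store path.
store_path_of() {
  case "$1" in
    /nix/store/*) printf '%s\n' "$1" | sed 's|^\(/nix/store/[^/]*\).*|\1|' ;;
    *) return 1 ;;
  esac
}

# "/nix/store/<hash>-openssh-9.7p1" -> "9.7p1"; prints nothing for other packages.
openssh_version_of() {
  printf '%s\n' "$1" | sed -n 's|.*-openssh-\([0-9][0-9.p]*\)$|\1|p'
}

# Returns 0 when the version is 9.8 or later, i.e. fixed upstream and no
# backport is needed (the unstable branch went this way).
version_fixed_upstream() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%p*}
  [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 8 ]; }
}

# $1 is the space-separated `patches` attribute of an openssh .drv.
# Returns 0 when a patch file name looks like the regreSSHion fix.
# ASSUMPTION: the backport is named after the CVE or the advisory. nixpkgs
# chose the real file names in PR #323761; extend the pattern if they differ.
patches_mention_fix() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -qiE 'CVE-2024-6387|regresshion'
}

# Whole-system check; needs nix-store, so it only does anything on a Nix
# machine. Exit 0: fixed (9.8+ or fix patch listed). Exit 2: older version
# with no matching patch, treat as vulnerable. Exit 3: could not inspect.
check_running_sshd() {
  sshd_bin=${1:-/run/current-system/sw/bin/sshd}
  store=$(store_path_of "$(readlink -f "$sshd_bin")") || return 3
  version=$(openssh_version_of "$store")
  [ -n "$version" ] || return 3
  echo "running sshd: $store (reports version $version)"
  if version_fixed_upstream "$version"; then
    echo "fixed upstream in 9.8, no backport needed"
    return 0
  fi
  drv=$(nix-store --query --deriver "$store") || return 3
  patches=$(nix-store --query --binding patches "$drv" 2>/dev/null) || patches=""
  echo "patches in $drv: ${patches:-<none>}"
  if patches_mention_fix "$patches"; then
    echo "regreSSHion backport present despite the 9.7p1 label"
    return 0
  fi
  echo "no regreSSHion patch listed: this 9.7p1 is the vulnerable one"
  return 2
}

# Run the real check only where nix-store exists; the helpers above are
# pure string functions and can be exercised anywhere.
if command -v nix-store >/dev/null 2>&1; then
  check_running_sshd "$@"
fi
```

Run it as any user; `nix-store --query` does not need root. It does need the `.drv` file to be present in the store, which is the case for a system you built locally but not always for a closure that was only substituted from the binary cache: if `--binding` fails you get exit 3, and `nix-instantiate '<nixpkgs>' -A openssh` (with the same nixpkgs your system uses) will write the derivation so the check can be repeated.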