Not even #NixOS has a patched #OpenSSH version to mitigate #regreSSHion yet. 😔

OK, at least disabling sshd is very easy.

Edit/Correction: NixOS somehow decided not to change the version number for a patched OpenSSH version. So you can have 9.7p1 with the vulnerability and 9.7p1 without. 🤷 🤦‍♂️

https://github.com/NixOS/nixpkgs/pull/323761/files

So the usual "am I vulnerable?" instructions for the CVE are useless with NixOS.

[24.05] openssh: add backported security fix patches by emilazy · Pull Request #323761 · NixOS/nixpkgs

Fixes a critical security bug allowing remote code execution as root: https://www.openssh.com/txt/release-9.8 This may be CVE-2024-6387 (currently embargoed): https://cve.mitre.org/cgi-bin/cvename....

@publicvoit It is patched on all active channels; not sure what you mean?

@marie I just updated my system and got 0g1s8yd0biawp32fl3i7kdbi219jx6aq-openssh-9.7p1 which is part of the list "you're fucked".

My config: https://github.com/novoid/nixos-config

So what's my mistake?

@publicvoit The stable channels got a backport of the patch to an older version, because a newer OpenSSH version would be a breaking change.