Not even #NixOS has a patched #OpenSSH version to mitigate #regreSSHion yet. 😔

OK, at least disabling sshd is very easy.

Edit/Correction: NixOS somehow decided not to change the version number for a patched OpenSSH version. So you can have 9.7p1 with the vulnerability and 9.7p1 without. 🤷 🤦‍♂️

https://github.com/NixOS/nixpkgs/pull/323761/files

So the usual "am I vulnerable?"-instructions to the CVE are useless with NixOS.

[24.05] openssh: add backported security fix patches by emilazy · Pull Request #323761 · NixOS/nixpkgs

Fixes a critical security bug allowing remote code execution as root: https://www.openssh.com/txt/release-9.8 This may be CVE-2024-6387 (currently embargoed): https://cve.mitre.org/cgi-bin/cvename....


@publicvoit I'm pretty sure the patches have already reached all supported versions of NixOS, and even the newly-EOL 23.11

https://discourse.nixos.org/t/security-advisory-openssh-cve-2024-6387-regresshion-update-your-servers-asap/48220/19

Security advisory: OpenSSH CVE-2024-6387 “regreSSHion” – update your servers ASAP

A critical‐severity OpenSSH security vulnerability has been disclosed that can lead to remote code execution as root. We have fixed this by upgrading OpenSSH on unstable and backporting a patch fix from upstream to 24.05 and 23.11, and that fix has now reached all the channels. openssh_hpn and openssh_gssapi are also affected and have been patched. If you have an internet‐exposed machine running an OpenSSH server, you should update as soon as possible. If you’re on unstable, you may want to ch...

Karl Voit :emacs: :orgmode: (@[email protected])

@[email protected] I just updated my system and got 0g1s8yd0biawp32fl3i7kdbi219jx6aq-openssh-9.7p1 which is part of the list "you're fucked". My config: https://github.com/novoid/nixos-config So what's my mistake?


@publicvoit for 24.05 (which I assume you're using), the version remained at 9.7p1, but patches were included to mitigate the CVE. https://github.com/NixOS/nixpkgs/commit/10c832d0548e9e3a6df7eb51e68c2783212a303e

NixOS' stable channels are usually conservative about bumping to the next "major" release of a package (whatever major means for the upstream - the goal is to avoid any breaking changes).

I do understand that it is hard to tell whether a package was upgraded if the version string does not change. If you diff your system profile (e.g. via `nix store diff-closures` or `nvd`) you should see that after the upgrade you're using a different derivation of `openssh` (different hash), but at that point you're essentially comparing the compiled binaries, so it is hard to tell what actually changed.

openssh: add backported security fix patches · NixOS/nixpkgs@10c832d

Fixes a critical security bug allowing remote code execution as root: <https://www.openssh.com/txt/release-9.8> This may be CVE-2024-6387 (currently embargoed): <https://cve.mitre.org/cgi...

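An added example, not code from the thread, from nixpkgs or from the Nix tooling: a small POSIX shell script that does the comparison the post above describes at the level of individual packages, listing store paths that keep the same name-version string but carry a different hash between two system closures. The store paths in it are constructed sample data, except the openssh-9.7p1 path quoted earlier in the thread; the `sshd_patch_list` function assumes a NixOS host with the `nix-store` CLI and is not run by the sample.

```shell
#!/usr/bin/env sh
# Added example (not code from the thread or from nixpkgs): find packages whose
# name and version string are unchanged between two NixOS system closures but
# whose derivation (store hash) changed, which is what a backported patch looks
# like on a stable channel. All store paths except the openssh one quoted in the
# thread are constructed sample data.
set -eu

# Split a store path into "<hash> <name-version>", e.g.
#   /nix/store/0g1s8yd0biawp32fl3i7kdbi219jx6aq-openssh-9.7p1
#   -> 0g1s8yd0biawp32fl3i7kdbi219jx6aq openssh-9.7p1
store_path_parts() {
  base=${1##*/}                       # drop the /nix/store/ prefix
  printf '%s %s\n' "${base%%-*}" "${base#*-}"
}

# $1, $2: files listing the store paths of the old and new closure, one per line,
# as produced by: nix-store --query --requisites /nix/var/nix/profiles/system-<N>-link
# Prints "name-version old_hash new_hash" for every package present in both
# closures under the same name-version but built from a different derivation.
same_version_different_drv() {
  awk '
    {
      base = $0; sub(/.*\//, "", base)
      dash = index(base, "-")
      hash = substr(base, 1, dash - 1); name = substr(base, dash + 1)
    }
    FNR == NR { old[name] = hash; next }            # first file: remember old hashes
    (name in old) && old[name] != hash { print name, old[name], hash }
  ' "$1" "$2"
}

# Constructed sample closures. Only the openssh hash in OLD_CLOSURE is the one
# quoted in the thread; the rest are made up to look like Nix store hashes.
OLD_CLOSURE='/nix/store/0g1s8yd0biawp32fl3i7kdbi219jx6aq-openssh-9.7p1
/nix/store/1c7xf9n3b2qz8m5ypk4wrv6hd0jl3sa9-zlib-1.3.1
/nix/store/2d8yg0p4c3ra9n6zql5xsw7if1km4vb0-curl-8.7.1'
NEW_CLOSURE='/nix/store/3f9zh1q5d4sb0p7arm6yk8jg2ln5vc1x-openssh-9.7p1
/nix/store/1c7xf9n3b2qz8m5ypk4wrv6hd0jl3sa9-zlib-1.3.1
/nix/store/4g0ai2r6f5vc1q8bsn7zk9wh3mp6xd2y-curl-8.8.0'

# Runs the comparison on the sample data: zlib is untouched, curl's version bump
# is visible from the name alone, and only openssh is reported as "same version,
# different build".
demo() {
  old=$(mktemp) && new=$(mktemp)
  printf '%s\n' "$OLD_CLOSURE" > "$old"
  printf '%s\n' "$NEW_CLOSURE" > "$new"
  same_version_different_drv "$old" "$new"
  rm -f "$old" "$new"
}

# On a real NixOS host: list the patches the running sshd was actually built
# with, instead of trusting its version banner. Needs the nix-store CLI
# (--deriver resolves the .drv, --binding prints one derivation attribute),
# so it is not exercised by demo().
sshd_patch_list() {
  sshd=$(readlink -f "$(command -v sshd)")
  drv=$(nix-store --query --deriver "$sshd")
  nix-store --query --binding patches "$drv"
}

demo
```

On a real host, feed `same_version_different_drv` the `nix-store --query --requisites` output of two system generation links, or use `nvd diff` as the post suggests; the openssh line it prints is the hash change that the unchanged 9.7p1 banner hides. `sshd_patch_list` then shows the `patches` attribute of the derivation that built the running sshd, which is where backported fixes such as the ones in the PR above should appear by file name.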
@justinas Stupid decision not to change the version number and patch level indicator, but thank you very much for the clarification.
@publicvoit @justinas NixOS never does that because its package manager does no comparison based on version numbers. We also dodge stupid things like +real1.2.3 Debian sometimes has. Also it is pretty hard to decide when to bump that number, so we are not doing it. E.g. does a compile fix for FreeBSD justify a version bump? Maybe? But then we trigger rebuilds for platforms that don't need one.