Not even #NixOS has a patched #OpenSSH version to mitigate #regreSSHion yet. 😔

OK, at least disabling sshd is very easy.

Edit/Correction: NixOS somehow decided not to change the version number for a patched OpenSSH version. So you can have 9.7p1 with the vulnerability and 9.7p1 without. 🤷 🤦‍♂️

https://github.com/NixOS/nixpkgs/pull/323761/files

So the usual "am I vulnerable?"-instructions to the CVE are useless with NixOS.

[24.05] openssh: add backported security fix patches by emilazy · Pull Request #323761 · NixOS/nixpkgs

Fixes a critical security bug allowing remote code execution as root: https://www.openssh.com/txt/release-9.8 This may be CVE-2024-6387 (currently embargoed): https://cve.mitre.org/cgi-bin/cvename....

@sa0bse @publicvoit the link you shared is about -unstable only. That's what I'm using, but I imagine this might be about 24.05?

@phaer @sa0bse I'm using 24.05 and I really don't care about NixOS any more.

I disabled openssh altogether and find it more than confusing that Nix is providing different versions with the same version indicator (but different hashes). 🤷

@publicvoit @sa0bse my intention was to help with a possible misunderstanding: In my experience, many experienced users tend to use -unstable - where sshd has been updated for a while. 24.05 indeed isn't afaik.

NixOS most probably isn't for everyone. I love it, but it definitely depends on one's workflows, routines and preferences whether its advantages are worth dealing with its failings.

@publicvoit @phaer @sa0bse Nix's hashes are very similar to git commit hashes.

If, in an arbitrary software project, you backported a bugfix from a stable branch into an LTS branch by cherry picking it, the new commit on the LTS branch would look very similar to the original. But their hashes would be different because the commits' parents and some metadata would be different. Same with Nix packages, and any input to a package affects the hash, even if one transitive dependency is different.

@publicvoit @phaer @sa0bse Also right from the beginning, 24.05 had the fix backported. The stable branch is definitely not an afterthought. Although most advanced users do indeed run unstable on their personal machines, this is not recommended for production systems.

The reason they have the same version numbers is because they're the same version ATM. 24.05 has just been cut from unstable, so the chances of any given package having diverged are low at this point.

@publicvoit @phaer @sa0bse Even 23.11 got the backport right away: https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199658842

For reference, here are the guidelines on what can make it into release branches: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#changes-acceptable-for-releases, which includes security fixes.

openssh: 9.7p1 -> 9.8p1 (fixes CVE-2024-6387 “regreSSHion” RCE) by emilazy · Pull Request #323753 · NixOS/nixpkgs

Fixes a critical security bug allowing remote code execution as root: https://www.openssh.com/txt/release-9.8 This is CVE-2024-6387: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt...


@zeorin @phaer @sa0bse
@sandro @justinas

Well, I do have a different opinion (but I'm not qualified to do so for NixOS).

As long as humans should use NixOS, they should be able to easily determine the patch-level of a package.
https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_VERSION_NUMBER.html
-> NixOS is patching without increasing the patch level number.

Any general direction on how to determine if you're running a bad version fails here.

No, a patched version is not the same version as the one before.

#badidea

@publicvoit @zeorin @phaer @sa0bse @justinas NixOS is a bit different than other systems. You would either check the nixpkgs source or use a nix repl to print what patches openssh contains.

nixos-rebuild repl
> :p pkgs.openssh.patches

And bumping the version number is necessary for almost any other distro to function. Also, bumping it creates new problems like sometimes unnecessary rebuilds, incompatibilities if it is parsed, new decisions about when to bump, and probably more.

@publicvoit @zeorin @phaer @sa0bse @justinas Also, badly constructed overlays could actually remove those patches again. Also, it is pretty easy to patch your system with an overlay and setting the output to services.ssh.package.
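Added example, not from the thread and not nixpkgs' own code: a NixOS configuration fragment that applies a backport patch on top of the packaged OpenSSH and hands the result to sshd via the services.openssh.package option, keeping the patches nixpkgs already carries instead of replacing them. The patch file name is a placeholder; the patch itself would come from the nixpkgs PR linked above.

```nix
# configuration.nix fragment (added example). Assumes a local file
# ./openssh-regresshion-backport.patch (placeholder name) taken from the
# nixpkgs PR linked above. Verify the result in `nixos-rebuild repl` with
# `:p config.services.openssh.package.patches`, since `pkgs.openssh` itself
# is left untouched here.
{ config, pkgs, lib, ... }:

let
  patchedOpenssh = pkgs.openssh.overrideAttrs (old: {
    # Append to the existing list. Writing `patches = [ ./x.patch ];` instead
    # would silently drop every patch nixpkgs already applies, which is the
    # "badly constructed overlay" failure mode mentioned in the thread.
    patches = (old.patches or [ ]) ++ [ ./openssh-regresshion-backport.patch ];
  });
in
{
  services.openssh.enable = true;
  services.openssh.package = patchedOpenssh;
}
```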

@sandro @zeorin @phaer @sa0bse @justinas A very sincere thank you from me to you for explaining all those things! 🙇

I still don't like it as it is but it seems as if there are at least some reasons to do it that way.