Not even #NixOS has a patched #OpenSSH version to mitigate #regreSSHion yet. 😔

OK, at least disabling sshd is very easy.

Edit/Correction: NixOS somehow decided not to change the version number for a patched OpenSSH version. So you can have 9.7p1 with the vulnerability and 9.7p1 without. 🤷 🤦‍♂️

https://github.com/NixOS/nixpkgs/pull/323761/files

So the usual "am I vulnerable?" instructions for the CVE are useless with NixOS.

[24.05] openssh: add backported security fix patches by emilazy · Pull Request #323761 · NixOS/nixpkgs

Fixes a critical security bug allowing remote code execution as root: https://www.openssh.com/txt/release-9.8 This may be CVE-2024-6387 (currently embargoed): https://cve.mitre.org/cgi-bin/cvename....

@sa0bse @publicvoit the link you shared is about -unstable only. That's what I'm using, but I imagine this might be about 24.05?

@phaer @sa0bse I'm using 24.05 and I really don't care about NixOS any more.

I disabled openssh altogether and find it more than confusing that Nix is providing different versions with the same version indicator (but different hashes). 🤷

@publicvoit @phaer It's in the 24.05 channels as well though https://nixpk.gs/pr-tracker.html?pr=323761