[staging] openssh: 8.3p1 -> 8.4p1 #99959
Neither the gssapi patches nor the hpn fork seem to be updated yet.
Fixes CVE-2020-15778, CVE-2020-14145
Motivation for this change
It seems #90264 undid our ability to have different versions for openssh and openssh_hpn, can you bring that logic back and leave openssh_hpn at the old version? The hpn repo often takes a long time to get updates so I think it's nicer to decouple those versions so folks can make their own choices about perf vs security.
Looking at the CVEs,
I don't think either of these warrants breaking GSSAPI as well; historically the patches have taken multiple months to appear but they've shown up much more quickly for recent releases. I'm happy to wait a few days to see if a GSSAPI patch becomes available and include it, or otherwise I think we can change openssh_gssapi to also use an older openssh version until a patch is available to unblock updating the main openssh derivation to 8.4p1.
Some data from the last ~year on lag time in GSSAPI patch update:
There is now a release of a new GSSAPI patch: https://salsa.debian.org/ssh-team/openssh/-/commit/e371906fbbbbc11b0dced8fd4e0d258eb489d7c1
Would be nice to see this integrated into this PR. I'm not sure if we should block on HPN support or not.
Personally, I'd much prefer having an up to date openssh instead of carrying outdated patched versions around.