[staging] openssh: 8.3p1 -> 8.4p1 #99959

Merged 1 commit into NixOS:staging from helsinki-systems:upd/openssh on Nov 3, 2020

Conversation

@dasJ (Member) commented Oct 7, 2020

Neither the gssapi patches nor the hpn fork seem to be updated yet.
Marked these as broken for now.

Fixes CVE-2020-15778, CVE-2020-14145

Motivation for this change
  • CVE-2020-15778
  • CVE-2020-14145
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@ofborg ofborg bot requested review from aneeshusa and edolstra Oct 7, 2020
@dasJ dasJ changed the base branch from master to staging Oct 7, 2020
@dasJ dasJ force-pushed the helsinki-systems:upd/openssh branch 2 times, most recently from 7ba4a93 to f0471ad Oct 7, 2020
@aneeshusa (Contributor) commented Oct 8, 2020

It seems #90264 undid our ability to have different versions for openssh and openssh_hpn, can you bring that logic back and leave openssh_hpn at the old version? The hpn repo often takes a long time to get updates so I think it's nicer to decouple those versions so folks can make their own choices about perf vs security.

Looking at the CVEs,

I don't think either of these warrants breaking GSSAPI as well; historically the patches have taken multiple months to appear but they've shown up much more quickly for recent releases. I'm happy to wait a few days to see if a GSSAPI patch becomes available and include it, or otherwise I think we can change openssh_gssapi to also use an older openssh version until a patch is available to unblock updating the main openssh derivation to 8.4p1.

Some data from the last ~year on lag time in GSSAPI patch update:

| version | upstream release date | GSSAPI patch availability | delta |
|---------|-----------------------|---------------------------|---------|
| 8.3p1   | 2020-05-27            | 2020-06-07                | 11 days |
| 8.2p1   | 2020-02-14            | 2020-02-21                | 7 days  |
| 8.1p1   | 2019-10-09            | 2020-10-10                | 1 day   |
| 8.0p1   | 2019-04-17            | 2019-06-09                | 53 days |
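One way to express the version decoupling asked for above, as an added Nix example that is not nixpkgs' own openssh expression: a shared builder parametrized by version, with the main `openssh` attribute on 8.4p1, the GSSAPI flavor carrying an external patch, and `openssh_hpn` pinned to 8.3p1 until its patch catches up. The builder name `mkOpenssh`, the mirror path, and all hashes and patch URLs are assumptions or placeholders, not values from the PR.

```nix
# Added example (not nixpkgs' own openssh expression). Hashes and patch
# URLs are placeholders; `mkOpenssh` and the mirror path are assumptions.
{ pkgs ? import <nixpkgs> { } }:
let
  inherit (pkgs) lib stdenv fetchurl fetchpatch;
  # Shared builder: each flavor supplies its own version, so bumping the
  # main package never drags along a flavor whose patch has not caught up.
  mkOpenssh = { version, sha256, patches ? [ ], broken ? false }:
    stdenv.mkDerivation {
      pname = "openssh";
      inherit version patches;
      src = fetchurl {
        url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
        inherit sha256;
      };
      meta = {
        platforms = lib.platforms.unix;
        # Only set when no buildable combination exists for a flavor.
        inherit broken;
      };
    };
  # Placeholder hashes; fill in from `nix-prefetch-url` output.
  hash84 = lib.fakeSha256;
  hash83 = lib.fakeSha256;
  # Placeholder patch fetcher; real patch URLs are release-specific.
  placeholderPatch = name: fetchpatch {
    url = "https://example.invalid/PLACEHOLDER-${name}.patch";
    sha256 = lib.fakeSha256;
  };
in
{
  # Main derivation follows upstream: this is the build that carries the
  # CVE fixes, so it should never wait for downstream patch sets.
  openssh = mkOpenssh { version = "8.4p1"; sha256 = hash84; };

  # GSSAPI flavor: same release plus the external patch once it is out.
  openssh_gssapi = mkOpenssh {
    version = "8.4p1";
    sha256 = hash84;
    patches = [ (placeholderPatch "openssh-8.4p1-gssapi") ];
  };

  # HPN flavor: its patch lags, so pin the previous release instead of
  # marking the attribute broken; users choose perf (old) vs security (new).
  openssh_hpn = mkOpenssh {
    version = "8.3p1";
    sha256 = hash83;
    patches = [ (placeholderPatch "openssh-8.3p1-hpn") ];
  };
}
```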
@andir (Member) commented Oct 23, 2020

There is now a release of a new GSSAPI patch: https://salsa.debian.org/ssh-team/openssh/-/commit/e371906fbbbbc11b0dced8fd4e0d258eb489d7c1

Would be nice to see this integrated into this PR. I'm not sure if we should block on HPN support or not.

@ajs124 ajs124 force-pushed the helsinki-systems:upd/openssh branch from f0471ad to 6f49aca Oct 27, 2020
@ajs124 (Member) commented Oct 29, 2020

@andir how about this?

@aneeshusa (Contributor) commented Oct 29, 2020

Thanks for integrating the GSSAPI patch. Would still prefer to not mark hpnSupport as broken but instead give those users an older version as we always did before #90264.

@ajs124 (Member) commented Oct 29, 2020

This discussion has been had a bunch of times before (e.g. in #80196 and #59806) and looking through the commit history, hpnSupport has been marked and unmarked as broken a few times, as well.

Personally, I'd much prefer having an up to date openssh instead of carrying outdated patched versions around.

Fixes CVE-2020-15778, CVE-2020-14145
@ajs124 ajs124 force-pushed the helsinki-systems:upd/openssh branch from 6f49aca to 02390ed Oct 29, 2020
@ajs124 (Member) commented Oct 29, 2020

Anyways, apparently there's a hpn patch released now as well and it seems to build, so there you go.

@dasJ dasJ changed the title openssh: 8.3p1 -> 8.4p1 [staging] openssh: 8.3p1 -> 8.4p1 Nov 1, 2020
@mohe2015 commented Nov 3, 2020

What about merging this soon as this is a security update?

@andir (Member) commented Nov 3, 2020

All the openssh flavors did build for me. I'm merging this in.

@andir andir merged commit be6e50a into NixOS:staging Nov 3, 2020
19 checks passed
openssh, openssh.passthru.tests on aarch64-linux: Success
openssh, openssh.passthru.tests on x86_64-linux: Success
@ajs124 ajs124 deleted the helsinki-systems:upd/openssh branch Nov 3, 2020
5 participants