[22.05] openssh: use 9.6p1 by default, patched against CVE-2024-6387

[osnyx]

@flyingcircusio/release-managers

Package openssh-9.6p1 with patches against CVE-2024-6387 and use it as new platform default.

PL-132768

Release process

Impact: sshd.service will be restarted

Changelog:

• openssh: apply patches for GHSA-2x8c-95vh-gfv4, default package used changes 9.0p1 -> 9.6p1
  • fixes a remote code execution vulnerability https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
  • additionally also backport a fix for a minor logic error in ObscureKeystrokeTiming
  • note that this only updates the openssh_9_6 package, which is used by the in-path ssh command and the sshd.service of the platform
  • This might affect the defaults for cryptographic algorithms, see the openssh release notes for details

PR release workflow (internal)

• PR has internal ticket
• internal issue ID (PL-…) part of branch name
• internal issue ID mentioned in PR description text
• ticket is on Platform agile board
• ticket state set to Pull request ready
• if ticket is more urgent than within the next few days, directly contact a member of the Platform team

Design notes

• Provide a feature toggle if the change might need to be adjusted/reverted quickly depending on context. Consider whether the default should be on or off. Example: rate limiting.
• All customer-facing features and (NixOS) options need to be discoverable from documentation. Add or update relevant documentation such that hosted and guided customers can understand it as well.

Security implications

• Security requirements defined? (WHERE)
  • patch a remote code execution vulnerability in openSSH https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
  • must not introduce any know regressions
• Security requirements tested? (EVIDENCE)
  • automated tests still pass
  • successfully tested restarting openssh and connecting on a vm in dev