diff options
author | Jill <kokakiwi@deuxfleurs.fr> | 2024-07-02 13:26:15 +0000 |
---|---|---|
committer | Jill <kokakiwi@deuxfleurs.fr> | 2024-07-02 13:26:15 +0000 |
commit | 62ff09234dc514a699b1aefabcde84d39cac4e1b (patch) | |
tree | ae210f421e4f8233ea71bf87b63e799d385e904b | |
parent | 98feb96d2766e76fdcac45b82af84d3c2baddd86 (diff) | |
parent | b89b625f46003e0a018eaede1a6923c93b423755 (diff) | |
download | nixcfg-62ff09234dc514a699b1aefabcde84d39cac4e1b.tar.gz nixcfg-62ff09234dc514a699b1aefabcde84d39cac4e1b.zip |
Merge pull request 'openssh: Temporary patch for CVE-2024-6387 mitigation' (#30) from KokaKiwi/nixcfg:openssh-mitigation into main
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/nixcfg/pulls/30
-rw-r--r-- | nix/configuration.nix | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/nix/configuration.nix b/nix/configuration.nix index 68751a2..ab7b11a 100644 --- a/nix/configuration.nix +++ b/nix/configuration.nix @@ -78,6 +78,23 @@ SystemMaxUse=1G services.openssh.enable = true; services.openssh.settings.PasswordAuthentication = false; + # FIXME: Temporary patch for OpenSSH (CVE-2024-6387) + # Patches from backport PR: https://github.com/NixOS/nixpkgs/pull/323765 + programs.ssh.package = pkgs.openssh.overrideAttrs(prev: { + patches = prev.patches ++ [ + (pkgs.fetchpatch { + url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch"; + hash = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw="; + }) + (pkgs.fetchpatch { + url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-chaff-logic.patch"; + hash = "sha256-lepBEFxKTAwg379iCD8KQCZVAzs3qNSSyUTOcartpK4="; + }) + ]; + + doCheck = false; + }); + virtualisation.docker = { enable = true; extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON { |