aboutsummaryrefslogtreecommitdiff
path: root/nix/configuration.nix
diff options
context:
space:
mode:
authorKokaKiwi <kokakiwi+git@kokakiwi.net>2024-07-01 14:02:27 +0200
committerKokaKiwi <kokakiwi+git@kokakiwi.net>2024-07-01 14:04:25 +0200
commitb89b625f46003e0a018eaede1a6923c93b423755 (patch)
tree4c06fec0a9cb1cdb94306a0b20ee35c117d61c66 /nix/configuration.nix
parentfa510688d770884e7059596a89e7bc761f9e2586 (diff)
downloadnixcfg-b89b625f46003e0a018eaede1a6923c93b423755.tar.gz
nixcfg-b89b625f46003e0a018eaede1a6923c93b423755.zip
openssh: Temporary patch for CVE-2024-6387 mitigation
Diffstat (limited to 'nix/configuration.nix')
-rw-r--r--nix/configuration.nix17
1 files changed, 17 insertions, 0 deletions
diff --git a/nix/configuration.nix b/nix/configuration.nix
index 68751a2..ab7b11a 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -78,6 +78,23 @@ SystemMaxUse=1G
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
+ # FIXME: Temporary patch for OpenSSH (CVE-2024-6387)
+ # Patches from backport PR: https://github.com/NixOS/nixpkgs/pull/323765
+ programs.ssh.package = pkgs.openssh.overrideAttrs(prev: {
+ patches = prev.patches ++ [
+ (pkgs.fetchpatch {
+ url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
+ hash = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
+ })
+ (pkgs.fetchpatch {
+ url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-chaff-logic.patch";
+ hash = "sha256-lepBEFxKTAwg379iCD8KQCZVAzs3qNSSyUTOcartpK4=";
+ })
+ ];
+
+ doCheck = false;
+ });
+
virtualisation.docker = {
enable = true;
extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON {