openssh: Temporary patch for CVE-2024-6387 mitigation

This commit is contained in:
Jill 2024-07-01 14:02:27 +02:00
parent fa510688d7
commit b89b625f46
No known key found for this signature in database
GPG key ID: 09A5A2688F13FAC1

View file

@ -78,6 +78,23 @@ SystemMaxUse=1G
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false; services.openssh.settings.PasswordAuthentication = false;
# FIXME: Temporary patch for OpenSSH (CVE-2024-6387)
# Patches from backport PR: https://github.com/NixOS/nixpkgs/pull/323765
programs.ssh.package = pkgs.openssh.overrideAttrs(prev: {
patches = prev.patches ++ [
(pkgs.fetchpatch {
url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
hash = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
})
(pkgs.fetchpatch {
url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-chaff-logic.patch";
hash = "sha256-lepBEFxKTAwg379iCD8KQCZVAzs3qNSSyUTOcartpK4=";
})
];
doCheck = false;
});
virtualisation.docker = { virtualisation.docker = {
enable = true; enable = true;
extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON { extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON {