authorRobin Gloster <mail@glob.in>2016-08-12 09:46:53 +0000
committerRobin Gloster <mail@glob.in>2016-08-12 09:46:53 +0000
commitb7787d932ec9cbd82ea6bc7c69d8df159b606fdc (patch)
treec4b6af2e6b49732ce5c6982cb8512ce9b7f1f34d /pkgs/tools/networking/openssh
parentbc025e83bd6c44df38851ef23da53359a0e62841 (diff)
parent532b2222965377e77ed884c463ee2751fb51dba3 (diff)
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
Diffstat (limited to 'pkgs/tools/networking/openssh')
-rw-r--r--pkgs/tools/networking/openssh/CVE-2015-8325.patch28
-rw-r--r--pkgs/tools/networking/openssh/default.nix6
2 files changed, 3 insertions, 31 deletions
diff --git a/pkgs/tools/networking/openssh/CVE-2015-8325.patch b/pkgs/tools/networking/openssh/CVE-2015-8325.patch
deleted file mode 100644
index c752726aeae7..000000000000
--- a/pkgs/tools/networking/openssh/CVE-2015-8325.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Wed, 13 Apr 2016 10:39:57 +1000
-Subject: [PATCH] ignore PAM environment vars when UseLogin=yes
-
-If PAM is configured to read user-specified environment variables
-and UseLogin=yes in sshd_config, then a hostile local user may
-attack /bin/login via LD_PRELOAD or similar environment variables
-set via PAM.
-
-CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
----
- session.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/session.c b/session.c
-index 4859245..4653b09 100644
---- a/session.c
-+++ b/session.c
-@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
- 	 * Pull in any environment variables that may have
- 	 * been set by PAM.
- 	 */
--	if (options.use_pam) {
-+	if (options.use_pam && !options.use_login) {
- 		char **p;
- 
- 		p = fetch_pam_child_environment();
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index a0cb0795a261..8f4c0aa54dfa 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -27,11 +27,12 @@ with stdenv.lib;
 stdenv.mkDerivation rec {
   # Please ensure that openssh_with_kerberos still builds when
   # bumping the version here!
-  name = "openssh-7.2p2";
+  name = "openssh-${version}";
+  version = "7.3p1";
 
   src = fetchurl {
     url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
-    sha256 = "132lh9aanb0wkisji1d6cmsxi520m8nh7c7i9wi6m1s3l38q29x7";
+    sha256 = "1k5y1wi29d47cgizbryxrhc1fbjsba2x8l5mqfa9b9nadnd9iyrz";
   };
 
   prePatch = optionalString hpnSupport
@@ -44,7 +45,6 @@ stdenv.mkDerivation rec {
     [
       ./locale_archive.patch
       ./fix-host-key-algorithms-plus.patch
-      ./CVE-2015-8325.patch
 
       # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
       ./dont_create_privsep_path.patch