authorAneesh Agrawal <aneeshusa@gmail.com>2016-08-07 13:55:20 -0400
committerFranz Pletz <fpletz@fnordicwalking.de>2016-08-07 19:55:20 +0200
commitf6eae2efab68638259f27e0c56c3534155063543 (patch)
tree60836c35f58b7b4198cf110f7ec1eba3b92a2345 /pkgs/tools/networking/openssh
parent6a8673716eb97ee84b8adac9203d98e0f53b0f60 (diff)
openssh: 7.2p2 -> 7.3p1 (#17493)
Also remove the patch for CVE-2015-8325, which has been fixed upstream.
Diffstat (limited to 'pkgs/tools/networking/openssh')
-rw-r--r--pkgs/tools/networking/openssh/CVE-2015-8325.patch28
-rw-r--r--pkgs/tools/networking/openssh/default.nix6
2 files changed, 3 insertions, 31 deletions
diff --git a/pkgs/tools/networking/openssh/CVE-2015-8325.patch b/pkgs/tools/networking/openssh/CVE-2015-8325.patch
deleted file mode 100644
index c752726aeae7..000000000000
--- a/pkgs/tools/networking/openssh/CVE-2015-8325.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Wed, 13 Apr 2016 10:39:57 +1000
-Subject: [PATCH] ignore PAM environment vars when UseLogin=yes
-
-If PAM is configured to read user-specified environment variables
-and UseLogin=yes in sshd_config, then a hostile local user may
-attack /bin/login via LD_PRELOAD or similar environment variables
-set via PAM.
-
-CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
----
- session.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/session.c b/session.c
-index 4859245..4653b09 100644
---- a/session.c
-+++ b/session.c
-@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
- 	 * Pull in any environment variables that may have
- 	 * been set by PAM.
- 	 */
--	if (options.use_pam) {
-+	if (options.use_pam && !options.use_login) {
- 		char **p;
- 
- 		p = fetch_pam_child_environment();
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 6d6b43c5f8d9..dab638301820 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -27,11 +27,12 @@ with stdenv.lib;
 stdenv.mkDerivation rec {
   # Please ensure that openssh_with_kerberos still builds when
   # bumping the version here!
-  name = "openssh-7.2p2";
+  name = "openssh-${version}";
+  version = "7.3p1";
 
   src = fetchurl {
     url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
-    sha256 = "132lh9aanb0wkisji1d6cmsxi520m8nh7c7i9wi6m1s3l38q29x7";
+    sha256 = "1k5y1wi29d47cgizbryxrhc1fbjsba2x8l5mqfa9b9nadnd9iyrz";
   };
 
   prePatch = optionalString hpnSupport
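Review bot: The `url` in `fetchurl` still interpolates `${name}`, so the download path stays coupled to the derivation name even though this hunk introduces a separate `version` attribute. Writing `url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";` would keep the fetch stable if `name` ever gains a prefix or suffix. The new `sha256` is the only integrity check on the tarball visible here, so it is worth confirming it against upstream's signed release artefact before merging, particularly as the same commit drops `./CVE-2015-8325.patch` on the assumption that 7.3p1 carries the fix. The `mkDerivation` body starts and ends outside this hunk.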
@@ -44,7 +45,6 @@ stdenv.mkDerivation rec {
     [
       ./locale_archive.patch
       ./fix-host-key-algorithms-plus.patch
-      ./CVE-2015-8325.patch
 
       # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
       ./dont_create_privsep_path.patch