authorFranz Pletz <fpletz@fnordicwalking.de>2016-01-14 16:28:43 +0100
committerFranz Pletz <fpletz@fnordicwalking.de>2016-01-14 16:40:27 +0100
commit2d657729502336bf5c9dc29e123e2d6802f7a6e9 (patch)
tree180f2fa2b21baf10242c55a34f664f096e4b91f7 /pkgs/tools/networking
parent0fa58f4e0104d6fb3c44cdafeb8c343b8bac549e (diff)
openssh: Disable roaming (security fix)
Fixes CVE-2016-0777 and CVE-0216-0778.

Closes #12385.
Diffstat (limited to 'pkgs/tools/networking')
-rw-r--r--pkgs/tools/networking/openssh/default.nix2
-rw-r--r--pkgs/tools/networking/openssh/disable-roaming.patch51
2 files changed, 52 insertions, 1 deletions
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 3a150f19ed23..fecaabe95f94 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
       export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
     '';
 
-  patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch ]
+  patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch ./disable-roaming.patch ]
     ++ optional withGssapiPatches gssapiSrc;
 
   buildInputs = [ zlib openssl libedit pkgconfig pam ]
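Review bot: The new `./disable-roaming.patch` entry on L36 carries no comment saying what it fixes or when it can be dropped, so a later upgrade has no signal that this patch is tied to a specific upstream state. A trailing comment would do: `./disable-roaming.patch # CVE-2016-0777: force client roaming off; drop once upstream no longer ships the roaming code`. Patch order is also worth a glance: `gssapiSrc` is appended after it, so if that patch touches readconf.c or ssh.c the roaming patch must still apply first — presumably it does, but the build is the only check here.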
diff --git a/pkgs/tools/networking/openssh/disable-roaming.patch b/pkgs/tools/networking/openssh/disable-roaming.patch
new file mode 100644
index 000000000000..cd81d52f6c18
--- /dev/null
+++ b/pkgs/tools/networking/openssh/disable-roaming.patch
@@ -0,0 +1,51 @@
+From b842c1891b9979e30a6b53292a236ceb9231be79 Mon Sep 17 00:00:00 2001
+From: Franz Pletz <fpletz@fnordicwalking.de>
+Date: Thu, 14 Jan 2016 16:25:50 +0100
+Subject: [PATCH] Disable roaming, fixes CVE-2016-0777 and CVE-0216-0778
+
+Based on http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/010_ssh.patch.sig
+---
+ readconf.c | 5 ++---
+ ssh.c      | 3 ---
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index db7d0bb..5b03f97 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1660,7 +1660,7 @@ initialize_options(Options * options)
+ 	options->tun_remote = -1;
+ 	options->local_command = NULL;
+ 	options->permit_local_command = -1;
+-	options->use_roaming = -1;
++	options->use_roaming = 0;
+ 	options->visual_host_key = -1;
+ 	options->ip_qos_interactive = -1;
+ 	options->ip_qos_bulk = -1;
+@@ -1835,8 +1835,7 @@ fill_default_options(Options * options)
+ 		options->tun_remote = SSH_TUNID_ANY;
+ 	if (options->permit_local_command == -1)
+ 		options->permit_local_command = 0;
+-	if (options->use_roaming == -1)
+-		options->use_roaming = 1;
++	options->use_roaming = 0;
+ 	if (options->visual_host_key == -1)
+ 		options->visual_host_key = 0;
+ 	if (options->ip_qos_interactive == -1)
+diff --git a/ssh.c b/ssh.c
+index 3fd5a94..e8428b5 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1931,9 +1931,6 @@ ssh_session2(void)
+ 			fork_postauth();
+ 	}
+ 
+-	if (options.use_roaming)
+-		request_roaming();
+-
+ 	return client_loop(tty_flag, tty_flag ?
+ 	    options.escape_char : SSH_ESCAPECHAR_NONE, id);
+ }
+-- 
+2.7.0
+
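Review bot: The Subject line on L49 repeats the commit message's `CVE-0216-0778`, which is not a well-formed CVE identifier (the year field reads 0216); presumably the 2016 entry is meant, and it should be corrected in both places before this becomes the permanent record of why the patch exists. On the code side the change is sound as far as the hunks show: `fill_default_options` now sets `options->use_roaming = 0` unconditionally, so any value the config parser set earlier is overridden rather than honored (assuming it runs after parsing, as the name suggests), and with the `request_roaming()` call gone from `ssh_session2` the client no longer initiates roaming. The roaming implementation itself stays compiled in, so it is worth confirming no other call site still reaches it. Both `fill_default_options` and `ssh_session2` start outside their hunks; a short comment above the forced assignment, e.g. `/* roaming disabled unconditionally: CVE-2016-0777 */`, would explain why this one default ignores the -1 sentinel every neighbouring option uses.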