Merge pull request #53896 from andir/openssh

openssh: apply CVE-2018-20685 patch
2019-01-13 22:45:09 +01:00 · 2019-01-13 22:45:09 +01:00 · 2013d86a5d
commit 2013d86a5d
parent ac38750e32 6d3a653f10
1 changed files with 9 additions and 0 deletions
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@ -41,6 +41,15 @@ stdenv.mkDerivation rec {

      # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
      ./dont_create_privsep_path.patch
+
+      # CVE-2018-20685, can probably be dropped with next version bump
+      # See https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
+      # for details
+      (fetchpatch {
+        name = "CVE-2018-20685.patch";
+        url = https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2.patch;
+        sha256 = "0q27i9ymr97yb628y44qi4m11hk5qikb1ji1vhvax8hp18lwskds";
+      })
    ]
    ++ optional withGssapiPatches (assert withKerberos; gssapiPatch);