[PATCH] gnu: openssh: Update to 9.6p1 [security-fixes].

Details
3 participants
  • Jack Hill
  • John Kehayias
  • Marcel van der Boom
Owner
unassigned
Submitted by
Jack Hill
Severity
normal
Jack Hill wrote on 21 Dec 2023 06:33
(address . guix-patches@gnu.org)
e54b8cccc03a565c16bcbfc562fd966d5ef08e1c.1703136788.git.jackhill@jackhill.us
Fixes CVE-2023-48795.

* gnu/packages/ssh.scm (openssh): Update to 9.6p1
[arguments]<#:parallel-tests?>: Disable.

Change-Id: I8b7707894d904ec8bcccb943908fff2e69a1a027
---

This may fix additional security problems as well, but the openssh
release notes don't list them:

https://www.openssh.com/releasenotes.html#9.6p1

gnu/packages/ssh.scm | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 47089b197d..565ac3b079 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -198,7 +198,7 @@ (define-public libssh2
(define-public openssh
(package
(name "openssh")
- (version "9.5p1")
+ (version "9.6p1")
(source
(origin
(method url-fetch)
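Review bot: the `(version "9.6p1")` bump in this hunk is only meaningful together with the `sha256` change in the following hunk, and since the commit message presents this as a security fix (CVE-2023-48795), the new base32 hash should be confirmed to belong to the 9.6p1 tarball whose upstream signature verifies, not merely to whatever was fetched, before the two hunks are pushed together.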
@@ -206,11 +206,14 @@ (define-public openssh
"openssh-" version ".tar.gz"))
(patches (search-patches "openssh-trust-guix-store-directory.patch"))
(sha256
- (base32 "0sq8hqk6f0x6djgvqawjbwwxpwd8r1nzjahqfl7m9yx7kfvyf9ph"))))
+ (base32 "0z3pgam8b4z05lvdb78iv06p204qwl7b94a3cnnwba2mfb0120li"))))
(build-system gnu-build-system)
(arguments
(list
#:test-target "tests"
+ ;; Not all of the tests can be run in parallel
+ ;; https://marc.info/?l=openssh-unix-dev&m=170313565518842&w=2
+ #:parallel-tests? #f
;; Otherwise, the test scripts try to use a nonexistent directory and fail.
#:make-flags
#~(list "REGRESSTMP=\"$${BUILDDIR}/regress\"")
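Review bot: the new comment above `#:parallel-tests? #f` should follow the file's convention of full sentences ending in a period (compare the existing `;; Otherwise, the test scripts try to use a nonexistent directory and fail.`), and it would help future maintainers to name which regress tests conflict under parallel runs so the flag can be revisited; serialising the test suite slows the build of a security update, but that is preferable to dropping tests from a security release.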

base-commit: aa22cdd363d3b2cf64586ccee918531aa53ef365
--
2.41.0
John Kehayias wrote on 21 Dec 2023 20:28
(name . Jack Hill)(address . jackhill@jackhill.us)(address . 67948-done@debbugs.gnu.org)
87a5q3qrsq.fsf@protonmail.com
On Thu, Dec 21, 2023 at 12:33 AM, Jack Hill wrote:

> Fixes CVE-2023-48795.
>
> * gnu/packages/ssh.scm (openssh): Update to 9.6p1
> [arguments]<#:parallel-tests?>: Disable.
>
> Change-Id: I8b7707894d904ec8bcccb943908fff2e69a1a027
> ---
>
> This may fix additional security problem as well, but the openssh
> release notes don't list them:
>
> https://www.openssh.com/releasenotes.html#9.6p1
>
>
> gnu/packages/ssh.scm | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
> index 47089b197d..565ac3b079 100644
> --- a/gnu/packages/ssh.scm
> +++ b/gnu/packages/ssh.scm
> @@ -198,7 +198,7 @@ (define-public libssh2
> (define-public openssh
> (package
> (name "openssh")
> - (version "9.5p1")
> + (version "9.6p1")
> (source
> (origin
> (method url-fetch)
> @@ -206,11 +206,14 @@ (define-public openssh
> "openssh-" version ".tar.gz"))
> (patches (search-patches "openssh-trust-guix-store-directory.patch"))
> (sha256
> - (base32 "0sq8hqk6f0x6djgvqawjbwwxpwd8r1nzjahqfl7m9yx7kfvyf9ph"))))
> + (base32 "0z3pgam8b4z05lvdb78iv06p204qwl7b94a3cnnwba2mfb0120li"))))
> (build-system gnu-build-system)
> (arguments
> (list
> #:test-target "tests"
> + ;; Not all of the tests can be run in parallel
> + ;; https://marc.info/?l=openssh-unix-dev&m=170313565518842&w=2
> + #:parallel-tests? #f
> ;; Otherwise, the test scripts try to use a nonexistent directory and fail.
> #:make-flags
> #~(list "REGRESSTMP=\"$${BUILDDIR}/regress\"")
>
> base-commit: aa22cdd363d3b2cf64586ccee918531aa53ef365

Thanks for this one as well! Pushed as
04b63ea195cbcbcf519b7dd52546c6d56be6741b.
Closed
John Kehayias wrote on 31 Dec 2023 21:02
(name . Marcel van der Boom)(address . marcel@van-der-boom.nl)
874jfyqgxf.fsf@protonmail.com
Hi,

On Sun, Dec 24, 2023 at 09:10 AM, Marcel van der Boom wrote:

> Note that this breaks OpenSSH building on powerpc64le platforms
>
> See:
>
> https://github.com/openssh/openssh-portable/commit/1036d77b34a5fa15e56f516b81b9928006848cbd
>
> for upstream patch

Looks like you just sent this to the debbugs address so no one got it.
I've cc'ed the original author manually.

I happened to see this when searching for something else, so it would be
good to open a separate issue (or better yet with a patch) for this. You
could CC Efraim as he is usually on top of powerpc64le stuff in my
experience.

Thanks,
John