openssh: apply CVE-2018-20685 patch

author: Andreas Rammhold <andreas@rammhold.de> 2019-01-13 21:26:05 +0100
committer: Andreas Rammhold <andreas@rammhold.de> 2019-01-13 21:26:05 +0100
commit: 6d3a653f10489158e9b3c223f16c8db9b0e7bc50 (patch)
tree: eafb071563c85af834cde8df3b04803c7a91860c /pkgs/tools/networking/openssh
parent: f9bd1533773e5fd3576b07cd7a39215b0cb3dad9 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 7b3c00894667c..6ce574b9cdc40 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -41,6 +41,15 @@ stdenv.mkDerivation rec {
 
       # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
       ./dont_create_privsep_path.patch
+
+      # CVE-2018-20685, can probably be dropped with next version bump
+      # See https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
+      # for details
+      (fetchpatch {
+        name = "CVE-2018-20685.patch";
+        url = https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2.patch;
+        sha256 = "0q27i9ymr97yb628y44qi4m11hk5qikb1ji1vhvax8hp18lwskds";
+      })
     ]
     ++ optional withGssapiPatches (assert withKerberos; gssapiPatch);
author	Andreas Rammhold <andreas@rammhold.de>	2019-01-13 21:26:05 +0100
committer	Andreas Rammhold <andreas@rammhold.de>	2019-01-13 21:26:05 +0100
commit	6d3a653f10489158e9b3c223f16c8db9b0e7bc50 (patch)
tree	eafb071563c85af834cde8df3b04803c7a91860c /pkgs/tools/networking/openssh
parent	f9bd1533773e5fd3576b07cd7a39215b0cb3dad9 (diff)