diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index fabcda902be3..064f68947b80 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -50,6 +50,7 @@ stdenv.mkDerivation rec { # See discussion in https://github.com/NixOS/nixpkgs/pull/16966 ./dont_create_privsep_path.patch + ./fix-CVE-2016-8858.patch ] ++ optional withGssapiPatches gssapiSrc; @@ -92,7 +93,7 @@ stdenv.mkDerivation rec { description = "An implementation of the SSH protocol"; license = stdenv.lib.licenses.bsd2; platforms = platforms.unix; - maintainers = with maintainers; [ eelco ]; + maintainers = with maintainers; [ eelco aneeshusa ]; broken = hpnSupport; # probably after 6.7 update }; } diff --git a/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch b/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch new file mode 100644 index 000000000000..e526161083c0 --- /dev/null +++ b/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch @@ -0,0 +1,11 @@ +diff -u -r1.126 -r1.127 +--- ssh/kex.c 2016/09/28 21:44:52 1.126 ++++ ssh/kex.c 2016/10/10 19:28:48 1.127 +@@ -461,6 +461,7 @@ + if (kex == NULL) + return SSH_ERR_INVALID_ARGUMENT; + ++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); + ptr = sshpkt_ptr(ssh, &dlen); + if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) + return r;