OpenSSH vulnerability fix

The latest OpenSSH has a fix for this vulnerability that allows RCE. I’m on NixOS channel 24.05. Just updated my system and the OpenSSH version I have is 9.7p1. The fix is in version 9.8. When will it be rolled out? Are there any recommendations for users running OpenSSH on public servers?

See Security advisory: OpenSSH CVE-2024-6387 “regreSSHion” – update your servers ASAP

This is discussed here
SSH CVE

It looks like master, nixpkgs-unstable, and nixos-unstable-small are “green” in the Pull request tracker.

So hopefully fairly soon as it all flows through the process.

I’m impressed by the quick response from the community to the issue…

Note that on 24.05 we use a minimal fix from upstream for this issue, so you will still see 9.7p1 even when fully patched. If you can use the -small channels you can get the fix now; otherwise it will still be a few more hours while the full channel builds finish.
