[staging] openssh: 8.3p1 -> 8.4p1

[dasJ]

Neither the gssapi patches nor the hpn fork seem to be updated yet.
Marked these as broken for now.

Fixes CVE-2020-15778, CVE-2020-14145

Motivation for this change

• CVE-2020-15778
• CVE-2020-14145

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[aneeshusa]

It seems #90264 undid our ability to have different versions for openssh and openssh_hpn, can you bring that back logic back and leave openssh_hpn at the old version? THe hpn repo often takes a long time to get updates so I think it's nicer to decouple those versions so folks can make their own choices about perf vs security.

Looking at the CVEs,

• https://nvd.nist.gov/vuln/detail/CVE-2020-15778 is about scp which is the OpenSSH folks have said is outdated, inflexible, and not readily fixed; fundamentally folks will need to move away from scp towards newer protocols like rsync: https://github.com/cpandya2909/CVE-2020-15778/#openssh-reply
• https://nvd.nist.gov/vuln/detail/CVE-2020-14145 is a medium information leak

I don't think either of these warrants breaking GSSAPI as well; historically the patches have taken multiple months to appear but they've shown up much more quickly for recent releases. I'm happy to wait a few days to see if a GSSAPI patch becomes available and include it, or otherwise I think we can change openssh_gssapi to also use an older openssh version until a patch is available to unblock updating the main openssh derivation to 8.4p1.

Some data from the last ~year on lag time in GSSAPI patch update:

version	upstream release date	GSSAPI patch availability	delta
8.3p1	2020-05-27	2020-06-07	11 days
8.2p1	2020-02-14	2020-02-21	7 days
8.1p1	2019-10-09	2020-10-10	1 day
8.0p1	2019-04-17	2019-06-09	53 days

[andir]

There is now a release of a new GSSAPI patch: https://salsa.debian.org/ssh-team/openssh/-/commit/e371906fbbbbc11b0dced8fd4e0d258eb489d7c1

Would be nice to see this integrated into this PR. I'm not sure if we should block on HPN support or not.

[ajs124]

@andir how about this?

[aneeshusa]

Thanks for integrating the GSSAPI patch. Would still prefer to not mark hpnSupport as broken but instead give those users an older version as we always did before #90264.

[ajs124]

This discussion has been had a bunch of times before (e.g. in #80196 and #59806) and looking through the commit history, hpnSupport has been marked and unmarked as broken a few times, as well.

Personally, I'd much prefer having an up to date openssh instead of carrying outdated patched versions around.

[ajs124]

Anyways, apparently there's a hpn patch released now as well and it seems to build, so there you go.

[mohe2015]

What about merging this soon as this is a security update?

[andir]

All the openssh flavors did build for me. I'm merging this in.