From 189036f2c87f725da47214faf38796bb89c77945 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20B=C3=B6hme?= <mail@moritzboeh.me>
Date: Mon, 1 Jul 2024 21:39:05 +0200
Subject: [PATCH] fix: openssh CVE-2024-6387

---
 flake.lock                   | 6 +++---
 modules/security/default.nix | 2 ++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index 8783f04..b632025 100644
--- a/flake.lock
+++ b/flake.lock
@@ -720,11 +720,11 @@
     },
     "master": {
       "locked": {
-        "lastModified": 1719764577,
-        "narHash": "sha256-304HNA/XvmyfD7JZfpqF4dEBnbUYci/gMZvDThXmYkE=",
+        "lastModified": 1719834384,
+        "narHash": "sha256-M6Vr7LbYeesXrG3hjAExzIfYFxrncrs1dpnp7zdeUN4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "19581e2ce8bc43f898ef724f8072ebf62bebb325",
+        "rev": "c08bd9add4732d87fde747e15b8fc053dfd1234b",
         "type": "github"
       },
       "original": {
diff --git a/modules/security/default.nix b/modules/security/default.nix
index 3fcd4fb..e7b42fe 100644
--- a/modules/security/default.nix
+++ b/modules/security/default.nix
@@ -1,5 +1,6 @@
 { config
 , lib
+, pkgs
 , ...
 }: {
   ## System security tweaks
@@ -69,6 +70,7 @@
 
   # SSH
   services.openssh = {
+    package = pkgs.master.openssh; # HACK: to fix CVE-2024-6387
     settings = {
       # Disable ssh password login
       PasswordAuthentication = lib.mkDefault false;