Merge #214196: openssh: 9.1p1 -> 9.2p1

nixos/doc/manual/release-notes/rl-2305.section.md

@@ -66,6 +66,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - `borgbackup` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.borgbackup.jobs.<name>.inhibitsSleep`](#opt-services.borgbackup.jobs._name_.inhibitsSleep).
 
+- The `ssh` client tool now disables the `~C` escape sequence by default. This can be re-enabled by setting `EnableEscapeCommandline yes`
+
 - `podman` now uses the `netavark` network stack. Users will need to delete all of their local containers, images, volumes, etc, by running `podman system reset --force` once before upgrading their systems.
 
 - `git-bug` has been updated to at least version 0.8.0, which includes backwards incompatible changes. The `git-bug-migration` package can be used to upgrade existing repositories.

pkgs/tools/networking/openssh/default.nix

@@ -6,11 +6,11 @@ in
 
   openssh = common rec {
     pname = "openssh";
-    version = "9.1p1";
+    version = "9.2p1";
 
     src = fetchurl {
       url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
-      hash = "sha256-GfhQCcfj4jeH8CNvuxV4OSq01L+fjsX+a8HNfov90og=";
+      hash = "sha256-P2bb8WVftF9Q4cVtpiqwEhjCKIB7ITONY068351xz0Y=";
     };
 
     extraPatches = [ ./ssh-keysign-8.5.patch ];
@@ -37,6 +37,13 @@ in
         stripLen = 1;
         sha256 = "sha256-p3CmMqTgrqFZUo4ZuqaPLczAhjmPufkCvptVW5dI+MI=";
       })
+
+      (fetchpatch {
+        name = "CVE-2023-25136.patch";
+        url = "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/017_sshd.patch.sig";
+        stripLen = 1;
+        hash = "sha256-ol/YXXb2gJNBfvg9JKmIEdwGK8RaDfW53aKKT6HU++M=";
+      })
     ];
 
     extraNativeBuildInputs = [ autoreconfHook ];