From: Bruce Halco <bruce@halcomp.com>
To: cygwin@cygwin.com
Subject: Re: openSSH Vulnerability
Date: Wed, 20 Mar 2019 14:52:00 -0000 [thread overview]
Message-ID: <08b408f2-0c5e-35f9-4e61-4fe23cb3c03d@halcomp.com> (raw)
In-Reply-To: <20190320141850.GT3908@calimero.vinschen.de>
The problem is I have 8 customers failing PCI network scans because of
CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to
help.
If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise
I'll have to take some other action. I don't like any of my
alternatives, though.
I guess I'll try to convince ControlScan that since the vulnerability
affects the scp client, server security is not actually compromised. In
the past I've had a poor success rate trying to explain things like that.
Bruce
On 3/20/19 10:18 AM, Corinna Vinschen wrote:
> On Mar 20 09:13, Bruce Halco wrote:
>> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed
>> in at least some distributions, Debian at least.
> Fedora (which is our role model) doesn't and the vulnerability is not
> deemed that critical by the upstream maintainers:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html
>
> Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only.
>
> I was planning to wait for OpenSSH 8.0. It was originally slated
> for end of January or at least February, but there's no hint from the
> upstream maintainers yet in terms of the (obviously changed) release
> planning for 8.0.
>
> I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that
> helps.
>
>
> Corinna
>
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next prev parent reply other threads:[~2019-03-20 14:52 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-20 13:13 Bruce Halco
2019-03-20 14:18 ` Corinna Vinschen
2019-03-20 14:52 ` Bruce Halco [this message]
2019-03-20 15:06 ` Bill Stewart
2019-03-20 18:40 ` Brian Inglis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=08b408f2-0c5e-35f9-4e61-4fe23cb3c03d@halcomp.com \
--to=bruce@halcomp.com \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).