From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 74437 invoked by alias); 20 Mar 2019 14:52:51 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 74429 invoked by uid 89); 20 Mar 2019 14:52:51 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-1.4 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS autolearn=ham version=3.3.1 spammy=afford, HX-Languages-Length:1371, compromised, customers X-HELO: mout.perfora.net Received: from mout.perfora.net (HELO mout.perfora.net) (74.208.4.196) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 20 Mar 2019 14:52:49 +0000 Received: from [192.168.0.2] ([24.209.49.167]) by mrelay.perfora.net (mreueus002 [74.208.5.2]) with ESMTPSA (Nemesis) id 0MWRXY-1hUDzh3RwQ-00XYSg for ; Wed, 20 Mar 2019 15:52:47 +0100 Subject: Re: openSSH Vulnerability To: cygwin@cygwin.com References: <20190320141850.GT3908@calimero.vinschen.de> From: Bruce Halco Message-ID: <08b408f2-0c5e-35f9-4e61-4fe23cb3c03d@halcomp.com> Date: Wed, 20 Mar 2019 14:52:00 -0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1 MIME-Version: 1.0 In-Reply-To: <20190320141850.GT3908@calimero.vinschen.de> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit X-SW-Source: 2019-03/txt/msg00509.txt.bz2 The problem is I have 8 customers failing PCI network scans because of CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to help. If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise I'll have to take some other action. I don't like any of my alternatives, though. I guess I'll try to convince ControlScan that since the vulnerability affects the scp client, server security is not actually compromised.  In the past I've had a poor success rate trying to explain things like that. Bruce On 3/20/19 10:18 AM, Corinna Vinschen wrote: > On Mar 20 09:13, Bruce Halco wrote: >> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed >> in at least some distributions, Debian at least. > Fedora (which is our role model) doesn't and the vulnerability is not > deemed that critical by the upstream maintainers: > > https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html > > Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only. > > I was planning to wait for OpenSSH 8.0. It was originally slated > for end of January or at least February, but there's no hint from the > upstream maintainers yet in terms of the (obviously changed) release > planning for 8.0. > > I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that > helps. > > > Corinna > -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple