* openSSH Vulnerability @ 2019-03-20 13:13 Bruce Halco 2019-03-20 14:18 ` Corinna Vinschen 0 siblings, 1 reply; 5+ messages in thread From: Bruce Halco @ 2019-03-20 13:13 UTC (permalink / raw) To: cygwin openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed in at least some distributions, Debian at least. As the cygwin openSSH files are all dated October, 2018, it seems clear that the fix has not yet been applied to cygwin. Are there plans to address this? Thanks. Bruce -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: openSSH Vulnerability 2019-03-20 13:13 openSSH Vulnerability Bruce Halco @ 2019-03-20 14:18 ` Corinna Vinschen 2019-03-20 14:52 ` Bruce Halco 0 siblings, 1 reply; 5+ messages in thread From: Corinna Vinschen @ 2019-03-20 14:18 UTC (permalink / raw) To: Bruce Halco; +Cc: cygwin [-- Attachment #1: Type: text/plain, Size: 802 bytes --] On Mar 20 09:13, Bruce Halco wrote: > openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed > in at least some distributions, Debian at least. Fedora (which is our role model) doesn't and the vulnerability is not deemed that critical by the upstream maintainers: https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only. I was planning to wait for OpenSSH 8.0. It was originally slated for end of January or at least February, but there's no hint from the upstream maintainers yet in terms of the (obviously changed) release planning for 8.0. I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that helps. Corinna -- Corinna Vinschen Cygwin Maintainer [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: openSSH Vulnerability 2019-03-20 14:18 ` Corinna Vinschen @ 2019-03-20 14:52 ` Bruce Halco 2019-03-20 15:06 ` Bill Stewart 0 siblings, 1 reply; 5+ messages in thread From: Bruce Halco @ 2019-03-20 14:52 UTC (permalink / raw) To: cygwin The problem is I have 8 customers failing PCI network scans because of CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to help. If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise I'll have to take some other action. I don't like any of my alternatives, though. I guess I'll try to convince ControlScan that since the vulnerability affects the scp client, server security is not actually compromised. In the past I've had a poor success rate trying to explain things like that. Bruce On 3/20/19 10:18 AM, Corinna Vinschen wrote: > On Mar 20 09:13, Bruce Halco wrote: >> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed >> in at least some distributions, Debian at least. > Fedora (which is our role model) doesn't and the vulnerability is not > deemed that critical by the upstream maintainers: > > https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html > > Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only. > > I was planning to wait for OpenSSH 8.0. It was originally slated > for end of January or at least February, but there's no hint from the > upstream maintainers yet in terms of the (obviously changed) release > planning for 8.0. > > I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that > helps. > > > Corinna > -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: openSSH Vulnerability 2019-03-20 14:52 ` Bruce Halco @ 2019-03-20 15:06 ` Bill Stewart 2019-03-20 18:40 ` Brian Inglis 0 siblings, 1 reply; 5+ messages in thread From: Bill Stewart @ 2019-03-20 15:06 UTC (permalink / raw) To: cygwin On Wed, Mar 20, 2019 at 8:53 AM Bruce Halco wrote: > The problem is I have 8 customers failing PCI network scans because of > CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to > help. > > If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise > I'll have to take some other action. I don't like any of my > alternatives, though. > > I guess I'll try to convince ControlScan that since the vulnerability > affects the scp client, server security is not actually compromised. In > the past I've had a poor success rate trying to explain things like that. Ah, the old "it shows up on somebody's vulnerability report so it must be mitigated" problem (regardless of severity, scope, etc.). In my experience, best results are achieved by demonstrating how the vulnerability is mitigated using other security controls; e.g.: * ssh access is restricted only to certain hosts or user accounts * only trusted limited user accounts are permitted remote access ..etc. Good luck. Bill -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: openSSH Vulnerability 2019-03-20 15:06 ` Bill Stewart @ 2019-03-20 18:40 ` Brian Inglis 0 siblings, 0 replies; 5+ messages in thread From: Brian Inglis @ 2019-03-20 18:40 UTC (permalink / raw) To: cygwin On 2019-03-20 09:06, Bill Stewart wrote: > On Wed, Mar 20, 2019 at 8:53 AM Bruce Halco wrote: >> The problem is I have 8 customers failing PCI network scans because of >> CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to >> help. >> If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise >> I'll have to take some other action. I don't like any of my >> alternatives, though. >> I guess I'll try to convince ControlScan that since the vulnerability >> affects the scp client, server security is not actually compromised. In >> the past I've had a poor success rate trying to explain things like that. > Ah, the old "it shows up on somebody's vulnerability report so it must be > mitigated" problem (regardless of severity, scope, etc.). > In my experience, best results are achieved by demonstrating how the > vulnerability is mitigated using other security controls; e.g.: > * ssh access is restricted only to certain hosts or user accounts > * only trusted limited user accounts are permitted remote access Quote the upstream maintainers comments: "Don't use scp with untrusted servers." adding "...or networks" (for MitM attacks) and send them the link: https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html showing they are working on the CVEs: at least one of the OpenBSD maintainers is also a Portable OpenSSH maintainer The alternatives seem to be stop using scp, or rebuild from snapshots or git sources to include the unreleased patches. If you install the cygport package, with all its build tool dependencies, and the openssh package source, it is trivial to update the openssh.cygport control file to use updated sources, and download, build, and test the package using cygport. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-03-20 18:40 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-03-20 13:13 openSSH Vulnerability Bruce Halco 2019-03-20 14:18 ` Corinna Vinschen 2019-03-20 14:52 ` Bruce Halco 2019-03-20 15:06 ` Bill Stewart 2019-03-20 18:40 ` Brian Inglis
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).