From: Bill Stewart
Date: Wed, 20 Mar 2019 15:06:00 -0000
Subject: Re: openSSH Vulnerability
To: cygwin@cygwin.com
In-Reply-To: <08b408f2-0c5e-35f9-4e61-4fe23cb3c03d@halcomp.com>
X-SW-Source: 2019-03/txt/msg00510.txt.bz2

On Wed,
Mar 20, 2019 at 8:53 AM Bruce Halco wrote:

> The problem is I have 8 customers failing PCI network scans because of
> CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to
> help.
>
> If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise
> I'll have to take some other action. I don't like any of my
> alternatives, though.
>
> I guess I'll try to convince ControlScan that since the vulnerability
> affects the scp client, server security is not actually compromised. In
> the past I've had a poor success rate trying to explain things like that.

Ah, the old "it shows up on somebody's vulnerability report so it must be mitigated" problem (regardless of severity, scope, etc.).

In my experience, best results are achieved by demonstrating how the vulnerability is mitigated using other security controls; e.g.:

* ssh access is restricted only to certain hosts or user accounts
* only trusted limited user accounts are permitted remote access

..etc.

Good luck.

Bill

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
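The compensating controls Bill lists (SSH access limited to particular hosts and to particular user accounts) are normally expressed in OpenSSH's sshd_config. The script below is an added example, not code from the thread or from the Cygwin or OpenSSH projects: it parses an sshd_config, including Match blocks, and produces the kind of summary a site could hand to a scan vendor as evidence of those controls. The sample configuration is constructed for illustration; the directive names (PermitRootLogin, AllowUsers, AllowGroups, Match Address, ForceCommand) are real sshd_config keywords, while the parsing rules and report layout are this example's own assumptions.

```python
"""Added example: summarise SSH access restrictions from an sshd_config.

Not part of the original mailing-list thread. The configuration text is
constructed; the checks are illustrative and assume standard sshd_config
syntax ("Keyword value" or "Keyword=value", Match blocks until the next Match).
"""
import json
import re

# Constructed sshd_config: root login off, access limited to one group, a
# Match block restricting which users may connect from which addresses, and
# a forced command for the backup account.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers

Match Address 10.20.0.0/24,192.0.2.10
    AllowUsers deploy backup

Match User backup
    ForceCommand /usr/local/bin/backup-only
"""


def parse_sshd_config(text):
    """Split sshd_config into a global section and a list of Match blocks.

    Returns (globals, matches): globals maps lowercase keyword -> value,
    matches is a list of (criteria_tokens, {keyword: value}). sshd uses the
    first value it sees for a keyword within a section, so a repeated keyword
    does not overwrite the earlier one here either.
    """
    globals_ = {}
    matches = []
    section = globals_
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            section = {}                      # directives until the next Match
            matches.append((value.split(), section))
            continue
        section.setdefault(keyword, value)    # first occurrence wins
    return globals_, matches


def match_criteria(tokens):
    """Turn Match criteria tokens ("Address a,b User x") into {name: [values]}."""
    return {key.lower(): val.split(",") for key, val in zip(tokens[::2], tokens[1::2])}


def assess_access_controls(text):
    """Report which access-restricting controls the configuration expresses."""
    globals_, matches = parse_sshd_config(text)
    report = {
        "root_login_disabled": globals_.get("permitrootlogin", "").lower() == "no",
        "password_auth_disabled": globals_.get("passwordauthentication", "").lower() == "no",
        # Once AllowUsers/AllowGroups is set, sshd admits only the listed accounts.
        "allowed_users": globals_.get("allowusers", "").split(),
        "allowed_groups": globals_.get("allowgroups", "").split(),
        "source_restrictions": [],
        "forced_commands": [],
    }
    for tokens, directives in matches:
        crit = match_criteria(tokens)
        if "address" in crit:
            report["source_restrictions"].append({
                "addresses": crit["address"],
                "allowed_users": directives.get("allowusers", "").split(),
            })
        if "forcecommand" in directives:
            report["forced_commands"].append({
                "criteria": crit,
                "command": directives["forcecommand"],
            })
    report["access_limited_to_listed_accounts"] = bool(
        report["allowed_users"] or report["allowed_groups"])
    return report


if __name__ == "__main__":
    print(json.dumps(assess_access_controls(SAMPLE_SSHD_CONFIG), indent=2))
```

Feed it the file actually loaded by the daemon rather than a copy: `sshd -T` prints the effective configuration, and `sshd -T -C user=...,addr=...,host=...` evaluates Match blocks for a given connection, so the summary reflects what the server enforces rather than what someone believes it enforces.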