public inbox for cygwin@cygwin.com
From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
To: cygwin@cygwin.com
Subject: Re: openSSH Vulnerability
Date: Wed, 20 Mar 2019 18:40:00 -0000	[thread overview]
Message-ID: <d101fb90-57f3-56f0-c362-2f61c8c897ae@SystematicSw.ab.ca> (raw)
In-Reply-To: <CANV9t=R5bRRqJ=FwpA1NQhg5=nddGYDVdOyEuo=H8fOwHHv0gQ@mail.gmail.com>

On 2019-03-20 09:06, Bill Stewart wrote:
> On Wed, Mar 20, 2019 at 8:53 AM Bruce Halco wrote:
>> The problem is I have 8 customers failing PCI network scans because of
>> CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to
>> help.
>> If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise
>> I'll have to take some other action. I don't like any of my
>> alternatives, though.
>> I guess I'll try to convince ControlScan that since the vulnerability
>> affects the scp client, server security is not actually compromised.  In
>> the past I've had a poor success rate trying to explain things like that.
> Ah, the old "it shows up on somebody's vulnerability report so it must be
> mitigated" problem (regardless of severity, scope, etc.).
> In my experience, best results are achieved by demonstrating how the
> vulnerability is mitigated using other security controls; e.g.:
> * ssh access is restricted only to certain hosts or user accounts
> * only trusted limited user accounts are permitted remote access

Quote the upstream maintainers' comments:
	"Don't use scp with untrusted servers."
adding "...or networks" (for MitM attacks) and send them the link:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html
showing they are working on the CVEs: at least one of the OpenBSD maintainers is
also a Portable OpenSSH maintainer

The alternatives seem to be stop using scp, or rebuild from snapshots or git
sources to include the unreleased patches.
If you install the cygport package, with all its build tool dependencies, and
the openssh package source, it is trivial to update the openssh.cygport control
file to use updated sources, and download, build, and test the package using
cygport.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
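The rebuild route described in the last paragraph of the message, as an added example that is not part of the post, of the Cygwin openssh package or of cygport itself: a POSIX shell script that rewrites the VERSION, RELEASE and SRC_URI lines of an openssh.cygport control file so that it points at newer upstream sources, then drives the cygport stages. The cygport file contents are a constructed sample (the real Cygwin one differs in details), the dated snapshot tarball name and the SRC_DIR remark are assumptions, and the stage names used (download, prep, compile, test, install, package) are the ones cygport documents.

```sh
#!/bin/sh
# Added example, not code from the post, the Cygwin openssh package or cygport.
# Points an openssh.cygport control file at newer upstream sources and then
# runs the cygport stages to fetch, build, test and package the result.
# Assumptions: the control file is a bash fragment setting VERSION, RELEASE
# and SRC_URI (constructed sample below), and the upstream URL patterns.
set -eu

# Constructed sample of a cygport control file; not the real Cygwin file.
# The PATCH_URI name is made up: a Cygwin-specific patch, if one exists,
# may need rebasing onto the newer sources before "prep" will apply it.
SAMPLE_CYGPORT='NAME="openssh"
VERSION=7.9p1
RELEASE=1
CATEGORY="Net"
SUMMARY="The OpenSSH server and client programs"
SRC_URI="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${VERSION}.tar.gz"
PATCH_URI="7.9p1-cygwin.patch"
'

write_sample_cygport() {           # $1 = output path
  printf '%s' "$SAMPLE_CYGPORT" > "$1"
}

cygport_get() {                    # $1 = KEY, $2 = file; prints value, quotes stripped
  sed -n "s/^$1=//p" "$2" | sed 's/^"//; s/"$//'
}

# bump_cygport FILE VERSION RELEASE SRC_URI
# Rewrites the three variables. Output goes to FILE.new first and is then
# renamed, so a failed sed never leaves a half-written control file behind.
# If the unpacked tarball directory is not ${NAME}-${VERSION} (a snapshot
# tarball, for instance), cygport needs SRC_DIR set as well (assumption:
# add it to the control file by hand).
bump_cygport() {
  f=$1; ver=$2; rel=$3; uri=$4
  sed -e "s|^VERSION=.*|VERSION=$ver|" \
      -e "s|^RELEASE=.*|RELEASE=$rel|" \
      -e "s|^SRC_URI=.*|SRC_URI=\"$uri\"|" "$f" > "$f.new"
  mv "$f.new" "$f"
}

# The build itself: one cygport stage after another, stopping at the first
# failure. Stage names are cygport's own. Only runs where cygport exists.
rebuild_openssh() {                # $1 = cygport file, run from its directory
  for stage in download prep compile test install package; do
    cygport "$1" "$stage" || { echo "cygport $stage failed" >&2; return 1; }
  done
}

main() {
  tmp=$(mktemp -d)
  write_sample_cygport "$tmp/openssh.cygport"
  # Assumed snapshot name: upstream publishes dated portable snapshots under
  # .../portable/snapshot/; confirm the exact file name before relying on it.
  bump_cygport "$tmp/openssh.cygport" 7.9p1 2 \
    "https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/openssh-SNAP-20190320.tar.gz"
  cat "$tmp/openssh.cygport"
  if command -v cygport >/dev/null 2>&1; then
    ( cd "$tmp" && rebuild_openssh openssh.cygport )
  fi
  rm -rf "$tmp"
}
main "$@"
```

Run it in a Cygwin shell with cygport, its build dependencies and the openssh source package installed; the first run only rewrites the sample control file, and the cygport stages run when the tool is present. Before "prep", check the downloaded tarball against the .asc signature upstream publishes for it (gpg --verify with the OpenSSH release key), since the whole exercise is about trusting the new sources more than the old ones. Until the rebuilt package is installed, using sftp instead of scp for file transfer from servers you do not control avoids the scp client behaviour the CVEs describe.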

Thread overview: 5+ messages
2019-03-20 13:13 Bruce Halco
2019-03-20 14:18 ` Corinna Vinschen
2019-03-20 14:52   ` Bruce Halco
2019-03-20 15:06     ` Bill Stewart
2019-03-20 18:40       ` Brian Inglis [this message]