public inbox for cygwin@cygwin.com
* openSSH Vulnerability
@ 2019-03-20 13:13 Bruce Halco
  2019-03-20 14:18 ` Corinna Vinschen
  0 siblings, 1 reply; 5+ messages in thread
From: Bruce Halco @ 2019-03-20 13:13 UTC (permalink / raw)
  To: cygwin

openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been 
fixed in at least some distributions, Debian at least.

As the cygwin openSSH files are all dated October, 2018, it seems clear 
that the fix has not yet been applied to cygwin.

Are there plans to address this?

Thanks.

Bruce




--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: openSSH Vulnerability
  2019-03-20 13:13 openSSH Vulnerability Bruce Halco
@ 2019-03-20 14:18 ` Corinna Vinschen
  2019-03-20 14:52   ` Bruce Halco
  0 siblings, 1 reply; 5+ messages in thread
From: Corinna Vinschen @ 2019-03-20 14:18 UTC (permalink / raw)
  To: Bruce Halco; +Cc: cygwin


On Mar 20 09:13, Bruce Halco wrote:
> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed
> in at least some distributions, Debian at least.

Fedora (which is our role model) doesn't and the vulnerability is not
deemed that critical by the upstream maintainers:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html

Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only.

I was planning to wait for OpenSSH 8.0.  It was originally slated
for end of January or at least February, but there's no hint from the
upstream maintainers yet in terms of the (obviously changed) release
planning for 8.0.

I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that
helps.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: openSSH Vulnerability
  2019-03-20 14:18 ` Corinna Vinschen
@ 2019-03-20 14:52   ` Bruce Halco
  2019-03-20 15:06     ` Bill Stewart
  0 siblings, 1 reply; 5+ messages in thread
From: Bruce Halco @ 2019-03-20 14:52 UTC (permalink / raw)
  To: cygwin

The problem is I have 8 customers failing PCI network scans because of 
CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to 
help.

If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise 
I'll have to take some other action. I don't like any of my 
alternatives, though.

I guess I'll try to convince ControlScan that since the vulnerability 
affects the scp client, server security is not actually compromised.  In 
the past I've had a poor success rate trying to explain things like that.

Bruce


On 3/20/19 10:18 AM, Corinna Vinschen wrote:
> On Mar 20 09:13, Bruce Halco wrote:
>> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed
>> in at least some distributions, Debian at least.
> Fedora (which is our role model) doesn't and the vulnerability is not
> deemed that critical by the upstream maintainers:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html
>
> Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only.
>
> I was planning to wait for OpenSSH 8.0.  It was originally slated
> for end of January or at least February, but there's no hint from the
> upstream maintainers yet in terms of the (obviously changed) release
> planning for 8.0.
>
> I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that
> helps.
>
>
> Corinna
>



* Re: openSSH Vulnerability
  2019-03-20 14:52   ` Bruce Halco
@ 2019-03-20 15:06     ` Bill Stewart
  2019-03-20 18:40       ` Brian Inglis
  0 siblings, 1 reply; 5+ messages in thread
From: Bill Stewart @ 2019-03-20 15:06 UTC (permalink / raw)
  To: cygwin

On Wed, Mar 20, 2019 at 8:53 AM Bruce Halco wrote:

> The problem is I have 8 customers failing PCI network scans because of
> CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to
> help.
>
> If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise
> I'll have to take some other action. I don't like any of my
> alternatives, though.
>
> I guess I'll try to convince ControlScan that since the vulnerability
> affects the scp client, server security is not actually compromised.  In
> the past I've had a poor success rate trying to explain things like that.

Ah, the old "it shows up on somebody's vulnerability report so it must be
mitigated" problem (regardless of severity, scope, etc.).

In my experience, best results are achieved by demonstrating how the
vulnerability is mitigated using other security controls; e.g.:

* ssh access is restricted only to certain hosts or user accounts
* only trusted limited user accounts are permitted remote access

..etc.

Good luck.

Bill

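The two controls listed above, written out as an sshd_config fragment. This is an added example, not configuration from the thread or from the Cygwin project; it assumes Cygwin's sshd reads /etc/sshd_config (directive names are standard OpenSSH), and the group names sshusers/sshadmins and the 10.0.1.0/24 management subnet are placeholders.

```sshd_config
# Added example (not from the thread): compensating controls for sshd.
# Assumed file: /etc/sshd_config on Cygwin. Group names and the subnet
# are placeholders; on Cygwin the groups map to Windows local groups.

# Control 2: only members of one dedicated, limited group may log in at all.
# Any account not in this group is refused regardless of its credentials.
AllowGroups sshusers

# Keys only; no password guessing surface, no administrative account logins.
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes

# Control 1: the administrative group is accepted only from the management
# subnet. A Match block overrides the directives it restates, so from
# 10.0.1.0/24 both groups are allowed; from anywhere else the global
# AllowGroups line above still applies and sshadmins members are refused.
# Match blocks stay at the end of the file: each one applies until the next.
Match Address 10.0.1.0/24
    AllowGroups sshusers sshadmins
```

Validate before restarting the service with `sshd -t -f /etc/sshd_config`. Two caveats worth knowing when presenting this as evidence: sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, so a user must satisfy every one of those that is set (setting both AllowUsers and AllowGroups means both must match); and the `user@host` form of AllowUsers pins a single account to an origin address or CIDR if group membership is not the right unit. None of this changes the scp client behaviour the scan is flagging; it documents that remote access to the host is restricted, which is what the post above suggests demonstrating.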

* Re: openSSH Vulnerability
  2019-03-20 15:06     ` Bill Stewart
@ 2019-03-20 18:40       ` Brian Inglis
  0 siblings, 0 replies; 5+ messages in thread
From: Brian Inglis @ 2019-03-20 18:40 UTC (permalink / raw)
  To: cygwin

On 2019-03-20 09:06, Bill Stewart wrote:
> On Wed, Mar 20, 2019 at 8:53 AM Bruce Halco wrote:
>> The problem is I have 8 customers failing PCI network scans because of
>> CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to
>> help.
>> If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise
>> I'll have to take some other action. I don't like any of my
>> alternatives, though.
>> I guess I'll try to convince ControlScan that since the vulnerability
>> affects the scp client, server security is not actually compromised.  In
>> the past I've had a poor success rate trying to explain things like that.
> Ah, the old "it shows up on somebody's vulnerability report so it must be
> mitigated" problem (regardless of severity, scope, etc.).
> In my experience, best results are achieved by demonstrating how the
> vulnerability is mitigated using other security controls; e.g.:
> * ssh access is restricted only to certain hosts or user accounts
> * only trusted limited user accounts are permitted remote access

Quote the upstream maintainers' comments:
	"Don't use scp with untrusted servers."
adding "...or networks" (for MitM attacks) and send them the link:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html
showing they are working on the CVEs: at least one of the OpenBSD maintainers is
also a Portable OpenSSH maintainer.

The alternatives seem to be stop using scp, or rebuild from snapshots or git
sources to include the unreleased patches.
If you install the cygport package, with all its build tool dependencies, and
the openssh package source, it is trivial to update the openssh.cygport control
file to use updated sources, and download, build, and test the package using
cygport.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

