X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
    :list-unsubscribe:list-subscribe:list-archive:list-post
    :list-help:sender:subject:to:references:from:message-id:date
    :mime-version:in-reply-to:content-type
    :content-transfer-encoding; q=dns; s=default; b=fyIQxE2cck+hiMS/
    LZBqL4gceZWIdWCXy/ZHC64ld4uu0vNK94adMt8CkJgkOzrJsVFeM2m9l+vcSyS/
    LtoYTGiOmbMW/tdPk/5mdqeTP2PR/aEuar8TPGj64UDfePt/rYLyrkzmzHOigoAU
    4XFtgKQQ9FEP0+vwPzuISc481lA=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
    :list-unsubscribe:list-subscribe:list-archive:list-post
    :list-help:sender:subject:to:references:from:message-id:date
    :mime-version:in-reply-to:content-type
    :content-transfer-encoding; s=default; bh=I6tZi7aGTNWKNz0jl0JOKS
    gIP/Y=; b=mJwQ0Wv0hnwWVv8fc0N/xDmqOJrK34HaVESyhzzfFAhtQ0cKTFmIIM
    26BaqcDetxma2DWVexSru+ZZDorRKgKXnR8BCwLD+x9aKMHB9OYJ8cZzeAWMs6go
    Yls2SyxaMPwQzkZg+daWrqCrF1H9EXkKliPHhYzwID3cGgoFhGIzQ=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-1.4 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS autolearn=ham version=3.3.1 spammy=afford, HX-Languages-Length:1371, compromised, customers
X-HELO: mout.perfora.net
Subject: Re: openSSH Vulnerability
To: cygwin AT cygwin DOT com
References: <cdd0f8a3-8e3c-5b9c-7633-40af3424f780 AT halcomp DOT com> <20190320141850 DOT GT3908 AT calimero DOT vinschen DOT de>
From: Bruce Halco <bruce AT halcomp DOT com>
Message-ID: <08b408f2-0c5e-35f9-4e61-4fe23cb3c03d@halcomp.com>
Date: Wed, 20 Mar 2019 10:52:46 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <20190320141850.GT3908@calimero.vinschen.de>
The problem is I have 8 customers failing PCI network scans because of CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to help.

If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise I'll have to take some other action. I don't like any of my alternatives, though.

I guess I'll try to convince ControlScan that since the vulnerability affects the scp client, server security is not actually compromised. In the past I've had a poor success rate trying to explain things like that.

Bruce

On 3/20/19 10:18 AM, Corinna Vinschen wrote:
> On Mar 20 09:13, Bruce Halco wrote:
>> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed
>> in at least some distributions, Debian at least.
> Fedora (which is our role model) doesn't and the vulnerability is not
> deemed that critical by the upstream maintainers:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html
>
> Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only.
>
> I was planning to wait for OpenSSH 8.0. It was originally slated
> for end of January or at least February, but there's no hint from the
> upstream maintainers yet in terms of the (obviously changed) release
> planning for 8.0.
>
> I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that
> helps.
>
>
> Corinna
>

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
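Added illustration (not code from this thread and not OpenSSH's own scp.c) of the two points the exchange turns on: in a remote-to-local copy it is the client's "sink" that decides whether a server-supplied file name is acceptable, so a hostile server can only hurt the client, and the CVE-2018-20685 patch in Fedora's 7.9p1 does not address CVE-2019-6111. The `C<mode> <size> <name>` record syntax is the scp protocol's; the three checks are simplified models of the long-standing separator check, the 7.9p1 patch (reject empty names, `.` and `..`), and the name-matching added in OpenSSH 8.0 (modelled here with `fnmatch`, an assumption about its exact semantics). The server records are constructed for the example.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Callable, List

# Control record an scp server sends for each file it returns during a
# remote-to-local copy, e.g. "C0644 12 notes.txt". Real protocol syntax;
# the parser is a simplified model written for this example.
_C_RECORD = re.compile(r"^C([0-7]{4}) (\d+) (.*)$")


@dataclass
class Transfer:
    mode: int
    size: int
    name: str


def parse_c_record(line: str) -> Transfer:
    m = _C_RECORD.match(line)
    if not m:
        raise ValueError(f"not a C record: {line!r}")
    return Transfer(mode=int(m.group(1), 8), size=int(m.group(2)), name=m.group(3))


def check_separator_only(_requested: str, name: str) -> None:
    """Long-standing client check (modelled): no '/' in a server-supplied name."""
    if "/" in name:
        raise ValueError(f"unexpected filename: {name!r}")


def check_cve_2018_20685(requested: str, name: str) -> None:
    """Adds the 7.9p1 patch (modelled): also reject empty names, '.' and '..'."""
    check_separator_only(requested, name)
    if name in ("", ".", ".."):
        raise ValueError(f"unexpected filename: {name!r}")


def check_openssh_8_0(requested: str, name: str) -> None:
    """Adds the 8.0 check (modelled): the name must match what the client
    asked for; fnmatch() against the request is an assumption."""
    check_cve_2018_20685(requested, name)
    if not fnmatch.fnmatchcase(name, requested):
        raise ValueError(f"server sent {name!r}, client requested {requested!r}")


def sink(requested: str, server_lines: List[str],
         check: Callable[[str, str], None]) -> List[str]:
    """Local names a client using `check` would write into its target dir."""
    written = []
    for line in server_lines:
        t = parse_c_record(line)
        check(requested, t.name)  # raises ValueError on a rejected name
        written.append(t.name)
    return written


def accepts(requested: str, server_lines: List[str],
            check: Callable[[str, str], None]) -> bool:
    """True if the whole server reply would be accepted by `check`."""
    try:
        sink(requested, server_lines, check)
        return True
    except ValueError:
        return False


# Constructed samples: the client asked for "notes.txt". An honest server
# returns just that; a hostile one also returns a dotfile, which the client
# would write next to notes.txt (the CVE-2019-6111 pattern). A third reply
# uses "." (the CVE-2018-20685 pattern).
HONEST = ["C0644 12 notes.txt"]
MALICIOUS_EXTRA_FILE = ["C0644 12 notes.txt", "C0644 40 .bash_aliases"]
MALICIOUS_DOT = ["C0777 0 ."]

if __name__ == "__main__":
    for label, chk in [("separator-only", check_separator_only),
                       ("CVE-2018-20685 patch", check_cve_2018_20685),
                       ("OpenSSH 8.0 check", check_openssh_8_0)]:
        print(f"{label:21} honest={accepts('notes.txt', HONEST, chk)} "
              f"dot={accepts('notes.txt', MALICIOUS_DOT, chk)} "
              f"extra_file={accepts('notes.txt', MALICIOUS_EXTRA_FILE, chk)}")
```

Running it shows the 20685 patch rejecting the `.` reply but still accepting the extra `.bash_aliases` record, while only the 8.0-style match rejects it; none of the checks involves the server side at all, which is the distinction Bruce is trying to make to the scanner vendor.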
Copyright © 2019 by DJ Delorie. Updated Jul 2019.