Mail Archives: cygwin/2024/07/17/09:26:34

Bill Stewart via Cygwin <cygwin AT cygwin DOT com> · Wed, 17 Jul 2024 07:25:04 -0600

On Wed, Jul 17, 2024 at 6:25ā€ÆAM Lemons, Terry via Cygwin wrote:

Vulnerability scanners run at my company have detected the following
> vulnerability in the Cygwin sshd:
>
> CVE-2024-6387    CVSS 3: 8.1
>
> OpenSSH could allow a remote attacker to execute arbitrary code on the
> system, caused by a signal handler race condition. By sending a specially
> crafted request, an attacker could exploit this vulnerability to execute
> arbitrary code with root privileges on glibc-based Linux systems.
>
> OpenSSH Vulnerability: CVE-2024-6387
>
>   *   Published: 07- 1-24 00:00
>   *   Diagnosis:
>
> A signal handler race condition was found in OpenSSH's server (sshd),
> where a client does not authenticate within LoginGraceTime seconds (120 by
> default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is
> called asynchronously. However, this signal handler calls various functions
> that are not async-signal-safe, for example, syslog().
>
>   *   Solution:
>
> Upgrade to the latest version of OpenSSH
>
> Download and apply the upgrade from:
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
>
> The latest version of OpenSSH is 9.6.
>
> While you can always build OpenSSH from source, many platforms and
> distributions provide pre-built binary packages for OpenSSH. These
> pre-built packages are usually customized and optimized for a particular
> distribution, therefore we recommend that you use the packages if they are
> available for your operating system.
>
> Running SSH service
> Product OpenSSH exists -- OpenBSD OpenSSH 9.8
> Vulnerable version of product OpenSSH found -- OpenBSD OpenSSH 9.8
> Vulnerable version of OpenSSH detected on Microsoft Windows
>
> My Cygwin installation is using openssh 9.8p1-1 which, at this writing, is
> the latest available version.
>
> What are the plans to address this vulnerability in cygwin's openssh
> component?
>

I'm not sure I understand the concern. When I look at CVE-2024-6387[1], it
says version 9.8 (which you are running) is not affected.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-6387

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

DKIM-Filter:	OpenDKIM Filter v2.11.0 delorie.com 46HDQXcj414196
Authentication-Results:	delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=tM6XfqLw
X-Recipient:	archive-cygwin AT delorie DOT com
DKIM-Filter:	OpenDKIM Filter v2.11.0 sourceware.org 1F7E13858294
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1721222792;
	bh=q4idBks8dZC2LZR6MFn5ge3Lftoo0vgdZmUTTyqCV3w=;
	h=References:In-Reply-To:Date:Subject:To:List-Id:List-Unsubscribe:
	List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:
	From;
	b=tM6XfqLwmEdNCYwPG19Bqjr9nJ46eVqBZBJdWS89yKlyBHDP7fVvkjZC7eHjz/wMi
	4bJPqZHSzmKoraI2pdCDfXOMnCxSxb2b0qDU06JT164eadKq3xozsNDZ4CODJQVhp/
	vjMVR1F5nOilqaZIiJHC2dDh0Ke0dIXYK9si99Q8=
X-Original-To:	cygwin AT cygwin DOT com
Delivered-To:	cygwin AT cygwin DOT com
DMARC-Filter:	OpenDMARC Filter v1.4.2 sourceware.org C30753858D34
ARC-Filter:	OpenARC Filter v1.0.0 sourceware.org C30753858D34
ARC-Seal:	i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1721222735; cv=none;
	b=UlLlbP8jM7vOEGwSAHTw9qQGkul71Y8sYuXRUrsjfUdZkHzn4x35SW88N5i4+OBHA7Wr+XFIP4kmmQDPjp3EcsMuzqntrPGgSh5/YI6jLfHLt0gNvhing7ueV26Sq/JvoqxumCinB75SL0WZoV1TX7erFWHx7Z0Hkwaq6pTCDik=
ARC-Message-Signature:	i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1721222735; c=relaxed/simple;
	bh=sUoFE0pmlTXYyw/6FH3diIQ5flCxHZ31FJp3xNGh8nc=;
	h=DKIM-Signature:MIME-Version:From:Date:Message-ID:Subject:To;
	b=hN/e3h8+9XI70Wq0BHIkkaLxsSwui6kUEiRvJY5g6uPeB4VcKVpoS/AmqNPZhoi9WL6YBFFfsR2galY9e2ifXGgmovOqUeLOfoPasU0XoqT8QvRtw3ZIIt1kROvClI9FNa3wLME4lVlmQSLBuGoLIEdMmjMQ75hMHaOXZS/8FgE=
ARC-Authentication-Results:	i=1; server2.sourceware.org
X-UI-Sender-Class:	f2cb72be-343f-493d-8ec3-b1efb8d6185a
X-Gm-Message-State:	AOJu0YyAqh+RlhWZf52v6u6juHmSf+KY2N0cJL2b5kVxWsKUBFDx2VAd
	74JjXGx+eeR87PT8QPt9996aW3SrWPoYgD65UxFilBBH7DVNvGw5cvysMxGezTCOcdied7c3ccZ
	oA3VlxOU8R5vtuTfnPQIFkQteXh0=
X-Google-Smtp-Source:	AGHT+IEDvBnWzHlXXMdlzdWnthM61yqHTPtkrtAJV9uzrGfwT//bqTqvdT57F6aeKvsLBWVdq9pvb71Yclhxo2KeN3c=
X-Received:	by 2002:a05:6512:a96:b0:52b:aae0:2d41 with SMTP id
	2adb3069b0e04-52ee4e4f2d9mr595578e87.28.1721222731059; Wed, 17 Jul 2024
	06:25:31 -0700 (PDT)
MIME-Version:	1.0
References:	<LV2PR19MB57671F587EAAF01EAB42666DE4A32 AT LV2PR19MB5767 DOT namprd19 DOT prod DOT outlook DOT com>
In-Reply-To:	<LV2PR19MB57671F587EAAF01EAB42666DE4A32@LV2PR19MB5767.namprd19.prod.outlook.com>
Date:	Wed, 17 Jul 2024 07:25:04 -0600
X-Gmail-Original-Message-ID:	<CANV9t=RcpX8KCc-7krkLCGtxijXgmOFim3pExvz2tBnzTojLWw AT mail DOT gmail DOT com>
Message-ID:	<CANV9t=RcpX8KCc-7krkLCGtxijXgmOFim3pExvz2tBnzTojLWw@mail.gmail.com>
Subject:	Re: ssh vulnerability CVE-2024-6387
To:	cygwin AT cygwin DOT com
X-Provags-ID:	V03:K1:ef4u+67LkhPrnunaqMFTwybDrFFRq8lRFZeZjHaV1LV7I+5nIdQ
	+lAOTo2BchjfV1n3OsnyBuRlOVDb4kGPwPdqLdegvdk8iUeNytbxdROSI1lLvpZkovhLHeC
	okiflcPCeulyDNg44vdjuLG2KLjjkSnIwvQhENjS7p7y5iaZDayS8x+agcS9gLmH5U2oVKz
	flpaz9x9k8NSGRxcE8Djw==
UI-OutboundReport:	notjunk:1;M01:P0:/g3j6TLdudE=;JYe2EOolV9/AR7c6CHvo9Asp562
	h24t03f+mIvJ/OeOSc9Rk5aQzebFa1f/hK/vze88nng+N/Pkvi2UbqETGVQr3iHnB95841x0U
	WDwny5YY8TNKejAS5/CK6Tql+tl0uLPUw2D3FpwXWsoan1/7ORrSZtFfkUcwnd2Jh2qXiyCtl
	rSpHRAPBOw+QIdlq54Gn1xFcmotO9pOFtmQBI0wIcA/zjH1OOnsWkKyHD5/Tv1lECQb6fCRBQ
	KVjvPKbIBxumnMYESgJHE3pt42SW16ElmXD2DePACMQC0GJ3t10Hy6Y8kqlxdl6xbHsRP7kj9
	AKc3a4jxuTQlJLZSrIFwj4rqoZE7LMOOlRefHKfwEbFzzhXQX2W3Koa0U+wysl2txvn73M7YM
	mrk6rQj7rSlBauQpSkH02v3egXBg8k4jMR3TkQ4Klnvhh+mdLh04N2ea4XkJhZlhPvZBPdCJ/
	h8V5WoXW21dvMcy/NZBbJa1p4MU5GbX5ALIIQveneW89nAlbF54gUcI0DuDRd7ql29g3Hr24d
	lmDkKgh3oaeglOjid5kevUrAPEgRHQ90exEYzRajA+JiZ5ypjaT2iIvOl5MYW6KaS9hOPfrIK
	uVjkL4fgMxOHMQV7GYTU+E3WfR/RqjNOPTPWNkeckOMQoxEizqeyd2PbCJSZAxY38jQbAuk6Z
	AmRr8W1O8gzYUiXa9y297dyR0zk5NF0KPR+/Fpp+pPbG2p4ASderzQso/r31rIfnU5eV9TfqM
	TR7sgEuGaB/Gn2i8dKUk4zhOKVHpuuMRRqcryqnBZR4HGhIzZuKca7GyGS5iB7xD1WWvbN9ud
	aemQUVFc/YLFcTPtWlQOysmA==
X-Spam-Status:	No, score=-2.6 required=5.0 tests=BAYES_00, DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, HTML_MESSAGE,
	KAM_NUMSUBJECT, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_PASS,
	TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version:	SpamAssassin 3.4.6 (2021-04-09) on
	server2.sourceware.org
X-Content-Filtered-By:	Mailman/MimeDel 2.1.30
X-BeenThere:	cygwin AT cygwin DOT com
X-Mailman-Version:	2.1.30
List-Id:	General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive:	<https://cygwin.com/pipermail/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe:	<https://cygwin.com/mailman/listinfo/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From:	Bill Stewart via Cygwin <cygwin AT cygwin DOT com>
Reply-To:	Bill Stewart <bstewart AT iname DOT com>
Sender:	"Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>
X-MIME-Autoconverted:	from base64 to 8bit by delorie.com id 46HDQXcj414196

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019