Mail Archives: cygwin/2025/03/05/15:16:24

"SUMMERS, TED via Cygwin" <cygwin AT cygwin DOT com> · Wed, 5 Mar 2025 20:15:09 +0000

Dimitry-
Thanks for your response.
You have been very helpful.
I agree with your statement relating to the version determination.
I will await if the maintainer has any response before formulating my next action.

If necessary, I can take this information you provided back to Tenable team and try to make the case that Tenable needs to change it's method or get an exception.

Best Regards,
Ted Summers

From: Dimitry Andric <dimitry AT unified-streaming DOT com>
Sent: Wednesday, March 5, 2025 11:50 AM
To: SUMMERS, TED <ted DOT summers1 AT hp DOT com>
Cc: cygwin AT cygwin DOT com
Subject: Re: Cygwin OpenSSH version detection by Tenable

CAUTION: External Email
In my opinion, it is wrong that scanners rely on this information. :-) But putting that discussion aside, the openssh-portable distribution does not announce its "patch level" in its version banner by default.

See e.g. https://github.com/openssh/openssh-portable/blob/master/version.h<https://github.com/openssh/openssh-portable/blob/master/version.h>, where SSH_VERSION is defined as "OpenSSH_9.9", while SSH_PORTABLE is defined as "p2".

In https://github.com/openssh/openssh-portable/blob/master/ssh_api.c#L430<https://github.com/openssh/openssh-portable/blob/master/ssh_api.c#L430> you can see that the _ssh_send_banner() function only advertises the SSH_VERSION value, not the SSH_PORTABLE value.

Now, various Linux distributions apply custom patches on top of the stock openssh-portable package to add additional information, for example Debian (and Ubuntu which sources its packages from there) has:

https://salsa.debian.org/ssh-team/openssh/-/blob/master/debian/patches/package-versioning.patch?ref_type=heads<https://salsa.debian.org/ssh-team/openssh/-/blob/master/debian/patches/package-versioning.patch?ref_type=heads>

I guess something similar could be done in the Cygwin package. This is up to the Cygwin maintainers of course.

-Dimitry

> On 5 Mar 2025, at 20:30, SUMMERS, TED via Cygwin <cygwin AT cygwin DOT com<mailto:cygwin AT cygwin DOT com>> wrote:
>
> Dear list member(s),
>
> I've reviewed the list archives for the last two months since subcomponent release, and googled, but didn't find an answer for my question.
>
> I'm encountering an issue with Tenable detecting a difference in version in our security scans indicating that OpenSSH is still at a vulnerable version.
> Even though I have openssh 9.9p2-1 installed, some query methods show the version only as OpenSSH 9.9.
> IF I login to my Cygwin installation and perform "ssh -V" I receive the expected correct up-to-date values in the response:
> OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025
>
> However Tenable is performing a non-authenticated query against ssh that returns OpenSSH 9.9 (without the p2 appended to the end).
> Then Tenable flags systems for remediation of what it detects as a vulnerable version.
>
> If I initiate a command "ssh -vv <host ip>" I can see the string where it reports the following:
> debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9
>
> I can also get this information via nmap or netcat (nc)
> Nmap (v7.94) returns:
> 22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
>
> # nc <ip address> 22
> SSH-2.0-OpenSSH_9.9
>
> Is there a file that I can manipulate to resolve this, or can a new openssh package build be made that fixes the version output in response to these other query methods used by security scanners?
>
> I look forward to any response or guidance.
>
> Respectfully,
> Ted Summers
>
>
>
>
>
>
> --
> Problem reports: https://cygwin.com/problems.html<https://cygwin.com/problems.html>
> FAQ: https://cygwin.com/faq/<https://cygwin.com/faq>
> Documentation: https://cygwin.com/docs.html<https://cygwin.com/docs.html>
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple<https://cygwin.com/ml/#unsubscribe-simple>

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

DMARC-Filter:	OpenDMARC Filter v1.4.2 delorie.com 525KGNbo083293
Authentication-Results:	delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results:	delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter:	OpenDKIM Filter v2.11.0 delorie.com 525KGNbo083293
Authentication-Results:	delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=NiLExe/9
X-Recipient:	archive-cygwin AT delorie DOT com
DKIM-Filter:	OpenDKIM Filter v2.11.0 sourceware.org 75F5F3858D34
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1741205782;
	bh=3fTiAl5uMXzLvm/VX/2NgDVDMSv4Eh2e66xg4pmelps=;
	h=To:CC:Subject:Date:References:In-Reply-To:List-Id:
	List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
	From:Reply-To:From;
	b=NiLExe/9WbPk8MsX0DdMp9eWTRzFvI+DmPofuoftAHlmKKB0PeVO/OsrieOf9PG41
	XAu78FgR/2qfWAiKR+o53806HzZfHu9EP/I9YNuNKJJ5x5VIvUi/CBdjrXv0Ni9ZkI
	mq4CxO8zqAyLYJH2jfb7vxAy6uEpTM7Frq6M1s7M=
X-Original-To:	cygwin AT cygwin DOT com
Delivered-To:	cygwin AT cygwin DOT com
DMARC-Filter:	OpenDMARC Filter v1.4.2 sourceware.org 036523858D26
ARC-Filter:	OpenARC Filter v1.0.0 sourceware.org 036523858D26
ARC-Seal:	i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1741205715; cv=none;
	b=kwgeC3G3dLMrdItwMfAexPN6Y718fxHzBRqILFSUA1hqJZZe9T/U+pJoOrnZhBNsXJKC13WjK2q4ld3IlA+EOgNieFYsX736I4DvHzrXDRV8oc+0NiQWLgrxjKsAcPeuYuRhnDYeKIN8UBWy5Z3dzy+hkz4cIFJFXx3fMpOR2D8=
ARC-Message-Signature:	i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1741205715; c=relaxed/simple;
	bh=s60nBebpue6+9LV1cnNgn4veJShtI5UwL1wTbK/tt3g=;
	h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;
	b=rY6Kv+RiB0GateP5Ny1RhyoHFMx9BSP/KDqQJUctULj4pjANFNWapCDdN/gmNWG1+8/zCM+FlHqhG0107anmI+QZlQkHp7jOMq0uS46pWqxnV8l2U4c/OaCz3YgIDHkiMKFXCCzQfbtboTRbQmOGjX9/2B0O/la+ozGeKLegh/8=
ARC-Authentication-Results:	i=1; server2.sourceware.org
DKIM-Filter:	OpenDKIM Filter v2.11.0 sourceware.org 036523858D26
X-MC-Unique:	kpdwPvo9N8iyvytHpWJwFg-1
X-Mimecast-MFC-AGG-ID:	kpdwPvo9N8iyvytHpWJwFg_1741205710
To:	Dimitry Andric <dimitry AT unified-streaming DOT com>
CC:	"cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com>
Subject:	RE: Cygwin OpenSSH version detection by Tenable
Thread-Topic:	Cygwin OpenSSH version detection by Tenable
Thread-Index:	AduOAPHOsHnB3EXRQw6wdpJBkEJJ6AABtR4AAAAciXA=
Date:	Wed, 5 Mar 2025 20:15:09 +0000
Message-ID:	<PH0PR84MB1836F2EBAF6880F07A9D85FCA5CB2@PH0PR84MB1836.NAMPRD84.PROD.OUTLOOK.COM>
References:	<PH0PR84MB18364E960950D1F0C2080315A5CB2 AT PH0PR84MB1836 DOT NAMPRD84 DOT PROD DOT OUTLOOK DOT COM>
	<19A5E907-7DDF-4FB8-9004-0C8A6B269C1A AT unified-streaming DOT com>
In-Reply-To:	<19A5E907-7DDF-4FB8-9004-0C8A6B269C1A@unified-streaming.com>
Accept-Language:	en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-bromium-msgid:	46cc348f-bb91-4a2c-88f5-739e275f31d3
x-ms-publictraffictype:	Email
x-ms-traffictypediagnostic:	PH0PR84MB1836:EE_\|SJ0PR84MB1724:EE_
x-ms-office365-filtering-correlation-id:	0f6ec42a-07d5-4d5b-a401-08dd5c226d99
x-ms-exchange-senderadcheck:	1
x-ms-exchange-antispam-relay:	0
x-microsoft-antispam:	BCL:0;
	ARA:13230040\|376014\|1800799024\|366016\|4022899009\|8096899003\|38070700018\|7053199007
x-microsoft-antispam-message-info:	=?us-ascii?Q?t8AApIzByi9/9s+UCuXYKTIiuBtDRxsEymNDcQawWjXfQPsb8hEsOggjOhCH?=
	=?us-ascii?Q?AVfC2l10g4uTcuESp6hwe5AJ67dFxQER3XLlpBqtITxU+UR1CwPMnUifzqsk?=
	=?us-ascii?Q?tD1/JVuwl8BhbtrS/tlMneNSwrQE2244MNwyuJ5YkDAdCjk/eywvu/6a+ZbI?=
	=?us-ascii?Q?qj4jPqsn+vQdbM8JwfyvsfCW+mMp/ME9zQc6bvEst96qcCyRMUQMYDIDon8I?=
	=?us-ascii?Q?osNSKzLbA4IGOwVIfLnYeUsn+16tguO5wZiLYA3v+7tdJKTpluGFIQ734Jxj?=
	=?us-ascii?Q?D8H8LbfvTjePspByE3dINgPhrwZRcD8bmBF/MA+jYGNPh+4Qel50B3+Lsru9?=
	=?us-ascii?Q?mKVTujMJLkdjZ/+wedtmECOSQhFKit0Y+FxeT3WTgla8CsKrS/UL4f9BVCsh?=
	=?us-ascii?Q?dgAXRMzXTbqhDFQBXqOwGW1eGkX1L7NSFDAzOmMB7czV3TI7/szmMu9zqJEB?=
	=?us-ascii?Q?BOW92sWEscAGDl5zOIIV1u2Ph1iAkOngSB/b0hxSpEkeNFXkFnZf+MmD+sQ4?=
	=?us-ascii?Q?QtNPDday+6QJYhTFYrFOl8ADuMwzT46jrmLtmVrxSkWTiPrQ7ZUHsHse7shX?=
	=?us-ascii?Q?xuyXfvYpqAbg/+0fUUlb9nnC2fduZ8xIQsiCwFUo6Ab1zNVMUSz4KOsef12f?=
	=?us-ascii?Q?kiKi/njyE+M6D6LpNCXtT4sze5iGs8qC+zdvmzQYBL+Qqd2Gui3/yvXSzT5j?=
	=?us-ascii?Q?Tjw7dro42YaF4SbdwTHYIMoyail6XYKC50ng9lTiVla4SIelbFRVjeNIJAqb?=
	=?us-ascii?Q?ryGgFoppIeThcqSeUrA9AQt+ynRN8fLY1EVImktVLHPZGFD9a1ZipmcXmKxC?=
	=?us-ascii?Q?ANYteJ7MMF0HdOpxuBtYp1DpyfyaBe1wqu7nPjkzoFVzz7bF39TR3tiWpsJJ?=
	=?us-ascii?Q?uqw+A7zG1i3Svu4kJXnPDjbwbmC4VMN95Fx89HVvhGrzbOJp7URpw5XFizr4?=
	=?us-ascii?Q?6kNEZe1uIhRaQED8AMN65w9XqJjr9wQQqEJFYzZW7pkAg0RSdpx7P7CEW5mP?=
	=?us-ascii?Q?kPEl6PqwRG069HnBaMOBGzaF4ZqWstyYC5mZP3fqnrLKRrMXo5y9z4h+ln7q?=
	=?us-ascii?Q?XLsO6+8/o96cjO1uVstqYa2BtAwVTD2562IWzVWmjREAXalX+I3E7XPogQGH?=
	=?us-ascii?Q?RtKEJOKGrrqv6CK8sI6mmpTp8Uv8QjJ12lsKBTA3m5knC35kpBBq0Geh7wmu?=
	=?us-ascii?Q?fZu/ivkaCj/wGHY1gGU2yVokCX0P+gmIj8mzniBNlBkbDZKztBsd7PF7rOSa?=
	=?us-ascii?Q?YA+007b9KSsdt1j9c9z1+HEAtk6ilGFNpcllcIERiTlMuauG2RXnhOzwOSL7?=
	=?us-ascii?Q?8mvYoY8qEaIGHQfYu/NMR3054+gdbOCDpsW338Fqy6z/1kdJvBcK1dCWm0Cl?=
	=?us-ascii?Q?AfeZBQMhkFIj7OL8G41GBLttjTp06HuuT2s60PwjQx0i/N8pvQ=3D=3D?=
x-forefront-antispam-report:	CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
	IPV:NLI; SFV:NSPM; H:PH0PR84MB1836.NAMPRD84.PROD.OUTLOOK.COM; PTR:; CAT:NONE;
	SFS:(13230040)(376014)(1800799024)(366016)(4022899009)(8096899003)(38070700018)(7053199007);
	DIR:OUT; SFP:1101
x-ms-exchange-antispam-messagedata-chunkcount:	1
x-ms-exchange-antispam-messagedata-0:	=?us-ascii?Q?iLMtCSZNfZgPGp3uZAnnFqFlRe2KcDVzErBvz79tgGk9Lk0slogAlkEFfvto?=
	=?us-ascii?Q?qwOhaBSiS6Hrl+Ft5Zr3iEmJwP+DNJea3vTrBTYKXlodVqCoYIDS982YmPWd?=
	=?us-ascii?Q?B2w+P91TPOzeQSc6bTlqnw7mPRWWt5jA1VxmNL2TJtpWv8XrOb/+V4LHAghS?=
	=?us-ascii?Q?c4bDTmoGNrRYchzQRsOgzmH+ZizEQvWy505vGvr3OYuUYj+25Cp5pUACfugo?=
	=?us-ascii?Q?+eGOI/IQeeSNv4aBwJxl3VPiPdF11/6CIR23hcmTzU0racDeVyyZkF5UIin5?=
	=?us-ascii?Q?2Y9EbbrQRaQ2YK8wfRtkl7ZKc+E+rDxUDo5Ko7VdpTLGMgT4pZDGlUC52cPX?=
	=?us-ascii?Q?NMWbFNcaelsv78IRMzSH9GKUq4Fl5DC+vnK9mJHSjRWuC8MWPAVwl5gVRQGh?=
	=?us-ascii?Q?Y99Nd19s1ta5MlQg/56zGf8BOE6s8pJXEUtpUc74nEVkU+FuFo8t73gWzmCX?=
	=?us-ascii?Q?UAu1LKInlVXWjtmq9Cqd5SD/fTOIZGsAaG12/+K9Gzl2OjadLYp9C1QwkgXA?=
	=?us-ascii?Q?iEc4YTjwfQ5yajrf/IyPBsM+XutmbB+9cNEiq+vgXR0m174pVXsU3n7vKdQC?=
	=?us-ascii?Q?KSY0ldV0NvIlnZYwXrlbZwfEO1m9eq6fdiQqKhpkNm+JSQB4NCReIH41//3+?=
	=?us-ascii?Q?5L8GlcPgekLkBqsHIJ+MIayu7zwwfWJK2ZFJKciYb2DLlpgFAQeuWNc0RLy+?=
	=?us-ascii?Q?dvKEEOIqqZt5VXD9dEbLQG/DWbbW44MJlPFBvWp+IPuqgJ0iXp/KsTKCs1t6?=
	=?us-ascii?Q?KMBblY23fz8pA5WyuOgSBYt3F4g2WIiAl5V2gd23EOeQVlYMK6JYX70enFCL?=
	=?us-ascii?Q?f0ygiBaw8Rr85o1ii49XYeJFB1pkk0hcO9d+PogaDSGESHllrMjHpggdJFL+?=
	=?us-ascii?Q?UYbuGyTM1QANm6PMo1D8Fxc7A4YzSPqhnET4h4OVC9mKGs4KW5f1XY6J6KWG?=
	=?us-ascii?Q?DJoWHC9ouoRm713S8Sna9Q3ZRWa6ITLGtasIhn9ERmTr6tyJ7AjUej1R5zz9?=
	=?us-ascii?Q?+rXf1RPWcT+RtUt0koUHWmjPAUwEDnbYUjZoZVv06jCWJRqTfS8YTO2/xwE/?=
	=?us-ascii?Q?aYcwRN5h0+m4SYPG2BidyZZUP+rpm69DbMUszzjFiMjB9qwyRSypMSuYyE5b?=
	=?us-ascii?Q?2eUQ75bLqjm+Fda/BqKhK0C4DbEtwePsKLiFekTsehsyi7XWsXIbDaU7+s30?=
	=?us-ascii?Q?AMWS53szhnvLC4+r0md5bUHgmUndbZ4CQph3ST3nhUOyRsnDatGdEwoSP8NG?=
	=?us-ascii?Q?bzCcIzeuedMrQSd9A1+tVLTV8oTk+neZEnkxghq8aATB8883sqklp39sjdhp?=
	=?us-ascii?Q?zOhS0hhKGEzi25WuQmfSeR/A6iTUN0ep9uYWn0NNhDp8Fv5xW6h1H9h2Ae5n?=
	=?us-ascii?Q?RUgmYz/wvRftd2oGMaOiPWhdCJiG7mwLJ4DcjWttaJQIQL3XnktL5bvItlil?=
	=?us-ascii?Q?ebRqY17nX0OOI6YjhMY980imUUsulNFvFeUL5p1d3SMUbQxxR019ZzOpHOsQ?=
	=?us-ascii?Q?IjEcblXAFpADUNUpkzkRm7c0XrrQcjRYnJv+Fw6AMqhFc39IzEi6Dlu4Z1BQ?=
	=?us-ascii?Q?uDNqLrOb8IVW5rJgNow=3D?=
MIME-Version:	1.0
X-OriginatorOrg:	hp.com
X-MS-Exchange-CrossTenant-AuthAs:	Internal
X-MS-Exchange-CrossTenant-AuthSource:	PH0PR84MB1836.NAMPRD84.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id:	0f6ec42a-07d5-4d5b-a401-08dd5c226d99
X-MS-Exchange-CrossTenant-originalarrivaltime:	05 Mar 2025 20:15:09.3881 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader:	Hosted
X-MS-Exchange-CrossTenant-id:	ca7981a2-785a-463d-b82a-3db87dfc3ce6
X-MS-Exchange-CrossTenant-mailboxtype:	HOSTED
X-MS-Exchange-CrossTenant-userprincipalname:	fAEUgqRvB9AwIbJVYYjyp9SsB1giJKIot+HHHvbkSDDQo5obkGUOYKn/gpt7EkaRnL13GNB9+85+qa85I1fOhg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped:	SJ0PR84MB1724
X-Mimecast-Spam-Score:	0
X-Mimecast-MFC-PROC-ID:	VUXZcmyu8iCT8sYuwYXnCIbmxlf-hcSlzoMxHn6j4HM_1741205710
X-Mimecast-Originator:	hp.com
X-Content-Filtered-By:	Mailman/MimeDel 2.1.30
X-BeenThere:	cygwin AT cygwin DOT com
X-Mailman-Version:	2.1.30
List-Id:	General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive:	<https://cygwin.com/pipermail/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe:	<https://cygwin.com/mailman/listinfo/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From:	"SUMMERS, TED via Cygwin" <cygwin AT cygwin DOT com>
Reply-To:	"SUMMERS, TED" <ted DOT summers1 AT hp DOT com>
Sender:	"Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>

webmaster	delorie software privacy
Copyright � 2019 by DJ Delorie	Updated Jul 2019