Date: Wed, 20 Mar 2019 15:18:50 +0100
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: Bruce Halco <bruce@halcomp.com>
Cc: cygwin@cygwin.com
Subject: Re: openSSH Vulnerability
Message-ID: <20190320141850.GT3908@calimero.vinschen.de>
Reply-To: cygwin@cygwin.com
Mail-Followup-To: Bruce Halco <bruce@halcomp.com>, cygwin@cygwin.com
References: <cdd0f8a3-8e3c-5b9c-7633-40af3424f780@halcomp.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;	protocol="application/pgp-signature"; boundary="YrlhzR9YrZtruaFS"
Content-Disposition: inline
In-Reply-To: <cdd0f8a3-8e3c-5b9c-7633-40af3424f780@halcomp.com>
User-Agent: Mutt/1.11.3 (2019-02-01)

--YrlhzR9YrZtruaFS
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mar 20 09:13, Bruce Halco wrote:
> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed
> in at least some distributions, Debian at least.

Fedora (which is our role model) doesn't and the vulnerability is not
deemed that critical by the upstream maintainers:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html

Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only.

I was planning to wait for OpenSSH 8.0.  It was originally slated
for end of January or at least February, but there's no hint from the
upstream maintainers yet in terms of the (obviously changed) release
planning for 8.0.

I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that
helps.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer

--YrlhzR9YrZtruaFS--
