Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com
MIME-Version: 1.0
References: <cdd0f8a3-8e3c-5b9c-7633-40af3424f780@halcomp.com> <20190320141850.GT3908@calimero.vinschen.de> <08b408f2-0c5e-35f9-4e61-4fe23cb3c03d@halcomp.com>
In-Reply-To: <08b408f2-0c5e-35f9-4e61-4fe23cb3c03d@halcomp.com>
From: Bill Stewart <bstewart@iname.com>
Date: Wed, 20 Mar 2019 09:06:17 -0600
Message-ID: <CANV9t=R5bRRqJ=FwpA1NQhg5=nddGYDVdOyEuo=H8fOwHHv0gQ@mail.gmail.com>
Subject: Re: openSSH Vulnerability
To: cygwin@cygwin.com
Content-Type: text/plain; charset="UTF-8"
X-IsSubscribed: yes

On Wed, Mar 20, 2019 at 8:53 AM Bruce Halco wrote:

> The problem is I have 8 customers failing PCI network scans because of
> CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to
> help.
>
> If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise
> I'll have to take some other action. I don't like any of my
> alternatives, though.
>
> I guess I'll try to convince ControlScan that since the vulnerability
> affects the scp client, server security is not actually compromised.  In
> the past I've had a poor success rate trying to explain things like that.

Ah, the old "it shows up on somebody's vulnerability report so it must be
mitigated" problem (regardless of severity, scope, etc.).

In my experience, best results are achieved by demonstrating how the
vulnerability is mitigated using other security controls; e.g.:

* ssh access is restricted only to certain hosts or user accounts
* only trusted limited user accounts are permitted remote access

...etc.

Good luck.

Bill

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
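As an added example (not part of Bill's reply or of the Cygwin project), a small Python audit that parses an sshd_config and reports the directives implementing the two controls listed in the reply: logins limited to named accounts, and limited to trusted source hosts. Both config texts are constructed samples, not any real system's configuration.

```python
"""Added example, not from the thread: list the sshd_config directives that
restrict SSH to named accounts and trusted hosts, as evidence of the kind of
compensating control suggested above. Both configs are constructed samples."""
import re

LOGIN_FILTERS = {"allowusers", "allowgroups", "denyusers", "denygroups"}

OPEN_CONFIG = "Port 22\nUsePAM yes\n"  # constructed: nothing limits access

RESTRICTED_CONFIG = """\
Port 22
AllowGroups sshusers
AllowUsers backup@10.0.0.0/24 admin@192.168.1.10
# Anything arriving from any other address is refused outright
Match Address *,!10.0.0.0/24,!192.168.1.10
    DenyUsers *
"""


def parse_sshd_config(text):
    """Return (top_level_directives, match_blocks); keywords lowercased."""
    top, blocks, current = [], [], None
    # Keywords are case-insensitive, '#' starts a comment, and a Match line
    # opens a block that runs until the next Match line.
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    for line in filter(None, lines):
        keyword, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if keyword.lower() == "match":
            current = (value, [])
            blocks.append(current)
        else:
            target = top if current is None else current[1]
            target.append((keyword.lower(), value))
    return top, blocks


def restriction_evidence(text):
    """Summarise the user and host restrictions a config actually contains."""
    top, blocks = parse_sshd_config(text)
    found = {"user_restricted": False, "host_restricted": False, "directives": []}
    for keyword, value in top:
        if keyword in LOGIN_FILTERS:
            found["user_restricted"] = True
            found["directives"].append(f"{keyword} {value}")
            if keyword.startswith("allow") and "@" in value:  # USER@HOST form
                found["host_restricted"] = True
    for criteria, directives in blocks:
        # A Match Address block counts only if it actually filters logins
        if re.search(r"\baddress\b", criteria, re.I) and any(
                k in LOGIN_FILTERS for k, _ in directives):
            found["host_restricted"] = True
            found["directives"].append(f"match {criteria}")
    return found
```

Running `restriction_evidence(RESTRICTED_CONFIG)` yields the directive list you would hand to the scan vendor; the open sample yields an empty one.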

