X-Recipient: archive-cygwin@delorie.com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:subject:to:references:from:message-id :date:mime-version:in-reply-to:content-type :content-transfer-encoding; q=dns; s=default; b=MyF0j+GZzHsiW6S+ hJEDykPpTGd+r3XbVoT3oLhMzbtvLC/aVUHj7aYLdW7YBTcMo1V6ysksa1eDiGeI ywvHU0HdMCOTfCm9gL5kT+LpkMs1mOUVCOVITScPCFJOMU42B+NIFQUHGMD/S6gD x5BJ/VsFMt7qoa3MYUhSyPAWypE= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:reply-to:subject:to:references:from:message-id :date:mime-version:in-reply-to:content-type :content-transfer-encoding; s=default; bh=S9BeCfjH/Z6zGk2fiBZIwd 4DJSM=; b=kvrUnghFBBE5uqz0MElSrfII5zS5tersle0FRjJW03OG2LfdVrkuoa 6mkzEqhO8r+Qo8+Q5knbD8nEpAsfnJlL44GswOj1rBEB4lx1xQkowrL8TceJ3Dco F1U21Cw4tiLX10z6kYwUs0w8P1OwTjNO8ia/+oXz6pJuqx6jJRRJo= Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Delivered-To: mailing list cygwin@cygwin.com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy=Stewart, stewart, Portable, servers X-HELO: smtp-out-so.shaw.ca Reply-To: Brian.Inglis@SystematicSw.ab.ca Subject: Re: openSSH Vulnerability To: cygwin@cygwin.com References: <20190320141850.GT3908@calimero.vinschen.de> <08b408f2-0c5e-35f9-4e61-4fe23cb3c03d@halcomp.com> From: Brian Inglis Openpgp: preference=signencrypt Message-ID: Date: Wed, 20 Mar 2019 12:40:35 -0600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes On 2019-03-20 09:06, Bill Stewart wrote: > On Wed, Mar 20, 2019 at 8:53 AM Bruce Halco wrote: >> The problem is I have 8 customers failing PCI network scans because of >> CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to >> help. >> If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise >> I'll have to take some other action. I don't like any of my >> alternatives, though. >> I guess I'll try to convince ControlScan that since the vulnerability >> affects the scp client, server security is not actually compromised. In >> the past I've had a poor success rate trying to explain things like that. > Ah, the old "it shows up on somebody's vulnerability report so it must be > mitigated" problem (regardless of severity, scope, etc.). > In my experience, best results are achieved by demonstrating how the > vulnerability is mitigated using other security controls; e.g.: > * ssh access is restricted only to certain hosts or user accounts > * only trusted limited user accounts are permitted remote access Quote the upstream maintainers comments: "Don't use scp with untrusted servers." adding "...or networks" (for MitM attacks) and send them the link: https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html showing they are working on the CVEs: at least one of the OpenBSD maintainers is also a Portable OpenSSH maintainer The alternatives seem to be stop using scp, or rebuild from snapshots or git sources to include the unreleased patches. If you install the cygport package, with all its build tool dependencies, and the openssh package source, it is trivial to update the openssh.cygport control file to use updated sources, and download, build, and test the package using cygport. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple