DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 46HCQ1XL396243
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=T0lcoz5l
X-Recipient: archive-cygwin@delorie.com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 5C12F385841D
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1721219159;
	bh=p5yMbye0BfMtXnJrcaHmXDIzwbQ/qCIjWcyRU6mlC/M=;
	h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post:
	 List-Help:List-Subscribe:From:Reply-To:From;
	b=T0lcoz5l8BZ6xlNivOwXN1RZBryboVnf0rVhjiNFvpN+iyJbdgDt4QZYr0LAKXt/+
	 2IO6o1u5MTRRDXCWR5q5cvTkWlA+2Knc0vtIpZ0m4+bRs22t0srWQ3xTiDWDL1nOHd
	 +RSrIMdlr4xUmnKrN53z8Oky2vwNCNmZ0aFdsFoI=
X-Original-To: cygwin@cygwin.com
Delivered-To: cygwin@cygwin.com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 1BBF53858C52
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 1BBF53858C52
ARC-Seal: i=2; a=rsa-sha256; d=sourceware.org; s=key; t=1721219135; cv=pass;
 b=m1yAZfM5NHiqvYCKuni8aMKJa18dZFAynldzDbYYZhOJtLoBS8G+4XY1XdOAafXovYtCF6BajR84b5cE/GbssIiiRyiZdGSwe5sMenVLlhWzMf5JOzgSFHWzSZUciXEVrMcwu+5kX4muuiQfI3rXNvEEd8827AQlUOMtY2bBD6w=
ARC-Message-Signature: i=2; a=rsa-sha256; d=sourceware.org; s=key;
 t=1721219135; c=relaxed/simple;
 bh=GE5iOUy7Ie0uGGtcoFUtzfj7C1V9ri5WpuaKQYzxUDI=;
 h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;
 b=YzbZfVpruSvVfkghCknrOTS8PAUU37TtAoJcBs21R78n0zUqvy62H4+5HMGOEeAlUBUzetrThcIVqRQx4iMTxsn6yaLRHQ530wQg69EaBWx4O/9z4kZ47DemUCBfhGzG6Yg71Gt3djKNYjw+f8Ea5p4f7Q/ecjtxysyTA2HfIXo=
ARC-Authentication-Results: i=2; server2.sourceware.org
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
 b=GYlTr0aismDxYBbDMYSCJDPgXsXP7pxD3EJJ4/he/GNv63pUjnnW09lgYxQ39BUljMf5Zlme5YH/4qs4WTHShO4Rik18jlYYb+A4eqv2pRBbrHiSgDXVtaX7FenQZz2z1+YuVSpEnEt4Sdb/eJ/sf2hkLbFP/r+B2qDHTjbC7+Wr9EMa8OSS7kFWQB9IgIucDSLyXFo1KB9pt3+8nxiTw5rj5hmAuH8ozEOvVte1cuffpWvaPeHb6aRKyLz4gpcvRsNOS22F7T/MzbzLgMgzbmRh5VRRzhkHFXVmfQLUPrkvoGl+wjQp7UYFDDgrv582YgYs4kYPJx7k7/FaH9BWbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; 
 s=arcselector10001;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=4uLfgiImTow2IaDuaN+nzPF8sdvL4VyVK39iFS7qJzk=;
 b=roUskQWEMkJiKfqAw0GwGFlu7UMawkkUpi3GlMEjwddhrpdwskaR+ls2pOOgymrCyoW3JjK6giY+ACXma/8TGufuctgHPZobjozgpFy9xC28HEqnnwOl3Ch8WiONqdp3LUqkRTi8TnvUJ0HyEg4CT6+NBUMJsPuxqA2lVanLS+ozGOKA9Jv8BXE+Gnu3ADIDvb1SivcA42djITlUOpbHKCQSKOR1nf1Atn3EwhW4LxPkZaVZ0udqxXARDe8qY6g1AuVjB3GTZeSejAk7zniffDowEKVxtfkPRYHwboLNKsq+rSNBxktu3/CtbdDQ8VpDoH/1bbeEa/dmED3jyNQdgw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=dell.com; dmarc=pass action=none header.from=dell.com;
 dkim=pass header.d=dell.com; arc=none
To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: ssh vulnerability CVE-2024-6387
Thread-Topic: ssh vulnerability CVE-2024-6387
Thread-Index: AdrYQ5BT/pS9gsGXSGGbQqL911CG0Q==
Date: Wed, 17 Jul 2024 12:25:14 +0000
Message-ID: <LV2PR19MB57671F587EAAF01EAB42666DE4A32@LV2PR19MB5767.namprd19.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_ActionId=2c4ed451-b897-4309-b9e1-db1d3f2e88cb;
 MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_ContentBits=0;
 MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Enabled=true;
 MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Method=Standard;
 MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_Name=No
 Protection (Label Only) - Internal Use;
 MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_SetDate=2024-07-17T12:18:50Z;
 MSIP_Label_73dd1fcc-24d7-4f55-9dc2-c1518f171327_SiteId=945c199a-83a2-4e80-9f8c-5a91be5752dd;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LV2PR19MB5767:EE_|SN7PR19MB6995:EE_
x-ms-office365-filtering-correlation-id: 927fd30a-17a2-4726-a7a3-08dca65b8278
x-exotenant: 2khUwGVqB6N9v58KS13ncyUmMJd8q4
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0; ARA:13230040|1800799024|366016|376014|38070700018;
x-microsoft-antispam-message-info: =?us-ascii?Q?bQhgzmkRS41FoQF1ktT49tjlS7GI2ivSA5RQwb+PxE3/Jtmp0oh65YWxi/LG?=
 =?us-ascii?Q?xPLl9iqyTK3WthOyMxKVjFGzQOz15kWWB4nOEFUaqI5N+rAT6c6NKehds/Cj?=
 =?us-ascii?Q?ETc/+BP2A22jQJgLxizXGiIPBRlAh12B0P5EWjS9gJnU2pmG+EJJzG01lsb2?=
 =?us-ascii?Q?tUH9+FjyQEgDWpH1U/dCMiyDrkDV50HZwDqSS0pvh408wcBvKihQuKQHQu+C?=
 =?us-ascii?Q?ZacPzkkT9+ZqF3F9aevv5NjquOsIpxlUeilC/WEkxwmxHpo8aJh1HpEOWmA4?=
 =?us-ascii?Q?jf9PRLAvWi3Osxeom0vcbwQZ5ALjUbvL20mGXCBNHfFIr4LJXvTMNWlG1JNA?=
 =?us-ascii?Q?cdGyjYbvSw8TKm2VvuBnzdnJb+Zg2FRu9/BR4HZ+H/RVTTXTcHd+W1cOilQe?=
 =?us-ascii?Q?EoYgPuJwYvOC1TiEd54TugktV67+LhDdj2x7eRG5UEnKQlaifXIUP3EbPRaz?=
 =?us-ascii?Q?GKePUUs9L109Zz4PDcPBffrZbqMErsTx9Bd3KQ5SRgiHERphI+/2Q04CtbLG?=
 =?us-ascii?Q?gPngbqFej0ymo11C5E/vZEsGpV3tROTrWK/TCpJl0UJcQxbHsZytCAdpYBX3?=
 =?us-ascii?Q?iccU6LB/VZqa3Y6aKWg3Pv50rdHRorch8eNKJyjE4KU9BCl8vn/LXdmTw7OT?=
 =?us-ascii?Q?MYaxcYSX5bde6mEHxdXKAgpbmiwGd+/IDx4mEyHSYr/Iy1QuYKKEv6qO3a/p?=
 =?us-ascii?Q?ybLzEmCamS4SJjS8YH7JDV/uH5JRcQ7BFEN96zIsaQV5Dw1jjlJaRaIbQone?=
 =?us-ascii?Q?uB6JhR5XB24Uo4Bc7jW51cA74xuOk+JyF5OlMHikzOe19/x5oe6HbeoiwzQr?=
 =?us-ascii?Q?ZvRuEHzzxR+wMdJ7SuVySMBeP1NApTb1jB60Qrc8bi3Oco2ZWLMQ9fq6UsZm?=
 =?us-ascii?Q?kqW8FXmiKS0Rq5D07omxR1BR8keE0RB9LV7n5+uFznNhVnW7O+tzlmyZgiMS?=
 =?us-ascii?Q?ABcUv+TJfbmDVK9nW7hm1vPC/eJdeyytuN7nCbXZu1oR5Wui9dz6qTqtFImq?=
 =?us-ascii?Q?5wcTJ+zXqpJd8HuXy2RI4fCFwHqU/OFXFE7+OhaA5eagwlxutCVa5ZJ2ZCR4?=
 =?us-ascii?Q?2q0ahGtk/P5iQII0NDdRpDlmz3yg0XTACO+xaS8HkwbK1PBSxahIv2q7P+Wy?=
 =?us-ascii?Q?5RccHqEKQ9AK9QSnrAYxho3tlFdZxFpqm1HpU7nNGwNtyCtaK1Btid8x6Zp/?=
 =?us-ascii?Q?rBeRG1GRByD3u0RFte868z/6o6wCqVcq6sHVf8fvnZ7kJWT4l2SRDmTUjbo4?=
 =?us-ascii?Q?KyzxDKLYkSymx7FogSPr8FM6a+M8Y4c2yiA+hFBV5ABEvljnGnPkSIH6J0sP?=
 =?us-ascii?Q?K1Swa3Q6a2pxeeGH8ACnhOYqkhEOp2GpPkjOEDblNzTBT2meQWjbXRlhclao?=
 =?us-ascii?Q?w2wLgHk=3D?=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
 IPV:NLI; SFV:NSPM; H:LV2PR19MB5767.namprd19.prod.outlook.com; PTR:; CAT:NONE;
 SFS:(13230040)(1800799024)(366016)(376014)(38070700018); DIR:OUT; SFP:1101; 
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?lUvecvlZFe3oCvj2nAxuk+BLML6x8jbXQ/pLGMmMl+K7ms9Ar6xap20npR+B?=
 =?us-ascii?Q?8mvFt4X5bCh/O+oNH+2e/2m0zQkbo4CJrN9iSKjt8z6iSS/yRzDsqHaGCsTa?=
 =?us-ascii?Q?FTLc2EhdBvKpQZjDvoPYpSKbGhSwYOGlK20aIl7g4SiS0OGT8GBC9T99k/38?=
 =?us-ascii?Q?IZb1FPiFEIm/Ud53fB8a1mfyU1sRlF8jRwj2QvJV/kq19BqkkHSmjmgbuR72?=
 =?us-ascii?Q?X02j+oGQ4rf8WeYQPBCZ+6Dk2kd2GgGqc4347Rm43IWW06ryxp6jl9hslK5S?=
 =?us-ascii?Q?vdYJOrw4UIn8TW3BpL31pksmVk20KU6tL9HEtUd04iPZgoRNu7pAAZzLPsCQ?=
 =?us-ascii?Q?PkGoE9AcGsMbOqRQqQcnNLAQd9ROANBT+EwNxmR/QQo24bq0bhmxKnTMyFnb?=
 =?us-ascii?Q?C27ZtdsTmR6zZjkwkYlsyH80Jmx5VJoKWr7z9P+TCtx2Zco4oCe58P6gL3tv?=
 =?us-ascii?Q?F2vDzReRtYoowfvPEBIaBHjLFoEgRnGKY3AJhOzHCLX37BJWMa925euF0sUN?=
 =?us-ascii?Q?Zj66hQiJwhMnP15Sv03qjbiqKd9qHkQnE1eOUyYEQVGwXjr+e/a0dQmM4E7Y?=
 =?us-ascii?Q?0gcHd/+xnSZ6S84jfka4xpXo6i/B49xHEzRKblJzt41YPmQ53nH7dWOJXHBH?=
 =?us-ascii?Q?JU8IjhD8Y/ea/VtlDO1DpdkjaKvt5g63FbrhpMuA4CshBI7m8tu3X8Ca0nKj?=
 =?us-ascii?Q?qauxXL8jfICs+nEquWh/gTm33AIGdJpcjrm+cWJ6mR/2gixLRIK0Fnw0+Q5h?=
 =?us-ascii?Q?s6xBudzS5HV/vXWq0BYe2Exc1CEUgfoKbWTMqixPCaXYpdbgRitlihFsLCSj?=
 =?us-ascii?Q?ZHM9TYFNxx9/EnpR5d1Ai+BwMZVpWCjV4EDurtbU3bhUIgtlHz/p3eJz2LQX?=
 =?us-ascii?Q?ANpBvkdkZ7DP22l5z0gFUfSkKpN0gjhk5L84YNzHrCo+brTAmZ/tzNvijVHt?=
 =?us-ascii?Q?8EFMJVQSaIOUQHnS0/P6wibUns31s85kpis+AFac2jU550MvD35REZ415Fef?=
 =?us-ascii?Q?QwSoziS4w2iEclmR4mnik0r/0YlZ8JemOgykLxr7MznXzeQGVMVZ5DQN9nIc?=
 =?us-ascii?Q?UbhDa4zXPZn3uPYQ062ikzr0WVUCPr1c2zvLYD3uMX1Bvht8bjs/MBCutCu9?=
 =?us-ascii?Q?LlyPZ7vxAeRDpmp3n7jknfU6/aiCvflpW/zHxBht7L9oxEaNE3ds2AF9LmB4?=
 =?us-ascii?Q?TkNSThzRR+49NnHZ6Q047dGdNwaQS7ifljTOcYHBZl57yE7ZugCiyLkUAX+R?=
 =?us-ascii?Q?yteNAx6QxL7W22VICneNQBs4DsJldrKh4e7yPAaYN9LHZ1wCFu4iIw3iSARc?=
 =?us-ascii?Q?d/DTHFpT6d6NWVCWfGB4bXL2CUkc2ZAMM9QXtrwOsm+r6oSgSiHGUF6e6eaA?=
 =?us-ascii?Q?FpzA497REZo+6dVV2Ne84s+xv5KUFHTkMy4cR7rhX2E9dDig/oF6kupK0Zk2?=
 =?us-ascii?Q?GypchA2MKB3uAptsbprKKiAo6x/Oro49s6vrpsfyTjRgqhn8MwEXoTgjy5MT?=
 =?us-ascii?Q?2f4gxqIqgnPZINZ1zHaRcYtkcf/Y2l33F6ZD6Wehw963uEOJMdBngUfPXZR3?=
 =?us-ascii?Q?lK9bv0GLtg9ySY9/ZWSNWT1bASAgDY/ws8uZfIQu?=
MIME-Version: 1.0
X-OriginatorOrg: Dell.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LV2PR19MB5767.namprd19.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 927fd30a-17a2-4726-a7a3-08dca65b8278
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jul 2024 12:25:14.0743 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 945c199a-83a2-4e80-9f8c-5a91be5752dd
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: yNEEcUmwwx0WiOcpFZjLVaqFrn2PVjyrfBVw/gfaCopDrG9uNbRdZoPOMp9zi8gLl9wrJeDioB1Ks1PNWfAT+Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR19MB6995
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16
 definitions=2024-07-17_08,2024-07-17_01,2024-05-17_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 adultscore=0
 priorityscore=1501 impostorscore=0 bulkscore=0 spamscore=0
 lowpriorityscore=0 mlxlogscore=959 mlxscore=0 clxscore=1011 malwarescore=0
 suspectscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.12.0-2407110000 definitions=main-2407170095
X-Proofpoint-ORIG-GUID: _MnzuYMIAVpDPJxp6G_cbX1_kqDrYtyT
X-Proofpoint-GUID: _MnzuYMIAVpDPJxp6G_cbX1_kqDrYtyT
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=911
 mlxscore=0
 clxscore=1015 malwarescore=0 suspectscore=0 spamscore=0 impostorscore=0
 phishscore=0 bulkscore=0 adultscore=0 lowpriorityscore=0
 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.19.0-2407110000 definitions=main-2407170096
X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, HTML_MESSAGE,
 KAM_NUMSUBJECT, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NONE,
 TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
X-Content-Filtered-By: Mailman/MimeDel 2.1.30
X-BeenThere: cygwin@cygwin.com
X-Mailman-Version: 2.1.30
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=subscribe>
From: "Lemons, Terry via Cygwin" <cygwin@cygwin.com>
Reply-To: "Lemons, Terry" <Terry.Lemons@dell.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie.com@cygwin.com>

Hi

Vulnerability scanners run at my company have detected the following vulnerability in the Cygwin sshd:

<https://dellinclabs.kennasecurity.com/vulnerabilities/341847636>
CVE-2024-6387    CVSS 3: 8.1<https://dellinclabs.kennasecurity.com/vulnerabilities/341847636>

OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a signal handler race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with root privileges on glibc-based Linux systems.

OpenSSH Vulnerability: CVE-2024-6387

  *   Published: 07- 1-24 00:00
  *   Diagnosis:

A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().

  *   Solution:

Upgrade to the latest version of OpenSSH

Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH

The latest version of OpenSSH is 9.6.

While you can always build OpenSSH from source<http://www.openssh.com/portable.html>, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.

Running SSH service
Product OpenSSH exists -- OpenBSD OpenSSH 9.8
Vulnerable version of product OpenSSH found -- OpenBSD OpenSSH 9.8
Vulnerable version of OpenSSH detected on Microsoft Windows

My Cygwin installation is using openssh 9.8p1-1 which, at this writing, is the latest available version.

What are the plans to address this vulnerability in cygwin's openssh component?

Thanks
tl



Terry Lemons
Senior Principal Software Engineer, Dell EMC
Dell Technologies | Data Management
Terry.Lemons@dell.com<mailto:Terry.Lemons@dell.com>



Internal Use - Confidential

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple