Date: Wed, 20 Mar 2019 15:18:50 +0100
From: Corinna Vinschen
To: Bruce Halco
Cc: cygwin AT cygwin DOT com
Subject: Re: openSSH Vulnerability
Message-ID: <20190320141850.GT3908@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com

On Mar 20 09:13, Bruce Halco wrote:
> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed
> in at least some distributions, Debian at least.

Fedora (which is our role model) doesn't and the vulnerability is not
deemed that critical by the upstream maintainers:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html

Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only.

I was planning to wait for OpenSSH 8.0. It was originally slated for
end of January or at least February, but there's no hint from the
upstream maintainers yet in terms of the (obviously changed) release
planning for 8.0.

I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that helps.

Corinna

-- 
Corinna Vinschen
Cygwin Maintainer