Subject: Re: openSSH Vulnerability
From: Bruce Halco
To: cygwin AT cygwin DOT com
Date: Wed, 20 Mar 2019 10:52:46 -0400
Message-ID: <08b408f2-0c5e-35f9-4e61-4fe23cb3c03d@halcomp.com>
In-Reply-To: <20190320141850.GT3908@calimero.vinschen.de>
The problem is I have 8 customers failing PCI network scans because of CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to help.

If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise I'll have to take some other action. I don't like any of my alternatives, though.

I guess I'll try to convince ControlScan that since the vulnerability affects the scp client, server security is not actually compromised. In the past I've had a poor success rate trying to explain things like that.

Bruce

On 3/20/19 10:18 AM, Corinna Vinschen wrote:
> On Mar 20 09:13, Bruce Halco wrote:
>> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed
>> in at least some distributions, Debian at least.
> Fedora (which is our role model) doesn't and the vulnerability is not
> deemed that critical by the upstream maintainers:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html
>
> Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only.
>
> I was planning to wait for OpenSSH 8.0. It was originally slated
> for end of January or at least February, but there's no hint from the
> upstream maintainers yet in terms of the (obviously changed) release
> planning for 8.0.
>
> I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that
> helps.
>
>
> Corinna