From: Bill Stewart
Date: Wed, 20 Mar 2019 09:06:17 -0600
Subject: Re: openSSH Vulnerability
To: cygwin AT cygwin DOT com

On Wed, Mar 20, 2019 at 8:53 AM Bruce Halco wrote:
> The problem is I have 8 customers failing PCI network scans because of
> CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to
> help.
>
> If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise
> I'll have to take some other action. I don't like any of my
> alternatives, though.
>
> I guess I'll try to convince ControlScan that since the vulnerability
> affects the scp client, server security is not actually compromised. In
> the past I've had a poor success rate trying to explain things like that.

Ah, the old "it shows up on somebody's vulnerability report so it must be
mitigated" problem (regardless of severity, scope, etc.).

In my experience, best results are achieved by demonstrating how the
vulnerability is mitigated using other security controls; e.g.:

* ssh access is restricted only to certain hosts or user accounts
* only trusted limited user accounts are permitted remote access

...etc.

Good luck.

Bill

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
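As an added illustration that is not part of Bill's message or of the Cygwin project, here is the kind of server-side restriction the two bullets above describe, written as OpenSSH sshd_config directives; the group name, user names and address ranges are constructed placeholders. These directives limit which hosts and accounts can reach the server at all; they do not patch the scp client issue the scan flags, which is exactly the distinction the thread is trying to get the scan vendor to accept.

```conf
# Added example of compensating controls for an OpenSSH server.
# Not taken from the original message; sshadmins, opsuser, auditor,
# 192.0.2.0/24 and 198.51.100.10 are constructed placeholders.

# Only members of one administrative group may log in; every other
# account is refused before authentication completes.
AllowGroups sshadmins

# No interactive root logins and no password guessing: keys only.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Clients outside the management network and the single jump host
# are refused outright, whatever account name they present.
# "*" matches every address, "!" negates the trusted ranges.
Match Address *,!192.0.2.0/24,!198.51.100.10
    DenyUsers *

# From the trusted ranges, only these two named accounts may log in
# (this AllowUsers list narrows the global AllowGroups further).
Match Address 192.0.2.0/24,198.51.100.10
    AllowUsers opsuser auditor
```

To show a scan vendor that the restriction is actually in force, `sshd -T -C user=opsuser,addr=203.0.113.5` prints the effective configuration sshd would apply to a connection from that (constructed) address, including the Match block that fires.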