X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:to:references:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=MyF0j+GZzHsiW6S+
	hJEDykPpTGd+r3XbVoT3oLhMzbtvLC/aVUHj7aYLdW7YBTcMo1V6ysksa1eDiGeI
	ywvHU0HdMCOTfCm9gL5kT+LpkMs1mOUVCOVITScPCFJOMU42B+NIFQUHGMD/S6gD
	x5BJ/VsFMt7qoa3MYUhSyPAWypE=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:to:references:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=S9BeCfjH/Z6zGk2fiBZIwd
	4DJSM=; b=kvrUnghFBBE5uqz0MElSrfII5zS5tersle0FRjJW03OG2LfdVrkuoa
	6mkzEqhO8r+Qo8+Q5knbD8nEpAsfnJlL44GswOj1rBEB4lx1xQkowrL8TceJ3Dco
	F1U21Cw4tiLX10z6kYwUs0w8P1OwTjNO8ia/+oXz6pJuqx6jJRRJo=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy=Stewart, stewart, Portable, servers
X-HELO: smtp-out-so.shaw.ca
Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca
Subject: Re: openSSH Vulnerability
To: cygwin AT cygwin DOT com
References: <cdd0f8a3-8e3c-5b9c-7633-40af3424f780 AT halcomp DOT com> <20190320141850 DOT GT3908 AT calimero DOT vinschen DOT de> <08b408f2-0c5e-35f9-4e61-4fe23cb3c03d AT halcomp DOT com> <CANV9t=R5bRRqJ=FwpA1NQhg5=nddGYDVdOyEuo=H8fOwHHv0gQ AT mail DOT gmail DOT com>
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Openpgp: preference=signencrypt
Message-ID: <d101fb90-57f3-56f0-c362-2f61c8c897ae@SystematicSw.ab.ca>
Date: Wed, 20 Mar 2019 12:40:35 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.0
MIME-Version: 1.0
In-Reply-To: <CANV9t=R5bRRqJ=FwpA1NQhg5=nddGYDVdOyEuo=H8fOwHHv0gQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes

On 2019-03-20 09:06, Bill Stewart wrote:
> On Wed, Mar 20, 2019 at 8:53 AM Bruce Halco wrote:
>> The problem is I have 8 customers failing PCI network scans because of
>> CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to
>> help.
>> If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise
>> I'll have to take some other action. I don't like any of my
>> alternatives, though.
>> I guess I'll try to convince ControlScan that since the vulnerability
>> affects the scp client, server security is not actually compromised.  In
>> the past I've had a poor success rate trying to explain things like that.
> Ah, the old "it shows up on somebody's vulnerability report so it must be
> mitigated" problem (regardless of severity, scope, etc.).
> In my experience, best results are achieved by demonstrating how the
> vulnerability is mitigated using other security controls; e.g.:
> * ssh access is restricted only to certain hosts or user accounts
> * only trusted limited user accounts are permitted remote access

Quote the upstream maintainers comments:
	"Don't use scp with untrusted servers."
adding "...or networks" (for MitM attacks) and send them the link:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html
showing they are working on the CVEs: at least one of the OpenBSD maintainers is
also a Portable OpenSSH maintainer

The alternatives seem to be stop using scp, or rebuild from snapshots or git
sources to include the unreleased patches.
If you install the cygport package, with all its build tool dependencies, and
the openssh package source, it is trivial to update the openssh.cygport control
file to use updated sources, and download, build, and test the package using
cygport.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple