Date: Thu, 4 Jul 2024 10:31:23 -0500
Subject: ssh server vulnerable to regreSSHion?
From: Tom Kent via Cygwin
Reply-To: Tom Kent
To: cygwin AT cygwin DOT com
List-Id: General Cygwin discussions and problem reports

For anyone not aware, a major, remotely exploitable vulnerability has been found in OpenSSH servers. It has been assigned CVE-2024-6387 [1] and titled "regreSSHion" [2] because it is actually a regression of a pair of early-2000s bugs: CVE-2006-5051 and CVE-2008-4109. The vulnerability is a race condition related to its interaction with glibc.

Because of the way Cygwin is built, it isn't clear to me whether this is something that could possibly be impacting it or not, so I wanted to see if smarter heads could identify whether this is a potential (or actual) issue. Either way, it might be nice to get a determination posted somewhere for people to find, as I expect there will be more out there wondering about this in the next days/weeks.

Thanks,
Tom Kent

[1] https://www.cve.org/CVERecord?id=CVE-2024-6387
[2] https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server