DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 46HDQXcj414196
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=tM6XfqLw
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 1F7E13858294
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1721222792;
	bh=q4idBks8dZC2LZR6MFn5ge3Lftoo0vgdZmUTTyqCV3w=;
	h=References:In-Reply-To:Date:Subject:To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:
	 From;
	b=tM6XfqLwmEdNCYwPG19Bqjr9nJ46eVqBZBJdWS89yKlyBHDP7fVvkjZC7eHjz/wMi
	 4bJPqZHSzmKoraI2pdCDfXOMnCxSxb2b0qDU06JT164eadKq3xozsNDZ4CODJQVhp/
	 vjMVR1F5nOilqaZIiJHC2dDh0Ke0dIXYK9si99Q8=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org C30753858D34
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org C30753858D34
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1721222735; cv=none;
 b=UlLlbP8jM7vOEGwSAHTw9qQGkul71Y8sYuXRUrsjfUdZkHzn4x35SW88N5i4+OBHA7Wr+XFIP4kmmQDPjp3EcsMuzqntrPGgSh5/YI6jLfHLt0gNvhing7ueV26Sq/JvoqxumCinB75SL0WZoV1TX7erFWHx7Z0Hkwaq6pTCDik=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1721222735; c=relaxed/simple;
 bh=sUoFE0pmlTXYyw/6FH3diIQ5flCxHZ31FJp3xNGh8nc=;
 h=DKIM-Signature:MIME-Version:From:Date:Message-ID:Subject:To;
 b=hN/e3h8+9XI70Wq0BHIkkaLxsSwui6kUEiRvJY5g6uPeB4VcKVpoS/AmqNPZhoi9WL6YBFFfsR2galY9e2ifXGgmovOqUeLOfoPasU0XoqT8QvRtw3ZIIt1kROvClI9FNa3wLME4lVlmQSLBuGoLIEdMmjMQ75hMHaOXZS/8FgE=
ARC-Authentication-Results: i=1; server2.sourceware.org
X-UI-Sender-Class: f2cb72be-343f-493d-8ec3-b1efb8d6185a
X-Gm-Message-State: AOJu0YyAqh+RlhWZf52v6u6juHmSf+KY2N0cJL2b5kVxWsKUBFDx2VAd
 74JjXGx+eeR87PT8QPt9996aW3SrWPoYgD65UxFilBBH7DVNvGw5cvysMxGezTCOcdied7c3ccZ
 oA3VlxOU8R5vtuTfnPQIFkQteXh0=
X-Google-Smtp-Source: AGHT+IEDvBnWzHlXXMdlzdWnthM61yqHTPtkrtAJV9uzrGfwT//bqTqvdT57F6aeKvsLBWVdq9pvb71Yclhxo2KeN3c=
X-Received: by 2002:a05:6512:a96:b0:52b:aae0:2d41 with SMTP id
 2adb3069b0e04-52ee4e4f2d9mr595578e87.28.1721222731059; Wed, 17 Jul 2024
 06:25:31 -0700 (PDT)
MIME-Version: 1.0
References: <LV2PR19MB57671F587EAAF01EAB42666DE4A32 AT LV2PR19MB5767 DOT namprd19 DOT prod DOT outlook DOT com>
In-Reply-To: <LV2PR19MB57671F587EAAF01EAB42666DE4A32@LV2PR19MB5767.namprd19.prod.outlook.com>
Date: Wed, 17 Jul 2024 07:25:04 -0600
X-Gmail-Original-Message-ID: <CANV9t=RcpX8KCc-7krkLCGtxijXgmOFim3pExvz2tBnzTojLWw AT mail DOT gmail DOT com>
Message-ID: <CANV9t=RcpX8KCc-7krkLCGtxijXgmOFim3pExvz2tBnzTojLWw@mail.gmail.com>
Subject: Re: ssh vulnerability CVE-2024-6387
To: cygwin AT cygwin DOT com
X-Provags-ID: V03:K1:ef4u+67LkhPrnunaqMFTwybDrFFRq8lRFZeZjHaV1LV7I+5nIdQ
 +lAOTo2BchjfV1n3OsnyBuRlOVDb4kGPwPdqLdegvdk8iUeNytbxdROSI1lLvpZkovhLHeC
 okiflcPCeulyDNg44vdjuLG2KLjjkSnIwvQhENjS7p7y5iaZDayS8x+agcS9gLmH5U2oVKz
 flpaz9x9k8NSGRxcE8Djw==
UI-OutboundReport: notjunk:1;M01:P0:/g3j6TLdudE=;JYe2EOolV9/AR7c6CHvo9Asp562
 h24t03f+mIvJ/OeOSc9Rk5aQzebFa1f/hK/vze88nng+N/Pkvi2UbqETGVQr3iHnB95841x0U
 WDwny5YY8TNKejAS5/CK6Tql+tl0uLPUw2D3FpwXWsoan1/7ORrSZtFfkUcwnd2Jh2qXiyCtl
 rSpHRAPBOw+QIdlq54Gn1xFcmotO9pOFtmQBI0wIcA/zjH1OOnsWkKyHD5/Tv1lECQb6fCRBQ
 KVjvPKbIBxumnMYESgJHE3pt42SW16ElmXD2DePACMQC0GJ3t10Hy6Y8kqlxdl6xbHsRP7kj9
 AKc3a4jxuTQlJLZSrIFwj4rqoZE7LMOOlRefHKfwEbFzzhXQX2W3Koa0U+wysl2txvn73M7YM
 mrk6rQj7rSlBauQpSkH02v3egXBg8k4jMR3TkQ4Klnvhh+mdLh04N2ea4XkJhZlhPvZBPdCJ/
 h8V5WoXW21dvMcy/NZBbJa1p4MU5GbX5ALIIQveneW89nAlbF54gUcI0DuDRd7ql29g3Hr24d
 lmDkKgh3oaeglOjid5kevUrAPEgRHQ90exEYzRajA+JiZ5ypjaT2iIvOl5MYW6KaS9hOPfrIK
 uVjkL4fgMxOHMQV7GYTU+E3WfR/RqjNOPTPWNkeckOMQoxEizqeyd2PbCJSZAxY38jQbAuk6Z
 AmRr8W1O8gzYUiXa9y297dyR0zk5NF0KPR+/Fpp+pPbG2p4ASderzQso/r31rIfnU5eV9TfqM
 TR7sgEuGaB/Gn2i8dKUk4zhOKVHpuuMRRqcryqnBZR4HGhIzZuKca7GyGS5iB7xD1WWvbN9ud
 aemQUVFc/YLFcTPtWlQOysmA==
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, HTML_MESSAGE,
 KAM_NUMSUBJECT, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
X-Content-Filtered-By: Mailman/MimeDel 2.1.30
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Bill Stewart via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Bill Stewart <bstewart AT iname DOT com>
Content-Type: text/plain; charset="utf-8"
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 46HDQXcj414196

On Wed, Jul 17, 2024 at 6:25 AM Lemons, Terry via Cygwin wrote:

Vulnerability scanners run at my company have detected the following
> vulnerability in the Cygwin sshd:
>
> CVE-2024-6387    CVSS 3: 8.1
>
> OpenSSH could allow a remote attacker to execute arbitrary code on the
> system, caused by a signal handler race condition. By sending a specially
> crafted request, an attacker could exploit this vulnerability to execute
> arbitrary code with root privileges on glibc-based Linux systems.
>
> OpenSSH Vulnerability: CVE-2024-6387
>
>   *   Published: 07- 1-24 00:00
>   *   Diagnosis:
>
> A signal handler race condition was found in OpenSSH's server (sshd),
> where a client does not authenticate within LoginGraceTime seconds (120 by
> default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is
> called asynchronously. However, this signal handler calls various functions
> that are not async-signal-safe, for example, syslog().
>
>   *   Solution:
>
> Upgrade to the latest version of OpenSSH
>
> Download and apply the upgrade from:
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
>
> The latest version of OpenSSH is 9.6.
>
> While you can always build OpenSSH from source, many platforms and
> distributions provide pre-built binary packages for OpenSSH. These
> pre-built packages are usually customized and optimized for a particular
> distribution, therefore we recommend that you use the packages if they are
> available for your operating system.
>
> Running SSH service
> Product OpenSSH exists -- OpenBSD OpenSSH 9.8
> Vulnerable version of product OpenSSH found -- OpenBSD OpenSSH 9.8
> Vulnerable version of OpenSSH detected on Microsoft Windows
>
> My Cygwin installation is using openssh 9.8p1-1 which, at this writing, is
> the latest available version.
>
> What are the plans to address this vulnerability in cygwin's openssh
> component?
>

I'm not sure I understand the concern. When I look at CVE-2024-6387[1], it
says version 9.8 (which you are running) is not affected.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-6387

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple