From: "SUMMERS, TED via Cygwin"
Reply-To: "SUMMERS, TED"
To: Dimitry Andric
CC: "cygwin AT cygwin DOT com"
Subject: RE: Cygwin OpenSSH version detection by Tenable
Date: Wed, 5 Mar 2025 20:15:09 +0000
List-Id: General Cygwin discussions and problem reports

Dimitry-

Thanks for your response. You have been very helpful. I agree with your statement relating to the version determination. I will await if the maintainer has any response before formulating my next action. If necessary, I can take this information you provided back to Tenable team and try to make the case that Tenable needs to change its method or get an exception.

Best Regards,
Ted Summers

From: Dimitry Andric
Sent: Wednesday, March 5, 2025 11:50 AM
To: SUMMERS, TED
Cc: cygwin AT cygwin DOT com
Subject: Re: Cygwin OpenSSH version detection by Tenable

In my opinion, it is wrong that scanners rely on this information. :-)

But putting that discussion aside, the openssh-portable distribution does not announce its "patch level" in its version banner by default. See e.g. https://github.com/openssh/openssh-portable/blob/master/version.h, where SSH_VERSION is defined as "OpenSSH_9.9", while SSH_PORTABLE is defined as "p2".

In https://github.com/openssh/openssh-portable/blob/master/ssh_api.c#L430 you can see that the _ssh_send_banner() function only advertises the SSH_VERSION value, not the SSH_PORTABLE value.

Now, various Linux distributions apply custom patches on top of the stock openssh-portable package to add additional information, for example Debian (and Ubuntu which sources its packages from there) has:

https://salsa.debian.org/ssh-team/openssh/-/blob/master/debian/patches/package-versioning.patch?ref_type=heads

I guess something similar could be done in the Cygwin package. This is up to the Cygwin maintainers of course.

-Dimitry

> On 5 Mar 2025, at 20:30, SUMMERS, TED via Cygwin wrote:
>
> Dear list member(s),
>
> I've reviewed the list archives for the last two months since subcomponent release, and googled, but didn't find an answer for my question.
>
> I'm encountering an issue with Tenable detecting a difference in version in our security scans indicating that OpenSSH is still at a vulnerable version.
> Even though I have openssh 9.9p2-1 installed, some query methods show the version only as OpenSSH 9.9.
> If I login to my Cygwin installation and perform "ssh -V" I receive the expected correct up-to-date values in the response:
> OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025
>
> However Tenable is performing a non-authenticated query against ssh that returns OpenSSH 9.9 (without the p2 appended to the end).
> Then Tenable flags systems for remediation of what it detects as a vulnerable version.
>
> If I initiate a command "ssh -vv " I can see the string where it reports the following:
> debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9
>
> I can also get this information via nmap or netcat (nc)
> Nmap (v7.94) returns:
> 22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
>
> # nc 22
> SSH-2.0-OpenSSH_9.9
>
> Is there a file that I can manipulate to resolve this, or can a new openssh package build be made that fixes the version output in response to these other query methods used by security scanners?
>
> I look forward to any response or guidance.
>
> Respectfully,
> Ted Summers
>
> --
> Problem reports: https://cygwin.com/problems.html
> FAQ: https://cygwin.com/faq/
> Documentation: https://cygwin.com/docs.html
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
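
The banner behaviour discussed in this thread, as an added example that is not part of the original messages and is not code from OpenSSH, Cygwin or Tenable: a parser for the SSH identification string showing that a banner such as SSH-2.0-OpenSSH_9.9 carries no portable patch level, so a banner-only finding has to be resolved against the local "ssh -V" output. The function names, the result labels and the third sample banner are assumptions made for this example.

```python
import re

# RFC 4253 identification string: SSH-protoversion-softwareversion SP comments
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# OpenSSH release string with an optional portable patch level such as "p2"
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<base>\d+(?:\.\d+)+)(?P<patch>p\d+)?")

# Inputs: the first two strings are the ones quoted in the thread; the third is
# a constructed banner from a hypothetical build patched to send the patch level.
BANNER_STOCK = "SSH-2.0-OpenSSH_9.9\r\n"
LOCAL_SSH_V = "OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025"
BANNER_PATCHED = "SSH-2.0-OpenSSH_9.9p2 ExampleVendor-1\r\n"


def parse_banner(line):
    """Split a server identification line into protocol, base version and patch level."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    info = {"proto": m["proto"], "software": m["software"],
            "comments": m["comments"], "base": None, "patch": None}
    v = OPENSSH_RE.match(m["software"])
    if v:
        info["base"], info["patch"] = v["base"], v["patch"]
    return info


def triage(banner, local_version=None):
    """Classify what a banner-only finding can say about the installed build.

    local_version is the first line of `ssh -V` from an authenticated check, if any.
    """
    remote = parse_banner(banner)
    if remote["base"] is None:
        return "not-openssh"
    if remote["patch"]:
        return "banner-has-patch-level:" + remote["base"] + remote["patch"]
    if local_version:
        local = OPENSSH_RE.match(local_version)
        if local and local["base"] == remote["base"] and local["patch"]:
            return "resolved-by-local-check:" + local["base"] + local["patch"]
        return "local-check-mismatch"
    return "patch-level-unknown"


if __name__ == "__main__":
    print(triage(BANNER_STOCK))
    print(triage(BANNER_STOCK, LOCAL_SSH_V))
    print(triage(BANNER_PATCHED))
```
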