openSSH Vulnerability

Bruce Halco bruce@halcomp.com
Wed Mar 20 14:52:00 GMT 2019

• Previous message (by thread): openSSH Vulnerability
• Next message (by thread): openSSH Vulnerability
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

The problem is I have 8 customers failing PCI network scans because of 
CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to 
help.
If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise 
I'll have to take some other action. I don't like any of my 
alternatives, though.
I guess I'll try to convince ControlScan that since the vulnerability 
affects the scp client, server security is not actually compromised.  In 
the past I've had a poor success rate trying to explain things like that.
Bruce
On 3/20/19 10:18 AM, Corinna Vinschen wrote:
> On Mar 20 09:13, Bruce Halco wrote:
>> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed
>> in at least some distributions, Debian at least.
> Fedora (which is our role model) doesn't and the vulnerability is not
> deemed that critical by the upstream maintainers:
>> https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html
>> Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only.
>> I was planning to wait for OpenSSH 8.0. It was originally slated
> for end of January or at least February, but there's no hint from the
> upstream maintainers yet in terms of the (obviously changed) release
> planning for 8.0.
>> I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that
> helps.
>>> Corinna
>
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple

---

• Previous message (by thread): openSSH Vulnerability
• Next message (by thread): openSSH Vulnerability
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

More information about the Cygwin mailing list