Web lists-archives.com

Re: openSSH Vulnerability




On Wed, Mar 20, 2019 at 8:53 AM Bruce Halco wrote:

> The problem is I have 8 customers failing PCI network scans because of
> CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to
> help.
>
> If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise
> I'll have to take some other action. I don't like any of my
> alternatives, though.
>
> I guess I'll try to convince ControlScan that since the vulnerability
> affects the scp client, server security is not actually compromised.  In
> the past I've had a poor success rate trying to explain things like that.

Ah, the old "it shows up on somebody's vulnerability report so it must be
mitigated" problem (regardless of severity, scope, etc.).

In my experience, best results are achieved by demonstrating how the
vulnerability is mitigated using other security controls; e.g.:

* ssh access is restricted only to certain hosts or user accounts
* only trusted limited user accounts are permitted remote access

..etc.

Good luck.

Bill

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple