Web lists-archives.com

Re: openSSH Vulnerability

On 2019-03-20 09:06, Bill Stewart wrote:
> On Wed, Mar 20, 2019 at 8:53 AM Bruce Halco wrote:
>> The problem is I have 8 customers failing PCI network scans because of
>> CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to
>> help.
>> If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise
>> I'll have to take some other action. I don't like any of my
>> alternatives, though.
>> I guess I'll try to convince ControlScan that since the vulnerability
>> affects the scp client, server security is not actually compromised.  In
>> the past I've had a poor success rate trying to explain things like that.
> Ah, the old "it shows up on somebody's vulnerability report so it must be
> mitigated" problem (regardless of severity, scope, etc.).
> In my experience, best results are achieved by demonstrating how the
> vulnerability is mitigated using other security controls; e.g.:
> * ssh access is restricted only to certain hosts or user accounts
> * only trusted limited user accounts are permitted remote access

Quote the upstream maintainers comments:
	"Don't use scp with untrusted servers."
adding "...or networks" (for MitM attacks) and send them the link:
showing they are working on the CVEs: at least one of the OpenBSD maintainers is
also a Portable OpenSSH maintainer

The alternatives seem to be stop using scp, or rebuild from snapshots or git
sources to include the unreleased patches.
If you install the cygport package, with all its build tool dependencies, and
the openssh package source, it is trivial to update the openssh.cygport control
file to use updated sources, and download, build, and test the package using

Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple