openSSH Vulnerability
Bruce Halco
bruce@halcomp.com
Wed Mar 20 14:52:00 GMT 2019
The problem is I have 8 customers failing PCI network scans because of
CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to
help.
If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise
I'll have to take some other action. I don't like any of my
alternatives, though.
I guess I'll try to convince ControlScan that since the vulnerability
affects the scp client, server security is not actually compromised. In
the past I've had a poor success rate trying to explain things like that.
Bruce
On 3/20/19 10:18 AM, Corinna Vinschen wrote:
> On Mar 20 09:13, Bruce Halco wrote:
>> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed
>> in at least some distributions, Debian at least.
> Fedora (which is our role model) doesn't and the vulnerability is not
> deemed that critical by the upstream maintainers:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html
>
> Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only.
>
> I was planning to wait for OpenSSH 8.0. It was originally slated
> for end of January or at least February, but there's no hint from the
> upstream maintainers yet in terms of the (obviously changed) release
> planning for 8.0.
>
> I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that
> helps.
>
>
> Corinna
>
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
More information about the Cygwin
mailing list