Cygwin OpenSSH version detection by Tenable

Corinna Vinschen corinna-cygwin@cygwin.com
Thu Mar 6 08:59:21 GMT 2025


On Mar  5 20:49, Dimitry Andric via Cygwin wrote:
> In my opinion, it is wrong that scanners rely on this information. :-)

Exactly.

> I guess something similar could be done in the Cygwin package. This is
> up to the Cygwin maintainers of course.

And that doesn't change if some distros tweak their identification
string but others don't.  Fedora, for instance, doesn't do that either.
So a security scanner relying on that is simply wrong.

Cygwin's OpenSSH package is from the stock sources without local change
for ages, since Cygwin is one of the supported upstream platforms.  Any
necessary change will go upstream, so that the Cygwin version can be
built from stock upstream again.


Corinna

