The problem is I have 8 customers failing PCI network scans because of CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to help.

If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise I'll have to take some other action. I don't like any of my alternatives, though.

I guess I'll try to convince ControlScan that since the vulnerability affects the scp client, server security is not actually compromised. In the past I've had a poor success rate trying to explain things like that.

Bruce

On 3/20/19 10:18 AM, Corinna Vinschen wrote:
> On Mar 20 09:13, Bruce Halco wrote:
>> OpenSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed
>> in at least some distributions, Debian at least.
> Fedora (which is our role model) doesn't and the vulnerability is not
> deemed that critical by the upstream maintainers:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html
>
> Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only.
>
> I was planning to wait for OpenSSH 8.0. It was originally slated
> for end of January or at least February, but there's no hint from the
> upstream maintainers yet in terms of the (obviously changed) release
> planning for 8.0.
>
> I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that
> helps.
>
>
> Corinna

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple