On Wed, Jul 17, 2024 at 6:25 AM Lemons, Terry via Cygwin wrote:
> Vulnerability scanners run at my company have detected the following
> vulnerability in the Cygwin sshd:
>
> CVE-2024-6387 CVSS 3: 8.1
>
> OpenSSH could allow a remote attacker to execute arbitrary code on the
> system, caused by a signal handler race condition. By sending a specially
> crafted request, an attacker could exploit this vulnerability to execute
> arbitrary code with root privileges on glibc-based Linux systems.
>
> OpenSSH Vulnerability: CVE-2024-6387
>
> * Published: 07- 1-24 00:00
> * Diagnosis:
>
> A signal handler race condition was found in OpenSSH's server (sshd),
> where a client does not authenticate within LoginGraceTime seconds (120 by
> default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is
> called asynchronously. However, this signal handler calls various functions
> that are not async-signal-safe, for example, syslog().
>
> * Solution:
>
> Upgrade to the latest version of OpenSSH
>
> Download and apply the upgrade from:
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
>
> The latest version of OpenSSH is 9.6.
>
> While you can always build OpenSSH from source, many platforms and
> distributions provide pre-built binary packages for OpenSSH. These
> pre-built packages are usually customized and optimized for a particular
> distribution, therefore we recommend that you use the packages if they are
> available for your operating system.
>
> Running SSH service
> Product OpenSSH exists -- OpenBSD OpenSSH 9.8
> Vulnerable version of product OpenSSH found -- OpenBSD OpenSSH 9.8
> Vulnerable version of OpenSSH detected on Microsoft Windows
>
> My Cygwin installation is using openssh 9.8p1-1 which, at this writing, is
> the latest available version.
>
> What are the plans to address this vulnerability in cygwin's openssh
> component?
I'm not sure I understand the concern. When I look at CVE-2024-6387[1], it
says version 9.8 (which you are running) is not affected.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-6387

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
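The scanner output quoted above is internally inconsistent: it reports the host as running OpenSSH 9.8 while stating that the latest release is 9.6, and the reply correctly notes that NVD lists 9.8 as not affected. The following is an added example, not code from the thread, from Cygwin or from the scanner vendor, showing how a version-only check for CVE-2024-6387 should be written. The affected ranges encoded in it are taken from the upstream advisory for this CVE (versions before 4.4p1 unless backport-patched for CVE-2006-5051; 4.4p1 up to but not including 8.5p1 not affected; 8.5p1 up to but not including 9.8p1 affected; 9.8p1 and later fixed). The sample banners are constructed; the first one mirrors the "OpenBSD OpenSSH 9.8" string the scanner reported. Two caveats a practitioner would want: the boundary releases are all the first portable build of their version, so the comparison must be done on major.minor only (comparing a missing "p" level against 9.8p1 would misclassify a plain "9.8" banner as older than 9.8p1, which is the kind of off-by-one that produces a false positive like the one above), and a banner check cannot see distribution backports, nor does it say anything about exploitability on a given platform (the advisory text the scanner quotes describes exploitation on glibc-based Linux).

```python
"""Version-range check for CVE-2024-6387 ("regreSSHion") from an SSH banner.

Added example; ranges follow the upstream advisory for the CVE.  This is a
triage aid only: it cannot detect vendor backports and does not assess
exploitability on a particular OS or libc.
"""
import re
from typing import Optional, Tuple

# Constructed sample banners (not captured from the thread's host).  The first
# corresponds to the "OpenBSD OpenSSH 9.8" string the scanner reported.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.8",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_4.3",
    "SSH-2.0-dropbear_2022.83",
]

# major.minor with an optional portable patch level ("p1").  OpenBSD-native
# builds have no "p" suffix at all.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Boundaries from the advisory.  Each is the first portable build (pN == 1) of
# its release, so comparing (major, minor) alone is exact and avoids treating a
# banner without a "p" level as older than the pN build of the same release.
FIRST_SAFE_OLD = (4, 4)      # CVE-2006-5051 fix: 4.4p1 and later are safe...
REINTRODUCED_AT = (8, 5)     # ...until 8.5p1 reintroduced the race...
FIXED_AT = (9, 8)            # ...which 9.8p1 fixed again.


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patchlevel) from an SSH banner, or None if it is
    not an OpenSSH banner.  A missing portable patch level is returned as 0."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch) if patch else 0


def regresshion_status(banner: str) -> str:
    """Classify a banner against the CVE-2024-6387 version ranges.

    Returns one of:
      "not-affected"            4.4p1 <= v < 8.5p1, or v >= 9.8p1
      "affected"                8.5p1 <= v < 9.8p1 (absent a vendor backport)
      "affected-unless-patched" v < 4.4p1 and not backport-patched for CVE-2006-5051
      "unknown"                 not an OpenSSH banner (or banner hidden)
    """
    parsed = parse_openssh_version(banner)
    if parsed is None:
        return "unknown"
    release = (parsed[0], parsed[1])  # deliberately ignore the "p" level
    if release < FIRST_SAFE_OLD:
        return "affected-unless-patched"
    if release < REINTRODUCED_AT:
        return "not-affected"
    if release < FIXED_AT:
        return "affected"
    return "not-affected"


def assess(banners) -> dict:
    """Map each banner to its status; convenient for feeding scanner output."""
    return {b: regresshion_status(b) for b in banners}


if __name__ == "__main__":
    for banner, status in assess(SAMPLE_BANNERS).items():
        print(f"{status:24s} {banner}")
```

Run against the constructed banners, the plain "OpenSSH_9.8" and "OpenSSH_9.8p1" strings both come out as not affected, 9.6p1 is flagged, 8.4p1 is not, and the pre-4.4 banner is reported as needing a check for the older backport fix. Any result of "affected" on a distribution package still has to be reconciled with the vendor's changelog, because the fix may have been backported to an older version string.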