openSSH Vulnerability

Bruce Halco
Wed Mar 20 14:52:00 GMT 2019

The problem is I have 8 customers failing PCI network scans because of 
CVE-2019-6111, so I don't think the patch for CVE-2018-20685 is going to 

If 8.0 is close (maybe weeks?) I can afford to wait a while. Otherwise 
I'll have to take some other action. I don't like any of my 
alternatives, though.

I guess I'll try to convince ControlScan that since the vulnerability 
affects the scp client, server security is not actually compromised.  In 
the past I've had a poor success rate trying to explain things like that.


On 3/20/19 10:18 AM, Corinna Vinschen wrote:
> On Mar 20 09:13, Bruce Halco wrote:
>> openSSH 7.9 is subject to vulnerability CVE-2019-6111. This has been fixed
>> in at least some distributions, Debian at least.
> Fedora (which is our role model) doesn't and the vulnerability is not
> deemed that critical by the upstream maintainers:
> Fedora's 7.9p1 has an additional patch for CVE-2018-20685 only.
> I was planning to wait for OpenSSH 8.0.  It was originally slated
> for end of January or at least February, but there's no hint from the
> upstream maintainers yet in terms of the (obviously changed) release
> planning for 8.0.
> I can push a 7.9 with the Fedora patch for CVE-2018-20685 if that
> helps.
> Corinna

Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list