For anyone not aware, a major, remotely exploitable vulnerability has been found in OpenSSH servers.

It has been assigned CVE-2024-6387 [1] and titled "regreSSHion" [2] because it is actually a regression of a pair of early 2000s bugs: CVE-2006-5051 and CVE-2008-4109. The vulnerability is a race condition related to its interaction with glibc.

Because of the way Cygwin is built, it isn't clear to me if this is something that could possibly be impacting or not, thus I wanted to see if smarter heads could identify if this is a potential (or actual) issue. Either way, it might be nice to get a determination posted somewhere for people to find, as I expect there will be more out there wondering about this in the next days/weeks.

Thanks,
Tom Kent

[1] https://www.cve.org/CVERecord?id=CVE-2024-6387
[2] https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple