Dear list member(s),

I've reviewed the list archives for the last two months since subcomponent 
release, and googled, but didn't find an answer for my question.

I'm encountering an issue with Tenable detecting a difference in version in our 
security scans indicating that OpenSSH is still at a vulnerable version.
Even though I have openssh 9.9p2-1 installed, some query methods show the 
version only as OpenSSH 9.9.
If I log in to my Cygwin installation and perform "ssh -V", I receive the 
expected correct up-to-date values in the response:
OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025

However, Tenable is performing a non-authenticated query against ssh that 
returns OpenSSH 9.9 (without the p2 appended to the end).
Then Tenable flags systems for remediation of what it detects as a vulnerable 
version.

If I initiate the command "ssh -vv <host ip>", I can see the string where it 
reports the following:
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9

I can also get this information via nmap or netcat (nc).
Nmap (v7.94) returns:
22/tcp open  ssh        OpenSSH 9.9 (protocol 2.0)

# nc <ip address> 22
SSH-2.0-OpenSSH_9.9

Is there a file that I can manipulate to resolve this, or can a new openssh 
package build be made that fixes the version output in response to these other 
query methods used by security scanners?

I look forward to any response or guidance.

Respectfully,
Ted Summers
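The mismatch described above comes down to two different version sources: the identification string a server sends before authentication (the "SSH-2.0-OpenSSH_9.9" line nc shows) and the full release string that "ssh -V" prints locally. The following script is an added example, not code from the original post, from Cygwin or from Tenable; it parses both formats, and its "assess" function refuses to call a host patched or vulnerable from a banner that carries no portable patch level ("pN") when the major.minor matches the fixed release. The sample banners other than the two strings quoted in the post are constructed for the example, and the "fixed" version is a parameter you supply, not a value taken from any advisory.

```python
"""Parse OpenSSH version strings from unauthenticated banner grabs and from
authenticated `ssh -V` output, then decide whether a banner alone can settle
the patch level.  Added example; sample strings below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Matches "OpenSSH_9.9", "OpenSSH_9.9p2" and "OpenSSH_9.6p1 Ubuntu-3ubuntu13"
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


@dataclass(frozen=True)
class OpenSSHVersion:
    major: int
    minor: int
    portable: Optional[int]  # None when the string carries no "pN" suffix


def parse_version(text: str) -> Optional[OpenSSHVersion]:
    """Extract major.minor[pN] from any string containing an OpenSSH_ token,
    e.g. the `ssh -V` output 'OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, portable = m.groups()
    return OpenSSHVersion(int(major), int(minor),
                          int(portable) if portable else None)


def parse_banner(line: bytes) -> Optional[OpenSSHVersion]:
    """Parse the server identification string (RFC 4253 section 4.2):
    'SSH-protoversion-softwareversion [SP comments]' terminated by CR LF.
    This is exactly what `nc <host> 22` or nmap's service probe sees."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    if not text.startswith("SSH-"):
        return None  # not an SSH identification string at all
    parts = text.split("-", 2)  # ["SSH", "2.0", "OpenSSH_9.9 comments..."]
    if len(parts) < 3:
        return None
    return parse_version(parts[2])


def assess(observed: Optional[OpenSSHVersion], fixed: OpenSSHVersion) -> str:
    """Compare an observed version against the first fixed release.

    Returns 'patched', 'vulnerable' or 'inconclusive'.  A banner without a
    portable patch level cannot tell 9.9p1 from 9.9p2, so when major.minor
    equals the fixed release the only honest verdict is 'inconclusive' and
    an authenticated check (`ssh -V`, the package manager) is required."""
    if observed is None:
        return "inconclusive"
    if (observed.major, observed.minor) > (fixed.major, fixed.minor):
        return "patched"
    if (observed.major, observed.minor) < (fixed.major, fixed.minor):
        return "vulnerable"
    if observed.portable is None:
        return "inconclusive"
    return "patched" if observed.portable >= (fixed.portable or 0) else "vulnerable"


def demo() -> dict:
    """Run the constructed samples through both parsers and the assessor."""
    fixed = OpenSSHVersion(9, 9, 2)  # hypothetical 'first fixed' release
    samples = {
        "banner_from_post": parse_banner(b"SSH-2.0-OpenSSH_9.9\r\n"),
        "ssh_V_from_post": parse_version("OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025"),
        "constructed_older": parse_banner(b"SSH-2.0-OpenSSH_9.8p1\r\n"),
        "constructed_newer": parse_banner(b"SSH-2.0-OpenSSH_10.0\r\n"),
        "constructed_not_ssh": parse_banner(b"HTTP/1.1 400 Bad Request\r\n"),
    }
    return {name: assess(ver, fixed) for name, ver in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Because "assess" returns "inconclusive" for the post's banner but "patched" for the "ssh -V" string, the script makes the practical point concrete: an unauthenticated banner grab is a screening signal, and a scanner finding based on it should be confirmed or dismissed with a credentialed check of the installed package. The same caution applies in the other direction, since distributions that backport fixes without bumping the banner would be reported as "vulnerable" by banner alone.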
-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple