In my opinion, it is wrong that scanners rely on this information. :-) But putting that discussion aside, the openssh-portable distribution does not announce its "patch level" in its version banner by default.
See e.g. https://github.com/openssh/openssh-portable/blob/master/version.h, where SSH_VERSION is defined as "OpenSSH_9.9", while SSH_PORTABLE is defined as "p2". In https://github.com/openssh/openssh-portable/blob/master/ssh_api.c#L430 you can see that the _ssh_send_banner() function only advertises the SSH_VERSION value, not the SSH_PORTABLE value.

Now, various Linux distributions apply custom patches on top of the stock openssh-portable package to add additional information; for example, Debian (and Ubuntu, which sources its packages from there) has: https://salsa.debian.org/ssh-team/openssh/-/blob/master/debian/patches/package-versioning.patch?ref_type=heads

I guess something similar could be done in the Cygwin package. This is up to the Cygwin maintainers of course.

-Dimitry

> On 5 Mar 2025, at 20:30, SUMMERS, TED via Cygwin <cygwin@cygwin.com> wrote:
>
> Dear list member(s),
>
> I've reviewed the list archives for the last two months since subcomponent
> release, and googled, but didn't find an answer for my question.
>
> I'm encountering an issue with Tenable detecting a difference in version in
> our security scans indicating that OpenSSH is still at a vulnerable version.
> Even though I have openssh 9.9p2-1 installed, some query methods show the
> version only as OpenSSH 9.9.
> If I log in to my Cygwin installation and perform "ssh -V" I receive the
> expected correct up-to-date values in the response:
> OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025
>
> However, Tenable is performing a non-authenticated query against ssh that
> returns OpenSSH 9.9 (without the p2 appended to the end).
> Then Tenable flags systems for remediation of what it detects as a vulnerable
> version.
>
> If I initiate a command "ssh -vv <host ip>" I can see the string where it
> reports the following:
> debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9
>
> I can also get this information via nmap or netcat (nc).
> Nmap (v7.94) returns:
> 22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
>
> # nc <ip address> 22
> SSH-2.0-OpenSSH_9.9
>
> Is there a file that I can manipulate to resolve this, or can a new openssh
> package build be made that fixes the version output in response to these
> other query methods used by security scanners?
>
> I look forward to any response or guidance.
>
> Respectfully,
> Ted Summers
>
> --
> Problem reports: https://cygwin.com/problems.html
> FAQ: https://cygwin.com/faq/
> Documentation: https://cygwin.com/docs.html
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
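As an added illustration of the point Dimitry makes above (this is not code from the thread, from OpenSSH or from Cygwin): a small Python triage script that parses the RFC 4253 identification string a scanner sees and compares it with the first token of the `ssh -V` output from the host, so a finding based only on `OpenSSH_9.9` can be marked as one that the authenticated value has to settle. The sample banners, the `Debian-2` comment field and the function names are my own constructions.

```python
import re

# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF".
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Stock openssh-portable sends only SSH_VERSION ("OpenSSH_9.9"); the "p2" from
# SSH_PORTABLE shows up only when a distribution patch appends it.
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?$")

def parse_banner(line):
    """Split an SSH identification line into its proto, software and comments fields."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.groupdict()

def parse_openssh_version(token):
    """Return (major, minor, portable) for an OpenSSH token; portable is None when absent."""
    m = OPENSSH_RE.match(token.strip())
    if not m:
        return None
    p = m.group("portable")
    return (int(m.group("major")), int(m.group("minor")), int(p) if p else None)

def assess(banner_line, ssh_v_output):
    """Compare the scanner's banner with the first token of `ssh -V` output from the host."""
    banner = parse_banner(banner_line)
    remote = parse_openssh_version(banner["software"])
    local = parse_openssh_version(ssh_v_output.split(",")[0])
    result = {"software": banner["software"], "comments": banner["comments"],
              "remote": remote, "local": local}
    if remote is None or local is None:
        result["verdict"] = "not OpenSSH on one side; compare manually"
        return result
    result["base_matches"] = remote[:2] == local[:2]
    result["banner_has_patch_level"] = remote[2] is not None
    # A banner without the patch level proves nothing about it; only the authenticated value settles the finding.
    if not result["base_matches"]:
        result["verdict"] = "major.minor differ; banner and host disagree"
    elif remote[2] is None:
        result["verdict"] = f"banner omits patch level; confirm with ssh -V (authenticated): p{local[2]}"
    elif remote[2] == local[2]:
        result["verdict"] = "banner carries patch level and matches host"
    else:
        result["verdict"] = "banner carries patch level but differs from host"
    return result

if __name__ == "__main__":
    # Constructed samples: the banner and ssh -V output from the thread, plus a banner with
    # a distribution-style comment field (the "Debian-2" value is made up for illustration).
    for b in ("SSH-2.0-OpenSSH_9.9", "SSH-2.0-OpenSSH_9.9p2 Debian-2"):
        print(assess(b, "OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025")["verdict"])
```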