Hi Michel, On Fri, 5 Jul 2024, 'Schoonderwaldt, Michel' via Git Security wrote: > I am writing to bring to your attention a critical issue regarding the > version of OpenSSH included in the Git for Windows package. Recently, a > severe vulnerability (CVE-2024-6387) was disclosed, affecting versions > of OpenSSH from 8.5p1 up to and including 9.7p1. This vulnerability is a > regression of the earlier CVE-2006-5051, which was initially resolved in > OpenSSH version 4.4p1 but reintroduced in 8.5p1. This description, while correct, is incomplete. https://nvd.nist.gov/vuln/detail/CVE-2024-6387 has this to say: A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. The crucial part is the `sshd` part. Git for Windows does distribute the `sshd.exe` binary, but it is in no way used by default, nor is there support how to set it up to run an SSH server. Git for Windows is therefore not affected by this vulnerability, and therefore it is not crucial to get a new version out as quickly as possible. See also my assessment at https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969 I take security very seriously. In some cases that dictates that I do _not_ rush out security bug-fix releases: Too many updates cause update fatigue, with the counterintuitive consequence that too many security bug-fix releases _decrease_ security. Therefore I assess carefully whether or not any given CVE in any given component that is distributed with Git for Windows merits an out-of-band release. The regreSSHion CVE in question does not. Having said that, the next official version is scheduled for July 29th (or soon thereafter): https://gh.io/gitCal. This will contain the OpenSSH version 9.8 that addressed that CVE. If this is not soon enough for you, feel warmly welcome to install the most recent snapshot from https://wingit.blob.core.windows.net/files/index.html; Git for Windows is kept in an always-releasable state, therefore I consider those snapshots to be equivalent to official releases with the only exception that they do not have an official-looking version number (and aren't announced as prominently, either). Ciao, Johannes > Given the popularity and widespread use of Git, it is crucial to ensure > that all included components are secure and up to date. Systems using > the affected versions of OpenSSH are at risk of exploitation, which > could lead to unauthorized access and other serious security issues. > > I would like to kindly request that the OpenSSH version included in the > Git for Windows package be updated to version 9.8/9.8p1 or higher, which > addresses these vulnerabilities. This update will help ensure the > security of all users who rely on Git for their development and > operational needs. > > Thank you for your attention to this matter. Please let me know if there > is any additional information you require. > > Met vriendelijke groet, > > Michel Schoonderwaldt > Senior ICT-specialist technische applicatie- en integratiebeheer | Team Informatiemanagement en ICT | Unit ICT > 046 477 71 96 > > Werkdagen: maandag tot en met vrijdag, 08:30 - 17:00 uur > > Gemeente Sittard-Geleen | www.sittard-geleen.nl<http://www.sittard-geleen.nl/> > Adressen en openingstijden<https://www.sittard-geleen.nl/adressen> > > [cid:image001.png@01DACEEF.84479400]<http://www.facebook.com/sittardgeleen> [cid:image002.png@01DACEEF.84479400] <https://www.instagram.com/gemeentesittardgeleen/> [cid:image003.png@01DACEEF.84479400] <http://twitter.com/sittardgeleen> [cid:image004.png@01DACEEF.84479400] <https://www.linkedin.com/company/sittard-geleen/> [cid:image005.png@01DACEEF.84479400] <http://www.youtube.com/user/sittardgeleenonline> > > [cid:image006.jpg@01DACEEF.84479400]<https://www.sittard-geleen.nl/> > > > -- > You received this message because you are subscribed to the Google Groups "Git Security" group. > To unsubscribe from this group and stop receiving emails from it, send an email to git-security+unsubscribe@xxxxxxxxxxxxxxxx. > To view this discussion on the web visit https://groups.google.com/d/msgid/git-security/AM9PR07MB71854BD4C1CE7E517203FFB6B1DF2%40AM9PR07MB7185.eurprd07.prod.outlook.com. >
