On 2024-07-10 19:10, Junio C Hamano wrote:
Johannes Schindelin <Johannes.Schindelin@xxxxxx> writes:
The crucial part is the `sshd` part. Git for Windows does distribute
the
`sshd.exe` binary, but it is in no way used by default, nor is there
support how to set it up to run an SSH server.
Git for Windows is therefore not affected by this vulnerability, and
therefore it is not crucial to get a new version out as quickly as
possible. See also my assessment at
https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969
I think I've seen in the past another inquiry about vulnerability
in OpenSSH, which turned out to be irrelevant in the context of Git
for Windows for this exact reason (i.e. "sshd" is problematic but
"ssh" is OK).
Would it make future confusion like this less likely if you stopped
shipping the sshd and ship only the ssh client?
Not shipping sshd.exe would make sense regardless of the associated
security
issues, because it would prevent accidental enabling of SSH access.
Also, if
someone wants to make SSHing into their Windows machine possible, I'm
pretty
sure they won't do that by installing Git for Windows and using the
shipped
sshd.exe, but by some other means.
In other words, not shipping sshd.exe would not only reduce the likeness
of
hitting some security issues, but would also prevent accidental enabling
of
SSH access on a Windows machine.
