Hi Dragan,

On Wed, 10 Jul 2024, 'Dragan Simic' via Git Security wrote:

> On 2024-07-10 19:10, Junio C Hamano wrote:
> > Johannes Schindelin <Johannes.Schindelin@xxxxxx> writes:
> >
> > > The crucial part is the `sshd` part. Git for Windows does distribute the
> > > `sshd.exe` binary, but it is in no way used by default, nor is there
> > > support for how to set it up to run an SSH server.
> > >
> > > Git for Windows is therefore not affected by this vulnerability, and
> > > therefore it is not crucial to get a new version out as quickly as
> > > possible. See also my assessment at
> > > https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969
> >
> > I think I've seen in the past another inquiry about a vulnerability
> > in OpenSSH, which turned out to be irrelevant in the context of Git
> > for Windows for this exact reason (i.e. "sshd" is problematic but
> > "ssh" is OK).
> >
> > Would it make future confusion like this less likely if you stopped
> > shipping the sshd and shipped only the ssh client?
>
> Not shipping sshd.exe would make sense regardless of the associated security
> issues, because it would prevent accidental enabling of SSH access.

There is little accidental about starting `sshd` after generating a valid
host key.

Having said that, `sshd` is not required to run Git, therefore it should not
be distributed with Git for Windows. This PR addresses that:
https://github.com/git-for-windows/build-extra/pull/571

Thank you,
Johannes
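The distinction the thread turns on is "sshd.exe is present on disk" versus "an SSH server can actually be started", and the precondition for the latter is a generated host key. The following audit script is an added example, not code from the thread, from Git for Windows or from OpenSSH. It is meant to be run from Git Bash and assumes (verify on your own install) that Git Bash maps the install directory to "/", that the OpenSSH binaries live in /usr/bin, and that sshd reads its host keys from /etc/ssh; the verdict names and the `audit_sshd` helper are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Git for Windows): tell
# "sshd.exe merely shipped" apart from "an SSH server can be started".
# Assumed layout, to be verified on the machine: Git Bash maps the
# install directory to "/", OpenSSH binaries sit in /usr/bin, and sshd
# looks for its host keys in /etc/ssh.
set -u

# 0 if the daemon binary is present under the given MSYS root.
sshd_shipped() {
    root="${1:-/}"
    [ -f "$root/usr/bin/sshd.exe" ] || [ -f "$root/usr/bin/sshd" ]
}

# 0 if at least one host key exists under $root/etc/ssh. sshd refuses to
# start without a host key, so this is the step that turns a shipped
# binary into something that can listen.
host_keys_present() {
    root="${1:-/}"
    set -- "$root"/etc/ssh/ssh_host_*_key
    [ -e "$1" ]
}

# File-state verdict for one install root (names chosen for this example):
#   not-shipped        no daemon binary at all
#   shipped-inert      binary present, no host key, cannot be started yet
#   shipped-with-keys  binary and host key present, one command from listening
audit_sshd() {
    root="${1:-/}"
    if ! sshd_shipped "$root"; then
        echo not-shipped
    elif ! host_keys_present "$root"; then
        echo shipped-inert
    else
        echo shipped-with-keys
    fi
}

# 0 if a process named sshd is running right now. MSYS2's ps prints the
# command (a path such as /usr/bin/sshd) in the last column, so reduce it
# to its basename before matching.
sshd_running() {
    ps -ef 2>/dev/null | awk 'NR > 1 {print $NF}' | sed 's#.*/##' |
        grep -qx 'sshd\(\.exe\)\{0,1\}'
}

# The client version string (ssh prints it on stderr), useful when deciding
# whether the ssh client itself still needs an update.
ssh_client_version() {
    if command -v ssh >/dev/null 2>&1; then
        ssh -V 2>&1
    else
        echo "ssh not found"
    fi
}

report() {
    root="${1:-/}"
    echo "sshd state under $root: $(audit_sshd "$root")"
    if sshd_running; then
        echo "WARNING: an sshd process is running on this machine"
    else
        echo "no sshd process running"
    fi
    echo "ssh client: $(ssh_client_version)"
    return 0
}

report "${1:-/}"
```

Run it as `sh audit_sshd.sh` from Git Bash, or pass another root (for instance a portable Git directory) as the first argument. Only a running `sshd` process or a `shipped-with-keys` verdict means the server side is something to worry about; `shipped-inert` is the default state the thread describes, and `not-shipped` is what the linked build-extra change aims for.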