From: Dragan Simic <dsimic@manjaro.org>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: Junio C Hamano <gitster@pobox.com>,
	"Schoonderwaldt, Michel" <michel.schoonderwaldt@sittard-geleen.nl>,
	git@vger.kernel.org, git-security@googlegroups.com
Subject: Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387
Date: Tue, 23 Jul 2024 18:36:23 +0200	[thread overview]
Message-ID: <9b075f5b19bc6e31a0f4a829dbc623e8@manjaro.org> (raw)
In-Reply-To: <a658fd0a-59bd-c162-874c-cc5b9926acd5@gmx.de>

Hello Johannes,

On 2024-07-22 11:38, Johannes Schindelin wrote:
> On Wed, 10 Jul 2024, 'Dragan Simic' via Git Security wrote:
> 
>> On 2024-07-10 19:10, Junio C Hamano wrote:
>> > Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:
>> >
>> > > The crucial part is the `sshd` part. Git for Windows does distribute the
>> > > `sshd.exe` binary, but it is in no way used by default, nor is there
>> > > support how to set it up to run an SSH server.
>> > >
>> > > Git for Windows is therefore not affected by this vulnerability, and
>> > > therefore it is not crucial to get a new version out as quickly as
>> > > possible. See also my assessment at
>> > > https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969
>> >
>> > I think I've seen in the past another inquiry about vulnerability
>> > in OpenSSH, which turned out to be irrelevant in the context of Git
>> > for Windows for this exact reason (i.e. "sshd" is problematic but
>> > "ssh" is OK).
>> >
>> > Would it make future confusion like this less likely if you stopped
>> > shipping the sshd and ship only the ssh client?
>> 
>> Not shipping sshd.exe would make sense regardless of the associated
>> security issues, because it would prevent accidental enabling of SSH
>> access.
> 
> There is little accidental about starting `sshd` after generating a
> valid host key.

Well, I don't know what and how Git for Windows does regarding the host
key generation, so the possibility of accidental starting the shipped
sshd.exe may actually be quite low.

> Having said that, `sshd` is not required to run Git, therefore it
> should not be distributed with Git for Windows. This PR addresses that:
> https://github.com/git-for-windows/build-extra/pull/571

Interestingly, that pull request shows that some people actually use(d)
the shipped sshd.exe, which just shows that nearly every change will
inevitably break somebody's workflow.
