Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387

Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387

[Johannes Schindelin]

Hi Michel,

On Fri, 5 Jul 2024, 'Schoonderwaldt, Michel' via Git Security wrote:

> I am writing to bring to your attention a critical issue regarding the
> version of OpenSSH included in the Git for Windows package. Recently, a
> severe vulnerability (CVE-2024-6387) was disclosed, affecting versions
> of OpenSSH from 8.5p1 up to and including 9.7p1. This vulnerability is a
> regression of the earlier CVE-2006-5051, which was initially resolved in
> OpenSSH version 4.4p1 but reintroduced in 8.5p1.

This description, while correct, is incomplete.
https://nvd.nist.gov/vuln/detail/CVE-2024-6387 has this to say:

	A security regression (CVE-2006-5051) was discovered in OpenSSH's
	server (sshd). There is a race condition which can lead to sshd to
	handle some signals in an unsafe manner. An unauthenticated,
	remote attacker may be able to trigger it by failing to
	authenticate within a set time period.

The crucial part is the `sshd` part. Git for Windows does distribute the
`sshd.exe` binary, but it is in no way used by default, nor is there
support how to set it up to run an SSH server.

Git for Windows is therefore not affected by this vulnerability, and
therefore it is not crucial to get a new version out as quickly as
possible. See also my assessment at
https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969

I take security very seriously. In some cases that dictates that I do
_not_ rush out security bug-fix releases: Too many updates cause update
fatigue, with the counterintuitive consequence that too many security
bug-fix releases _decrease_ security. Therefore I assess carefully whether
or not any given CVE in any given component that is distributed with Git
for Windows merits an out-of-band release. The regreSSHion CVE in question
does not.

Having said that, the next official version is scheduled for July 29th (or
soon thereafter): https://gh.io/gitCal. This will contain the OpenSSH
version 9.8 that addressed that CVE.

If this is not soon enough for you, feel warmly welcome to install the
most recent snapshot from
https://wingit.blob.core.windows.net/files/index.html; Git for Windows is
kept in an always-releasable state, therefore I consider those snapshots
to be equivalent to official releases with the only exception that they do
not have an official-looking version number (and aren't announced as
prominently, either).

Ciao,
Johannes

> Given the popularity and widespread use of Git, it is crucial to ensure
> that all included components are secure and up to date. Systems using
> the affected versions of OpenSSH are at risk of exploitation, which
> could lead to unauthorized access and other serious security issues.
>
> I would like to kindly request that the OpenSSH version included in the
> Git for Windows package be updated to version 9.8/9.8p1 or higher, which
> addresses these vulnerabilities. This update will help ensure the
> security of all users who rely on Git for their development and
> operational needs.
>
> Thank you for your attention to this matter. Please let me know if there
> is any additional information you require.
>
> Met vriendelijke groet,
>
> Michel Schoonderwaldt
> Senior ICT-specialist technische applicatie- en integratiebeheer  |  Team Informatiemanagement en ICT  |  Unit ICT
> 046 477 71 96
>
> Werkdagen: maandag tot en met vrijdag, 08:30 - 17:00 uur
>
> Gemeente Sittard-Geleen  |  www.sittard-geleen.nl<http://www.sittard-geleen.nl/>
> Adressen en openingstijden<https://www.sittard-geleen.nl/adressen>
>
> [cid:image001.png@01DACEEF.84479400]<http://www.facebook.com/sittardgeleen>     [cid:image002.png@01DACEEF.84479400] <https://www.instagram.com/gemeentesittardgeleen/>      [cid:image003.png@01DACEEF.84479400] <http://twitter.com/sittardgeleen>      [cid:image004.png@01DACEEF.84479400] <https://www.linkedin.com/company/sittard-geleen/>      [cid:image005.png@01DACEEF.84479400] <http://www.youtube.com/user/sittardgeleenonline>
>
> [cid:image006.jpg@01DACEEF.84479400]<https://www.sittard-geleen.nl/>
>
>
> --
> You received this message because you are subscribed to the Google Groups "Git Security" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to git-security+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/git-security/AM9PR07MB71854BD4C1CE7E517203FFB6B1DF2%40AM9PR07MB7185.eurprd07.prod.outlook.com.
>

Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387

[Junio C Hamano]

Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:

> The crucial part is the `sshd` part. Git for Windows does distribute the
> `sshd.exe` binary, but it is in no way used by default, nor is there
> support how to set it up to run an SSH server.
>
> Git for Windows is therefore not affected by this vulnerability, and
> therefore it is not crucial to get a new version out as quickly as
> possible. See also my assessment at
> https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969

I think I've seen in the past another inquiry about vulnerability
in OpenSSH, which turned out to be irrelevant in the context of Git
for Windows for this exact reason (i.e. "sshd" is problematic but
"ssh" is OK).

Would it make future confusion like this less likely if you stopped
shipping the sshd and ship only the ssh client?

Thanks.

Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387

[Dragan Simic]

On 2024-07-10 19:10, Junio C Hamano wrote:
> Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:
> 
>> The crucial part is the `sshd` part. Git for Windows does distribute 
>> the
>> `sshd.exe` binary, but it is in no way used by default, nor is there
>> support how to set it up to run an SSH server.
>> 
>> Git for Windows is therefore not affected by this vulnerability, and
>> therefore it is not crucial to get a new version out as quickly as
>> possible. See also my assessment at
>> https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969
> 
> I think I've seen in the past another inquiry about vulnerability
> in OpenSSH, which turned out to be irrelevant in the context of Git
> for Windows for this exact reason (i.e. "sshd" is problematic but
> "ssh" is OK).
> 
> Would it make future confusion like this less likely if you stopped
> shipping the sshd and ship only the ssh client?

Not shipping sshd.exe would make sense regardless of the associated 
security
issues, because it would prevent accidental enabling of SSH access.  
Also, if
someone wants to make SSHing into their Windows machine possible, I'm 
pretty
sure they won't do that by installing Git for Windows and using the 
shipped
sshd.exe, but by some other means.

In other words, not shipping sshd.exe would not only reduce the likeness 
of
hitting some security issues, but would also prevent accidental enabling 
of
SSH access on a Windows machine.

Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387

[Johannes Schindelin]

Hi Dragan,

On Wed, 10 Jul 2024, 'Dragan Simic' via Git Security wrote:

> On 2024-07-10 19:10, Junio C Hamano wrote:
> > Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:
> >
> > > The crucial part is the `sshd` part. Git for Windows does distribute the
> > > `sshd.exe` binary, but it is in no way used by default, nor is there
> > > support how to set it up to run an SSH server.
> > >
> > > Git for Windows is therefore not affected by this vulnerability, and
> > > therefore it is not crucial to get a new version out as quickly as
> > > possible. See also my assessment at
> > > https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969
> >
> > I think I've seen in the past another inquiry about vulnerability
> > in OpenSSH, which turned out to be irrelevant in the context of Git
> > for Windows for this exact reason (i.e. "sshd" is problematic but
> > "ssh" is OK).
> >
> > Would it make future confusion like this less likely if you stopped
> > shipping the sshd and ship only the ssh client?
>
> Not shipping sshd.exe would make sense regardless of the associated security
> issues, because it would prevent accidental enabling of SSH access.

There is little accidental about starting `sshd` after generating a valid
host key.

Having said that, `sshd` is not required to run Git, therefore it should
not be distributed with Git for Windows. This PR addresses that:
https://github.com/git-for-windows/build-extra/pull/571

Thank you,
Johannes

Re: Request to Update OpenSSH Version in Git due to Security Vulnerabilities (CVE-2006-5051, CVE-2024-6387

[Dragan Simic]

Hello Johannes,

On 2024-07-22 11:38, Johannes Schindelin wrote:
> On Wed, 10 Jul 2024, 'Dragan Simic' via Git Security wrote:
> 
>> On 2024-07-10 19:10, Junio C Hamano wrote:
>> > Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:
>> >
>> > > The crucial part is the `sshd` part. Git for Windows does distribute the
>> > > `sshd.exe` binary, but it is in no way used by default, nor is there
>> > > support how to set it up to run an SSH server.
>> > >
>> > > Git for Windows is therefore not affected by this vulnerability, and
>> > > therefore it is not crucial to get a new version out as quickly as
>> > > possible. See also my assessment at
>> > > https://github.com/git-for-windows/git/issues/5031#issuecomment-2199722969
>> >
>> > I think I've seen in the past another inquiry about vulnerability
>> > in OpenSSH, which turned out to be irrelevant in the context of Git
>> > for Windows for this exact reason (i.e. "sshd" is problematic but
>> > "ssh" is OK).
>> >
>> > Would it make future confusion like this less likely if you stopped
>> > shipping the sshd and ship only the ssh client?
>> 
>> Not shipping sshd.exe would make sense regardless of the associated 
>> security
>> issues, because it would prevent accidental enabling of SSH access.
> 
> There is little accidental about starting `sshd` after generating a 
> valid
> host key.

Well, I don't know what and how Git for Windows does regarding the host
key generation, so the possibility of accidental starting the shipped
sshd.exe may actually be quite low.

> Having said that, `sshd` is not required to run Git, therefore it 
> should
> not be distributed with Git for Windows. This PR addresses that:
> https://github.com/git-for-windows/build-extra/pull/571

Interestingly, that pull request shows that some people actually use(d)
the shipped sshd.exe, which just shows that nearly every change will
inevitably break somebody's workflow.