Subject: Re: Cygwin OpenSSH version detection by Tenable
Date: Wed, 5 Mar 2025 20:49:58 +0100
To: "SUMMERS, TED"
Cc: "cygwin AT cygwin DOT com"
Message-Id: <19A5E907-7DDF-4FB8-9004-0C8A6B269C1A@unified-streaming.com>
List-Id: General Cygwin discussions and problem reports
From: Dimitry Andric via Cygwin

In my opinion, it is wrong that scanners rely on this information. :-)

But putting that discussion aside, the openssh-portable distribution does not announce its "patch level" in its version banner by default.

See e.g. https://github.com/openssh/openssh-portable/blob/master/version.h, where SSH_VERSION is defined as "OpenSSH_9.9", while SSH_PORTABLE is defined as "p2".

In https://github.com/openssh/openssh-portable/blob/master/ssh_api.c#L430 you can see that the _ssh_send_banner() function only advertises the SSH_VERSION value, not the SSH_PORTABLE value.

Now, various Linux distributions apply custom patches on top of the stock openssh-portable package to add additional information, for example Debian (and Ubuntu which sources its packages from there) has:

https://salsa.debian.org/ssh-team/openssh/-/blob/master/debian/patches/package-versioning.patch?ref_type=heads

I guess something similar could be done in the Cygwin package. This is up to the Cygwin maintainers of course.

-Dimitry

> On 5 Mar 2025, at 20:30, SUMMERS, TED via Cygwin wrote:
>
> Dear list member(s),
>
> I've reviewed the list archives for the last two months since subcomponent release, and googled, but didn't find an answer for my question.
>
> I'm encountering an issue with Tenable detecting a difference in version in our security scans indicating that OpenSSH is still at a vulnerable version.
> Even though I have openssh 9.9p2-1 installed, some query methods show the version only as OpenSSH 9.9.
> If I log in to my Cygwin installation and perform "ssh -V" I receive the expected correct up-to-date values in the response:
> OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025
>
> However Tenable is performing a non-authenticated query against ssh that returns OpenSSH 9.9 (without the p2 appended to the end).
> Then Tenable flags systems for remediation of what it detects as a vulnerable version.
>
> If I initiate a command "ssh -vv " I can see the string where it reports the following:
> debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9
>
> I can also get this information via nmap or netcat (nc)
> Nmap (v7.94) returns:
> 22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
>
> # nc 22
> SSH-2.0-OpenSSH_9.9
>
> Is there a file that I can manipulate to resolve this, or can a new openssh package build be made that fixes the version output in response to these other query methods used by security scanners?
>
> I look forward to any response or guidance.
>
> Respectfully,
> Ted Summers
>
> --
> Problem reports: https://cygwin.com/problems.html
> FAQ: https://cygwin.com/faq/
> Documentation: https://cygwin.com/docs.html
> Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
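
The banner behaviour discussed in this thread, as an added Python example that is not part of the original messages or of OpenSSH: it parses the SSH identification string (format per RFC 4253 section 4.2) and reports when a banner without the portable "pN" suffix cannot settle a version comparison. The function names, the use of "9.9p2" as the wanted release, and the second and third sample banners are assumptions constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:p(\d+))?$")
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:p(\d+))?$")


def parse_banner(line):
    """Return (major, minor, patch, comments); patch is None without "pN"."""
    ident = IDENT_RE.match(line.rstrip("\r\n"))
    ver = OPENSSH_RE.match(ident.group("software")) if ident else None
    if ver is None:
        return None  # malformed, or not an OpenSSH banner
    major, minor, patch = ver.groups()
    return (int(major), int(minor),
            None if patch is None else int(patch), ident.group("comments"))


def banner_verdict(line, wanted_release):
    """Compare a banner with a wanted release such as "9.9p2".

    Returns "meets", "below", "inconclusive" or "unknown".
    """
    parsed = parse_banner(line)
    wanted = RELEASE_RE.match(wanted_release)
    if parsed is None or wanted is None:
        return "unknown"
    major, minor, patch, _comments = parsed
    w_major, w_minor = int(wanted.group(1)), int(wanted.group(2))
    w_patch = int(wanted.group(3) or 0)
    if (major, minor) != (w_major, w_minor):
        return "meets" if (major, minor) > (w_major, w_minor) else "below"
    if patch is None:
        # The banner omits the portable patch level, so it cannot tell
        # 9.9p1 from 9.9p2: the wire data alone settles nothing.
        return "meets" if w_patch == 0 else "inconclusive"
    return "meets" if patch >= w_patch else "below"


# The first banner is quoted in the thread; the others are constructed samples.
SAMPLES = ["SSH-2.0-OpenSSH_9.9\r\n",
           "SSH-2.0-OpenSSH_9.9p2 Distro-1\r\n",
           "SSH-2.0-OpenSSH_9.8p1\r\n"]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(repr(banner), "->", banner_verdict(banner, "9.9p2"))
```

An "inconclusive" result is the case from this thread: the banner cannot confirm the patch level, so the finding has to be checked on the host, for example with "ssh -V" or the installed package version.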