Please confirm which versions (if any) are vulnerable to CVE-2024-6387 #2249
Comments
Is there any update? Why is ssh on Windows so behind...
We have Windows Server 2019 and 2022 and need the information if the OpenSSH feature is vulnerable, too.
https://www.qualys.com/regresshion-cve-2024-6387/
Windows is neither Linux nor glibc-based, so I assume it's not relevant?
Does this vulnerability affect macOS or Windows?
FreeBSD is neither Linux nor glibc based, but they patched it.
Based on my topical analysis and general knowledge of how signal handling is done in this fork, I do not believe this vulnerability is relevant to this fork.
Is there any update on this? Please confirm.
Any updates?
Thanks for the different insights everyone!
Any updates Microsoft?
@tgauth can you give any insights on this? Is Win32_OpenSSH vulnerable or not? Come on, Microsoft, you can do better than that. It's been very frustrating in the last months.
I sent an email to secure@microsoft.com earlier today, and this is their official statement: PowerShell/Announcements#63 You can all sleep well now! :)
Apologies for the delay in responding - please see the announcement mentioned above for guidance. PowerShell/Announcements#63
Request for information
CVE-2024-6387 (stylized as regreSSHion) is a Remote Unauthenticated Code Execution vulnerability in sshd in glibc-based Linux systems, discovered by Qualys.
What I want to know: Is OpenSSH for Windows vulnerable?
I don't see any changes that line up with Qualys's disclosure timeline, and the version number that I get when I do a fresh install via
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
is 8.6.0.1 (which falls within the vulnerable range, according to what I'm seeing).
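An added example, not code from this issue thread or from the Win32-OpenSSH project: a PowerShell check that lists the inbox OpenSSH.Server capability, reads the version banner from the installed ssh.exe, and reports whether that version number falls inside the range Qualys published for glibc-based Linux (8.5p1 up to, but not including, 9.8p1). The path to ssh.exe under System32\OpenSSH, the banner format "OpenSSH_for_Windows_8.6p1, ...", and the function names are assumptions of this example. As the thread concludes, a version-number match alone does not establish exposure on Windows, because the fork's signal handling differs; the script only makes the inventory step reproducible.

```powershell
# Added example: inventory the Windows OpenSSH server version and compare it
# against the version range Qualys listed for CVE-2024-6387 on glibc Linux.
# A match means "worth checking against the vendor statement", not "exploitable".

function Get-OpenSshWindowsVersion {
    # Parse Major/Minor/Patch out of an 'ssh -V' banner, e.g. the constructed
    # sample "OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3". Returns $null on no match.
    param([string]$VersionBanner)
    if ($VersionBanner -match 'OpenSSH_for_Windows_(\d+)\.(\d+)p(\d+)') {
        return [pscustomobject]@{
            Major = [int]$Matches[1]
            Minor = [int]$Matches[2]
            Patch = [int]$Matches[3]
        }
    }
    return $null
}

function Test-VersionInQualysRange {
    # Qualys's advisory gives 8.5p1 <= version < 9.8p1 as the affected range
    # on glibc-based Linux. Returns $true when Major.Minor lies in [8.5, 9.8).
    param([int]$Major, [int]$Minor)
    $v = [version]::new($Major, $Minor)
    return ($v -ge [version]::new(8, 5)) -and ($v -lt [version]::new(9, 8))
}

# --- Live inventory of this host ---

# Capability state as seen by DISM (Name will look like OpenSSH.Server~~~~0.0.1.0).
Get-WindowsCapability -Online |
    Where-Object Name -like 'OpenSSH*' |
    Select-Object Name, State |
    Format-Table -AutoSize

# Assumed location of the inbox client binary; adjust if OpenSSH was installed elsewhere.
$sshExe = Join-Path $env:SystemRoot 'System32\OpenSSH\ssh.exe'
if (-not (Test-Path $sshExe)) {
    Write-Warning "ssh.exe not found at $sshExe (inbox OpenSSH capability not installed?)"
    return
}

# 'ssh -V' writes its banner to stderr; 2>&1 merges it so we can capture the text.
$banner = ((& $sshExe -V 2>&1) | ForEach-Object { "$_" }) -join ' '
$ver = Get-OpenSshWindowsVersion -VersionBanner $banner
if ($null -eq $ver) {
    Write-Warning "Could not parse an OpenSSH version from: $banner"
    return
}

[pscustomobject]@{
    Banner             = $banner
    Version            = "$($ver.Major).$($ver.Minor)p$($ver.Patch)"
    FileVersion        = (Get-Item $sshExe).VersionInfo.FileVersion
    InQualysLinuxRange = Test-VersionInQualysRange -Major $ver.Major -Minor $ver.Minor
}
```

Run it in an elevated PowerShell session (Get-WindowsCapability -Online needs administrator rights). The FileVersion column is where a value like 8.6.0.1 shows up, while the banner carries the upstream-style 8.6p1 number; reporting both avoids confusing the two when comparing against an advisory.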