Publish Github Win32-OpenSSHV8.6

[bagajjal]

I'm working on Win32-OpenSSH v8.5.
This will be available in April 2021.

[atiq-cs]

Thanks @bagajjal for working on this.

Shouldn't this be prioritized due to security reasons?

[bagajjal]

What security reasons?
There are no security bugs in existing releases..

[atiq-cs]

Security

• ssh-agent(1): fixed a double-free memory corruption that was
  introduced in OpenSSH 8.2 . We treat all such memory faults as
  potentially exploitable. This bug could be reached by an attacker
  with access to the agent socket.

  On modern operating systems where the OS can provide information
  about the user identity connected to a socket, OpenSSH ssh-agent
  and sshd limit agent socket access only to the originating user
  and root. Additional mitigation may be afforded by the system's
  malloc(3)/free(3) implementation, if it detects double-free
  conditions.

  The most likely scenario for exploitation is a user forwarding an
  agent either to an account shared with a malicious user or to a
  host with an attacker holding root access.

• Portable sshd(8): Prevent excessively long username going to PAM.
  This is a mitigation for a buffer overflow in Solaris' PAM username
  handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
  implementations. This is not a problem in sshd itself, it only
  prevents sshd from being used as a vector to attack Solaris' PAM.
  It does not prevent the bug in PAM from being exploited via some
  other PAM application. GHPR212

ref, https://www.openssh.com/releasenotes.html

[bagajjal]

@atiq-cs -

1. ssh-agent bug is in OpenSSH v8.2. It's not applicable as our win32-openssh latest version is V8.1.
2. Win32-openssh doesn't support PAM.

Please note, we take security bugs very seriously. We fix them asap and ship them through windows updates to update inbuild OpenSSH binaries installed through optional features. Currently there are no security bugs in the windows inbuild OpenSSH.

As I mentioned, I'm actively working on upgrading to V8.5.

[atiq-cs]

I understand what you mean. I really appreciate your contributions here.

There are no security bugs in existing releases
there are no security bugs in the windows inbuild OpenSSH

However, I find your opinion/wording too strong, makes me doubt if you are officially from MSFT!

Anyway, thanks again!

[bagajjal]

@atiq-cs - I'm from MSFT :)
I just want to reiterate and make a clear statement about the security bugs.

[needs-coffee]

@bagajjal any update on this? i see a milestone for 8.6.0 but no release for 8.5.0?

[bagajjal]

Yes, the next win32 openssh release is V8.6. Aiming for first half of next week.

[GitMensch]

Just a short update: Win32-OpenSSH 8.6 is now tagged, so we can hope for a binary release here soon.

To prevent issues like "will this be available via a cumulative update and when" it would be nice to have a note about the rough update plan.

[bagajjal]

V8.6 is now available on Github.

V8.6 will be available as windows optional feature during 22H1.