-
Notifications
You must be signed in to change notification settings - Fork 779
Windows Server 2019 OpenSSH.Server Update Timelines #1783
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
I claim no deep insight into Microsoft's Windows Server release process, but I suspect the "2019" in the product name "Windows Server 2019" (released October 2018, LTSC) might be a hint regarding the age of the software that you should expect in it, especially considering that OpenSSH_for_Windows_7.7p1 was the latest version available throughout the first half of 2019. Isn't the whole point of a “Long Term Servicing Channel” (LTSC) that the vendor promises to not force any component updates onto you for ten years, such that you can continue to use your old software uninterrupted without having to worry about lots of subtle changes that could come in newer versions? Shouldn't your question be when a newer OpenSSH version arrives on the Semi-Annual Channel (SAC), e.g. for Windows Server, version 20H2? That is the release intended for people who want to receive newer versions twice a year. Looking for KB5001391 in Microsoft Update Catalog, I see it available for “Windows Server, version 1903 and later” as of 28 April 2021. That should have OpenSSH_for_Windows_8.1p1 in it. I suspect you need to discuss within your organization, whether your particular machines are perhaps on the wrong release channel, and move them onto SAC. If they insist on LTSC, then I'd expect that you'll have to wait for the next LTSC release, which I understand may be called “Windows Server 2022”. I have here an Ubuntu 16.04 LTS server, which exists for long-term stable applications where more frequent OS upgrades would be undesirable (as they require a lot of re-testing). And that still runs OpenSSH_7.2p2. Microsoft LTSC and Ubuntu Linux LTS versions seem to work very similar in this respect. Neither would update a component such as SSH to a newer upstream release. Instead they both merely backport the most urgent security patches, in case there are any applicable. |
KB5001391 does not apply to LTSC versions of Windows Server. For background, here are some OpenSSH releases including security fixes that do not appear to be scheduled for LTSC delivery:
|
We don't ship the latest version of openssh into existing windows releases. That's not how it's done in other OS distros and same is true with any other product that is shipped into windows. LTSC editions are stable versions which gets only security patches. Please note, new version mean new code. New code can introduce new security issues. Updating to V8.1 shouldn't be treated as security update as V7.7 doesn't have any security issues. None of the security issues mentioned above are applicable for windows inbox OpenSSH V7.7. CVE-2019-6111 - This is from V7.9 so it doesn't applies to OpenSSH windows inbox version v7.7. |
@bagajjal Agreed, I completely misread those security issues. |
I'm closing this issue. I just want to reiterate, Microsoft treats security issues very seriously and patches them ASAP. Thank you for being part of the OpenSSH community. |
I have spent the past two weeks attempting to get the officially-supported OpenSSH.Server running and properly secured to appropriate IT standards on a Windows Server 2019. Despite testing in both WSUS and raw WU environments, my instance is still running OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5 while the Server itself is on OSBuild 17763.1911 and showing no available updates from WU.
I am glad that Windows 10 users are seeing a new version of OpenSSH Server & Client, but I cannot run this within my organization without some validation that Windows will actually support the server-based products actually running a server-type application. Security constraints require that I run officially-supported platforms, with automated security patches wherever possible.
I can understand it not being on the FOD (for those of us that operate in Internet-isolated environments), but when I test with a system with live WU access and get a "supported" application loaded with a configuration that is YEARS old, I must admit that it boggles the mind - leaving me with the impression that Microsoft has no intention of supporting a "server" application in the "server" realm, despite multiple threads herein with MSFT-tagged users stating that it will be consistently updated through the WU/WSUS architectures. Does Microsoft truly expect enterprise organizations to stand up "supported" OpenSSH.Servers exclusively on workstation-level devices as a viable long-term strategy?
Referencing comments from @maertendMSFT in #1693 (comment)
The text was updated successfully, but these errors were encountered: