List: freebsd-hackers
Subject: Re: Reported version numbers of base openssl and sshd
From: Allan Jude <allanjude () freebsd ! org>
Date: 2016-10-05 14:30:20
Message-ID: 884f33d9-e479-9294-fc9d-2a6f4d228e10 () freebsd ! org
On 2016-10-05 09:28, peter@purplecat.net wrote:
> Dag-Erling,
>
> No doubt the scanners themselves are at primary fault, and we push back
> on them vigorously, typically recommending our customers change scanning
> companies for the worst cases, but this of course creates a lot of
> work. In some instances our answer has simply been to firewall off
> their scanning servers, which laughably results in a 'pass' from the pci
> compliance/audit monkeys.
>
> You are of course completely right about RHEL... And FreeBSD is so
> superior in so many ways, it's not even a question--but having proper
> version numbers reported would eliminate a lot of headaches for us (and
> give FreeBSD another plus).
>
> We would very much prefer ~not~ to display version information at all.
> Having that as a variable in a configuration file would be a plus.
> Perhaps one that defaults to actual versions running, with the ability
> to report "none of your business."
In the case of ssh, part of this is already controlled by a variable in
/etc/ssh/sshd_config
VersionAddendum FreeBSD-20140420
If you want to control the rest, you'd need to ask the upstream openssh
project. They use the version number information in the banner message
to enable compatibility tweaks.
>
> Thanks for all you do for FreeBSD and its community.
>
>
> Sincerely,
>
> Peter Brezny
> Purplecat Networks, Inc.
> www.purplecat.net
> 828-250-9446
>
>
> ...
> -----Original Message----- From: Dag-Erling Smørgrav
> Sent: Wednesday, October 5, 2016 8:51 AM
> To: Roger Eddins
> Cc: freebsd-hackers@freebsd.org
> Subject: Re: Reported version numbers of base openssl and sshd
>
> Roger Eddins <support@purplecat.net> writes:
>> [...] Across the board we are finding other processes in commerce
>> tools rejecting transactions due to version number deficiencies and
>> the problem is growing rapidly. My hope would be that the team would
>> reconsider the version number question as it is the biggest deficiency
>> we experience daily using the FreeBSD OS.
>
> Once again: how do they handle RHEL? Because Red Hat, the 800-pound
> gorilla of the Open Source world, does the same thing that we do:
> backport patches without bumping the version number. And in fact, they
> do *less* than we do, because for OpenSSL and OpenSSH, we have version
> suffixes which should reflect the date of the last patch, so even an
> automated scanner *can* be taught to distinguish a vulnerable machine
> from a patched one - as long as secteam remembers to bump the suffix
> when they patch the software.
>
> DES
--
Allan Jude
_______________________________________________
freebsd-hackers@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
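The thread above turns on two points: sshd's banner is "SSH-2.0-OpenSSH_<version>" followed by whatever VersionAddendum is set to (FreeBSD's default being a FreeBSD-YYYYMMDD date), and DES's remark that a scanner could use that date suffix, rather than the upstream version number alone, to tell a patched host from an unpatched one. The following is an added example, not code from the thread or from the FreeBSD or OpenSSH projects, showing how such a scanner-side check would parse the identification string (RFC 4253 section 4.2) and classify a host. The sample banners and the fix date are constructed for illustration; the real cutoff for a given advisory has to come from the advisory itself.

```python
import re
from datetime import date

# Constructed sample banners for the example; not captured from real hosts.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",        # FreeBSD, dated addendum
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20140420",        # FreeBSD, older addendum
    "SSH-2.0-OpenSSH_7.2",                         # addendum suppressed
    "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8",   # a non-FreeBSD vendor suffix
]

# Assumed date on which some hypothetical fix landed in base; a real scanner
# would take this from the advisory for the issue it is checking.
EXAMPLE_FIX_DATE = date(2016, 1, 1)

# "SSH-protoversion-softwareversion SP comments" per RFC 4253; OpenSSH puts
# VersionAddendum in the comments field after a single space.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
ADDENDUM_RE = re.compile(r"^FreeBSD-(\d{4})(\d{2})(\d{2})$")


def parse_banner(line):
    """Split an SSH identification string into (proto, software, comments).

    comments is None when the server sends no addendum at all.
    """
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group("proto"), m.group("software"), m.group("comments")


def freebsd_patch_date(comments):
    """Return the date encoded in a FreeBSD-YYYYMMDD addendum, else None."""
    if not comments:
        return None
    m = ADDENDUM_RE.match(comments)
    if not m:
        return None
    year, month, day = (int(x) for x in m.groups())
    return date(year, month, day)


def assess(banner, fixed_on):
    """Classify one host the way a scanner that understands the suffix could.

    'patched'    -> addendum date is on or after the fix date
    'vulnerable' -> addendum date predates the fix
    'unknown'    -> no FreeBSD date suffix; only the upstream version is
                    visible, which is exactly the case that produces the
                    false positives complained about in the thread.
    """
    _proto, _software, comments = parse_banner(banner)
    patched = freebsd_patch_date(comments)
    if patched is None:
        return "unknown"
    return "patched" if patched >= fixed_on else "vulnerable"


def scan_all(banners, fixed_on=EXAMPLE_FIX_DATE):
    """Map each banner to its classification."""
    return {b: assess(b, fixed_on) for b in banners}


if __name__ == "__main__":
    for banner, verdict in scan_all(SAMPLE_BANNERS).items():
        print("%-45s %s" % (banner, verdict))
```

The point of the "unknown" branch is the trade-off Peter raises: suppressing the addendum removes the date, so a scanner is left with only "OpenSSH_7.2" and falls back to matching the upstream version number, which is what generates the spurious findings in the first place. The suffix only helps if it is bumped whenever the software is patched, as DES notes.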