Reported version numbers of base openssl and sshd

Roger Eddins roger at purplecat.net
Tue Oct 4 15:15:34 UTC 2016


Dear Maintainers,

Thank you for your excellent efforts in maintaining the FreeBSD code base.

Question:  Could version number obfuscation be added to openssl and sshd, or
the proper relative patch version number be reported from the binaries in
the base system?

Reasoning:  PCI compliance is becoming an extreme problem due to scanning
false positives from certain vendors, and a big time waster with older
FreeBSD releases reporting the original base version number even after patch
updates.  This is requiring us to compile/run the openssl port and
openssh-portable, creating a highly unnecessary maintenance burden on our
admins, when the package binaries would be sufficient if these core base
components would report the latest version number.  Of course, blocking the
scanning engines on certain ports is an easy trick, but that doesn't solve
the root cause of the problem.  We have a snowflake-type environment for
custom hosting solutions, so that hopefully gives a good picture of why using
ports for these core components is so time consuming.

If the official stance is to use the openssl port and openssh-portable just so
the FreeBSD OS can report back the latest version number to PCI scanning
engines, so be it, but it makes little sense, at least in the context we exist
in and when interfacing with PCI compliance vendors.

Thank you,

Roger Eddins
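The false positive described in the post comes from scanners that match only the upstream version number in the sshd banner. FreeBSD's sshd appends a vendor date to that banner (the "FreeBSD-YYYYMMDD" addendum), and that date, not the upstream number, is what moves when a security patch lands. The following Python is an added illustration, not code from the post or from the FreeBSD project: it splits a banner into the two parts and contrasts a naive upstream-only check with one keyed on the vendor date. The banner strings and the threshold dates are constructed samples, and the names parse_banner, naive_scanner_flags and is_patched are hypothetical.

```python
"""Separate the upstream OpenSSH version from the FreeBSD vendor date in an
sshd banner, so a compliance check can reason about the part that actually
changes with patches.  All sample inputs below are constructed."""
import re

# Constructed banner shape assumed here: "SSH-2.0-OpenSSH_<ver> FreeBSD-<YYYYMMDD>".
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d\.\d)-OpenSSH_(?P<upstream>[0-9.]+p?\d*)"
    r"(?:\s+FreeBSD-(?P<vendor>\d{8}))?"
)


def parse_banner(banner: str) -> dict:
    """Return proto, upstream version and vendor date (None if absent)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    return {"proto": m["proto"], "upstream": m["upstream"], "vendor": m["vendor"]}


def version_tuple(version: str) -> tuple:
    """'7.2p2' -> (7, 2, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def naive_scanner_flags(banner: str, first_fixed_upstream: str) -> bool:
    """What a version-matching scanner does: compare only the upstream number.
    A patched FreeBSD host still shows the old upstream number, so this
    reports 'vulnerable' even when the fix is present (the false positive)."""
    upstream = parse_banner(banner)["upstream"]
    return version_tuple(upstream) < version_tuple(first_fixed_upstream)


def is_patched(banner: str, fixed_vendor_date: str) -> bool:
    """Check the vendor date instead (hypothetical threshold supplied by the
    caller).  The upstream version is deliberately ignored.  Dates are
    YYYYMMDD strings, so lexical comparison equals chronological comparison."""
    vendor = parse_banner(banner)["vendor"]
    if vendor is None:
        return False  # no vendor date: the banner cannot prove the patch level
    return vendor >= fixed_vendor_date


if __name__ == "__main__":
    # Constructed sample: old upstream number, but a post-fix vendor date.
    banner = "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310"
    print(parse_banner(banner))
    print("naive scanner flags it:", naive_scanner_flags(banner, "7.3"))
    print("vendor-date check says patched:", is_patched(banner, "20160301"))
```

Run as a script it prints the parsed banner and then the two verdicts side by side; the same host is flagged by the upstream-only comparison and cleared by the vendor-date comparison, which is the mismatch the post is asking FreeBSD to resolve at the source.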



More information about the freebsd-hackers mailing list