Reported version numbers of base openssl and sshd

Roger Eddins support at purplecat.net
Wed Oct 5 12:25:43 UTC 2016


Dag-Erling,

I agree with your premise 100%, and it's true the tool wielders are taking the easy road out by simply doing a version check, but that road may make sense from a bandwidth and CPU standpoint for their systems, and it comes down to perception more so than education.

I think from an accuracy standpoint it would make more academic sense to report an updated version number or at least a build number so the scanners can make an intelligent decision.

Across the board we are finding other processes in commerce tools rejecting transactions due to version number deficiencies and the problem is growing rapidly.  My hope would be that the team would reconsider the version number question as it is the biggest deficiency we experience daily using the FreeBSD OS.

Standing on a principle is great in concept but practical application sometimes overrides principle from a common sense perspective.

Thank you for your consideration on this important question.

Roger

Roger Eddins
Purplecat Networks Inc.
www.purplecat.net



On Oct 5, 2016, at 2:28 AM, "Dag-Erling Smørgrav" <des at des.no> wrote:
>"Roger Eddins" <roger at purplecat.net> writes:
>> Question:  Could version number obfuscation be added to openssl and
>> sshd or have the proper relative patch version number reported from
>> the binaries in the base system?
>>
>> Reasoning:  PCI compliance is becoming an extreme problem due to
>> scanning false positives from certain vendors and a big time waster
>> with older FreeBSD releases reporting the original base version number
>> even after patch updates.
>
>I've been asked this before.  My answer was that either the tools or
>the people wielding them are deficient, and I haven't changed my mind.
>
>How do they handle RHEL?
>
>DES
>--
>Dag-Erling Smørgrav - des at des.no
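An added example, not code from this thread, from FreeBSD or from any scanner vendor, to make the disagreement above concrete. It parses an SSH identification string into the three fields RFC 4253 defines (protocol version, software version, comments) and shows that a scanner which only compares the advertised OpenSSH version against a minimum cannot distinguish a host whose sshd was patched in place from one that was not, while a check against the release patch level (the string `freebsd-version -u` prints, such as `10.3-RELEASE-p9`) can. The sample banner, the scanner's minimum version and the "fix shipped in -p7" entry are constructed for the illustration and do not refer to any real advisory.

```python
"""Banner-only version check versus patch-level check (added example)."""
from __future__ import annotations

import re
from typing import Dict, NamedTuple, Optional, Tuple

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
# Upstream OpenSSH version inside softwareversion, e.g. OpenSSH_7.2 or OpenSSH_7.2p2.
_OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p\d+)?$")
# FreeBSD userland version as printed by "freebsd-version -u", e.g. 10.3-RELEASE-p9;
# the optional -pN suffix is the security-branch patch level.
_FREEBSD_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)-(?P<branch>[A-Z0-9]+)(?:-p(?P<patch>\d+))?$"
)


class Banner(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]


def parse_banner(line: str) -> Banner:
    """Split an SSH identification string into its RFC 4253 fields."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m["proto"], m["software"], m["comments"])


def openssh_version(software: str) -> Tuple[int, int]:
    """Upstream (major, minor) from the softwareversion field.  The portable
    'pN' suffix is dropped: it is a packaging revision, not a fix level."""
    m = _OPENSSH_RE.match(software)
    if m is None:
        raise ValueError(f"not an OpenSSH version string: {software!r}")
    return int(m["major"]), int(m["minor"])


def banner_only_verdict(line: str, minimum: Tuple[int, int]) -> str:
    """What a banner-grabbing scanner does: compare the advertised upstream
    version against a minimum.  The banner carries nothing about which fixes
    the vendor applied to that version, so a patched host and an unpatched
    one with the same banner get the same verdict."""
    version = openssh_version(parse_banner(line).software)
    return "pass" if version >= minimum else "flag"


def freebsd_patch_level(version: str) -> Tuple[int, int, int]:
    """(major, minor, patch) from a FreeBSD version string; no -pN means 0."""
    m = _FREEBSD_RE.match(version.strip())
    if m is None:
        raise ValueError(f"not a FreeBSD version string: {version!r}")
    return int(m["major"]), int(m["minor"]), int(m["patch"] or 0)


def patch_level_verdict(version: str, fixed_in: Dict[Tuple[int, int], int]) -> str:
    """The check that answers the real question: is the host's patch level at
    or past the level in which the fix shipped for its release branch.
    fixed_in maps (major, minor) -> first patched -pN; a branch absent from
    the map is treated as unfixed."""
    major, minor, patch = freebsd_patch_level(version)
    needed = fixed_in.get((major, minor))
    if needed is None:
        return "flag"
    return "pass" if patch >= needed else "flag"


# Constructed sample data (hypothetical, not from any advisory): two hosts
# advertising the same sshd banner but sitting at different patch levels.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310\r\n"
SAMPLE_MINIMUM = (7, 3)          # hypothetical scanner threshold
SAMPLE_FIXED_IN = {(10, 3): 7}   # hypothetical: fix shipped in 10.3-RELEASE-p7

if __name__ == "__main__":
    for level in ("10.3-RELEASE-p9", "10.3-RELEASE-p5"):
        print(level,
              "banner-only:", banner_only_verdict(SAMPLE_BANNER, SAMPLE_MINIMUM),
              "patch-level:", patch_level_verdict(level, SAMPLE_FIXED_IN))
```

Run stand-alone, the banner-only verdict is "flag" for both sample hosts because both advertise OpenSSH_7.2, while the patch-level verdict passes the host at -p9 and flags the one at -p5. That second check is the analogue of what a scanner has to do on RHEL, where fixes are backported into a package without bumping the upstream version: authenticate to the host and read the package or patch level rather than trust the banner.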

