Reported version numbers of base openssl and sshd

peter at purplecat.net
Wed Oct 5 13:28:29 UTC 2016


Dag-Erling,

No doubt the scanners themselves are at primary fault, and we push back on 
them vigorously, typically recommending our customers change scanning 
companies for the worst cases, but this of course creates a lot of work.  In 
some instances our answer has simply been to firewall off their scanning 
servers, which laughably results in a 'pass' from the pci compliance/audit 
monkeys.

You are of course completely right about RHEL...And FreeBSD is so superior 
in so many ways, it's not even a question--but having proper version numbers 
reported would eliminate a lot of headaches for us (and give FreeBSD another 
plus).

We would very much prefer ~not~ to display version information at all. 
Having that as a variable in a configuration file would be a plus.  Perhaps 
one that defaults to actual versions running, with the ability to report 
"none of your business."

Thanks for all you do for FreeBSD and its community.


Sincerely,

Peter Brezny
Purplecat Networks, Inc.
www.purplecat.net
828-250-9446


...
-----Original Message----- 
From: Dag-Erling Smørgrav
Sent: Wednesday, October 5, 2016 8:51 AM
To: Roger Eddins
Cc: freebsd-hackers at freebsd.org
Subject: Re: Reported version numbers of base openssl and sshd

Roger Eddins <support at purplecat.net> writes:
> [...]  Across the board we are finding other processes in commerce
> tools rejecting transactions due to version number deficiencies and
> the problem is growing rapidly.  My hope would be that the team would
> reconsider the version number question as it is the biggest deficiency
> we experience daily using the FreeBSD OS.

Once again: how do they handle RHEL?  Because Red Hat, the 800-pound
gorilla of the Open Source world, does the same thing that we do:
backport patches without bumping the version number.  And in fact, they
do *less* than we do, because for OpenSSL and OpenSSH, we have version
suffixes which should reflect the date of the last patch, so even an
automated scanner *can* be taught to distinguish a vulnerable machine
from a patched one - as long as secteam remembers to bump the suffix
when they patch the software.

DES
-- 
Dag-Erling Smørgrav - des at des.no 
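The point DES makes above is that a scanner can be taught to read the date suffix FreeBSD appends to its OpenSSH banner instead of rejecting on the upstream version number alone. The following is an added example, written for this page and not code from the thread, FreeBSD or any scanning vendor; it assumes a banner of the form "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310" (the addendum shape is an assumption here, and the sample banners are constructed), and it treats a banner with no such date as "unknown" rather than vulnerable, because a bare upstream version cannot distinguish a backported fix from none.

```python
import re
from datetime import date

# Assumed banner layout (constructed for this example):
#   SSH-<proto>-OpenSSH_<version>[p<n>][ <addendum>]
# where FreeBSD's addendum is assumed to look like FreeBSD-YYYYMMDD, the
# date of the last security patch applied to the base-system sshd.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-OpenSSH_(?P<version>[0-9.]+)(?P<portable>p[0-9]+)?"
    r"(?:\s+(?P<addendum>\S+))?"
)
ADDENDUM_RE = re.compile(r"^FreeBSD-(?P<y>\d{4})(?P<m>\d{2})(?P<d>\d{2})$")


def parse_banner(banner):
    """Split an sshd banner into upstream version and FreeBSD patch date.

    Returns None when the banner is not an OpenSSH banner at all; otherwise a
    dict whose 'patch_date' is a datetime.date or None if no FreeBSD-YYYYMMDD
    addendum is present.
    """
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    info = {
        "version": m.group("version"),
        "addendum": m.group("addendum"),
        "patch_date": None,
    }
    if info["addendum"]:
        a = ADDENDUM_RE.match(info["addendum"])
        if a:
            info["patch_date"] = date(int(a["y"]), int(a["m"]), int(a["d"]))
    return info


def assess(banner, fixed_since):
    """Classify a banner against the date a fix landed in the base system.

    fixed_since is an ISO date string ("2016-09-01") or a datetime.date.
    Returns 'patched', 'vulnerable' or 'unknown'.  A missing addendum yields
    'unknown': the upstream version alone says nothing about backports.
    """
    if isinstance(fixed_since, str):
        fixed_since = date.fromisoformat(fixed_since)
    info = parse_banner(banner)
    if info is None or info["patch_date"] is None:
        return "unknown"
    return "patched" if info["patch_date"] >= fixed_since else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
        "SSH-2.0-OpenSSH_7.2",
        "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1",
    ]
    for s in samples:
        print(f"{s!r:50} -> {assess(s, '2016-09-01')}")
```

The classification hinges on the patch date, so the check is only as good as the secteam habit DES mentions: if the suffix is not bumped when a fix is backported, a patched host will be reported as vulnerable. A scanner that wants to do better than this needs the vendor's advisory-to-date mapping, not just the banner.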
