Reported version numbers of base openssl and sshd

Allan Jude allanjude at freebsd.org
Wed Oct 5 14:30:27 UTC 2016


On 2016-10-05 09:28, peter at purplecat.net wrote:
> Dag-Erling,
> 
> No doubt the scanners themselves are at primary fault, and we push back
> on them vigorously, typically recommending our customers change scanning
> companies for the worst cases, but this of course creates a lot of
> work.  In some instances our answer has simply been to firewall off
> their scanning servers, which laughably results in a 'pass' from the pci
> compliance/audit monkeys.
> 
> You are of course completely right about RHEL...And FreeBSD is so
> superior in so many ways, it's not even a question--but having proper
> version numbers reported would eliminate a lot of headaches for us (and
> give FreeBSD another plus).
> 
> We would very much prefer ~not~ to display version information at all.
> Having that as a variable in a configuration file would be a plus. 
> Perhaps one that defaults to actual versions running, with the ability
> to report "none of your business."

In the case of ssh, part of this is already controlled by a variable in
/etc/ssh/sshd_config

VersionAddendum FreeBSD-20140420

If you want to control the rest, you'd need to ask the upstream openssh
project. They use the version number information in the banner message
to enable compatibility tweaks.

> 
> Thanks for all you do for FreeBSD and its community.
> 
> 
> Sincerely,
> 
> Peter Brezny
> Purplecat Networks, Inc.
> www.purplecat.net
> 828-250-9446
> 
> 
> ...
> -----Original Message----- From: Dag-Erling Smørgrav
> Sent: Wednesday, October 5, 2016 8:51 AM
> To: Roger Eddins
> Cc: freebsd-hackers at freebsd.org
> Subject: Re: Reported version numbers of base openssl and sshd
> 
> Roger Eddins <support at purplecat.net> writes:
>> [...]  Across the board we are finding other processes in commerce
>> tools rejecting transactions due to version number deficiencies and
>> the problem is growing rapidly.  My hope would be that the team would
>> reconsider the version number question as it is the biggest deficiency
>> we experience daily using the FreeBSD OS.
> 
> Once again: how do they handle RHEL?  Because Red Hat, the 800-pound
> gorilla of the Open Source world, does the same thing that we do:
> backport patches without bumping the version number.  And in fact, they
> do *less* than we do, because for OpenSSL and OpenSSH, we have version
> suffixes which should reflect the date of the last patch, so even an
> automated scanner *can* be taught to distinguish a vulnerable machine
> from a patched one - as long as secteam remembers to bump the suffix
> when they patch the software.
> 
> DES


-- 
Allan Jude
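Added example, not code from the thread or from FreeBSD: a scanner-side check of the kind DES describes, which reads the FreeBSD VersionAddendum date from the sshd banner instead of trusting the bare OpenSSH version string. The sample banners and the required date are constructed placeholders; the real cut-off date would come from the relevant FreeBSD security advisory.

```python
import re
from datetime import date

# Banner grammar from RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
# FreeBSD's sshd sends the VersionAddendum from sshd_config as the comments
# field, e.g. "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310".
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
ADDENDUM_RE = re.compile(r"FreeBSD-(?P<ymd>\d{8})")


def parse_banner(line):
    """Split a raw banner line into protocol, software string and the
    FreeBSD addendum date (a datetime.date, or None when absent)."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    addendum = None
    a = ADDENDUM_RE.search(m.group("comments") or "")
    if a:
        ymd = a.group("ymd")
        addendum = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
    return {"proto": m.group("proto"), "software": m.group("software"),
            "addendum": addendum}


def patch_level(line, required):
    """Classify one banner against `required`, the addendum date that
    carries the last security fix you care about (a constructed
    placeholder here; take the real date from the FreeBSD advisory).
    Returns "patched", "stale", or "unknown" (no FreeBSD addendum, so
    the OpenSSH_x.y number alone cannot tell a backported fix apart)."""
    info = parse_banner(line)
    if info["addendum"] is None:
        return "unknown"
    return "patched" if info["addendum"] >= required else "stale"


# Constructed sample banners, as a scanner would read them from port 22.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310\r\n",
    "SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420\r\n",
    "SSH-2.0-OpenSSH_7.2\r\n",
]
REQUIRED = date(2016, 3, 10)  # placeholder: addendum date of the fix you require

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b.strip(), "->", patch_level(b, REQUIRED))
```

A host that sets VersionAddendum to something without a date (or to nothing) lands in "unknown", which is exactly the case where a scanner falls back to the misleading OpenSSH version number.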