Reported version numbers of base openssl and sshd
Allan Jude
allanjude at freebsd.org
Wed Oct 5 14:30:27 UTC 2016
On 2016-10-05 09:28, peter at purplecat.net wrote:
> Dag-Erling,
>
> No doubt the scanners themselves are at primary fault, and we push back
> on them vigorously, typically recommending our customers change scanning
> companies for the worst cases, but this of course creates a lot of
> work. In some instances our answer has simply been to firewall off
> their scanning servers, which laughably results in a 'pass' from the PCI
> compliance/audit monkeys.
>
> You are of course completely right about RHEL...And FreeBSD is so
> superior in so many ways, it's not even a question--but having proper
> version numbers reported would eliminate a lot of headaches for us (and
> give FreeBSD another plus).
>
> We would very much prefer ~not~ to display version information at all.
> Having that as a variable in a configuration file would be a plus.
> Perhaps one that defaults to actual versions running, with the ability
> to report "none of your business."
In the case of ssh, part of this is already controlled by a variable in
/etc/ssh/sshd_config
VersionAddendum FreeBSD-20140420
If you want to control the rest, you'd need to ask the upstream openssh
project. They use the version number information in the banner message
to enable compatibility tweaks.
>
> Thanks for all you do for FreeBSD and its community.
>
>
> Sincerely,
>
> Peter Brezny
> Purplecat Networks, Inc.
> www.purplecat.net
> 828-250-9446
>
>
> ...
> -----Original Message-----
> From: Dag-Erling Smørgrav
> Sent: Wednesday, October 5, 2016 8:51 AM
> To: Roger Eddins
> Cc: freebsd-hackers at freebsd.org
> Subject: Re: Reported version numbers of base openssl and sshd
>
> Roger Eddins <support at purplecat.net> writes:
>> [...] Across the board we are finding other processes in commerce
>> tools rejecting transactions due to version number deficiencies and
>> the problem is growing rapidly. My hope would be that the team would
>> reconsider the version number question as it is the biggest deficiency
>> we experience daily using the FreeBSD OS.
>
> Once again: how do they handle RHEL? Because Red Hat, the 800-pound
> gorilla of the Open Source world, does the same thing that we do:
> backport patches without bumping the version number. And in fact, they
> do *less* than we do, because for OpenSSL and OpenSSH, we have a version
> suffixes which should reflect the date of the last patch, so even an
> automated scanner *can* be taught to distinguish a vulnerable machine
> from a patched one - as long as secteam remembers to bump the suffix
> when they patch the software.
>
> DES
--
Allan Jude
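The banner handling discussed above (the VersionAddendum comment field in sshd's identification string, and DES's point that a scanner can be taught to read the date suffix), as an added example that is not part of the thread or of FreeBSD's own tooling. The banner strings and the 20160310 advisory date are constructed for illustration; only FreeBSD-20140420 comes from the message.

```python
import re
import socket
from datetime import date

# RFC 4253 identification line: SSH-protoversion-softwareversion [SP comments] CR LF.
# On FreeBSD the "comments" field carries sshd_config's VersionAddendum
# (e.g. "FreeBSD-20140420"), so its date suffix is where the patch level lives.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
ADDENDUM_RE = re.compile(r"FreeBSD-(?P<date>\d{8})")


def parse_banner(line):
    """Split an identification line into proto, software and comments (None if absent)."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.groupdict()


def addendum_date(comments):
    """Return the FreeBSD VersionAddendum date as a date, or None if there is none."""
    m = ADDENDUM_RE.search(comments or "")
    if not m:
        return None
    d = m.group("date")
    return date(int(d[:4]), int(d[4:6]), int(d[6:8]))


def is_patched(line, last_advisory):
    """Scanner-side check: patched if the addendum date is on or after the last
    relevant advisory date; None when the banner carries no addendum at all,
    in which case the banner alone cannot decide and an out-of-band check is needed."""
    stamp = addendum_date(parse_banner(line)["comments"])
    if stamp is None:
        return None
    return stamp >= last_advisory


def fetch_banner(host, port=22, timeout=5.0):
    """Read the identification line from a live sshd (assumed helper; unused offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.makefile("rb").readline().decode("ascii", "replace")


# Constructed sample banners, not captured from any real host.
SAMPLES = [
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310\r\n",   # addendum at/after the advisory
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20140420\r\n",   # addendum older than the advisory
    "SSH-2.0-OpenSSH_7.2\r\n",                    # no addendum: undecidable
]
```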