Date: Wed, 5 Oct 2016 07:21:46 +0900
From: Ngie Cooper <yaneurabeya@gmail.com>
To: roger@purplecat.net
Cc: freebsd-hackers@freebsd.org, des@FreeBSD.org, jkim@FreeBSD.org
Subject: Re: Reported version numbers of base openssl and sshd
Message-ID: <2530D2B9-F7EA-4A12-A596-1B2BF4B83AAF@gmail.com>
In-Reply-To: <01eb01d21e52$4a7f1640$df7d42c0$@net>
References: <01eb01d21e52$4a7f1640$df7d42c0$@net>
(CCing the current maintainers for OpenSSL and ssh)

> On Oct 5, 2016, at 00:16, Roger Eddins <roger@purplecat.net> wrote:
>
> Dear Maintainers,
>
> Thank you for your excellent efforts in maintaining the FreeBSD code base.
>
> Question: Could version number obfuscation be added to openssl and sshd, or
> could the proper relative patch version number be reported from the binaries in
> the base system?
>
> Reasoning: PCI compliance is becoming an extreme problem due to scanning
> false positives from certain vendors, and a big time waster with older
> FreeBSD releases reporting the original base version number even after patch
> updates. This is requiring us to compile/run the openssl port and
> openssh-portable, creating a highly unnecessary maintenance burden on our
> admins, when the package binaries would be sufficient if these core base
> components would report the latest version number. Of course, blocking the
> scanning engines on certain ports is an easy trick, but that doesn't solve
> the root cause of the problem. We have a snowflake-type environment for
> custom hosting solutions, so that hopefully gives a good picture of why using
> ports for these core components is so time consuming.
>
> If the official stance is to use the openssl port and openssh-portable just so
> the FreeBSD OS can report back the latest version number to PCI scanning
> engines, so be it, but it makes little sense, at least in the context we exist in
> and interfacing with PCI compliance vendors.

I think this request sounds reasonable. I don't know how difficult it might be or what exactly you have in mind version-number-wise. But I'm guessing you have a straightforward idea that could be described.

Thanks!
-Ngie