Date: Wed, 5 Oct 2016 07:21:46 +0900
From: Ngie Cooper <yaneurabeya@gmail.com>
To: roger@purplecat.net
Cc: freebsd-hackers@freebsd.org, des@FreeBSD.org, jkim@FreeBSD.org
Subject: Re: Reported version numbers of base openssl and sshd
Message-ID: <2530D2B9-F7EA-4A12-A596-1B2BF4B83AAF@gmail.com>
In-Reply-To: <01eb01d21e52$4a7f1640$df7d42c0$@net>
References: <01eb01d21e52$4a7f1640$df7d42c0$@net>
(CCing the current maintainers for OpenSSL and ssh)
> On Oct 5, 2016, at 00:16, Roger Eddins <roger@purplecat.net> wrote:
>
> Dear Maintainers,
>
> Thank you for your excellent efforts in maintaining the FreeBSD code base.
>
> Question: Could version number obfuscation be added to openssl and sshd or
> have the proper relative patch version number reported from the binaries in
> the base system?
>
> Reasoning: PCI compliance is becoming an extreme problem due to scanning
> false positives from certain vendors and a big time waster with older
> FreeBSD releases reporting the original base version number even after patch
> updates. This is requiring us to compile/run the openssl port and
> openssh-portable, creating a highly unnecessary maintenance burden on our
> admins when the package binaries would be sufficient if these core base
> components would report the latest version number. Of course, blocking the
> scanning engines on certain ports is an easy trick, but that doesn't solve
> the root cause of the problem. We have a snowflake-type environment for
> custom hosting solutions, so that hopefully gives a good picture of why using
> ports for these core components is so time consuming.
>
> If the official stance is to use the openssl port and openssh-portable just so
> the FreeBSD OS can report back the latest version number to PCI scanning
> engines, so be it, but it makes little sense, at least in the context we exist in
> and when interfacing with PCI compliance vendors.
I think this request sounds reasonable. I don't know how difficult it might be or what exactly you have in mind version-number-wise, but I'm guessing you have a straightforward idea that could be described.
Thanks!
-Ngie
