From: Dag-Erling Smørgrav <des@des.no>
To: Roger Eddins
Subject: Re: Reported version numbers of base openssl and sshd
Date: Wed, 05 Oct 2016 08:28:49 +0200
In-Reply-To: <01eb01d21e52$4a7f1640$df7d42c0$@net> (Roger Eddins's message of "Tue, 4 Oct 2016 11:16:32 -0400")
Message-ID: <86oa2z9un2.fsf@desk.des.no>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers)

"Roger Eddins" writes:
> Question: Could version number obfuscation be added to openssl and sshd or
> have the proper relative patch version number reported from the binaries in
> the base system?
>
> Reasoning: PCI compliance is becoming an extreme problem due to scanning
> false positives from certain vendors and a big time waster with older
> FreeBSD releases reporting the original base version number even after patch
> updates.

I've been asked this before. My answer was that either the tools or the
people wielding them are deficient, and I haven't changed my mind. How do
they handle RHEL?

DES
--
Dag-Erling Smørgrav - des@des.no
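The point the thread turns on is that a scanner which compares the upstream version in an SSH banner against a "fixed in" version cannot distinguish a patched FreeBSD base system (or a RHEL host, which backports the same way) from an unpatched one: the banner is identical before and after the security update, and only the patch level known to the host answers the question. The following is an added example in Python, not code from this thread or from the FreeBSD project. The banners, the list of vendor-comment prefixes and the patch-level strings are constructed for illustration; the "fixed in" version and the required patch level are inputs the operator takes from the relevant OpenSSH release notes and FreeBSD security advisory.

```python
"""Banner-based version checks versus backported fixes.

Added example, not part of the freebsd-hackers thread. Demonstrates why a
verdict based only on the OpenSSH version in the SSH banner is wrong for
distributions that backport fixes, and how the host's own patch level
(freebsd-version -u on FreeBSD) is what actually decides the question.
All sample banners and version strings below are constructed.
"""
import re

# SSH identification string: SSH-protoversion-softwareversion [SP comments]
# (RFC 4253 section 4.2).
_BANNER = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<sw>\S+)(?: (?P<comments>.*))?$")
_OPENSSH = re.compile(r"^OpenSSH_(?P<ver>\d+\.\d+)(?:p(?P<portable>\d+))?$")

# Vendor comment prefixes that mark a build whose fixes may be backported.
# Assumption: an illustrative list, not an exhaustive one. Note that a RHEL
# banner carries no such suffix at all, which is exactly why this heuristic
# is not enough on its own (see assess() below).
_BACKPORT_VENDORS = ("FreeBSD-", "Debian-", "Ubuntu-")

# freebsd-version -u output such as "10.3-RELEASE-p9"; a bare "10.3-RELEASE"
# is patch level 0. Other branches (-STABLE, -CURRENT) are out of scope here.
_FBSD_RELEASE = re.compile(r"^(?P<major>\d+)\.(?P<minor>\d+)-RELEASE(?:-p(?P<patch>\d+))?$")


def _vertuple(v):
    return tuple(int(x) for x in v.split("."))


def parse_banner(line):
    """Return (upstream_version, vendor_comment) for an OpenSSH banner, else None."""
    m = _BANNER.match(line.strip())
    if not m:
        return None
    sw = _OPENSSH.match(m.group("sw"))
    if not sw:
        return None
    # The portable "pN" suffix is ignored: security fixes land in major.minor.
    return sw.group("ver"), (m.group("comments") or "")


def assess(banner, fixed_in):
    """Naive banner check with its honest outcome.

    "not_affected": banner version is at or above fixed_in.
    "inconclusive": version is older but the vendor suffix says fixes may be
                    backported, so the banner cannot decide; check the host.
    "vulnerable":   version is older and there is no vendor suffix. This is
                    still only a guess: a RHEL host looks exactly like this.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "inconclusive"
    ver, comment = parsed
    if _vertuple(ver) >= _vertuple(fixed_in):
        return "not_affected"
    if comment.startswith(_BACKPORT_VENDORS):
        return "inconclusive"
    return "vulnerable"


def freebsd_patch_level(version_string):
    """Parse freebsd-version -u output into (major, minor, patch), else None."""
    m = _FBSD_RELEASE.match(version_string.strip())
    if not m:
        return None
    return int(m.group("major")), int(m.group("minor")), int(m.group("patch") or 0)


def host_is_patched(host_version, required_version):
    """True when the host's patch level is at or above the advisory's level.

    Only meaningful within one release: the advisory gives one corrected
    patch level per release branch, so differing major.minor is rejected.
    """
    have = freebsd_patch_level(host_version)
    need = freebsd_patch_level(required_version)
    if have is None or need is None or have[:2] != need[:2]:
        return False
    return have[2] >= need[2]


if __name__ == "__main__":
    # Constructed inputs: a FreeBSD base sshd and a plain upstream-looking banner.
    for b in ("SSH-2.0-OpenSSH_7.2 FreeBSD-20160310", "SSH-2.0-OpenSSH_7.2"):
        print(b, "->", assess(b, "7.3"))
    print("host 10.3-RELEASE-p9 vs advisory p7 ->", host_is_patched("10.3-RELEASE-p9", "10.3-RELEASE-p7"))
```

The practical reading: whenever assess() returns anything but "not_affected", the scanner has no business raising a finding from the banner alone. The evidence that settles it is the host's patch level, which is what host_is_patched() compares, and the plain-banner case shows why "vulnerable" is really "unknown" for a RHEL-style host.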