From: Dag-Erling Smørgrav <des@des.no>
To: Roger Eddins
Cc: freebsd-hackers@freebsd.org
Subject: Re: Reported version numbers of base openssl and sshd
Date: Wed, 05 Oct 2016 14:51:12 +0200
In-Reply-To: <0ee9d33e-9be2-4fd7-abc2-2285cc4bd4a2@typeapp.com> (Roger Eddins's message of "Wed, 05 Oct 2016 08:25:36 -0400")
Message-ID: <86k2dn9cxr.fsf@desk.des.no>

Roger Eddins writes:
> [...] Across the board we are finding other processes in commerce
> tools rejecting transactions due to version number deficiencies and
> the problem is growing rapidly. My hope would be that the team would
> reconsider the version number question as it is the biggest deficiency
> we experience daily using the FreeBSD OS.

Once again: how do they handle RHEL? Because Red Hat, the 800-pound gorilla of the Open Source world, does the same thing that we do: backport patches without bumping the version number.

And in fact, they do *less* than we do, because for OpenSSL and OpenSSH, we have version suffixes which should reflect the date of the last patch, so even an automated scanner *can* be taught to distinguish a vulnerable machine from a patched one - as long as secteam remembers to bump the suffix when they patch the software.

DES
-- 
Dag-Erling Smørgrav - des@des.no
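The scanner logic DES describes, written out as an added example (this is not code from the e-mail thread, from FreeBSD or from any scanner vendor). It reads an OpenSSH version banner, compares the upstream version number first, and only when that is too old to contain a fix looks for FreeBSD's `FreeBSD-YYYYMMDD` banner suffix to decide whether secteam's backport is present. The sample banners and the "fixed in 7.3 upstream, backported on 2016-10-01" advisory are constructed for the demo, not a real advisory; the banner format and date-suffix layout are assumptions modelled on what FreeBSD and distribution sshd builds send on port 22.

```python
import re
from datetime import date

# Hypothetical advisory used for the demo (constructed, not a real CVE):
# upstream OpenSSH fixed the issue in 7.3, and the FreeBSD secteam backported
# the fix on 2016-10-01, bumping the banner suffix to that date.
EXAMPLE_FIXED_UPSTREAM = "7.3"
EXAMPLE_FIXED_FREEBSD = "20161001"

# Constructed sample banners, as a scanner would read them from port 22.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",       # FreeBSD, suffix older than the fix
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20161001",       # FreeBSD, suffix bumped with the fix
    "SSH-2.0-OpenSSH_7.4",                        # upstream release newer than the fix
    "SSH-2.0-OpenSSH_5.3",                        # RHEL-style: old version, no suffix
    "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8",  # vendor suffix carrying no date
    "SSH-2.0-dropbear_2016.74",                   # not OpenSSH at all
]

# Banner layout assumed: "SSH-<proto>-OpenSSH_<version>[ <vendor suffix>]".
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d\.\d+)-OpenSSH_(?P<version>[0-9][0-9A-Za-z.]*)"
    r"(?:\s+(?P<vendor>\S.*))?$"
)
# FreeBSD's suffix is assumed to be "FreeBSD-YYYYMMDD" (date of the last patch).
FREEBSD_RE = re.compile(r"^FreeBSD-(?P<yyyymmdd>\d{8})$")


def version_key(version):
    """Turn '7.2p2' or '6.6.1p1' into a comparable (major, minor, micro, patchlevel)."""
    num, _, plevel = version.partition("p")
    parts = [int(x) for x in num.split(".") if x.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + (int(plevel) if plevel.isdigit() else 0,)


def parse_yyyymmdd(s):
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


def parse_banner(banner):
    """Return (version, patch_date-or-None) for an OpenSSH banner, else None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    patch_date = None
    vendor = m.group("vendor")
    if vendor:
        f = FREEBSD_RE.match(vendor)
        if f:
            patch_date = parse_yyyymmdd(f.group("yyyymmdd"))
    return m.group("version"), patch_date


def classify(banner, fixed_upstream, fixed_freebsd_on):
    """'patched', 'vulnerable', 'unknown' or 'not-openssh' for one banner."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "not-openssh"
    version, patch_date = parsed
    if version_key(version) >= version_key(fixed_upstream):
        return "patched"  # upstream release already contains the fix
    if patch_date is not None:
        # FreeBSD: the date suffix says whether secteam's backport is present.
        fixed = parse_yyyymmdd(fixed_freebsd_on)
        return "patched" if patch_date >= fixed else "vulnerable"
    # Old version and no date suffix (the RHEL case): a backport may or may
    # not be present, and nothing in the banner can tell us which.
    return "unknown"


def scan_samples():
    return {b: classify(b, EXAMPLE_FIXED_UPSTREAM, EXAMPLE_FIXED_FREEBSD)
            for b in SAMPLE_BANNERS}


if __name__ == "__main__":
    for banner, verdict in scan_samples().items():
        print(f"{verdict:12s} {banner}")
```

The point the example makes is the one in the reply: the plain `OpenSSH_5.3` banner can only ever yield "unknown", while the two FreeBSD banners with the same `7.2` version are told apart by the date suffix alone, which is only meaningful if the suffix is actually bumped with every backported fix.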