Date:      Wed, 05 Oct 2016 08:25:36 -0400
From:      Roger Eddins <support@purplecat.net>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Reported version numbers of base openssl and sshd
Message-ID:  <0ee9d33e-9be2-4fd7-abc2-2285cc4bd4a2@typeapp.com>
In-Reply-To: <86oa2z9un2.fsf@desk.des.no>
References:  <01eb01d21e52$4a7f1640$df7d42c0$@net> <86oa2z9un2.fsf@desk.des.no>

Dag-Erling,

I agree with your premise 100%, and it's true the tool wielders are taking the easy road out by simply doing a version check, but that road may make sense from a bandwidth and CPU standpoint for their systems, and it comes down to perception more so than education.

I think from an accuracy standpoint it would make more academic sense to report an updated version number or at least a build number so the scanners can make an intelligent decision.

Across the board we are finding other processes in commerce tools rejecting transactions due to version number deficiencies and the problem is growing rapidly.  My hope would be that the team would reconsider the version number question as it is the biggest deficiency we experience daily using the FreeBSD OS.

Standing on a principle is great in concept but practical application sometimes overrides principle from a common sense perspective.

Thank you for your consideration on this important question.

Roger

Roger Eddins
Purplecat Networks Inc.
www.purplecat.net



On Oct 5, 2016, at 2:28 AM, "Dag-Erling Smørgrav" <des@des.no> wrote:
>"Roger Eddins" <roger@purplecat.net> writes:
>> Question:  Could version number obfuscation be added to openssl and
>> sshd or have the proper relative patch version number reported from the
>> binaries in the base system?
>>
>> Reasoning:  PCI compliance is becoming an extreme problem due to
>> scanning false positives from certain vendors and a big time waster with
>> older FreeBSD releases reporting the original base version number even
>> after patch updates.
>
>I've been asked this before.  My answer was that either the tools or the
>people wielding them are deficient, and I haven't changed my mind.
>
>How do they handle RHEL?
>
>DES
>--
>Dag-Erling Smørgrav - des@des.no
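The false-positive mechanism the thread argues about can be shown concretely: a scanner that parses only the upstream OpenSSH version out of the banner will flag a host whose base version string never changed after a security patch, while a check that also reads the distribution's patch tag will not. The following is an added example, not code from the thread, from FreeBSD, or from any scanning vendor. It assumes the banner format FreeBSD's sshd emits (`SSH-2.0-OpenSSH_X.Y FreeBSD-YYYYMMDD`); the issue, the "fixed in 7.3" upstream version, the backport date and the sample banners are all constructed for the illustration.

```python
import re
from typing import NamedTuple, Optional


class Banner(NamedTuple):
    major: int
    minor: int
    patch: int                  # portable-release "pN" number, 0 if absent
    vendor_date: Optional[str]  # YYYYMMDD from a "FreeBSD-YYYYMMDD" tag, if present


# Matches the upstream OpenSSH version and, optionally, the FreeBSD patch-date tag.
BANNER_RE = re.compile(
    r"^SSH-2\.0-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?"
    r"(?:\s+FreeBSD-(?P<date>\d{8}))?"
)


def parse_banner(line: str) -> Optional[Banner]:
    """Split an sshd identification string into its comparable parts."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return Banner(int(m["major"]), int(m["minor"]), int(m["patch"] or 0), m["date"])


# Hypothetical issue, constructed for this example: fixed in upstream OpenSSH 7.3
# and assumed backported to the FreeBSD base sshd on 2016-03-10.
FIXED_UPSTREAM = (7, 3)
BACKPORT_DATE = "20160310"


def naive_flag(line: str) -> bool:
    """Version-string-only check, the behaviour the thread complains about."""
    b = parse_banner(line)
    if b is None:
        return False  # unrecognised banner: nothing to compare against
    return (b.major, b.minor) < FIXED_UPSTREAM


def patch_aware_flag(line: str) -> bool:
    """Same check, but a vendor patch tag at or after the backport date clears it."""
    b = parse_banner(line)
    if b is None:
        return False
    if (b.major, b.minor) >= FIXED_UPSTREAM:
        return False
    # Upstream version predates the fix; only the vendor patch tag can clear it.
    # YYYYMMDD strings compare correctly as plain strings.
    return not (b.vendor_date is not None and b.vendor_date >= BACKPORT_DATE)


def scan(banners: dict) -> dict:
    """Return {host: (naive_flagged, patch_aware_flagged)} for a set of banners."""
    return {host: (naive_flag(b), patch_aware_flag(b)) for host, b in banners.items()}


# Constructed sample banners (not taken from the thread).
SAMPLE_BANNERS = {
    "patched-freebsd": "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",  # patched, same base version
    "stale-freebsd": "SSH-2.0-OpenSSH_7.2 FreeBSD-20160121",    # genuinely unpatched
    "upstream-new": "SSH-2.0-OpenSSH_7.3",                      # fixed upstream release
}

if __name__ == "__main__":
    for host, (naive, aware) in scan(SAMPLE_BANNERS).items():
        print(f"{host:16} naive={naive!s:5} patch-aware={aware}")
```

The patched FreeBSD host is flagged only by the naive check, which is exactly the discrepancy that shows up as a PCI false positive; the genuinely stale host is flagged by both, so the vendor tag adds precision without losing the true finding. The same idea applies to any distribution that backports fixes without bumping the upstream version: the check has to know the distribution's own patch-level marker, or it will keep confusing "old version string" with "unpatched".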


