Date: Wed, 5 Oct 2016 13:07:55 +0000
From: Vladimir Terziev <Vladimir.Terziev@bwinparty.com>
To: Dag-Erling Smørgrav <des@des.no>, Roger Eddins <support@purplecat.net>
Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: Reported version numbers of base openssl and sshd
Message-ID: <61AE4EE6-3A98-4A32-AFC3-A117A9F7E3C4@bwinparty.com>
In-Reply-To: <86k2dn9cxr.fsf@desk.des.no>
References: <01eb01d21e52$4a7f1640$df7d42c0$@net> <86oa2z9un2.fsf@desk.des.no> <0ee9d33e-9be2-4fd7-abc2-2285cc4bd4a2@typeapp.com> <86k2dn9cxr.fsf@desk.des.no>
In fact with RedHat the same issue exists. Every time we have an audit (not PCI only), we have to explain to the auditors the back-porting politics of RedHat and show them the change-log of the packages.

Roger, you can follow a similar way. Your FreeBSD systems are at a certain security patch-level (uname -r). You can show that to the auditors along with a log of the changes this patch-level incorporates.

Vladimir

On Oct 5, 2016, at 3:51 PM, Dag-Erling Smørgrav <des@des.no> wrote:

> Roger Eddins <support@purplecat.net> writes:
>> [...] Across the board we are finding other processes in commerce
>> tools rejecting transactions due to version number deficiencies and
>> the problem is growing rapidly. My hope would be that the team would
>> reconsider the version number question as it is the biggest deficiency
>> we experience daily using the FreeBSD OS.
>
> Once again: how do they handle RHEL? Because Red Hat, the 800-pound
> gorilla of the Open Source world, does the same thing that we do:
> backport patches without bumping the version number. And in fact, they
> do *less* than we do, because for OpenSSL and OpenSSH, we have a version
> suffixes which should reflect the date of the last patch, so even an
> automated scanner *can* be taught to distinguish a vulnerable machine
> from a patched one - as long as secteam remembers to bump the suffix
> when they patch the software.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
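The thread's point is that a scanner which compares only the upstream OpenSSH version number cannot tell a backported fix from an unpatched build, while the FreeBSD date suffix in the sshd banner and the -pN patch level in uname -r can. The following is an added example, not code from the thread or from FreeBSD's secteam. It assumes the banner shape "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310" (trailing YYYYMMDD being the date of the last local patch) and the uname -r shape "11.0-RELEASE-p1"; the sample banners and the advisory cutoff date are constructed for illustration.

```python
"""Classify FreeBSD hosts by patch-date suffix instead of upstream version.

Added example (not from the mailing-list thread). Assumes FreeBSD's base
sshd advertises "SSH-2.0-OpenSSH_<ver> FreeBSD-<YYYYMMDD>" and that uname -r
reports "<major.minor>-<BRANCH>[-p<N>]".
"""
import re
from datetime import date

BANNER_RE = re.compile(r"OpenSSH_([0-9][\w.]*)(?: FreeBSD-(\d{8}))?")
UNAME_RE = re.compile(r"^(\d+\.\d+)-([A-Z0-9]+)(?:-p(\d+))?$")


def _stamp_to_date(stamp):
    """Convert a YYYYMMDD string to a date object."""
    return date(int(stamp[:4]), int(stamp[4:6]), int(stamp[6:]))


def parse_freebsd_ssh_banner(banner):
    """Return (upstream_version, patch_date_or_None) from an sshd banner.

    The upstream version is all a naive scanner compares; the FreeBSD
    date suffix is what records when the binary was last patched.
    """
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % banner)
    version, stamp = m.group(1), m.group(2)
    return version, (_stamp_to_date(stamp) if stamp else None)


def parse_patch_level(uname_r):
    """Return (release, branch, patch_level) from uname -r output.

    "11.0-RELEASE" is patch level 0 and "-pN" is N. Branches without -pN
    (STABLE, CURRENT) are reported with patch level None, since their
    patch state is not expressed in the version string.
    """
    m = UNAME_RE.match(uname_r.strip())
    if not m:
        raise ValueError("unrecognised uname -r: %r" % uname_r)
    release, branch, p = m.groups()
    if branch == "RELEASE":
        return release, branch, (int(p) if p else 0)
    return release, branch, None


def classify(banner, fixed_since):
    """Judge a host against an issue whose FreeBSD fix landed on fixed_since.

    fixed_since is a YYYYMMDD string the operator takes from the advisory
    (a constructed input here). A banner without the FreeBSD suffix cannot
    be judged by date, and is reported as "unknown" rather than guessed
    from the upstream version, which is exactly the guess that produces
    the false positives described in the thread.
    """
    _, patched = parse_freebsd_ssh_banner(banner)
    if patched is None:
        return "unknown"
    return "patched" if patched >= _stamp_to_date(fixed_since) else "vulnerable"


# Constructed sample banners, not captured from real hosts.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20150801",
    "SSH-2.0-OpenSSH_7.2",
]

if __name__ == "__main__":
    cutoff = "20160310"  # hypothetical advisory patch date
    for b in SAMPLE_BANNERS:
        print("%-40s -> %s" % (b, classify(b, cutoff)))
    print(parse_patch_level("11.0-RELEASE-p1"))
```

All three sample banners carry the same upstream version, so a version-only check rates them identically; the date suffix separates the patched host from the stale one and flags the third as undecidable, which is the caveat DES raises about secteam having to bump the suffix for this to work.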