Date: Wed, 5 Oct 2016 09:28:24 -0400
From: <peter@purplecat.net>
To: Dag-Erling Smørgrav <des@des.no>
Cc: <freebsd-hackers@freebsd.org>
Subject: Re: Reported version numbers of base openssl and sshd
Message-ID: <704AE3714816467C93438DCD1A7E2620@PCNEDIT1>
In-Reply-To: <86k2dn9cxr.fsf@desk.des.no>
References: <01eb01d21e52$4a7f1640$df7d42c0$@net> <86oa2z9un2.fsf@desk.des.no> <0ee9d33e-9be2-4fd7-abc2-2285cc4bd4a2@typeapp.com> <86k2dn9cxr.fsf@desk.des.no>
Dag-Erling,

No doubt the scanners themselves are at primary fault, and we push back on them vigorously, typically recommending our customers change scanning companies for the worst cases, but this of course creates a lot of work. In some instances our answer has simply been to firewall off their scanning servers, which laughably results in a 'pass' from the PCI compliance/audit monkeys.

You are of course completely right about RHEL... And FreeBSD is so superior in so many ways, it's not even a question--but having proper version numbers reported would eliminate a lot of headaches for us (and give FreeBSD another plus).

We would very much prefer ~not~ to display version information at all. Having that as a variable in a configuration file would be a plus. Perhaps one that defaults to actual versions running, with the ability to report "none of your business."

Thanks for all you do for FreeBSD and its community.

Sincerely,

Peter Brezny
Purplecat Networks, Inc.
www.purplecat.net
828-250-9446

...

-----Original Message-----
From: Dag-Erling Smørgrav
Sent: Wednesday, October 5, 2016 8:51 AM
To: Roger Eddins
Cc: freebsd-hackers@freebsd.org
Subject: Re: Reported version numbers of base openssl and sshd

Roger Eddins <support@purplecat.net> writes:
> [...] Across the board we are finding other processes in commerce
> tools rejecting transactions due to version number deficiencies and
> the problem is growing rapidly. My hope would be that the team would
> reconsider the version number question as it is the biggest deficiency
> we experience daily using the FreeBSD OS.

Once again: how do they handle RHEL? Because Red Hat, the 800-pound gorilla of the Open Source world, does the same thing that we do: backport patches without bumping the version number.

And in fact, they do *less* than we do, because for OpenSSL and OpenSSH, we have version suffixes which should reflect the date of the last patch, so even an automated scanner *can* be taught to distinguish a vulnerable machine from a patched one - as long as secteam remembers to bump the suffix when they patch the software.

DES
--
Dag-Erling Smørgrav - des@des.no
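The point Dag-Erling makes about the FreeBSD date suffix, as an added example that is not part of the thread or of any scanner product: a banner check that reads the `FreeBSD-YYYYMMDD` suffix from an OpenSSH banner and compares it against the date a fix landed, reporting "unknown" rather than "vulnerable" when only the upstream version string is available. The banner strings and the fix date are constructed for the example, and the `FreeBSD-YYYYMMDD` suffix layout is assumed from FreeBSD's sshd banner convention.

```python
import re
from datetime import date

# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",   # FreeBSD, suffix = last patch date
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20160112",   # FreeBSD, older suffix
    "SSH-2.0-OpenSSH_6.6.1",                  # plain upstream string, no suffix
]

# Placeholder: the date a hypothetical advisory's fix was committed (not a real advisory).
EXAMPLE_FIX_DATE = "20160301"

# Upstream version, then an optional "FreeBSD-YYYYMMDD" suffix (assumed layout).
BANNER_RE = re.compile(
    r"^SSH-2\.0-OpenSSH_(?P<upstream>\d[\w.]*)"
    r"(?:\s+FreeBSD-(?P<patchdate>\d{8}))?"
)

def _to_date(yyyymmdd):
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))

def parse_banner(banner):
    """Return (upstream_version, patch_date or None) from an sshd banner line."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % banner)
    suffix = m.group("patchdate")
    return m.group("upstream"), (_to_date(suffix) if suffix else None)

def classify(banner, fix_date_yyyymmdd):
    """'patched' if the suffix date is on/after the fix date, 'vulnerable' if
    it predates it, and 'unknown' when there is no suffix: an upstream version
    number alone cannot tell a backported fix from an unpatched build."""
    _, patch_date = parse_banner(banner)
    if patch_date is None:
        return "unknown"
    return "patched" if patch_date >= _to_date(fix_date_yyyymmdd) else "vulnerable"

def scan(banners, fix_date_yyyymmdd):
    """Classify every banner in a list; returns {banner: verdict}."""
    return {b: classify(b, fix_date_yyyymmdd) for b in banners}

if __name__ == "__main__":
    for banner, verdict in scan(SAMPLE_BANNERS, EXAMPLE_FIX_DATE).items():
        print(verdict.ljust(10), banner)
```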