From owner-freebsd-hackers@freebsd.org Wed Oct 5 13:28:29 2016
Date: Wed, 5 Oct 2016 09:28:24 -0400
From: peter@purplecat.net
To: Dag-Erling Smørgrav
Subject: Re: Reported version numbers of base openssl and sshd
Message-ID: <704AE3714816467C93438DCD1A7E2620@PCNEDIT1>
In-Reply-To: <86k2dn9cxr.fsf@desk.des.no>
References: <01eb01d21e52$4a7f1640$df7d42c0$@net> <86oa2z9un2.fsf@desk.des.no> <0ee9d33e-9be2-4fd7-abc2-2285cc4bd4a2@typeapp.com> <86k2dn9cxr.fsf@desk.des.no>
List-Id: Technical Discussions relating to FreeBSD

Dag-Erling,

No doubt the scanners themselves are at primary fault, and we push back on them vigorously, typically recommending our customers change scanning companies for the worst cases, but this of course creates a lot of work. In some instances our answer has simply been to firewall off their scanning servers, which laughably results in a 'pass' from the PCI compliance/audit monkeys.

You are of course completely right about RHEL... And FreeBSD is so superior in so many ways, it's not even a question -- but having proper version numbers reported would eliminate a lot of headaches for us (and give FreeBSD another plus).

We would very much prefer ~not~ to display version information at all. Having that as a variable in a configuration file would be a plus. Perhaps one that defaults to the actual versions running, with the ability to report "none of your business."

Thanks for all you do for FreeBSD and its community.

Sincerely,

Peter Brezny
Purplecat Networks, Inc.
www.purplecat.net
828-250-9446
...

-----Original Message-----
From: Dag-Erling Smørgrav
Sent: Wednesday, October 5, 2016 8:51 AM
To: Roger Eddins
Cc: freebsd-hackers@freebsd.org
Subject: Re: Reported version numbers of base openssl and sshd

Roger Eddins writes:
> [...] Across the board we are finding other processes in commerce
> tools rejecting transactions due to version number deficiencies and
> the problem is growing rapidly. My hope would be that the team would
> reconsider the version number question as it is the biggest deficiency
> we experience daily using the FreeBSD OS.

Once again: how do they handle RHEL? Because Red Hat, the 800-pound gorilla of the Open Source world, does the same thing that we do: backport patches without bumping the version number. And in fact, they do *less* than we do, because for OpenSSL and OpenSSH, we have version suffixes which should reflect the date of the last patch, so even an automated scanner *can* be taught to distinguish a vulnerable machine from a patched one - as long as secteam remembers to bump the suffix when they patch the software.

DES
--
Dag-Erling Smørgrav - des@des.no
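The suffix mechanism Dag-Erling describes is what a scanner would have to read instead of the bare upstream version. The following is an added example, not code from anyone in this thread or from FreeBSD; it assumes the banner shape FreeBSD's sshd emits ("OpenSSH_<version> FreeBSD-YYYYMMDD") and treats the fix date as a constructed placeholder rather than any real advisory date. It returns "unknown" rather than guessing when the suffix is absent, which is the case a naive version-only check gets wrong.

```python
import re
from datetime import date

# FreeBSD's sshd identifies itself like "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310":
# the upstream version, then a suffix carrying the date of the last local patch.
# The "FreeBSD-YYYYMMDD" part is optional so plain upstream banners still parse.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<version>[\w.]+)"
    r"(?:\s+FreeBSD-(?P<suffix>\d{8}))?"
)


def parse_banner(banner):
    """Return {'version': str, 'patch_date': date or None}, or None if unparseable."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    patch_date = None
    suffix = m.group("suffix")
    if suffix:
        patch_date = date(int(suffix[:4]), int(suffix[4:6]), int(suffix[6:8]))
    return {"version": m.group("version"), "patch_date": patch_date}


def assess(banner, fix_date_iso):
    """Classify a host from its banner against the date the fix was applied.

    'patched'    - suffix date is on or after fix_date_iso
    'vulnerable' - suffix date is older than fix_date_iso
    'unknown'    - no suffix (plain upstream banner) or unparseable banner;
                   the version number alone says nothing about backported fixes
    """
    info = parse_banner(banner)
    if info is None or info["patch_date"] is None:
        return "unknown"
    fix_date = date.fromisoformat(fix_date_iso)
    return "patched" if info["patch_date"] >= fix_date else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners; FIX_DATE is a placeholder, not a real advisory date.
    FIX_DATE = "2016-01-14"
    for b in ["SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
              "SSH-2.0-OpenSSH_7.2 FreeBSD-20150817",
              "SSH-2.0-OpenSSH_7.2",
              "not an ssh banner"]:
        print(f"{b!r:45} -> {assess(b, FIX_DATE)}")
```

The point of the three-way result is that a scanner which only has a version number and no suffix should report that it cannot tell, not that the host is vulnerable; that is precisely the false positive the thread complains about, and the suffix only helps when it is actually bumped with each patch.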