Date: Wed, 5 Oct 2016 10:30:20 -0400
From: Allan Jude <allanjude@freebsd.org>
To: freebsd-hackers@freebsd.org
Subject: Re: Reported version numbers of base openssl and sshd
Message-ID: <884f33d9-e479-9294-fc9d-2a6f4d228e10@freebsd.org>
In-Reply-To: <704AE3714816467C93438DCD1A7E2620@PCNEDIT1>
References: <01eb01d21e52$4a7f1640$df7d42c0$@net> <86oa2z9un2.fsf@desk.des.no> <0ee9d33e-9be2-4fd7-abc2-2285cc4bd4a2@typeapp.com> <86k2dn9cxr.fsf@desk.des.no> <704AE3714816467C93438DCD1A7E2620@PCNEDIT1>
On 2016-10-05 09:28, peter@purplecat.net wrote:
> Dag-Erling,
>
> No doubt the scanners themselves are at primary fault, and we push back
> on them vigorously, typically recommending our customers change scanning
> companies for the worst cases, but this of course creates a lot of
> work. In some instances our answer has simply been to firewall off
> their scanning servers, which laughably results in a 'pass' from the pci
> compliance/audit monkeys.
>
> You are of course completely right about RHEL...And FreeBSD is so
> superior in so many ways, it's not even a question--but having proper
> version numbers reported would eliminate a lot of headaches for us (and
> give FreeBSD another plus).
>
> We would very much prefer ~not~ to display version information at all.
> Having that as a variable in a configuration file would be a plus.
> Perhaps one that defaults to actual versions running, with the ability
> to report "none of your business."

In the case of ssh, part of this is already controlled by a variable in /etc/ssh/sshd_config:

VersionAddendum FreeBSD-20140420

If you want to control the rest, you'd need to ask the upstream openssh project. They use the version number information in the banner message to enable compatibility tweaks.

> Thanks for all you do for FreeBSD and its community.
>
>
> Sincerely,
>
> Peter Brezny
> Purplecat Networks, Inc.
> www.purplecat.net
> 828-250-9446
>
>
> ...
> -----Original Message-----
> From: Dag-Erling Smørgrav
> Sent: Wednesday, October 5, 2016 8:51 AM
> To: Roger Eddins
> Cc: freebsd-hackers@freebsd.org
> Subject: Re: Reported version numbers of base openssl and sshd
>
> Roger Eddins <support@purplecat.net> writes:
>> [...] Across the board we are finding other processes in commerce
>> tools rejecting transactions due to version number deficiencies and
>> the problem is growing rapidly. My hope would be that the team would
>> reconsider the version number question as it is the biggest deficiency
>> we experience daily using the FreeBSD OS.
>
> Once again: how do they handle RHEL? Because Red Hat, the 800-pound
> gorilla of the Open Source world, does the same thing that we do:
> backport patches without bumping the version number. And in fact, they
> do *less* than we do, because for OpenSSL and OpenSSH, we have version
> suffixes which should reflect the date of the last patch, so even an
> automated scanner *can* be taught to distinguish a vulnerable machine
> from a patched one - as long as secteam remembers to bump the suffix
> when they patch the software.
>
> DES

-- 
Allan Jude
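The distinction DES draws above, between a scanner that keys on the bare OpenSSH version and one that reads the FreeBSD date suffix set by VersionAddendum, as an added example that is not code from this thread or from FreeBSD: it parses an SSH identification string of the shape FreeBSD's sshd emits and compares the addendum date against a known patch date. The banner values and the patch date are constructed samples, not statements about any real FreeBSD release.

```python
import re
from datetime import date

# Shape of an SSH identification string (RFC 4253 section 4.2):
#   SSH-protoversion-softwareversion [SP comments] CR LF
# FreeBSD's sshd places the sshd_config VersionAddendum value in the
# comments field, e.g. "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310" (constructed).
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
ADDENDUM_RE = re.compile(r"FreeBSD-(?P<date>\d{8})")


def _to_date(yyyymmdd):
    """Turn a YYYYMMDD string (the VersionAddendum date form) into a date."""
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:]))


def parse_banner(line):
    """Split an SSH identification string into its fields.

    Returns proto, software (the bare version a naive scanner matches on),
    comments, and addendum_date when the comments carry FreeBSD-YYYYMMDD.
    """
    line = line.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    info = {"proto": m["proto"], "software": m["software"],
            "comments": m["comments"] or "", "addendum_date": None}
    a = ADDENDUM_RE.search(info["comments"])
    if a:
        info["addendum_date"] = _to_date(a["date"])
    return info


def patched_since(line, fix_yyyymmdd):
    """True if the banner's addendum date is on or after the fix date.

    Returns None when no addendum is present: the banner alone then cannot
    separate a patched host from an unpatched one and the check has to fall
    back on something else (package/base version data from the host itself).
    """
    info = parse_banner(line)
    if info["addendum_date"] is None:
        return None
    return info["addendum_date"] >= _to_date(fix_yyyymmdd)
```

Note the caveat from the thread: the suffix only carries information if secteam bumps it on every patch, so the comparison is a lower bound on patch state, not proof of it.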