Date: Tue, 4 Oct 2016 11:16:32 -0400 From: "Roger Eddins" <roger@purplecat.net> To: <freebsd-hackers@freebsd.org> Subject: Reported version numbers of base openssl and sshd Message-ID: <01eb01d21e52$4a7f1640$df7d42c0$@net>
Dear Maintainers,

Thank you for your excellent efforts in maintaining the FreeBSD code base.

Question: Could version number obfuscation be added to openssl and sshd, or have the proper relative patch version number reported from the binaries in the base system?

Reasoning: PCI compliance is becoming an extreme problem due to scanning false positives from certain vendors, and a big time waster with older FreeBSD releases reporting the original base version number even after patch updates. This is requiring us to compile/run the openssl port and openssh-portable, creating a highly unnecessary maintenance burden on our admins when the package binaries would be sufficient if these core base components would report the latest version number. Of course, blocking the scanning engines on certain ports is an easy trick, but that doesn't solve the root cause of the problem. We have a snowflake type environment for custom hosting solutions, so that hopefully gives a good picture of why using ports for these core components is so time consuming.

If the official stance is to use the openssl port and openssh-portable just so the FreeBSD OS can report back the latest version number to PCI scanning engines, so be it, but it makes little sense, at least in the context we exist in and interfacing with PCI compliance vendors.

Thank you,
Roger Eddins
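The false positives described in the message come from scanners that key only on the upstream version embedded in a service banner, which stays fixed on a FreeBSD base system even after security patches are applied. The following is an added example, not code from the message or from the FreeBSD project, showing the difference between a naive upstream-version check and a vendor-aware triage check for sshd banners. It assumes a banner of the form "SSH-2.0-OpenSSH_<upstream> FreeBSD-<YYYYMMDD>", where the date tag marks the vendor patch level; the advisory table, its identifiers and its dates are constructed placeholders for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed banner shape: "SSH-2.0-OpenSSH_<upstream> FreeBSD-<YYYYMMDD>".
# The FreeBSD date tag is the vendor-side patch marker; it is absent on
# builds that do not carry it (e.g. a plain openssh-portable build).
BANNER_RE = re.compile(
    r"^SSH-2\.0-OpenSSH_(?P<upstream>\d+\.\d+(?:p\d+)?)"
    r"(?:\s+FreeBSD-(?P<tag>\d{8}))?"
)


@dataclass(frozen=True)
class SshBanner:
    upstream: str              # upstream OpenSSH version string, e.g. "7.2p2"
    vendor_tag: Optional[str]  # FreeBSD YYYYMMDD tag, or None if not present


def parse_banner(line: str) -> SshBanner:
    """Split a server banner into its upstream version and vendor patch tag."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised banner: {line!r}")
    return SshBanner(m.group("upstream"), m.group("tag"))


def version_key(upstream: str) -> tuple:
    """Turn "7.2p2" into a comparable tuple (7, 2, 2); a missing pN is 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:p(\d+))?", upstream)
    if not m:
        raise ValueError(f"bad upstream version: {upstream!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


# Constructed advisory table (placeholder ids and dates, not real advisories).
# "fixed_upstream" is the first upstream release carrying the fix;
# "fixed_vendor_tag" is the first FreeBSD date tag carrying the backport.
SAMPLE_ADVISORIES: Dict[str, Dict[str, str]] = {
    "EXAMPLE-ADVISORY-1": {"fixed_upstream": "7.3", "fixed_vendor_tag": "20160701"},
}


def naive_flags(banner: SshBanner, advisory: Dict[str, str]) -> bool:
    """What a banner-only scanner does: compare upstream versions and nothing else."""
    return version_key(banner.upstream) < version_key(advisory["fixed_upstream"])


def vendor_aware_flags(banner: SshBanner, advisory: Dict[str, str]) -> bool:
    """Same check, but honour the vendor patch tag when the banner carries one."""
    if banner.vendor_tag is None:
        return naive_flags(banner, advisory)   # no extra information available
    if not naive_flags(banner, advisory):
        return False                           # upstream version already fixed
    # Zero-padded YYYYMMDD strings compare correctly as plain strings.
    return banner.vendor_tag < advisory["fixed_vendor_tag"]


def triage(line: str, advisories: Dict[str, Dict[str, str]] = SAMPLE_ADVISORIES) -> Dict[str, Dict[str, bool]]:
    """Return, per advisory, the naive and vendor-aware verdicts for one banner."""
    banner = parse_banner(line)
    return {
        aid: {"naive": naive_flags(banner, adv), "vendor_aware": vendor_aware_flags(banner, adv)}
        for aid, adv in advisories.items()
    }


if __name__ == "__main__":
    # Constructed sample banners: patched base system, unpatched base system,
    # upstream-fixed build, and a build without any vendor tag.
    for sample in (
        "SSH-2.0-OpenSSH_7.2 FreeBSD-20160701",
        "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
        "SSH-2.0-OpenSSH_7.3 FreeBSD-20160310",
        "SSH-2.0-OpenSSH_7.2p2",
    ):
        print(sample, "->", triage(sample))
```

The first sample banner is the case the message complains about: the upstream version alone says "vulnerable" while the vendor tag shows the backport is present, which is exactly the evidence an administrator needs to hand to a PCI scanning vendor to dispute the finding.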