Re: Bug#130876: ssh: -5 discloses too much infomation to an attacker, security
Lazarus Long <lazarus@overdue.ddts.net> writes:
> As I have said in the past, this is definitely a security risk.
No, it isn't. The fact that the SSH protocol encourages implementors
to exhibit version numbers has helped us greatly while recovering from
the catastrophic buffer overflow bug.
> Of course it is "useful," Matthew, but that admin can do so, safely
> *logged in to* the machine in question, with the 'dpkg -l ssh' command
> I mentioned above. There is no need to advertise any vulnerabilities
> to those *outside* the machine.
But there is. Your local CERT might want to warn you that you are
running a vulnerable implementation of a network service.
We regularly disconnect Debian/timetravel systems because the version
identification of a service suggests that they are still running a
vulnerable version. That's tough luck for Debian users, but better be
safe than sorry.
--
Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Reply to: