[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#130876: ssh: -5 discloses too much infomation to an attacker, security

Lazarus Long <lazarus@overdue.ddts.net> writes:

> As I have said in the past, this is definitely a security risk.

No, it isn't.  The fact that the SSH protocol encourages implementors
to exhibit version numbers has helped us greatly while recovering from
the catastrophic buffer overflow bug.

> Of course it is "useful," Matthew, but that admin can do so, safely
> *logged in to* the machine in question, with the 'dpkg -l ssh' command
> I mentioned above.  There is no need to advertise any vulnerabilities
> to those *outside* the machine.

But there is.  Your local CERT might want to warn you that you are
running a vulnerable implementation of a network service.

We regularly disconnect Debian/timetravel systems because the version
identification of a service suggests that they are still running a
vulnerable version.  That's tough luck for Debian users, but better be
safe than sorry.

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
Reply to: