On Wed, Feb 06, 2002 at 06:53:15AM -0500, Anthony DeRobertis wrote:
> On Wednesday, February 6, 2002, at 03:14 AM, Paul Hampson wrote:
> >You could submit a bug report if you think it's wrong...
> >but it'd be a minor bug, I suspect. Unless you can build
> >a really good argument why having sshd give away the Debian-ness
> >of your system is a security hole.
> Well, honestly, I think it's quite likely that security scanners
> will not know of the debian versions and either:
>
> a) Always tag them as suspect (not fixing the original problem)
> b) Never tag them as suspect
>
> For some reason, I fear the latter behavior.

I don't get what you mean by this comment...

We're referring to someone scanning their own network, checking for
security holes, right?

I'd expect the parsers in such security scanners would certainly learn to
grok the Debian version. It'll lead to _more accurate_ security scanning.

e.g. OpenSSH upstream version has a known flaw, but that's been fixed in
the Debian version. _That_ version goes into stable. Without the 'Debian'
version, a security scan would see the upstream version #, and flag it as
bad, falsely.

And vice-versa, if a Debian change to ssh introduces a flaw. Not that
that'd ever happen. :-)

I can see why having the ssh daemon identify itself with a Debian version #
locally is good, since if Debian changes anything, then bug reports are
much easier to categorise. (cf. Samba and PHP4)

Maybe you would prefer it if the server identified itself with the Debian
version # when run, but kept the normal (upstream only) version # over the
network?

Either way, I don't see how this could be a security hole justifying any
bug report higher than 'minor'. This isn't a security hole, it just makes
it easier to work out if other known security holes are likely to exist.

And of course your FTP, SMTP and telnet servers, not to mention your web
server, will also display the Debian flag unless told not to.
Besides, I thought we were ideologically opposed to Security through
Obscurity? ;-)

--
===========================================================
Paul "TBBle" Hampson, MCSE
4th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

Of course Pacman didn't influence us as kids. If it did, we'd be
running around in darkened rooms, popping pills and listening to
repetitive music.

This email is licensed to the recipient for non-commercial use,
duplication and distribution.
===========================================================
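The scanner point made in the message above, as an added example that is not part of the original mail and not code from Debian or OpenSSH: a small banner parser that reads the upstream OpenSSH version and, when present, the Debian package revision, then compares a naive "upstream version only" verdict against a Debian-aware one. The banners, the advisory entry (a placeholder id, not a real vulnerability) and the assumed Debian banner formats ("OpenSSH_X Debian 1:X-N" and the later "OpenSSH_X Debian-N") are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample banners; none is taken from a real host.
SAMPLE_BANNERS: List[str] = [
    "SSH-1.99-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9",  # old-style Debian tag
    "SSH-2.0-OpenSSH_3.0.2p1",                      # upstream-only banner
    "SSH-2.0-OpenSSH_3.1p1 Debian-2",               # newer-style Debian tag
    "SSH-1.5-1.2.27",                               # not OpenSSH at all
]

# Constructed advisory entry with a placeholder id (not a real CVE or flaw):
# affects upstream OpenSSH below 3.1, and the fix is assumed to have been
# backported into Debian package revision 9 of the 3.0.2p1 package.
ISSUES = [
    {"id": "EXAMPLE-ISSUE-1", "upstream_fixed": "3.1",
     "debian_fixed": {"3.0.2p1": "9"}},
]

# RFC 4253 identification string: SSH-<proto>-<software>[ <comment>]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<upstream>[0-9][0-9A-Za-z.]*)$")
# Assumed Debian comment formats: "Debian 1:3.0.2p1-9" and "Debian-9".
DEBIAN_OLD_RE = re.compile(r"^Debian\s+(?:\d+:)?(?P<upstream>[^-\s]+)-(?P<revision>\S+)")
DEBIAN_NEW_RE = re.compile(r"^Debian-(?P<revision>\S+)")


@dataclass
class Banner:
    proto: str
    software: str
    upstream: Optional[str]          # OpenSSH upstream version, e.g. "3.0.2p1"
    debian_revision: Optional[str]   # Debian package revision, None if untagged


def version_key(v: str) -> tuple:
    """Turn '3.0.2p1', '3.1' or '5+deb11u1' into a tuple of ints for ordering."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_banner(line: str) -> Banner:
    """Split an SSH identification line into protocol, software and Debian tag."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    sw = OPENSSH_RE.match(m.group("software"))
    upstream = sw.group("upstream") if sw else None
    revision = None
    comment = m.group("comment") or ""
    d = DEBIAN_OLD_RE.match(comment) or DEBIAN_NEW_RE.match(comment)
    if d:
        revision = d.group("revision")
    return Banner(m.group("proto"), m.group("software"), upstream, revision)


def assess(banner: Banner, issues=ISSUES, debian_aware: bool = True) -> Dict[str, str]:
    """Map each issue id to a verdict for this host.

    debian_aware=False models a scanner that only reads the upstream version,
    which is the false-positive case the thread discusses.
    """
    verdicts: Dict[str, str] = {}
    for issue in issues:
        if banner.upstream is None:
            verdicts[issue["id"]] = "unknown"          # not OpenSSH, cannot judge
            continue
        if version_key(banner.upstream) >= version_key(issue["upstream_fixed"]):
            verdicts[issue["id"]] = "fixed-upstream"
            continue
        fixed_rev = issue["debian_fixed"].get(banner.upstream)
        if (debian_aware and banner.debian_revision is not None
                and fixed_rev is not None
                and version_key(banner.debian_revision) >= version_key(fixed_rev)):
            verdicts[issue["id"]] = "fixed-by-debian"  # backported fix recognised
        else:
            verdicts[issue["id"]] = "vulnerable"
    return verdicts


if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        b = parse_banner(line)
        print(f"{line!r:48} naive={assess(b, debian_aware=False)} "
              f"debian-aware={assess(b)}")
```

Run stand-alone, the first banner is the case from the mail: a naive scanner reports it vulnerable because the upstream number is below the fixed version, while the Debian-aware check sees revision 9 and reports the backported fix. A banner that is not OpenSSH at all yields "unknown" rather than a guess.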