Re: openssh version info bug or feature ?

To: Paul Hampson <Paul.Hampson@anu.edu.au>
Cc: Dominik.Thinay@unix-ag.org, debian-devel@lists.debian.org
Subject: Re: openssh version info bug or feature ?
From: Anthony DeRobertis <asd@suespammers.org>
Date: Wed, 6 Feb 2002 08:11:44 -0500
Message-id: <[🔎] 115BCE84-1B03-11D6-9452-00039355CFA6@suespammers.org>
In-reply-to: <[🔎] 20020206121445.GA19733@keitarou.bubblesworth.net>

I don't get what you mean by this comment... We're referring
to someone scanning their own network, checking for security
holes, right?


Yes.


I'd expect the parsers in such security scanners would
certainly learn to grok the Debian version. It'll lead to
_more accurate_ security scanning.

It would. I'm just not sure that the security scanners will grokthe version. Especially if they happen to be distributed bysomeone besides debian.

Either way, I don't see how this could be a security hole
justifying any bug report higher than 'minor'.

It would justify more than minor, but in the securityscanner --- not in ssh.

I'd just worry that existing network audits will be thrown offby changing the version. I _do_ think we should change theversion when we release a security fix, though. Or when we makemajor changes (not sure if we do for ssh).

Reply to:

Follow-Ups:
- Re: openssh version info bug or feature ?
  - From: Paul Hampson <Paul.Hampson@anu.edu.au>

References:
- Re: openssh version info bug or feature ?
  - From: Paul Hampson <Paul.Hampson@anu.edu.au>

Prev by Date: ITP: muse package-name conflict...
Next by Date: Re: openssh version info bug or feature ?
Previous by thread: Re: openssh version info bug or feature ?
Next by thread: Re: openssh version info bug or feature ?
Index(es):
- Date
- Thread