
Re: Bug#130876: Very definitely a bug, security



On Sat, 26 Jan 2002 05:01:14 +0000
Lazarus Long <lazarus@overdue.ddts.net> wrote:
> This is definitely a security risk.  There is no reason that such
> information should be exposed to attackers.  Just because FreeBSD has
> some lame security practices doesn't mean Debian has to emulate them.
> (If I ran it, I'd file a bug there as well.)

I agree that this is exposing information that can be used by an
attacker to aid them in their exploits. On the other hand, the purpose
of the change was a good one; it's hard to tell if you're running a
vulnerable SSH in Stable, since the version string is the same as the
stock upstream source, while the Debian diffs will have many added
patches.

Is there any way this can be run-time configurable?

-- 
 .--=====-=-=====-=========----------=====-----------=-=-----=.
/    David Barclay Harris            Aut agere, aut mori.      \
\        Clan Barclay              Either action, or death.    /
 `-------======-------------=-=-----=-===-=====-------=--=----'


