[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#130876: Very definitely a bug, security

On Sat, Jan 26, 2002 at 05:01:14AM +0000, Lazarus Long wrote:
> severity 130876 grave

> This is definitely a security risk.  There is no reason that such
> information should be exposed to attackers.  Just because FreeBSD has

That doesn't mean it's a severity grave bug, though.  There's no actual
vulnerability created by advertising the Debian revision SSH version
(particularly since exploits are quite likely to be against the upstream
version which SSH always advertises and you don't seem to be complaining

> Post your root password and IP address if you think obscurity is
> irrelevant.  (You are twisting a comment about *source* being available

That's not really the same thing.  Knowing the root password you can
gain access to the system.  Knowing the SSH version might give you a
hint to try certain SSH exploits that would have worked anyway.  One is
a fundamental part of how you try to maintain security and the other is
to a certain extent incedental.

"You grabbed my hand and we fell into it, like a daydream - or a fever."

Attachment: pgpNOB8gikgjP.pgp
Description: PGP signature

Reply to: