Bug#815558: Debian banner of SSH server on Jessie still advertised to be running on Lenny
As far as I can see, I think the misleading part is this line of the
Debian package code:
<pre>
debian/rules:47:SSH_EXTRAVERSION := $(DISTRIBUTION)-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//')
</pre>
Where *dpkg-parsechangelog* shows:
<pre>
Source: openssh
Version: 1:6.7p1-5+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Yves-Alexis Perez <corsac@debian.org>
Date: Wed, 13 Jan 2016 22:08:52 +0100
Changes:
openssh (1:6.7p1-5+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Disable roaming in openssh client: roaming code is vulnerable to an
information leak (CVE-2016-0777) and heap-based buffer overflow
(CVE-2016-0778).
</pre>
The *sed* command extracts 5+deb8u1 from 1:6.7p1-5+deb8u1, and this
number is the Debian OpenSSH package version number, not the Debian distro
release number, so the "SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u1" banner
really means: "Hi, this is OpenSSH_6.7p1 released by Debian and identified
as version 5+deb8u1".
Below are the latest 20 released packages:
(1:6.7p1-5+deb8u1)
(1:6.7p1-5)
(1:6.7p1-4)
(1:6.7p1-3)
(1:6.7p1-2)
(1:6.7p1-1)
(1:6.6p1-8)
(1:6.6p1-7)
(1:6.6p1-6)
(1:6.6p1-5)
(1:6.6p1-4)
(1:6.6p1-3)
(1:6.6p1-2)
(1:6.6p1-1)
(1:6.5p1-6)
(1:6.5p1-5)
(1:6.5p1-4)
On 02/22/2016 01:51 PM, Carlos Alberto Lopez Perez wrote:
> Package: openssh-server
> Version: 1:6.7p1-5+deb8u1
>
>
> Hi,
>
> I have noticed this:
>
> $ nc old-debian-lenny-machine 22
> SSH-2.0-OpenSSH_5.1p1 Debian-5
>
> $ nc just-fresh-installed-debian-jessie-machine 22
> SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u1
>
>
> Why is the Debian banner still advertising Debian 5 on a Debian 8 machine?
>
>
> Maybe the best solution is to just disable this banner by default?
> https://bugs.debian.org/786987
>
>
> Thanks.
>
--
Pablo Saavedra Rodiño
psaavedra@igalia.com | Mail
www.igalia.com | Web
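To make the point above concrete, here is an added example (not code from the bug report or from Debian's openssh packaging) that reproduces the SSH_EXTRAVERSION computation from debian/rules on constructed version strings. It assumes $(DISTRIBUTION) expands to the literal "Debian", as in both banners quoted in the report, and that sshd appends the extraversion after a space; the lenny version string "1:5.1p1-5" is constructed to match the "Debian-5" banner shown there. The functions return their result on stdout so they can be checked.

```shell
#!/bin/sh
# Added example: reproduce how the Debian-<suffix> part of the sshd banner is
# derived from the package version, using constructed input instead of a
# real debian/changelog.

# Second sed pass from debian/rules: drop everything up to and including the
# first '-', leaving the Debian package revision (e.g. "5+deb8u1").
debian_revision() {
    printf '%s\n' "$1" | sed -e 's/[^-]*-//'
}

# Upstream part of the version: strip the epoch ("1:") and the Debian
# revision. This is what the OpenSSH_<x> part of the banner corresponds to.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*//'
}

# First sed pass from debian/rules, fed with a constructed changelog header in
# the format dpkg-parsechangelog prints. Only the Version: line is used; the
# Distribution: line (jessie-security) never reaches the banner.
changelog_version() {
    printf 'Source: openssh\nVersion: %s\nDistribution: jessie-security\n' "$1" \
        | sed -n -e '/^Version:/s/Version: //p'
}

# Banner as assumed here: "SSH-2.0-OpenSSH_<upstream> Debian-<revision>"
# (DISTRIBUTION taken to be the literal "Debian", as in the quoted banners).
banner_for() {
    printf 'SSH-2.0-OpenSSH_%s Debian-%s\n' \
        "$(upstream_version "$1")" "$(debian_revision "$1")"
}

# Run on the two versions from the report: the "5" on lenny and "5+deb8u1" on
# jessie are both package revisions; neither encodes the release (5 = lenny,
# 8 = jessie), which is why the lenny and jessie banners look alike.
for v in '1:5.1p1-5' '1:6.7p1-5+deb8u1'; do
    printf '%-20s -> %s\n' "$v" "$(banner_for "$(changelog_version "$v")")"
done
```

To compare a live banner against the installed package, check `dpkg -l openssh-server` (or `dpkg-query -W openssh-server`) on the host rather than reading a release number into the banner suffix.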