Bug#925238: openssh-server: OpenSSH server displays the distro name in its strings through netcat
Package: openssh-server
Version: 1:7.9p1-9
Severity: normal
Hi,
I've remarked a security issue with openssh-server. The problem manifests if
you run netcat.
Example :
netcat localhost 22
In that case the string displayed is :
SSH-2.0-OpenSSH_7.9p1 Debian-9
At least the Debian string should not be displayed, because otherwise it leaks
information about the installed system, with possible consequences a more
severe attack somewhere else.
Could you please remove the string refering to Debian ?
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii dpkg 1.19.5
ii libaudit1 1:2.8.4-2
ii libc6 2.28-8
ii libcom-err2 1.44.5-1
ii libgssapi-krb5-2 1.17-2
ii libkrb5-3 1.17-2
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libselinux1 2.8-1+b1
ii libssl1.1 1.1.1b-1
ii libsystemd0 241-1
ii libwrap0 7.6.q-28
ii lsb-base 10.2019031300
ii openssh-client 1:7.9p1-9
ii openssh-sftp-server 1:7.9p1-9
ii procps 2:3.3.15-2
ii ucf 3.0038+nmu1
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages openssh-server recommends:
ii libpam-systemd 241-1
ii ncurses-term 6.1+20181013-2
ii xauth 1:1.0.10-1
Versions of packages openssh-server suggests:
ii ksshaskpass [ssh-askpass] 4:5.14.5-1
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ufw <none>
-- debconf information excluded
Reply to: