Bug 106466

Summary: OpenSSH version identification should change on errata
Product: [Retired] Red Hat Linux
Reporter: Jan Iven <jan.iven>
Component: openssh
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 9
CC: tao
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2005-02-07 14:23:44 UTC

Description Jan Iven 2003-10-07 13:31:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031003

Description of problem:
Please consider changing the ssh version identification string on updates (e.g.
by including the package release number). We use network scans to identify
unpatched machines, and with Red Hat we cannot tell from the outside whether a
machine is ok or not (either we annoy security-aware users, or we miss unpatched
systems).

I would not consider this a new security hole: ssh explicitly advertises its
version string in the initial exchange; attackers will most likely try any
exploit anyway if the version matches.
FYI, Apple recently released a version that identifies itself as
"OpenSSH_3.4p1+CAN-2003-0693", Debian uses "OpenSSH_3.4p1 Debian
1:3.4p1-1.woody.3" -- both are easy to identify as 'secure' against the recent
buffer management problems.

Comment 1 Tomas Mraz 2005-02-07 14:23:44 UTC
There is now an added ShowPatchLevel option, which adds a release identifier to the
version string.
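The reporter's use case is a banner-only inventory scan: parse the SSH identification string each host sends and decide whether the banner carries a vendor release or patch identifier (as in the Debian and Apple examples quoted above) or only the bare upstream version, in which case patch status cannot be determined from outside. The following is an added example written for this page, not code from the bug, from Red Hat, or from OpenSSH. It parses the identification line in the "SSH-protoversion-softwareversion SP comments CR LF" layout defined by RFC 4253 and groups hosts by what the banner lets a defender conclude. The sample scan results, host addresses and the `parse_ssh_banner`/`triage` helper names are constructed for the example; the exact banner that Red Hat's ShowPatchLevel option produces is not shown on the page, so the samples follow the Debian and Apple formats the reporter quotes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4253 identification string: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion has no spaces; comments (optional) run to end of line.
_ID_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


@dataclass
class SshBanner:
    proto: str     # protocol version, e.g. "2.0" or "1.99"
    product: str   # e.g. "OpenSSH"
    version: str   # upstream version, e.g. "3.4p1"
    release: str   # vendor release / patch identifier, "" if the banner has none

    @property
    def has_release_id(self) -> bool:
        """True when the banner carries more than the bare upstream version."""
        return bool(self.release)


def parse_ssh_banner(line: str) -> Optional[SshBanner]:
    """Parse one identification line; return None if it is not an SSH banner."""
    m = _ID_RE.match(line)
    if m is None:
        return None
    software = m.group("software")
    comments = m.group("comments") or ""
    # "OpenSSH_3.4p1+CAN-2003-0693" -> product "OpenSSH", rest "3.4p1+CAN-2003-0693"
    product, _, rest = software.partition("_")
    # Apple-style suffix after "+" and Debian-style comments are both release identifiers.
    version, _, suffix = rest.partition("+")
    release = " ".join(t for t in (suffix, comments) if t)
    return SshBanner(m.group("proto"), product, version, release)


def triage(scan_results: Dict[str, str]) -> Dict[str, List[str]]:
    """Group scanned hosts by what a banner-only scan can conclude about patch state."""
    out: Dict[str, List[str]] = {
        "no_banner": [],            # no SSH identification string captured
        "bare_version": [],         # upstream version only: patch status unknown from outside
        "release_identified": [],   # vendor release/patch id present: can be matched to errata
    }
    for host, line in scan_results.items():
        banner = parse_ssh_banner(line)
        if banner is None:
            out["no_banner"].append(host)
        elif banner.has_release_id:
            out["release_identified"].append(host)
        else:
            out["bare_version"].append(host)
    return out


# Constructed sample scan output (hypothetical hosts; banner formats follow the
# Debian and Apple strings quoted in the bug report).
SAMPLE_SCAN = {
    "10.0.0.1": "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3\r\n",
    "10.0.0.2": "SSH-1.99-OpenSSH_3.4p1+CAN-2003-0693\r\n",
    "10.0.0.3": "SSH-2.0-OpenSSH_3.4p1\r\n",
    "10.0.0.4": "Connection refused\n",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_SCAN).items():
        print(f"{bucket}: {hosts}")
```

Hosts in the `bare_version` bucket are exactly the case the reporter describes: the scan cannot distinguish a patched vendor build from an unpatched one, and only a release identifier in the banner (or an authenticated package check on the host) resolves it.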