Bug 106466 - OpenSSH version identification should change on errata
Summary: OpenSSH version identification should change on errata
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssh
Version: 9
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-10-07 13:31 UTC by Jan Iven
Modified: 2007-04-18 16:58 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-02-07 14:23:44 UTC
Embargoed:

Attachments (Terms of Use)

Description Jan Iven 2003-10-07 13:31:40 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031003

Description of problem:
Please consider changing the ssh version identification string on updates (e.g.
by including the package release number). We use network scans to identify
unpatched machines, and with Red Hat we cannot tell from the outside whether a
machine is ok or not (either we annoy security-aware users, or we miss unpatched
systems).

I would not consider this a new security hole: ssh explicitly advertises its
version string in the initial exchange; attackers will most likely try any
exploit anyway if the version matches.
FYI, Apple recently released a version that identifies itself as 
 "OpenSSH_3.4p1+CAN-2003-0693", Debian uses "OpenSSH_3.4p1 Debian
1:3.4p1-1.woody.3" -- both are easy to identify as 'secure' against the recent
buffer management problems.
Comment 1 Tomas Mraz 2005-02-07 14:23:44 UTC 
There is now added ShowPatchLevel option which adds release identifier to the
version string.
Note You need to log in before you can comment on or make changes to this bug.