From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031003

Description of problem:
Please consider changing the ssh version identification string on updates (e.g. by including the package release number). We use network scans to identify unpatched machines, and with Red Hat we cannot tell from the outside whether a machine is ok or not (either we annoy security-aware users, or we miss unpatched systems).

I would not consider this a new security hole: ssh explicitly advertises its version string in the initial exchange; attackers will most likely try any exploit anyway if the version matches.

FYI, Apple recently released a version that identifies itself as "OpenSSH_3.4p1+CAN-2003-0693", Debian uses "OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3" -- both are easy to identify as 'secure' against the recent buffer management problems.

There is now an added ShowPatchLevel option, which adds the release identifier to the version string.
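
The scan-side check the report describes, as an added example (not part of the bug report or of OpenSSH): it parses an SSH identification line and shows why a bare upstream version is ambiguous to a scanner while the Apple and Debian strings quoted in the report are not. The `SSH-2.0-` prefix on the sample banners, the `KNOWN_FIXED` allowlist, the `ExampleVendor` marker and the function names are assumptions.

```python
import re

# RFC 4253 sec. 4.2 identification line:
#   SSH-protoversion-softwareversion SP comments
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Upstream part of an OpenSSH softwareversion, e.g. OpenSSH_3.4p1
UPSTREAM_RE = re.compile(r"^(OpenSSH_\d+(?:\.\d+)*(?:p\d+)?)(.*)$")

# Assumption: a site-maintained list of (upstream, vendor marker) pairs known
# to carry the fix. The two entries are the strings quoted in the report.
KNOWN_FIXED = {
    ("OpenSSH_3.4p1", "+CAN-2003-0693"),
    ("OpenSSH_3.4p1", "Debian 1:3.4p1-1.woody.3"),
}

def parse_ident(line):
    """Split an identification line into (proto, upstream, vendor_marker)."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification line: %r" % line)
    software = m.group("software")
    comments = (m.group("comments") or "").strip()
    u = UPSTREAM_RE.match(software)
    upstream, suffix = (u.group(1), u.group(2)) if u else (software, "")
    # A vendor may mark a patched build in the version suffix, the comments
    # field, or both; treat them together as one marker.
    marker = " ".join(part for part in (suffix, comments) if part)
    return m.group("proto"), upstream, marker

def classify(line):
    """Return 'patched', 'unlisted-marker' or 'ambiguous' for one banner."""
    _, upstream, marker = parse_ident(line)
    if not marker:
        # Bare upstream version: a backported fix is invisible from outside.
        return "ambiguous"
    return "patched" if (upstream, marker) in KNOWN_FIXED else "unlisted-marker"

# Constructed sample banners (SSH-2.0- prefix assumed, last marker made up).
SAMPLES = [
    "SSH-2.0-OpenSSH_3.4p1+CAN-2003-0693\r\n",
    "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3\r\n",
    "SSH-2.0-OpenSSH_3.4p1\r\n",
    "SSH-2.0-OpenSSH_3.4p1 ExampleVendor build-7\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print("%-14s %s" % (classify(banner), banner.strip()))
```
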