Red Hat Bugzilla – Bug 106466
OpenSSH version identification should change on errata
Last modified: 2007-04-18 12:58:11 EDT
Description of problem:
Please consider changing the ssh version identification string on updates (e.g.
by including the package release number). We use network scans to identify
unpatched machines, and with Red Hat we cannot tell from the outside whether a
machine is ok or not (either we annoy security-aware users, or we miss unpatched
I would not consider this a new security hole: ssh explicitly advertises its
version string in the initial exchange; attackers will most likely try any
exploit anyway if the version matches.
FYI, Apple recently released a version that identifies itself as
"OpenSSH_3.4p1+CAN-2003-0693", Debian uses "OpenSSH_3.4p1 Debian
1:3.4p1-1.woody.3" -- both are easy to identify as 'secure' against the recent
buffer management problems.
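As an added example (not part of the bug report or of any vendor's tooling), a defender-side scanner helper for the banner formats quoted above: it splits the RFC 4253 identification string into protocol, software version and comment, then buckets scanned hosts by whether the banner carries a vendor patch identifier like the Apple and Debian ones. The sample banners are constructed; the bare "OpenSSH_3.4p1" line is assumed to stand for the Red Hat banner the report complains about.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)
@dataclass
class Banner:
    protocol: str            # e.g. "2.0" or "1.99"
    software: str            # e.g. "OpenSSH_3.4p1"
    comments: Optional[str]  # vendor text after the space, if any

def parse_banner(line: str) -> Banner:
    """Split one identification string; raise on anything that is not SSH."""
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m.group("proto"), m.group("software"), m.group("comments"))

def patch_level(b: Banner) -> Optional[str]:
    """Vendor patch identifier, or None when only the upstream version is shown."""
    # Apple style from the report: "OpenSSH_3.4p1+CAN-2003-0693"
    if "+" in b.software:
        return b.software.split("+", 1)[1]
    # Debian style from the report: release string in the comments field
    if b.comments:
        return b.comments
    return None

def triage(banners: List[str]) -> Dict[str, List[str]]:
    """Bucket scan results: a banner with a patch identifier can be judged from outside, a bare upstream version cannot."""
    out: Dict[str, List[str]] = {"identifiable": [], "indeterminate": [], "unparseable": []}
    for raw in banners:
        try:
            b = parse_banner(raw)
        except ValueError:
            out["unparseable"].append(raw)
            continue
        out["identifiable" if patch_level(b) else "indeterminate"].append(raw)
    return out

# Constructed sample of lines a scanner would read from port 22 (assumed formats).
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.4p1\r\n",
    "SSH-2.0-OpenSSH_3.4p1+CAN-2003-0693\r\n",
    "SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3\r\n",
    "220 mail.example ESMTP\r\n",
]
```

Running `triage(SAMPLE_BANNERS)` puts only the bare Red Hat-style banner in the "indeterminate" bucket, which is exactly the host the reporter cannot classify from a network scan.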
There is now an added ShowPatchLevel option which adds the release identifier to the