Bug 106466 - OpenSSH version identification should change on errata
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: openssh
Version: 9
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Keywords: FutureFeature
Reported: 2003-10-07 09:31 EDT by Jan Iven
Modified: 2007-04-18 12:58 EDT
Doc Type: Enhancement
Last Closed: 2005-02-07 09:23:44 EST
Description Jan Iven 2003-10-07 09:31:40 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031003

Description of problem:
Please consider changing the ssh version identification string on updates (e.g.
by including the package release number). We use network scans to identify
unpatched machines, and with Red Hat we cannot tell from the outside whether a
machine is ok or not (either we annoy security-aware users, or we miss unpatched
systems).

I would not consider this a new security hole: ssh explicitly advertises its
version string in the initial exchange; attackers will most likely try any
exploit anyway if the version matches.
FYI, Apple recently released a version that identifies itself as
"OpenSSH_3.4p1+CAN-2003-0693", Debian uses "OpenSSH_3.4p1 Debian
1:3.4p1-1.woody.3" -- both are easy to identify as 'secure' against the recent
buffer management problems.

Comment 1 Tomas Mraz 2005-02-07 09:23:44 EST
There is now an added ShowPatchLevel option which adds the release identifier to
the version string.
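
Added example, not part of the bug report or of any Red Hat code: a sketch of the scanner-side check the report describes, showing why a bare upstream version is ambiguous while a vendor marker can be matched against errata data. The `SSH-2.0-`/`SSH-1.99-` prefixes, the function names and the `PATCHED_MARKERS` set are assumptions made for illustration; the two markers in it are the strings quoted in the description.

```python
import re

# Upstream OpenSSH version token, e.g. OpenSSH_3.4p1 or OpenSSH_3.7.1p2,
# followed by whatever the vendor appended to it.
_UPSTREAM = re.compile(r"^(OpenSSH_\d+(?:\.\d+)+(?:p\d+)?)(.*)$")

# Hypothetical operator-maintained list of (upstream version, vendor marker)
# pairs known to denote a patched build. Populated here with the two strings
# quoted in the report; a real scanner would load this from errata data.
PATCHED_MARKERS = {
    ("OpenSSH_3.4p1", "+CAN-2003-0693"),
    ("OpenSSH_3.4p1", "Debian 1:3.4p1-1.woody.3"),
}

def parse_banner(line):
    """Split an SSH identification line into (protoversion, upstream, marker)."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    proto, sep, rest = line[4:].partition("-")
    if not sep or not rest:
        raise ValueError("missing software version")
    # Everything after the first space is the free-form comments field.
    software, _, comments = rest.partition(" ")
    comments = comments.strip()
    m = _UPSTREAM.match(software)
    if not m:
        return proto, software, comments  # not OpenSSH: keep the token as-is
    upstream, suffix = m.groups()
    marker = " ".join(p for p in (suffix, comments) if p)
    return proto, upstream, marker

def classify(line):
    """Return 'patched', 'review' or 'ambiguous' for one banner line."""
    _, upstream, marker = parse_banner(line)
    if not marker:
        # Bare upstream version: a backported fix is invisible from outside.
        return "ambiguous"
    return "patched" if (upstream, marker) in PATCHED_MARKERS else "review"

if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for banner in ("SSH-2.0-OpenSSH_3.4p1\r\n",
                   "SSH-2.0-OpenSSH_3.4p1+CAN-2003-0693\r\n",
                   "SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3\r\n"):
        print(classify(banner), banner.strip())
```

A host that answers with only the upstream version lands in `ambiguous`, which is the case the report asks to eliminate; `review` covers markers the scanner has no errata entry for.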
