Debian Bug report logs - #139505
ssh announces 'Debian' and package version in its banner.


Package: ssh; Maintainer for ssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for ssh is src:openssh.

Reported by: Vincent Renardias <vincent@strongholdnet.com>

Date: Fri, 22 Mar 2002 18:03:01 UTC

Severity: wishlist

Tags: patch

Merged with 130876, 149877, 155669, 183848, 492557

Found in versions 1:3.0.2p1-5, 1:3.0.2p1-9, 1:3.4p1-2, 3.0.2p1-8, 3.5p1-4.1





Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to Vincent Renardias <vincent@strongholdnet.com>:
New Bug report received and forwarded. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Vincent Renardias <vincent@strongholdnet.com>
To: submit@bugs.debian.org
Subject: ssh announces 'Debian' and package version in its banner.
Date: Fri, 22 Mar 2002 18:52:04 +0100 (CET)
Package: ssh
Version: 3.0.2p1-8
Severity: grave

ssh now announces 'Debian' in its banner, as well as the package's exact
version number. This is a severe security problem, as it lets outsiders know
exactly which distribution and packages I use, even more so since ssh
suffered from several critical security problems recently.

Please leave the original version number untouched.

$ scanssh 172.16.6.0/24 | grep SSH
172.16.6.71 SSH-1.99-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8
172.16.6.72 SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-6
$

	Cordialement,

--
Vincent RENARDIAS
Directeur Technique
StrongHoldNET / http://www.strongholdnet.com
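As an added defender-side example (not code from this bug report or from the Debian package), the helper below does what a network administrator in Colin Watson's scenario needs: it parses banner lines in the scanssh layout quoted above and decides, from the Debian package version in the comments field, whether a host is at or past a given fixed revision, using dpkg's version ordering (epoch, then upstream, then revision, with "~" sorting lowest). The fixed revision 1:3.0.2p1-8 and the third host 172.16.6.73 are constructed placeholders; a banner that carries only the upstream OpenSSH string is reported as "unknown", since a backported fix leaves that string unchanged.

```python
import re
from itertools import zip_longest

# Identification string "SSH-protoversion-softwareversion[ SP comments]" (the form
# later fixed in RFC 4253 4.2); the Debian package puts "Debian <version>" in comments.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
DEBIAN_RE = re.compile(r"^Debian (?P<version>\S+)$")
RUN_RE = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs of a version

def parse_banner(line):
    """Split a banner into proto/software/comments/debian_version; None if malformed."""
    m = BANNER_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    dm = DEBIAN_RE.match(fields["comments"] or "")
    fields["debian_version"] = dm.group("version") if dm else None
    return fields

def _order(c):
    # dpkg character weight: "~" sorts before everything, even the end of a run
    # (passed as ""); letters before other symbols; "" itself weighs 0.
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _verrevcmp(a, b):
    # dpkg's per-component rule: compare alternating non-digit runs (character
    # weights) and digit runs (numerically, leading zeros irrelevant) until a difference.
    for (xs, xd), (ys, yd) in zip_longest(RUN_RE.findall(a), RUN_RE.findall(b), fillvalue=("", "")):
        for cx, cy in zip_longest(xs, ys, fillvalue=""):
            if _order(cx) != _order(cy):
                return _order(cx) - _order(cy)
        if int(xd or 0) != int(yd or 0):
            return int(xd or 0) - int(yd or 0)
    return 0

def dpkg_compare(v1, v2):
    """<0, 0 or >0 in dpkg's [epoch:]upstream[-revision] order (epoch numerically)."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# Constructed sample in the "<host> <banner>" layout of the report's scanssh output:
# its two hosts plus a constructed third whose banner carries only the upstream version.
SAMPLE_SCAN = """\
172.16.6.71 SSH-1.99-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-8
172.16.6.72 SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-6
172.16.6.73 SSH-2.0-OpenSSH_3.0.2p1
"""

def triage(scan_output, fixed_version):
    """Map host -> 'patched' / 'unpatched' / 'unknown' against the Debian package
    version carrying the fix (fixed_version is a hypothetical placeholder here).
    'unknown' is the honest verdict for a banner with no Debian field."""
    verdict = {}
    for line in filter(None, scan_output.splitlines()):
        host, _, banner = line.partition(" ")
        fields = parse_banner(banner)
        if fields is None or fields["debian_version"] is None:
            verdict[host] = "unknown"
        elif dpkg_compare(fields["debian_version"], fixed_version) >= 0:
            verdict[host] = "patched"
        else:
            verdict[host] = "unpatched"
    return verdict
```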




Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #10 received at 139505@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Vincent Renardias <vincent@strongholdnet.com>, 139505@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Fri, 22 Mar 2002 22:17:41 +0000
severity 139505 wishlist
merge 130876 139505
thanks

Vincent Renardias wrote:
>Package: ssh
>Version: 3.0.2p1-8
>Severity: grave
>
>ssh now announces 'Debian' in its banner, as well as the package's exact
>version number. This is a severe security problem, as it lets outsiders know
>exactly which distribution and packages I use, even more so since ssh
>suffered from several critical security problems recently.
>
>Please leave the original version number untouched.

This has already been discussed at some length in bug #130876. See
especially
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=130876&msg=54, where
the ssh maintainer notes that he'd accept an offer to create and
maintain a patch creating a configuration option to allow this to be
changed.

Some people do find this behaviour useful as a means of letting network
administrators know that their machine is *not* vulnerable, since a
given Debian version has usually had more security patches applied to it
than the bare OpenSSH version advertised in the standard ssh banner.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]



Severity set to `wishlist'. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 130876 139505. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to Vincent Renardias <vincent@strongholdnet.com>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #19 received at 139505@bugs.debian.org (full text, mbox):

From: Vincent Renardias <vincent@strongholdnet.com>
To: Colin Watson <cjwatson@debian.org>
Cc: 139505@bugs.debian.org, BTS Control <control@bugs.debian.org>
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 15:12:47 +0100 (CET)
severity 139505 grave
thanks

1/ A bug that lets anyone on the Internet know precisely which ssh package
version I'm running can hardly be considered 'wishlist'.

2/ How come this modification was introduced in the first place?! Doesn't
the Debian policy say not to make unnecessary modifications to the
upstream code? (And it seems to have been introduced recently)

3/ Network administrators who want to see if their network is vulnerable
or not should use 'dpkg -l ssh' (the "real" way to get an installed
package version).

4/ As rightfully said in bug report 130876, upstream is certainly unlikely
to accept such a dangerous (security-wise) patch. Therefore, just use the
upstream code as is.


On Fri, 22 Mar 2002, Colin Watson wrote:

> severity 139505 wishlist
> merge 130876 139505
> thanks
> 
> Vincent Renardias wrote:
> >Package: ssh
> >Version: 3.0.2p1-8
> >Severity: grave
> >
> >ssh now announces 'Debian' in its banner, as well as the package's exact
> >version number. This is a severe security problem, as it lets outsiders know
> >exactly which distribution and packages I use, even more so since ssh
> >suffered from several critical security problems recently.
> >
> >Please leave the original version number untouched.
> 
> This has already been discussed at some length in bug #130876. See
> especially
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=130876&msg=54, where
> the ssh maintainer notes that he'd accept an offer to create and
> maintain a patch creating a configuration option to allow this to be
> changed.
> 
> Some people do find this behaviour useful as a means of letting network
> administrators know that their machine is *not* vulnerable, since a
> given Debian version has usually had more security patches applied to it
> than the bare OpenSSH version advertised in the standard ssh banner.
> 
> -- 
> Colin Watson                                  [cjwatson@flatline.org.uk]
> 

--
Vincent RENARDIAS
Directeur Technique
StrongHoldNET / http://www.strongholdnet.com




Severity set to `grave'. Request was from Vincent Renardias <vincent@strongholdnet.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #26 received at 139505@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Vincent Renardias <vincent@strongholdnet.com>
Cc: 139505@bugs.debian.org
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 14:24:22 +0000
On Mon, Mar 25, 2002 at 03:12:47PM +0100, Vincent Renardias wrote:
> 1/ A bug that lets anyone on the Internet know precisely which ssh package
> version I'm running can hardly be considered 'wishlist'.

The Internet can already tell precisely what upstream version of ssh
you're running. Given that successive Debian versions introduce more
security patches as a general rule, how is this a problem?

Evidently you consider the upstream version in OpenSSH's standard banner
(from upstream) to be a security problem.

> 3/ Network administrators who want to see if their network is vulnerable
> or not should use 'dpkg -l ssh' (the "real" way to get an installed
> package version).

Network administrators do not necessarily have access to the machine
itself. The case in point was Debian users repeatedly being told by the
administrators of their network that they had an insecure ssh (and so
filing bugs or pestering security@d.o) when they actually didn't.

> 4/ As rightfully said in bug report 130876, upstream is certainly unlikely
> to accept such a dangerous (security-wise) patch.

That wasn't the context of the remark in #130876.

-- 
Colin Watson (not the openssh maintainer)     [cjwatson@flatline.org.uk]



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #31 received at 139505@bugs.debian.org (full text, mbox):

From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
To: Vincent Renardias <vincent@strongholdnet.com>
Cc: 139505@bugs.debian.org
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 15:26:54 +0100
Vincent Renardias <vincent@strongholdnet.com> writes:

> 1/ A bug that lets anyone on the Internet know precisely which ssh package
> version I'm running can hardly be considered 'wishlist'.

Why not? Do you fear that your clients will notice if you do not patch
vulnerable OpenSSH servers?

> 2/ How come this modification was introduced in the first place?! Doesn't
> the Debian policy say not to make unnecessary modifications to the
> upstream code? (And it seems to have been introduced recently)

The modification is a welcome improvement.

> 3/ Network administrators who want to see if their network is vulnerable
> or not should use 'dpkg -l ssh' (the "real" way to get an installed
> package version).

You know what the "network" in "network administrator" means, do you?

> 4/ As rightfully said in bug report 130876, upstream is certainly unlikely
> to accept such a dangerous (security-wise) patch. Therefore, just use the
> upstream code as is.

Why do you think this patch is dangerous?

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to Mark Brown <broonie@sirena.org.uk>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #36 received at 139505@bugs.debian.org (full text, mbox):

From: Mark Brown <broonie@sirena.org.uk>
To: Vincent Renardias <vincent@strongholdnet.com>, 139505@bugs.debian.org
Cc: Colin Watson <cjwatson@debian.org>
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 14:48:47 +0000
On Mon, Mar 25, 2002 at 03:12:47PM +0100, Vincent Renardias wrote:

> 1/ A bug that lets anyone on the Internet know precisely which ssh package
> version I'm running can hardly be considered 'wishlist'.

It also can't really be considered grave, unless changing the version
string has introduced an exploit in itself.  One might equally well
suggest that not including the Debian revision is a serious problem
since it creates the false impression that people are running a
vulnerable version of SSH.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to Vincent Renardias <vincent@strongholdnet.com>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #41 received at 139505@bugs.debian.org (full text, mbox):

From: Vincent Renardias <vincent@strongholdnet.com>
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Cc: 139505@bugs.debian.org
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 16:00:32 +0100 (CET)
On Mon, 25 Mar 2002, Florian Weimer wrote:

> Vincent Renardias <vincent@strongholdnet.com> writes:
> 
> > 1/ A bug that lets anyone on the Internet know precisely which ssh package
> > version I'm running can hardly be considered 'wishlist'.
> 
> Why not? Do you fear that your clients will notice if you do not patch
> vulnerable OpenSSH servers?

For one thing, this patch allows anybody to know that the target is
running Debian.
On many of my servers, that's the only way to know that I'm running an up
to date Debian (all the default service headers are changed, and TCP/IP
fingerprinting is defeated by appropriate firewalling), so this
"feature" is ruining my efforts to keep the server "anonymous".


> > 2/ How come this modification was introduced in the first place?! Doesn't
> > the Debian policy say not to make unnecessary modifications to the
> > upstream code? (And it seems to have been introduced recently)
> 
> The modification is a welcome improvement.

What's the next improvement planned? Show the account list? Add root's
password in the banner also?

> > 3/ Network administrators who want to see if their network is vulnerable
> > or not should use 'dpkg -l ssh' (the "real" way to get an installed
> > package version).
> 
> You know what the "network" in "network administrator" means, do you?

The network administrators have other tools for this purpose (Applicative
Firewalls, Vulnerability scanners like Nessus, etc...)

> > 4/ As rightfully said in bug report 130876, upstream is certainly unlikely
> > to accept such a dangerous (security-wise) patch. Therefore, just use the
> > upstream code as is.
> 
> Why do you think this patch is dangerous?

I don't "think" it is dangerous, it IS dangerous. Revealing the exact
package version allows anybody to know:
- the OS (Linux),
- the distribution (Debian),
- the installation path of the most current tools,
- the compilation options of ssh (kerberos support?, etc.),
and that's definitely too much.

If this "feature" is SO useful, why don't packages like Exim, Apache,
Sendmail, etc. also print their Debian package number in their banner?

Still not convinced? Look at bugtraq archives (keywords: "information
disclosure"), and you'll see that even allowing to know something like the
web root directory is considered as a vulnerability.

	Cordialement,

--
Vincent RENARDIAS
Directeur Technique
StrongHoldNET / http://www.strongholdnet.com




Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to Vincent Renardias <vincent@strongholdnet.com>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #46 received at 139505@bugs.debian.org (full text, mbox):

From: Vincent Renardias <vincent@strongholdnet.com>
To: Mark Brown <broonie@sirena.org.uk>
Cc: 139505@bugs.debian.org, Colin Watson <cjwatson@debian.org>
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 16:03:43 +0100 (CET)
On Mon, 25 Mar 2002, Mark Brown wrote:

> On Mon, Mar 25, 2002 at 03:12:47PM +0100, Vincent Renardias wrote:
> 
> > 1/ A bug that lets anyone on the Internet know precisely which ssh package
> > version I'm running can hardly be considered 'wishlist'.
> 
> It also can't really be considered grave, unless changing the version
> string has introduced an exploit in itself.  One might equally well
> suggest that not including the Debian revision is a serious problem
> since it creates the false impression that people are running a
> vulnerable version of SSH.

No, it doesn't introduce a known exploit, but it may show in the future
which exploit to run against this machine.
It's enough to guarantee an inclusion in bugtraq's list of
vulnerabilities. Is this really what we want?

Cordialement,

--
Vincent RENARDIAS
Directeur Technique
StrongHoldNET / http://www.strongholdnet.com




Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #51 received at 139505@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Vincent Renardias <vincent@strongholdnet.com>
Cc: Mark Brown <broonie@sirena.org.uk>, 139505@bugs.debian.org
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 15:06:51 +0000
On Mon, Mar 25, 2002 at 04:03:43PM +0100, Vincent Renardias wrote:
> On Mon, 25 Mar 2002, Mark Brown wrote:
> > On Mon, Mar 25, 2002 at 03:12:47PM +0100, Vincent Renardias wrote:
> > > 1/ A bug that lets anyone on the Internet know precisely which ssh package
> > > version I'm running can hardly be considered 'wishlist'.
> > 
> > It also can't really be considered grave, unless changing the version
> > string has introduced an exploit in itself.  One might equally well
> > suggest that not including the Debian revision is a serious problem
> > since it creates the false impression that people are running a
> > vulnerable version of SSH.
> 
> No, it doesn't introduce a known exploit, but it may show in the future
> which exploit to run against this machine.

Please tell me how it shows this any more than the upstream version in
the standard banner.

> It's enough to guarantee an inclusion in bugtraq's list of
> vulnerabilities.

Please tell me how it guarantees this any more than the upstream version
in the standard banner.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to Mark Brown <broonie@sirena.org.uk>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #56 received at 139505@bugs.debian.org (full text, mbox):

From: Mark Brown <broonie@sirena.org.uk>
To: Vincent Renardias <vincent@strongholdnet.com>
Cc: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, 139505@bugs.debian.org
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 17:08:24 +0000
On Mon, Mar 25, 2002 at 04:00:32PM +0100, Vincent Renardias wrote:
> On Mon, 25 Mar 2002, Florian Weimer wrote:
> > Vincent Renardias <vincent@strongholdnet.com> writes:

> > You know what the "network" in "network administrator" means, do you?

> The network administrators have other tools for this purpose (Applicative
> Firewalls, Vulnerability scanners like Nessus, etc...)

You realise that many of the vulnerability testers actually just probe
the version number?

> Still not convinced? Look at bugtraq archives (keywords: "information
> disclosure"), and you'll see that even allowing to know something like the
> web root directory is considered as a vulnerability.

One could apply the same argument equally well to any disclosure of the
version number, including that done by default by SSH.  If you're going
to get worked up about something get worked up about that.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to Vincent Renardias <vincent@strongholdnet.com>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #61 received at 139505@bugs.debian.org (full text, mbox):

From: Vincent Renardias <vincent@strongholdnet.com>
To: Mark Brown <broonie@sirena.org.uk>
Cc: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, 139505@bugs.debian.org
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Mon, 25 Mar 2002 18:12:42 +0100 (CET)
On Mon, 25 Mar 2002, Mark Brown wrote:

> On Mon, Mar 25, 2002 at 04:00:32PM +0100, Vincent Renardias wrote:
> > On Mon, 25 Mar 2002, Florian Weimer wrote:
> > > Vincent Renardias <vincent@strongholdnet.com> writes:
> 
> > > You know what the "network" in "network administrator" means, do you?
> 
> > The network administrators have other tools for this purpose (Applicative
> > Firewalls, Vulnerability scanners like Nessus, etc...)
> 
> You realise that many of the vulnerability testers actually just probe
> the version number?

Yes, and the default banner of SSH is enough for this purpose; there is no
need to add any extra information.

> > Still not convinced? Look at bugtraq archives (keywords: "information
> > disclosure"), and you'll see that even allowing to know something like the
> > web root directory is considered as a vulnerability.
> 
> One could apply the same argument equally well to any disclosure of the
> version number, including that done by default by SSH.  If you're going
> to get worked up about something get worked up about that.

SSH version number (default banner) is okay-ish. Deliberately adding the
distribution name & ssh package version is giving away too much
information.

Cordialement,

--
Vincent RENARDIAS
Directeur Technique
StrongHoldNET / http://www.strongholdnet.com




Severity set to `wishlist'. Request was from Alex Pennace <alex@pennace.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#139505; Package ssh. Full text and rfc822 format available.

Acknowledgement sent to "Jonathan D. Amery" <jdamery@chiark.greenend.org.uk>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #68 received at 139505@bugs.debian.org (full text, mbox):

From: "Jonathan D. Amery" <jdamery@chiark.greenend.org.uk>
To: 139505@bugs.debian.org
Cc: vincent@strongholdnet.com, broonie@sirena.org.uk, Weimer@CERT.Uni-Stuttgart.DE
Subject: Re: Bug#139505: ssh announces 'Debian' and package version in its banner.
Date: Thu, 28 Mar 2002 13:00:50 +0000 (GMT)
> Vincent Renardias <vincent@strongholdnet.com> writes:
> > On Mon, 25 Mar 2002, Mark Brown wrote:
> > On Mon, Mar 25, 2002 at 04:00:32PM +0100, Vincent Renardias wrote:
> > > On Mon, 25 Mar 2002, Florian Weimer wrote:
> > > > Vincent Renardias <vincent@strongholdnet.com> writes:
> > > > You know what the "network" in "network administrator" means, do you?
> > > The network administrators have other tools for this purpose (Applicative
> > > Firewalls, Vulnerability scanners like Nessus, etc...)
> > You realise that many of the vulnerability testers actually just probe
> > the version number?
> Yes, and the default banner of SSH is enough for this purpose; there is no
> need to add any extra information.

Why do you claim this, when the Debian version often has different (and
usually fewer) security problems than upstream with the same upstream
version number (thanks to the stable security update policy)?

> > > Still not convinced? Look at bugtraq archives (keywords: "information
> > > disclosure"), and you'll see that even allowing to know something like the
> > > web root directory is considered as a vulnerability.
> > One could apply the same argument equally well to any disclosure of the
> > version number, including that done by default by SSH.  If you're going
> > to get worked up about something get worked up about that.
> SSH version number (default banner) is okay-ish. Deliberately adding the
> distribution name & ssh package version is giving away too much
> information.

How does adding this information actually make the system more insecure
than it already is?

-- 
Jonathan Amery.       'Be still, and acknowledge that I am God,
   #####               supreme over nations, supreme over the world.'
  #######__o             Yahweh Saboath is with us,
  #######'/              our citadel, the God of Jacob.   - Ps46:10-11 (NJB)




Merged 130876 139505 149877. Request was from "M.C. Vernon" <mcv21@cus.cam.ac.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 130876 139505 149877 155669. Request was from "M.C. Vernon" <mcv21@cus.cam.ac.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: security Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 130876 139505 149877 155669 183848. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 130876 139505 149877 155669 183848 492557. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Sun, 27 Jul 2008 10:12:06 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 07:52:30 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.