On 6 January 2012 21:46, Kevin Kofler <kevin.kofler@xxxxxxxxx> wrote:
> Reindl Harald wrote:
>> would it not be a good idea to NOT disclose service versions?
>> https://bugzilla.redhat.com/show_bug.cgi?id=718133
>>
>> you will more and more have the "problem" of 3rd party
>> security scans to your servers and currently in the case
>> of openssh the only solution is to take the F16-src-rpm
>> and rebuild it for your F15 machines
>
> If the scan is looking at the version to determine vulnerability, it is
> completely broken, useless and unsupportable, because fixes can be
> backported.

I am going with Kevin on this one. The real hacking tools check to see if a vulnerability works or not. The broken "audit" scanners only check to see if a header is this or that. Not putting the header only gets you past the auditors and doesn't stop the real hacker from getting in if the vulnerability is there.

--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Years ago my mother used to say to me,... Elwood, you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant. You may quote me." —James Stewart as Elwood P. Dowd

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
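The point Kevin and Stephen make above, that a scanner which only compares the advertised version against the upstream fix release will misclassify a distribution package carrying a backported fix, can be shown with a small script. This is an added example, not code from the thread or from any Fedora tooling; the banner strings, the `EXAMPLE-ISSUE-1` identifier, the "fixed in 5.9" threshold and the changelog line are all constructed sample data, not real vulnerability information.

```python
"""Version-banner matching versus a backport-aware check.

Added example for the mailing-list discussion above. All sample data
(banners, issue id, fix version, changelog) is constructed, not real.
"""
import re

# Matches "SSH-2.0-OpenSSH_5.6" or "SSH-2.0-OpenSSH_5.6p1"; a banner with
# the version stripped ("SSH-2.0-OpenSSH") does not match.
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")


def parse_banner(banner):
    """Return (major, minor) from an OpenSSH identification string,
    or None when the version is absent or the banner is not OpenSSH."""
    m = BANNER_RE.match(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_verdict(banner, fixed_in):
    """The 'audit scanner' logic the thread criticises: decide purely
    from the advertised version whether the upstream fix is present."""
    version = parse_banner(banner)
    if version is None:
        return "unknown"          # hidden banner: no information, not "safe"
    return "vulnerable" if version < fixed_in else "fixed"


def changelog_records_fix(changelog, issue_id):
    """A distribution changelog entry naming the issue is what a
    backported fix looks like from the package metadata side."""
    return any(issue_id in line for line in changelog)


def backport_aware_verdict(banner, fixed_in, changelog, issue_id):
    """Same version comparison, but package metadata that records a
    backport of the issue overrides the version-only conclusion."""
    if changelog_records_fix(changelog, issue_id):
        return "fixed"
    return banner_verdict(banner, fixed_in)


# Constructed sample: a hypothetical issue fixed upstream in 5.9, while the
# distribution still ships 5.6 with the fix backported and noted in its
# package changelog (sample entry, not a real changelog).
ISSUE_ID = "EXAMPLE-ISSUE-1"
FIXED_IN = (5, 9)
SAMPLE_BANNER = "SSH-2.0-OpenSSH_5.6"
SAMPLE_CHANGELOG = [
    "- rebuild for sample release",
    "- backport upstream fix for EXAMPLE-ISSUE-1 (constructed entry)",
]


def compare_sample():
    """Run both checks over the constructed sample and return the verdicts."""
    return {
        "version_only": banner_verdict(SAMPLE_BANNER, FIXED_IN),
        "backport_aware": backport_aware_verdict(
            SAMPLE_BANNER, FIXED_IN, SAMPLE_CHANGELOG, ISSUE_ID),
        "hidden_banner": banner_verdict("SSH-2.0-OpenSSH", FIXED_IN),
    }


if __name__ == "__main__":
    for name, verdict in compare_sample().items():
        print("%-15s %s" % (name, verdict))
```

The version-only check reports the sample host as vulnerable even though the package carries the fix, and a banner with the version removed only moves it to "unknown"; neither result says anything about whether the code path is actually patched, which is the gap the thread describes between header checks and a test of the behaviour itself.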