On Sat, Jan 7, 2012 at 5:24 AM, Bruno Wolff III <bruno@xxxxxxxx> wrote:
> On Sat, Jan 07, 2012 at 05:09:42 +0100,
>  Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>>
>> however - why do we spit the current running versions to everyone?
>
> It can help when troubleshooting problems. The current version isn't
> really that helpful to attackers anyway. It's about as easy to just try
> an exploit as it is to first test to see if the exploit might work and
> then try it.

Actually, knowing the exact build/version can help select the right
exploit/payload so that the exploit succeeds on the first try (and leaves
no or very little evidence behind) instead of trying 10 different variants
and causing a large log/IDS signature. Hence, the less specific the version
information is, the better.

(Address randomization is often a larger obstacle than an unknown
build/version number, but address randomization only affects a certain
class of vulnerabilities.)

In the particular case of SSH, we are really dealing with a "protocol
identifier", not a "version number", and it needs to be treated as such -
ideally by the auditors as well.

Mirek

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
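The distinction Mirek draws between a protocol identifier and a version number can be made concrete by parsing the SSH identification string defined in RFC 4253 section 4.2 ("SSH-protoversion-softwareversion SP comments CR LF"). The following is an added example, not code from the mailing-list thread or from any SSH implementation: it separates the one field a peer actually needs (the protocol version) from the fields that only fingerprint the build (software version and comments), and rebuilds a banner that keeps the former and drops the latter. The sample banners, the non-empty-softwareversion rule, and the `software_name` parameter are constructed or assumed for illustration.

```python
# Added example (not code from the Fedora devel thread): parse an SSH
# identification string per RFC 4253 section 4.2 and split the part a peer
# needs (the protocol version) from the part that only fingerprints the
# implementation (software version and comments). Sample banners below are
# constructed for illustration, not captured from any host.
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# protoversion and softwareversion are printable US-ASCII without whitespace
# or '-'; comments are optional and the peer "should ignore" them.
_SOFTWARE_CHARS = r"[\x21-\x2c\x2e-\x7e]"  # 0x21..0x7e minus '-' (0x2d)
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>" + _SOFTWARE_CHARS + r"+)"
    r"(?: (?P<comments>[\x20-\x7e]*))?$"
)
_SOFTWARE_RE = re.compile("^" + _SOFTWARE_CHARS + "+$")
_MAX_IDENT_LEN = 255  # RFC 4253: at most 255 characters including CR LF


@dataclass(frozen=True)
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_ident(line: bytes) -> SshIdent:
    """Parse one identification line; a trailing CR LF (or bare LF) is accepted.

    Assumption: softwareversion must be non-empty. The RFC constrains its
    characters but does not state a minimum length.
    """
    if len(line) > _MAX_IDENT_LEN:
        raise ValueError("identification string exceeds 255 bytes")
    text = line.decode("ascii").rstrip("\r\n")  # non-ASCII is not valid here
    m = _IDENT_RE.match(text)
    if m is None:
        raise ValueError(f"malformed identification string: {text!r}")
    return SshIdent(m.group("proto"), m.group("software"), m.group("comments"))


def is_valid_ident(line: bytes) -> bool:
    """True if the line is a well-formed identification string."""
    try:
        parse_ident(line)
    except ValueError:  # UnicodeDecodeError is a subclass of ValueError
        return False
    return True


def speaks_ssh2(ident: SshIdent) -> bool:
    """The one thing a peer must take from the banner: can we run SSH 2.0?

    RFC 4253 uses "1.99" for servers that support both 1.x and 2.0 clients.
    """
    return ident.protoversion in ("2.0", "1.99")


def fingerprint_fields(ident: SshIdent) -> dict:
    """Everything after the protocol version is implementation fingerprint:
    this is what lets an attacker pick the exploit for an exact build."""
    return {"softwareversion": ident.softwareversion, "comments": ident.comments}


def minimal_ident(ident: SshIdent, software_name: str) -> bytes:
    """Rebuild the banner keeping the protocol identifier and a bare product
    name (softwareversion cannot be omitted), dropping build number and
    comments. software_name is caller-supplied: deriving a generic name from
    something like "OpenSSH_5.9p1" is vendor convention, not protocol."""
    if not _SOFTWARE_RE.match(software_name):
        raise ValueError("software_name must be printable ASCII without spaces or '-'")
    return f"SSH-{ident.protoversion}-{software_name}\r\n".encode("ascii")


if __name__ == "__main__":
    # Constructed sample banners for illustration.
    samples = (
        b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n",
        b"SSH-1.99-Foo_1.0\r\n",
        b"SSH-1.5-Bar\r\n",
    )
    for raw in samples:
        ident = parse_ident(raw)
        print(raw, "ssh2:", speaks_ssh2(ident), "leaks:", fingerprint_fields(ident))
    print(minimal_ident(parse_ident(samples[0]), "OpenSSH"))
```

Two caveats a practitioner would want before trimming a real banner: some implementations match on the peer's softwareversion string to enable bug-compatibility workarounds (OpenSSH does this), so shortening it is an interoperability decision rather than a free change; and the comments field, which the RFC says the peer should ignore, is exactly where distribution packaging often places its own patch level, so it is usually the most precise fingerprint in the line.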