Reported version numbers of base openssl and sshd
Dag-Erling Smørgrav
des at des.no
Wed Oct 5 12:51:14 UTC 2016
Roger Eddins <support at purplecat.net> writes:
> [...] Across the board we are finding other processes in commerce
> tools rejecting transactions due to version number deficiencies and
> the problem is growing rapidly. My hope would be that the team would
> reconsider the version number question as it is the biggest deficiency
> we experience daily using the FreeBSD OS.
Once again: how do they handle RHEL? Because Red Hat, the 800-pound
gorilla of the Open Source world, does the same thing that we do:
backport patches without bumping the version number. And in fact, they
do *less* than we do, because for OpenSSL and OpenSSH, we have version
suffixes which should reflect the date of the last patch, so even an
automated scanner *can* be taught to distinguish a vulnerable machine
from a patched one - as long as secteam remembers to bump the suffix
when they patch the software.
DES
--
Dag-Erling Smørgrav - des at des.no
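As an added illustration of the point made above (this is example code, not part of the original thread or of FreeBSD), here is how a patch-compliance check can use the date suffix rather than the bare upstream version. The banners are constructed samples, the patch date is a placeholder, and the assumption is that FreeBSD's base sshd advertises its last patch date as a `FreeBSD-YYYYMMDD` suffix after the OpenSSH version; a host without such a suffix is reported as "unknown" rather than guessed at.

```python
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample banners for illustration (not taken from the thread).
# The "FreeBSD-YYYYMMDD" suffix layout is an assumption about how FreeBSD's
# base sshd reports the date of its last patch.
SAMPLE_BANNERS = {
    "freebsd_patched": "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
    "freebsd_stale":   "SSH-2.0-OpenSSH_7.2 FreeBSD-20150601",
    "no_suffix":       "SSH-2.0-OpenSSH_7.2p2",
    "unrelated":       "SSH-2.0-dropbear_2016.74",
}

# Placeholder date of a hypothetical base-system patch (constructed).
EXAMPLE_PATCH_DATE = date(2016, 1, 1)

BANNER_RE = re.compile(
    r"^SSH-2\.0-OpenSSH_(?P<ver>\d+(?:\.\d+)*(?:p\d+)?)"
    r"(?:\s+FreeBSD-(?P<suffix>\d{8}))?"
)


def parse_banner(banner: str) -> Optional[Tuple[str, Optional[date]]]:
    """Return (openssh_version, suffix_date), or None if this is not an
    OpenSSH banner. suffix_date is None when no FreeBSD suffix is present
    or the suffix is not a valid date."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    suffix = m.group("suffix")
    suffix_date = None
    if suffix:
        try:
            suffix_date = date(int(suffix[:4]), int(suffix[4:6]), int(suffix[6:]))
        except ValueError:
            suffix_date = None  # malformed suffix: treat as unknown
    return m.group("ver"), suffix_date


def patched_since(banner: str, patch_date: date) -> Optional[bool]:
    """True  -> suffix date is on or after patch_date (patch present)
    False -> suffix date predates patch_date (likely unpatched)
    None  -> cannot tell from the banner alone (no suffix, or not OpenSSH)"""
    parsed = parse_banner(banner)
    if parsed is None or parsed[1] is None:
        return None
    return parsed[1] >= patch_date


def triage(banners: Dict[str, str], patch_date: date) -> Dict[str, List[str]]:
    """Bucket hosts into patched / stale / unknown for a compliance report.
    The bare upstream version is deliberately ignored: only the suffix
    date says whether the backported fix is present."""
    report: Dict[str, List[str]] = {"patched": [], "stale": [], "unknown": []}
    for host, banner in banners.items():
        verdict = patched_since(banner, patch_date)
        key = "unknown" if verdict is None else ("patched" if verdict else "stale")
        report[key].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_BANNERS, EXAMPLE_PATCH_DATE).items():
        print(f"{bucket}: {hosts}")
```

The "unknown" bucket is the important design choice: a scanner that only sees `OpenSSH_7.2` has no basis for a verdict either way, so it should say so rather than flag the host on the upstream version alone.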