Reported version numbers of base openssl and sshd
Vladimir Terziev
Vladimir.Terziev at bwinparty.com
Wed Oct 5 13:23:08 UTC 2016
In fact, with Red Hat the same issue exists.
Every time we have an audit (not PCI only), we have to explain to the auditors Red Hat's back-porting policy and show them the change-log of the packages.
Roger, you can follow a similar path. Your FreeBSD systems are at a certain security patch level (uname -r). You can show that to the auditors along with a log of the changes this patch level incorporates.
Vladimir
On Oct 5, 2016, at 3:51 PM, Dag-Erling Smørgrav <des at des.no> wrote:
> Roger Eddins <support at purplecat.net> writes:
>> [...] Across the board we are finding other processes in commerce
>> tools rejecting transactions due to version number deficiencies and
>> the problem is growing rapidly. My hope would be that the team would
>> reconsider the version number question as it is the biggest deficiency
>> we experience daily using the FreeBSD OS.
>
> Once again: how do they handle RHEL? Because Red Hat, the 800-pound
> gorilla of the Open Source world, does the same thing that we do:
> backport patches without bumping the version number. And in fact, they
> do *less* than we do, because for OpenSSL and OpenSSH, we have version
> suffixes which should reflect the date of the last patch, so even an
> automated scanner *can* be taught to distinguish a vulnerable machine
> from a patched one - as long as secteam remembers to bump the suffix
> when they patch the software.
>
> DES
> --
> Dag-Erling Smørgrav - des at des.no
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
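As an added illustration of the point DES makes above (this is example code written for this page, not code from the thread, from FreeBSD's secteam or from any scanner vendor): a scanner that only compares the upstream OpenSSH version number will flag a back-ported FreeBSD host as vulnerable, but one that reads the `-pN` suffix from `uname -r` and the `FreeBSD-YYYYMMDD` date suffix from the sshd banner can tell a patched machine from an unpatched one. The sample strings below are constructed in the shape FreeBSD emits, not captured from a real host, and the baseline values (release 10.3 at `-p9`, sshd date `20160310`) are hypothetical placeholders rather than the fix level of any real advisory.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample output in the shape FreeBSD produces (not captured from a real host).
SAMPLE_UNAME_R = "10.3-RELEASE-p9"
SAMPLE_SSH_BANNER = "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310"


class PatchLevel(NamedTuple):
    release: str   # e.g. "10.3"
    branch: str    # e.g. "RELEASE", "STABLE", "CURRENT"
    patch: int     # the -pN security patch suffix; 0 when absent


def parse_uname_r(s: str) -> PatchLevel:
    """Split a `uname -r` string such as '10.3-RELEASE-p9' into release, branch
    and security patch level. A string without -pN is patch level 0."""
    m = re.fullmatch(r"(\d+\.\d+)-([A-Z0-9]+)(?:-p(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised uname -r string: {s!r}")
    return PatchLevel(m.group(1), m.group(2), int(m.group(3) or 0))


def parse_ssh_banner_date(banner: str) -> Optional[str]:
    """Return the YYYYMMDD date from a FreeBSD-style 'OpenSSH_x.y FreeBSD-YYYYMMDD'
    banner, or None if the banner carries no such suffix (e.g. a stock upstream
    build, which a date-aware check should treat as 'unknown', not 'patched')."""
    m = re.search(r"OpenSSH_[\w.]+ FreeBSD-(\d{8})", banner)
    return m.group(1) if m else None


def assess_host(uname_r: str, banner: str, required_release: str,
                required_patch: int, required_ssh_date: str) -> dict:
    """Compare a host against a hypothetical baseline: the given release must be
    at least at -p<required_patch>, and sshd must have been built on or after
    required_ssh_date. The upstream OpenSSH version number is deliberately never
    consulted; it does not change when FreeBSD back-ports a fix."""
    pl = parse_uname_r(uname_r)
    ssh_date = parse_ssh_banner_date(banner)
    return {
        "base_patched": pl.release == required_release and pl.patch >= required_patch,
        # YYYYMMDD strings compare correctly as plain strings.
        "sshd_patched": ssh_date is not None and ssh_date >= required_ssh_date,
    }


if __name__ == "__main__":
    # Hypothetical baseline values, not a real advisory's fix level.
    print(assess_host(SAMPLE_UNAME_R, SAMPLE_SSH_BANNER, "10.3", 9, "20160310"))
    print(assess_host("10.3-RELEASE-p8", "SSH-2.0-OpenSSH_7.2 FreeBSD-20160201",
                      "10.3", 9, "20160310"))
```

On a live FreeBSD host the two inputs would come from `uname -r` and from the first line sshd sends on port 22 (or `sshd -V` output); the check relies on secteam bumping the date suffix whenever they patch, which is exactly the caveat DES raises.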