service version disclosure

Reindl Harald h.reindl at thelounge.net
Sat Jan 7 05:31:04 UTC 2012


On 07.01.2012 06:13, Stephen John Smoogen wrote:
> On 6 January 2012 21:46, Kevin Kofler <kevin.kofler at chello.at> wrote:
>> Reindl Harald wrote:
>>> would it not be a good idea to NOT disclose service versions?
>>> https://bugzilla.redhat.com/show_bug.cgi?id=718133
>>>
>>> you will more and more have the "problem" of 3rd party
>>> security scans to your servers and currently in the case
>>> of openssh the only solution is to take the F16-src-rpm
>>> and rebuild it for your F15 machines
>>
>> If the scan is looking at the version to determine vulnerability, it is
>> completely broken, useless and unsupportable, because fixes can be
>> backported.

if you have a big customer which hires a 3rd party auditor
you are NOT in the position to give such arguments, or
you can give them but you can not change ANYTHING in
the fact that finally "fix it or shutdown the service"
is what you have to do

> I am going with Kevin on this one. The real hacking tools check to see
> if a vulnerability works or not. The broken "audit" scanners only
> check to see if a header is this or that. Not putting the header only
> gets you past the auditors and doesn't stop the real hacker from
> getting in if the vulnerability is there.

that is not the point
the point is why in the world must we spit out versions?

yes, i know it is security by obscurity
but does it hurt?

if i need to know my version of sshd or any other service
i make a "rpm -qa | grep package"; if somebody else likes
to know, he has to ask the question, as i have to for foreign
servers

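As an added example (not from the thread or from any of its posters), a small Python parser for the SSH identification string of RFC 4253 section 4.2 placed beside the rpm name-version-release string: it shows which field a header-matching scanner can read and that the release field, the part a backported fix changes, is not in the banner at all. All banner and package values below are constructed samples.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion may not contain whitespace or "-"; comments are optional.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$")

# rpm -q style output: name-version-release.arch (name may itself contain "-").
NVRA_RE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")


def parse_banner(line):
    """Split an SSH identification string into proto, software, comments."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    fields = m.groupdict()
    # Convention (not mandated by the RFC): softwareversion is product_version,
    # e.g. OpenSSH_5.6p1 -> product "OpenSSH", version "5.6p1".
    product, _, version = fields["software"].partition("_")
    fields.update(product=product, version=version)
    return fields


def parse_nvra(nvra):
    """Split a name-version-release.arch string as printed by rpm -q."""
    m = NVRA_RE.match(nvra.strip())
    if not m:
        raise ValueError("not a name-version-release.arch string: %r" % nvra)
    return m.groupdict()


def banner_vs_package(banner, nvra):
    """Compare what a header-matching scanner sees with what the package records.

    A backport bumps only the rpm release field; the banner carries the upstream
    version string only, so the two can agree on the version while saying
    nothing about whether a given fix is present.
    """
    b = parse_banner(banner)
    p = parse_nvra(nvra)
    return {
        "scanner_sees": b["version"],
        "package_version": p["version"],
        "package_release": p["release"],
        "versions_agree": b["version"] == p["version"],
        "release_visible_to_scanner": p["release"] in banner,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real host or package.
    print(banner_vs_package("SSH-2.0-OpenSSH_5.6p1 Example-1",
                            "openssh-server-5.6p1-34.example15.x86_64"))
```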
