On 07.01.2012 06:35, Digimer wrote:
> if you have a big customer which hires a 3rd party auditor
> you are NOT in the position to give such arguments or
> you can give them but you can not change ANYTHING in
> the fact that finally "fix it or shutdown the service"
> is what you have to do
If you have a "security expert" who can't grasp the concept of
back-ported bug fixes, and is unwilling to test for specific
vulnerabilities' existence, it's time to get a new expert.
you are missing the point: A BIG CUSTOMER has a security-expert
> if i need to know my version of sshd or any other service
> i make a "rpm -qa | grep package", if somebody else likes
> to know he has to tell the question as i have for foreign
> servers
Connecting programs don't have the luxury of 'rpm -q', and must rely on
the version returned by the server to know how to pass data. Things
change over time, and you certainly can't expect a server to behave the
same over (sometimes long) periods of time.
connecting programs rely on the PROTOCOL version
currently: SSH-2.0-OpenSSH_5.8
but "SSH-2.0" is the only relevant part here!
for other services like imap, smtp and whatever there is also no
single need for a client to know even the server-software
the client only needs to know the capabilities of the server
and since you wrote "concept of back-ported bug fixes" you seem
to know that the server-software / version in this context is
nonsense
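The SSH identification-string point made above, as an added example that is not part of the thread or of any project discussed in it: a small parser for the banner format defined in RFC 4253 section 4.2, which splits the protocol version (the only field a client needs for its compatibility decision) from the informational software-version string. The sample banners and the helper names are constructed for this example.

```python
"""Parse SSH identification strings (RFC 4253, section 4.2).

Added example, not from the mailing-list thread. The banner has the form
    SSH-protoversion-softwareversion [SP comments] CR LF
A client decides how to talk to the server from `protoversion` alone;
`softwareversion` is informational, and since distributions back-port
fixes without changing it, it is not a sound basis for a vulnerability
verdict either.
"""
import re
from typing import NamedTuple, Optional


class SshBanner(NamedTuple):
    protoversion: str
    softwareversion: str
    comments: Optional[str]


# "SSH-" protoversion "-" softwareversion, optionally followed by a space
# and free-form comments, terminated by CR LF (LF alone is tolerated here).
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<sw>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


def parse_banner(line: str) -> SshBanner:
    """Split one identification string into its three fields.

    Raises ValueError for anything that is not a well-formed banner, so a
    caller never silently treats garbage as a protocol version.
    """
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m.group("proto"), m.group("sw"), m.group("comments"))


def client_can_speak(banner: SshBanner) -> bool:
    """Compatibility decision for an SSH-2 client.

    Only the protocol version matters. RFC 4253 also lets a server that
    supports both protocol generations announce "1.99", which an SSH-2
    client treats like "2.0".
    """
    return banner.protoversion in ("2.0", "1.99")


# Constructed sample banners: two servers with different software strings
# and one legacy server. A client treats the first two identically.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_5.8\r\n",
    "SSH-2.0-OpenSSH_5.3 Debian-3ubuntu7\r\n",
    "SSH-1.5-legacyd_1.0\r\n",
]


def compatibility_report(banners=SAMPLE_BANNERS):
    """Return (softwareversion, can_speak) per banner for a quick overview."""
    report = []
    for raw in banners:
        b = parse_banner(raw)
        report.append((b.softwareversion, client_can_speak(b)))
    return report


if __name__ == "__main__":
    for sw, ok in compatibility_report():
        print(f"{sw:<28} speakable by SSH-2 client: {ok}")
```

The parser deliberately returns the software string untouched and makes no judgement about it: anyone who wants to know whether a given fix is present has to test for the behaviour or ask the server's administrator, exactly as the message argues.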