service version disclosure

Chris Adams cmadams at hiwaay.net
Sat Jan 7 07:43:34 UTC 2012


Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
> Am 07.01.2012 06:35, schrieb Digimer:
> > If you have a "security expert" who can't grasp the concept of
> > back-ported bug fixes, and is unwilling to test for specific
> > vulnerabilities' existence, it's time to get a new expert.
> 
> you are missing the point A BIG CUSTOMER has a security-expert

Well, a big customer has a so-called or self-proclaimed security expert.
That is your opportunity to educate the customer and possibly gain some
security business for yourself.

Do you actually use Fedora for security-conscious big-business
customers?  I use RHEL, and if they question versions from some external
scan, I quote Red Hat's backport policy.  Any sane scan will reference
CVEs, and fixed CVEs are listed in the RPM changelogs (so I can quote
those to show security).

If you filter out versions, you're liable to get a security "report"
that lists every vulnerability in Apache, OpenSSH, sendmail/postfix/etc.
If you manage to filter out program names (not always possible), you'll
get a list of every CVE referencing the service listening on a port
("port 53 looks like it is running a DNS server; here's a list of things
that might be wrong").

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
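The workflow Chris describes, as an added example that is not part of the original post: instead of arguing about a version string, look each CVE the scan names up in the package's RPM changelog (on a real host that text comes from `rpm -q --changelog <package>`; here a constructed changelog with placeholder CVE ids is embedded so the script runs offline). The CVEs that are not listed are the ones to test for directly.

```shell
#!/bin/sh
# Added example, not code from the original post or from Red Hat.
# The changelog below is constructed and its CVE ids are placeholders,
# not real advisories; replace it with `rpm -q --changelog httpd` output.
SAMPLE_CHANGELOG='* Mon Jan 02 2012 Example Packager <pkg@example.invalid> - 2.2.15-15.1
- Resolves: CVE-0000-0001 reverse proxy request handling (backported fix)
- Resolves: CVE-0000-0002 mod_example denial of service
* Thu Dec 01 2011 Example Packager <pkg@example.invalid> - 2.2.15-15
- Resolves: CVE-0000-0003 config parser crash'

# cve_listed CHANGELOG CVE-ID
# Prints every changelog line mentioning the CVE; exit status 1 if none.
# -F: fixed-string match, so the dashes in a CVE id are not regex metacharacters.
cve_listed() {
    printf '%s\n' "$1" | grep -F -- "$2"
}

# triage_scan CHANGELOG CVE-ID...
# One line per CVE from the scan report: "fixed" with the changelog line as
# evidence, or "open" when the changelog is silent.  Returns 0 only when every
# CVE is accounted for, so the exit status alone says whether follow-up is needed.
triage_scan() {
    changelog=$1
    shift
    rc=0
    for cve in "$@"; do
        line=$(printf '%s\n' "$changelog" | grep -F -- "$cve" | head -n 1)
        if [ -n "$line" ]; then
            printf '%s fixed: %s\n' "$cve" "$line"
        else
            printf '%s open: not in changelog, test for it directly\n' "$cve"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed changelog (the last id is deliberately
# absent, so the call exits 1 and flags it for a real test).
triage_scan "$SAMPLE_CHANGELOG" CVE-0000-0001 CVE-0000-0002 CVE-0000-0099
```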