Previously Matthew Vernon wrote:
> retitle 130876 Sending server software version information should be optional
I'm not sure I agree with that: that easily leads to the configurable
version response option that was discussed on openssh-dev recently where
it was concluded that is not a good idea.
retitle 130876 Sending server software version information should be optional
severity 130876 wishlist
quit
I'll get back to you in more detail when I have time, but in the mean
time - if you want to produce and maintain (since I'm damn sure
upstream wouldn't want to know) a patch that creates a c
Wichert Akkerman writes:
> Previously Matthew Vernon wrote:
> > retitle 130876 Sending server software version information should be optional
>
> I'm not sure I agree with that: that easily leads to the configurable
> version response option that was discussed on openssh-dev recently where
On Sun, Feb 10, 2002 at 02:47:11AM +, Lazarus Long wrote:
> As I have said in the past, this is definitely a security risk.
> There is no reason that such information should be exposed to attackers.
We may as well take down the debian.org web pages, since they expose a
wealth of information to
Lazarus Long <[EMAIL PROTECTED]> writes:
> As I have said in the past, this is definitely a security risk.
No, it isn't. The fact that the SSH protocol encourages implementors
to exhibit version numbers has helped us greatly while recovering from
the catastrophic buffer overflow bug.
> Of cours
On 10/02/02, Lazarus Long wrote:
> On Sat, Jan 26, 2002 at 12:25:08PM +, Matthew Vernon wrote:
> > Lazarus Long writes:
> > > Introduces security hole by divulging too much information to an
> > > attacker about the underlying system.
> > The rationale behind this, is that there are man
reopen 130876
severity 130876 grave
thanks
As I have said in the past, this is definitely a security risk.
There is no reason that such information should be exposed to attackers.
'dpkg -l ssh' provides a Debian-specific version string, and there is no
reason this needs to be exposed to those who