On Wed, 26 Mar 2003 jlewis@lewis.org wrote:
One obvious problem with this would be that certain vendors prefer to backport security fixes to older versions rather than test and release new versions...so an insecure-looking version string may actually have had fixes applied.
I think you're talking about RedHat, right? What other vendors take this approach? I know that at a recent job I set out to scan for what versions of things were running on a bunch of boxes, and all the RedHat boxes were showing as running vulnerable versions of OpenSSH. While personally I think this is a bogus way to manage security fixes, there are probably many many RedHat boxes out there running BIND. Short of pointing out the error of their ways or expecting them to roll something into their own patches to fix the notification system, how would you handle that? I mean, at least on the ssh thing, they didn't even change the version string one bit, not even a 'rh-p1' or something. So as far as your scanner knows, and as far as the script kiddies know, you're running a vulnerable version. Charles
---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________