As far as I can see, I think that the misleading part is in this line of the Debian package code:

debian/rules:47:SSH_EXTRAVERSION := $(DISTRIBUTION)-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//')

Where *dpkg-parsechangelog* shows:

<pre>
Source: openssh
Version: 1:6.7p1-5+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Yves-Alexis Perez <cor...@debian.org>
Date: Wed, 13 Jan 2016 22:08:52 +0100
Changes:
 openssh (1:6.7p1-5+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Disable roaming in openssh client: roaming code is vulnerable to an
     information leak (CVE-2016-0777) and heap-based buffer overflow
     (CVE-2016-0778).
</pre>

The *sed* command extracts 5+deb8u1 from 1:6.7p1-5+deb8u1, and this number is Debian's OpenSSH version number, not the Debian distro release number, so the "SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u1" banner really means:

"Hi, this is an OpenSSH_6.7p released by Debian and identified with the 5+deb8u1 version"

Below these lines, the latest 20 released packages:

(1:6.7p1-5+deb8u1)
(1:6.7p1-5)
(1:6.7p1-4)
(1:6.7p1-3)
(1:6.7p1-2)
(1:6.7p1-1) New (from
(1:6.6p1-8)
(1:6.6p1-7)
(1:6.6p1-6)
(1:6.6p1-5)
(1:6.6p1-4)
(1:6.6p1-3)
(1:6.6p1-2)
(1:6.6p1-1) New
(1:6.5p1-6)
(1:6.5p1-5)
(1:6.5p1-4)

On 02/22/2016 01:51 PM, Carlos Alberto Lopez Perez wrote:
> Package: openssh-server
> Version: 1:6.7p1-5+deb8u1
>
> Hi,
>
> I have noticed this:
>
> $ nc old-debian-lenny-machine 22
> SSH-2.0-OpenSSH_5.1p1 Debian-5
>
> $ nc just-fresh-installed-debian-jessie-machine 22
> SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u1
>
> Why is the Debian banner still advertising Debian 5 on a Debian 8 machine?
>
> Maybe the best solution is to just disable this banner by default?
> https://bugs.debian.org/786987
>
> Thanks.
>

--
Pablo Saavedra Rodiño
psaave...@igalia.com | Mail
www.igalia.com | Web
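
The derivation described in the reply above, as an added example that is not part of the original message or of the Debian package: it runs the two sed stages from debian/rules:47 over constructed dpkg-parsechangelog-style input and rebuilds the banner for each version. The function names are hypothetical, the value "Debian" for $(DISTRIBUTION) is read off the banners quoted in the thread, and the version string 1:5.1p1-5 is constructed from the lenny banner.

```shell
#!/bin/sh
# Added example: why a lenny host and a jessie host both show "Debian-5".

# Constructed changelog header in the field layout shown in the message.
changelog_header() {
    printf 'Source: openssh\nVersion: %s\nUrgency: high\n' "$1"
}

# The same two sed stages as debian/rules:47: print the Version field,
# then delete everything up to and including the first hyphen.
package_revision() {
    changelog_header "$1" \
        | sed -n -e '/^Version:/s/Version: //p' \
        | sed -e 's/[^-]*-//'
}

# Hypothetical helper: upstream part of the version, without the epoch
# ("1:") and without the "-revision" suffix.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# Rebuild the banner string seen on port 22.
ssh_banner() {
    distribution=Debian   # assumption: value of $(DISTRIBUTION), as seen in the banners
    printf 'SSH-2.0-OpenSSH_%s %s-%s\n' \
        "$(upstream_version "$1")" "$distribution" "$(package_revision "$1")"
}

# jessie-security package, its predecessor, and a constructed lenny version.
for v in '1:6.7p1-5+deb8u1' '1:6.7p1-5' '1:5.1p1-5'; do
    ssh_banner "$v"
done
```

The suffix after "Debian-" tracks the package revision only, so inferring the distribution release from it misclassifies hosts; it does show whether the +deb8u1 security upload is installed.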