Package: openssh-server
Version: 4.3p2-9etch2
Severity: minor

During connection openssh-server sends its version string to the client. While that is perfectly ok for the version string itself, the information added to the version string gives away free additional information to a potential attacker about the system sshd is running on.

PROBLEMS

1) telnet ip 22 reveals the information (port scanners can do that as well)

Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-9etch2

The second part "Debian-9etch2" does leak additional information entirely unrelated to openssh-server, thus making attacks on the system (not openssh-server) easier, because you immediately get to know not only what version it is, but also what other packages (dependencies) are installed and how current they are (i.e. if a newer package is available it is most likely that any other package on the system is not newer than that date etc).

The "security by obscurity" argument does not count here, as the information disclosed is not about the package itself but about the underlying system and its status.

This is only a minor issue because it does not directly pose a threat itself; however it should be corrected nonetheless, as it is unnecessary and the user cannot change this behaviour by just changing configuration (compiling is necessary).

SUGGESTION

Change the string in openssh/version.h and compile it again.

Please note that this error is architecture independent and that the information given below is only about where the error was verified.

-- System Information:
Debian Release: etch
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.25.10

-- This report was not filed by reportbug and may therefore not be 100% compliant with the Debian requirements - I am sorry for the inconvenience.
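The following is an added self-audit example, not part of the bug report above and not code from the openssh-server package. It parses an SSH identification string in the RFC 4253 layout ("SSH-protoversion-softwareversion SP comments") and flags a comments field that discloses distribution or package-revision details, which is the disclosure the report describes. The banner from the report is used as one input; the other banners and the distribution keyword list are constructed for illustration, and the revision-token heuristic is an assumption, not a standard.

```python
import re
from dataclasses import dataclass

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion is printable US-ASCII without whitespace or '-', which is
# why the regex excludes 0x20 and 0x2d from that field.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    r"(?: (?P<comments>[\x20-\x7e]*))?$"
)

# Constructed keyword list: names that identify the underlying OS rather than sshd.
DISTRO_WORDS = ("debian", "ubuntu", "raspbian", "freebsd", "openbsd", "netbsd",
                "redhat", "centos", "fedora", "suse", "gentoo", "alpine")

# Heuristic (assumption): a distribution package revision such as "9etch2" or
# "4ubuntu0.3" looks like digits, letters, digits.
REVISION_TOKEN_RE = re.compile(r"\d+[a-z]+\d")


@dataclass
class Banner:
    proto: str
    software: str
    comments: str


def parse_banner(line: str) -> Banner:
    """Split one identification string into its three RFC 4253 fields."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 4253 identification string: {line!r}")
    return Banner(m["proto"], m["software"], m["comments"] or "")


def disclosed_platform_info(banner: Banner) -> list[str]:
    """Return a list of findings about OS-level detail in the comments field.

    The softwareversion field (e.g. OpenSSH_4.3p2) is expected to name the
    server software and is not flagged; only the optional comments are checked.
    """
    findings = []
    low = banner.comments.lower()
    for word in DISTRO_WORDS:
        if word in low:
            findings.append(f"distribution name '{word}' in comments")
    if REVISION_TOKEN_RE.search(low):
        findings.append("package revision-like token in comments")
    return findings


def audit(banners: list[str]) -> dict[str, list[str]]:
    """Map each raw banner to its findings; an empty list means nothing flagged."""
    return {raw: disclosed_platform_info(parse_banner(raw)) for raw in banners}


# Constructed sample input. The first line is the banner quoted in the report;
# the second is what the report's suggestion (a bare version.h string) yields.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_4.3p2 Debian-9etch2\r\n",
    "SSH-2.0-OpenSSH_4.3p2\r\n",
    "SSH-1.99-OpenSSH_3.9p1 FreeBSD-20040419\r\n",
]

if __name__ == "__main__":
    for raw, findings in audit(SAMPLE_BANNERS).items():
        status = "; ".join(findings) if findings else "no platform detail disclosed"
        print(f"{raw.strip()!r:45} -> {status}")
```

Run against your own server by feeding it the first line the daemon sends on connect (the same line the report captured with telnet); a non-empty findings list means the comments field is carrying more than the sshd version.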