Lazarus Long <[EMAIL PROTECTED]> writes: > > severity 130876 wishlist > > thanks > > > > This is not a bug. > > This is definitely a security risk.
It helps auditing a large farm of Debian machines. For example, there is currently no reliable way to remotely tell if a box running OpenSSH 1.2.3 is using an up-to-date Debian version with the security fix. An attacker will simply try all his exploits and move to the next machine if they are unsuccesful. The good guys can do that, too, but they cannot be sure if they just got the offsets wrong or something like that, so that the machine is vulnerable despite the attack was not successful. -- Florian Weimer [EMAIL PROTECTED] University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898