Lazarus Long <[EMAIL PROTECTED]> writes:

> As I have said in the past, this is definitely a security risk.

No, it isn't. The fact that the SSH protocol encourages implementors to exhibit version numbers has helped us greatly while recovering from the catastrophic buffer overflow bug.

> Of course it is "useful," Matthew, but that admin can do so, safely
> *logged in to* the machine in question, with the 'dpkg -l ssh' command
> I mentioned above. There is no need to advertise any vulnerabilities
> to those *outside* the machine.

But there is. Your local CERT might want to warn you that you are running a vulnerable implementation of a network service. We regularly disconnect Debian/timetravel systems because the version identification of a service suggests that they are still running a vulnerable version. That's tough luck for Debian users, but better be safe than sorry.

--
Florian Weimer                [EMAIL PROTECTED]
University of Stuttgart       http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                      +49-711-685-5973/fax +49-711-685-5898
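The kind of version-identification check Florian describes, as an added Python example that is not part of the thread and not RUS-CERT's own tooling. It parses the SSH identification string in the form laid down by the SSH transport protocol ("SSH-protoversion-softwareversion SP comments"), splits the software field into product and version, and compares the version against a first-fixed version taken from an advisory table. The advisory table and the banner lines below are constructed for illustration; the threshold "3.4" is a placeholder, not a statement about any real release. The example also shows why the check is only a heuristic and why the thread's Debian users get "tough luck": a distribution that backports a fix without bumping the upstream version string (the case `dpkg -l ssh` would reveal locally) looks vulnerable from the outside, and a banner that carries no parseable version yields no verdict at all.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Identification string format from the SSH transport protocol (RFC 4253, 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# Servers that speak both protocol 1 and 2 announce "SSH-1.99-...".
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


class Banner(NamedTuple):
    protoversion: str
    software: str
    comments: Optional[str]


def parse_banner(line: str) -> Optional[Banner]:
    """Return the parsed identification string, or None if the line is not one."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return Banner(m.group("proto"), m.group("software"), m.group("comments"))


def product_version(software: str) -> Tuple[str, Optional[str]]:
    """Split 'OpenSSH_3.3p1' into ('OpenSSH', '3.3p1').

    Implementations that do not use the name_version convention are returned
    with a None version, so the caller cannot draw a conclusion from them.
    """
    name, sep, version = software.partition("_")
    return (name, version) if sep else (software, None)


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '3.3p1' into (3, 3, 1) so that versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_flagged(banner_line: str, advisory: Dict[str, str]) -> Optional[bool]:
    """True if the banner claims a version older than the first fixed one.

    advisory maps product name -> first version known to carry the fix.
    Returns None when nothing can be concluded: not an SSH banner, product not
    in the advisory, or no version number exposed in the software field.
    """
    banner = parse_banner(banner_line)
    if banner is None:
        return None
    name, version = product_version(banner.software)
    fixed = advisory.get(name)
    if fixed is None or version is None:
        return None
    return version_key(version) < version_key(fixed)


def scan_banners(lines: List[str], advisory: Dict[str, str]) -> List[Tuple[str, Optional[bool]]]:
    """Apply is_flagged to every captured line, keeping the verdict per line."""
    return [(line.strip(), is_flagged(line, advisory)) for line in lines]


# Constructed advisory table: placeholder threshold, not a real advisory.
EXAMPLE_ADVISORY = {"OpenSSH": "3.4"}

# Constructed banner lines, as a scanner would capture them from port 22.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.1p1\r\n",            # older than threshold -> flagged
    "SSH-2.0-OpenSSH_3.4p1\r\n",             # at/after threshold -> not flagged
    "SSH-2.0-OpenSSH_3.1p1 Debian-1\r\n",    # may be patched by backport, still flagged
    "SSH-1.5-1.2.31\r\n",                    # no product_version form -> no verdict
    "220 mail.example.invalid ESMTP\r\n",    # not an SSH banner at all -> no verdict
]

if __name__ == "__main__":
    for line, verdict in scan_banners(SAMPLE_BANNERS, EXAMPLE_ADVISORY):
        label = {True: "FLAGGED", False: "ok", None: "no verdict"}[verdict]
        print(f"{label:11} {line}")
```

The third sample is the case the thread argues about: the banner alone cannot tell a backported fix from an unpatched server, so a CERT working only from external version identification will disconnect some hosts that are in fact fixed, and an operator who wants to avoid that has to verify the package locally.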