Package: openssh-server Version: 1:7.9p1-9 Severity: normal Hi,
I've remarked a security issue with openssh-server. The problem manifests if you run netcat. Example : netcat localhost 22 In that case the string displayed is : SSH-2.0-OpenSSH_7.9p1 Debian-9 At least the Debian string should not be displayed, because otherwise it leaks information about the installed system, with possible consequences a more severe attack somewhere else. Could you please remove the string refering to Debian ? -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openssh-server depends on: ii adduser 3.118 ii debconf [debconf-2.0] 1.5.71 ii dpkg 1.19.5 ii libaudit1 1:2.8.4-2 ii libc6 2.28-8 ii libcom-err2 1.44.5-1 ii libgssapi-krb5-2 1.17-2 ii libkrb5-3 1.17-2 ii libpam-modules 1.3.1-5 ii libpam-runtime 1.3.1-5 ii libpam0g 1.3.1-5 ii libselinux1 2.8-1+b1 ii libssl1.1 1.1.1b-1 ii libsystemd0 241-1 ii libwrap0 7.6.q-28 ii lsb-base 10.2019031300 ii openssh-client 1:7.9p1-9 ii openssh-sftp-server 1:7.9p1-9 ii procps 2:3.3.15-2 ii ucf 3.0038+nmu1 ii zlib1g 1:1.2.11.dfsg-1 Versions of packages openssh-server recommends: ii libpam-systemd 241-1 ii ncurses-term 6.1+20181013-2 ii xauth 1:1.0.10-1 Versions of packages openssh-server suggests: ii ksshaskpass [ssh-askpass] 4:5.14.5-1 pn molly-guard <none> pn monkeysphere <none> pn rssh <none> pn ufw <none> -- debconf information excluded
