On 07.01.2012 06:35, Digimer wrote:
>> if you have a big customer which hires a 3rd party auditor
>> you are NOT in the position to give such arguments or
>> you can give them but you can not change ANYTHING in
>> the fact that finally "fix it or shutdown the service"
>> is what you have to do
>
> If you have a "security expert" who can't grasp the concept of
> back-ported bug fixes, and is unwilling to test for specific
> vulnerabilities' existence, it's time to get a new expert.

you are missing the point
A BIG CUSTOMER has a security-expert

>> if i need to know my version of sshd or any other service
>> i make a "rpm -qa | grep package", if somebody else likes
>> to know he has to tell the question as i have for foreign
>> servers
>
> Connecting programs don't have the luxury of 'rpm -q', and must rely on
> the version returned by the server to know how to pass data. Things
> change over time, and you certainly can't expect a server to behave the
> same over (sometimes long) periods of time.

connecting programs rely on the PROTOCOL version
currently: SSH-2.0-OpenSSH_5.8
but "SSH-2.0" is the only relevant part here!

for other services like imap, smtp and whatever there is also
no single need for a client to know even the server-software
the client only needs to know the capabilities of the server and since
you wrote "concept of back-ported bug fixes" you seem to know that
the server-software / version in this context is nonsense
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
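
The message above separates the protocol version in an SSH banner from the software version. As an added example (not part of the original message), this Python sketch splits an identification string into those fields following RFC 4253 section 4.2; the function names and every sample banner except `SSH-2.0-OpenSSH_5.8` are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# The RFC also forbids '-' inside softwareversion; this parser is lenient there.
_IDENT = re.compile(
    r"^SSH-(?P<proto>[^\s-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

def parse_ssh_ident(line: bytes) -> dict:
    """Split an SSH identification string into its RFC 4253 fields."""
    if len(line) > 255:  # RFC limit, CR LF included
        raise ValueError("identification string longer than 255 bytes")
    text = line.decode("ascii").rstrip("\r\n")  # non-ASCII raises ValueError
    m = _IDENT.match(text)
    if m is None:
        raise ValueError("not an SSH identification string")
    proto = m.group("proto")
    return {
        "proto": proto,
        # "1.99" is the marker a server sends when it supports 2.0 and older.
        "speaks_ssh2": proto in ("2.0", "1.99"),
        # Free-form vendor text; with back-ported fixes it does not tell an
        # auditor which patches the package actually carries.
        "software": m.group("software"),
        "comments": m.group("comments"),
    }

def client_can_proceed(line: bytes) -> bool:
    """Decide on the protocol field alone, ignoring the software field."""
    return parse_ssh_ident(line)["speaks_ssh2"]

# Sample banners; all but the first are constructed for this example.
SAMPLES = [
    b"SSH-2.0-OpenSSH_5.8\r\n",
    b"SSH-1.99-ExampleServer_1.0 constructed comment\r\n",
    b"SSH-1.5-LegacyDaemon\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(parse_ssh_ident(banner))
```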