Ubuntu
openssh package

german only: OpenSSH gibt Angreifern zu viele Informationen preis

Bug #426245 reported by Neumann
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Binary package hint: openssh-server

Sorry, german bug-report only.

Ich benutze Ubuntu 8.04 (LTS) Server und bin gerade dabei ihn abzusichern. Leider bekomme ich es nicht hin OpenSSH zum schweigen zu bringen! Der OpenSSH Dienst meldet sich immer mit "OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)" ... mich stört das er so viel detailiert über das Betriebssystem plaudert.

Man hat mir empfohlen die Quellen neu zu bauen, das halte ich für Bug-Report-Würdig. Es reicht die SSH Version und welches Protokoll verwendet wird: Aus der OpenSSH-FAQ "OpenSSH, like most SSH implementations, reports its name and version to clients when they connect, e.g. SSH-2.0-OpenSSH_3.9".

Gruß
Willi

# lsb_release -rd
Description: Ubuntu 8.04.3 LTS
Release: 8.04

#apt-cache policy openssh-server
openssh-server:
  Installed: 1:4.7p1-8ubuntu1.2
  Candidate: 1:4.7p1-8ubuntu1.2
  Version table:
 *** 1:4.7p1-8ubuntu1.2 0
        500 http://update.onlinehome-server.info hardy-updates/main Packages
        500 http://update.onlinehome-server.info hardy-security/main Packages
        100 /var/lib/dpkg/status
     1:4.7p1-8ubuntu1 0
        500 http://update.onlinehome-server.info hardy/main Packages

See original description
Neumann (wineumann)
visibility: private → public
Neumann (wineumann)
description: updated
Revision history for this message
Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Your bug report is more likely to get attention if it is made in English, since this is the language understood by the majority of Ubuntu developers. Additionally, please only mark a bug as "security" if it shows evidence of allowing attackers to cross privilege boundaries or to directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
Changed in openssh (Ubuntu):
status: New → Incomplete
Revision history for this message
Kees Cook (kees) wrote :

Additionally, this is not a bug, but rather expected behavior: https://wiki.ubuntu.com/SecurityTeam/FAQ#SSH

Revision history for this message
Chuck Short (zulcss) wrote :

We'd like to figure out what's causing this bug for you, but we haven't heard back from you in a while. Could you please provide the requested information? Thanks!

Revision history for this message
Chuck Short (zulcss) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in openssh (Ubuntu):
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.