Isn't this a potential security issue?

A co-worker recently portscanned my Debian box with the "Windows network
scanner," or something like that. One thing I noticed was that the
scanner appeared to somehow come up with the full Debian package name of
ssh on my box... if you moused over "ssh" in the list of open ports, a
little tooltip-type box would pop up that said "ssh_debian3.4p1-2" or
something like that. A malicious person who's aware of what patches are
or aren't in what Debian packages could easily see whether or not my
computer was vulnerable to whatever's wrong with ssh when I get
portscanned.

This isn't necessarily an issue of keeping my box up-to-date, either,
since the most recent Debian package could still be vulnerable to recent
bugs at any given time. It's easy enough to find out what OS a
computer's running but, if the exact package version isn't so readily
available, there would be no way for script kiddies who are looking for
vulnerable boxes to know that the admin hasn't rolled his own updated
package and installed it.
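As an added example (not from the original post), here is a small Python checker that parses the SSH identification string (RFC 4253: `SSH-protoversion-softwareversion SP comments`) and reports whether the comments field discloses a distribution package revision, which is where a string like "debian3.4p1-2" shown by a scanner comes from. The sample banners are constructed, and `fetch_banner` is a hypothetical helper for reading the banner of a server you administer.

```python
"""Audit an SSH server's identification banner for package-version disclosure.

Added example, not code from the original post. Per RFC 4253 the banner is
"SSH-protoversion-softwareversion SP comments CR LF"; Debian's OpenSSH puts
its package revision in the comments field, and that is what a scanner can
show next to the open port. Sample banners below are constructed.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# softwareversion may not contain whitespace or '-', so the first '-' after
# the protocol version ends it and the first run of whitespace starts comments.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$")


@dataclass
class SshBanner:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_ssh_banner(line: str) -> SshBanner:
    """Split one identification line into its RFC 4253 fields."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m["proto"], m["software"], m["comments"])


def disclosed_package_version(banner: SshBanner) -> Optional[str]:
    """Return the distro package revision the comments leak, if any.
    Handles 'Debian 1:3.4p1-2' (vendor SP revision) and 'Debian-10+deb10u2'
    (vendor '-' revision); both are constructed forms."""
    if not banner.comments:
        return None
    tokens = banner.comments.split(None, 1)
    if len(tokens) == 1:
        tokens = banner.comments.split("-", 1)
    return tokens[1] if len(tokens) == 2 else None


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Hypothetical helper: read the first line your own server sends."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(255).decode("ascii", "replace").splitlines()[0]


def audit(line: str) -> str:
    """One-line verdict on what a banner gives away."""
    b = parse_ssh_banner(line)
    leak = disclosed_package_version(b)
    if leak:
        return f"{b.softwareversion}: package revision '{leak}' disclosed in banner comments"
    return f"{b.softwareversion}: no package revision in banner"
```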
