[Bug 3800] OpenSSH 9.9p2 Minor Version Detection Issue in Qualys/Tenable for CVE-2025-26465 & CVE-2025-26466

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Mar 11 20:58:42 AEDT 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3800

--- Comment #2 from suryalegend89 <suryalegend89 at gmail.com> ---
Hi Damien Miller,

Thank you for your response.

I am seeking clarification on how OpenSSH reports its software version.
As per the RFC Protocol Version Exchange, the identification string
format is:

        SSH-protoversion-softwareversion SP comments CR LF

However, VersionAddendum appends the minor version in the comments
rather than including it in the software version itself. For example:

        SSH-2.0-OpenSSH_9.9 p2 <CR><LF>

This suggests that the minor version (p2) is not part of the software
version but is instead added as a comment.
For cross-verification, I tested on Ubuntu, and it includes the minor
version in the software version string:

        SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.11

Is there a specific reason why OpenSSH omits the minor version from the
software version field?

Any insights would be greatly appreciated!

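As an added example (not code from the bug report, OpenSSH, or either scanner vendor), the parser below splits an identification string into the three RFC 4253 fields and shows why a scanner that derives the version from softwareversion alone reads the two banners quoted in the comment differently: the "p2" in the first banner lands in comments, the "p1" in the second stays inside softwareversion. The field-splitting and token regexes are my own; the sample banners are the two quoted above with CR LF appended.

```python
import re
from typing import Optional

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# softwareversion must not contain SP or '-', so the first SP starts comments.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>[^ \-\r\n]+)"
    r"(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)
# Portable OpenSSH release naming: OpenSSH_<major>.<minor>[p<patch>]
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:p(\d+))?$")
# A standalone "p<digits>" token, as produced when the patch level is
# appended via VersionAddendum instead of being part of softwareversion.
PATCH_TOKEN_RE = re.compile(r"(?<![\w.])p(\d+)(?![\w.])")

def parse_banner(line: str) -> dict:
    """Split an identification string into its RFC 4253 fields."""
    m = BANNER_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {"protoversion": m["proto"],
            "softwareversion": m["software"],
            "comments": m["comments"] or ""}

def openssh_version(banner: dict) -> Optional[tuple]:
    """(major, minor, patch) as a strict scanner reads it, i.e. from
    softwareversion only; patch is None when no p<N> suffix is in that field."""
    m = OPENSSH_RE.match(banner["softwareversion"])
    if m is None:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), (int(patch) if patch is not None else None)

def patch_in_comments(banner: dict) -> Optional[int]:
    """Patch level that ended up in the comments field, if any."""
    m = PATCH_TOKEN_RE.search(banner["comments"])
    return int(m.group(1)) if m else None

# Constructed sample input: the two banners quoted in the comment, plus CR LF.
BANNER_ADDENDUM = "SSH-2.0-OpenSSH_9.9 p2\r\n"
BANNER_UBUNTU = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.11\r\n"

if __name__ == "__main__":
    for raw in (BANNER_ADDENDUM, BANNER_UBUNTU):
        b = parse_banner(raw)
        print(b["softwareversion"], openssh_version(b),
              "patch in comments:", patch_in_comments(b))
```

Run against a live banner, the same split tells you whether a scanner's "9.9" finding comes from a genuinely unpatched build or from a patch level that was moved into the comments field.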