Include the Debian version in our identification

This makes it easier to audit networks for versions patched against security
vulnerabilities.  It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings.  (However, see debian-banner.patch.)

Forwarded: not-needed
Last-Update: 2019-06-05

Patch-Name: package-versioning.patch

2 files changed, 7 insertions, 2 deletions

diff --git a/kex.c b/kex.c
index e09355dbd..65ed6af02 100644
--- a/kex.c
+++ b/kex.c
@@ -1239,7 +1239,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
         if (version_addendum != NULL && *version_addendum == '\0')
                 version_addendum = NULL;
         if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
-           PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+           PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
             version_addendum == NULL ? "" : " ",
             version_addendum == NULL ? "" : version_addendum)) != 0) {
                 error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
diff --git a/version.h b/version.h
index 6b3fadf89..a24017eca 100644
--- a/version.h
+++ b/version.h
@@ -3,4 +3,9 @@
 #define SSH_VERSION     "OpenSSH_8.1"
 
 #define SSH_PORTABLE    "p1"
-#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE
+#define SSH_RELEASE_MINIMUM     SSH_VERSION SSH_PORTABLE
+#ifdef SSH_EXTRAVERSION
+#define SSH_RELEASE     SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION
+#else
+#define SSH_RELEASE     SSH_RELEASE_MINIMUM
+#endif