httpd-users mailing list archives

From "Sander Holthaus - Orange XL" <i...@orangexl.com>
Subject Re: [users@httpd] Suggestion (security related)
Date Wed, 22 Jan 2003 15:31:10 GMT
This really depends on how you look at it. I think this idea is not good!
Instead of solving the problem, you are suggesting to hide it. Webservers
should always be properly patched/updated and configured. If they aren't,
they shouldn't be up in the first place.

Kind Regards,
Sander

----- Original Message -----
From: "Lars Hecking" <lhecking@nmrc.ucc.ie>
To: <users@httpd.apache.org>
Sent: Wednesday, January 22, 2003 3:49 PM
Subject: [users@httpd] Suggestion (security related)


>
>  The default httpd.conf file that gets installed should set ServerTokens to
>  Prod rather than Full. Especially with 1.3.x, the information about the
>  installed OpenSSL version makes it effortlessly simple to find out whether
>  a web server is vulnerable to one of the published OpenSSL remote root
>  exploits.
>
>  http://www.cert.org/advisories/CA-2002-23.html
>  http://www.cert.org/advisories/CA-2002-27.html
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
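
An added example, not part of either message above: a Python check that infers which ServerTokens level produced a given Server response header and lists the versioned components it exposes to any client. The function names and the sample header values are constructed for illustration.

```python
import re

# A Server header is a run of product tokens ("name/version") and "(comments)".
_TOKEN = re.compile(r"\(([^)]*)\)|(\S+)")

def parse_server_header(value):
    """Split a Server header into ([(name, version-or-None)], [comments])."""
    products, comments = [], []
    for comment, token in _TOKEN.findall(value.strip()):
        if token:
            name, _, version = token.partition("/")
            products.append((name, version or None))
        else:
            comments.append(comment)
    return products, comments

def servertokens_level(value):
    """Infer the lowest ServerTokens level that could yield this header.

    A Full server with no modules adding tokens looks the same as OS,
    so the result is a lower bound on what is configured.
    """
    products, comments = parse_server_header(value)
    if not products or products[0][0] != "Apache":
        return "not-apache"
    if len(products) > 1:
        return "Full"       # module tokens such as mod_ssl/x OpenSSL/y present
    if comments:
        return "OS"         # version plus "(Unix)"-style platform comment
    version = products[0][1]
    if version is None:
        return "Prod"       # bare "Apache"
    return {1: "Major", 2: "Minor"}.get(version.count(".") + 1, "Min")

def audit(value):
    """Return (level, list of name/version strings readable by any client)."""
    products, _ = parse_server_header(value)
    return servertokens_level(value), [f"{n}/{v}" for n, v in products if v]

if __name__ == "__main__":
    # Constructed sample headers, not captured from a real server.
    samples = [
        "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",
        "Apache/1.3.27 (Unix)",
        "Apache",
    ]
    for header in samples:
        level, exposed = audit(header)
        print(f"{level:5} exposes {exposed or 'no versions'}: {header}")
```
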

