https://bz.apache.org/bugzilla/show_bug.cgi?id=70140
Bug ID: 70140
Summary: Feature request: ServerTokens to support a
"PatchLevels" option
Product: Apache httpd-2
Version: 2.4.63
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Core
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Ideally, this configuraion,
#
ServerTokens PatchLevels
#
should produce something like this in the HTTP header,
...
Date: Tue, 07 Jul 2026 23:02:45 GMT
Server: Apache/2.4.63-13.4 (AlmaLinux) OpenSSL/3.5.5.4
...
(In a cursory look at server/core.c, the mention of AP_SERVER_PATCHLEVEL_NUMBER
makes me hope the request is in the realm of possibility at least as regards
Apache itself.)
The present state of affairs is that some web security scans (at least from
Qualsys) assume vulnerabilities from the detected base version number alone,
without knowing about backported fixes. Thus where backports are used, the
security compliance of an Apache installation cannot be ascertained by scan
without actually launching exploits.
It's true that mod_headers allows informatative communication like,
#
Header always set apache-patchlevel 2.4.63-13.4
#
... but there would be no reason for a certifying body to trust it, being
entered by a possibly dishonest system administrator rather than baked into the
server code.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]