https://bz.apache.org/bugzilla/show_bug.cgi?id=70140

            Bug ID: 70140
           Summary: Feature request: ServerTokens to support a
                    "PatchLevels" option
           Product: Apache httpd-2
           Version: 2.4.63
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Ideally, this configuraion,

#
ServerTokens PatchLevels
#

should produce something like this in the HTTP header,

...
Date: Tue, 07 Jul 2026 23:02:45 GMT
Server: Apache/2.4.63-13.4 (AlmaLinux) OpenSSL/3.5.5.4
...

(In a cursory look at server/core.c, the mention of AP_SERVER_PATCHLEVEL_NUMBER
makes me hope the request is in the realm of possibility at least as regards
Apache itself.) 

The present state of affairs is that some web security scans (at least from
Qualsys) assume vulnerabilities from the detected base version number alone,
without knowing about backported fixes. Thus where backports are used, the
security compliance of an Apache installation cannot be ascertained by scan
without actually launching exploits.

It's true that mod_headers allows informatative communication like,

#
Header always set apache-patchlevel 2.4.63-13.4
#

... but there would be no reason for a certifying body to trust it, being
entered by a possibly dishonest system administrator rather than baked into the
server code.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to