himanshug commented on pull request #9832: URL: https://github.com/apache/druid/pull/9832#issuecomment-639193923
> But these jetty upgrades are only fixed in the latest version and customers on older releases can still be exposed to these vulnerabilities.

The change here is only giving the user a false sense of security. The real and only fix in that situation to prevent attack would be to upgrade to a version of Druid that has a sufficiently updated jetty version, or else the "prevention" here is not gonna prevent anything but only make "security review" happy. However, I understand this change could be considered something that makes the attacker's life a teeny tiny bit difficult, so still LGTM.

Personally, I am not sure why we would wanna include it in the header ever and introduce yet another configuration that no-one needs. Can we just remove that config and make Druid never send the jetty version in the header? I will let other reviewers weigh in on that.
