[Bug 1002443] Re: php5-fpm exposes full ubuntu package version in headers

2014-07-09 Thread Bug Watch Updater
** Changed in: php5 (Debian)
   Status: Won't Fix => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1002443

Title:
  php5-fpm exposes full ubuntu package version in headers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1002443/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1002443] Re: php5-fpm exposes full ubuntu package version in headers

2012-05-22 Thread Ondřej Surý
I think that full version number is important and we will gain no extra
security by hiding it by default, just more pain when debugging. You
always have an option to disable the headers yourself, if you think it
will gain you any extra security.

** Bug watch added: Debian Bug tracker #582204
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582204

** Also affects: php5 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582204
   Importance: Unknown
   Status: Unknown



[Bug 1002443] Re: php5-fpm exposes full ubuntu package version in headers

2012-05-22 Thread Bug Watch Updater
** Changed in: php5 (Debian)
   Status: Unknown => Won't Fix



[Bug 1002443] Re: php5-fpm exposes full ubuntu package version in headers

2012-05-22 Thread Marc Deslauriers
Security by obscurity doesn't actually work. Hiding the version number
will not affect whether your system is secure or not, and it's quite
likely that an attacker would simply run his script regardless of the
version number displayed on your website.

If this is important in your environment, please use expose_php to
disable the banner in your configuration.

** Changed in: php5 (Ubuntu)
   Status: New => Opinion

** Changed in: php5 (Ubuntu)
   Importance: Undecided => Wishlist



[Bug 1002443] Re: php5-fpm exposes full ubuntu package version in headers

2012-05-22 Thread Benjamin Kerensa
@Marc: I tried to explain the security by obscurity flaw ;) and that one
should just focus on a hardened install and not so much about exposed
version info in their header.



[Bug 1002443] Re: php5-fpm exposes full ubuntu package version in headers

2012-05-22 Thread Nathan Williams
@bkerensa, thanks for the constructive contribution to the
conversation... I discussed this with a couple folks in #ubuntu-server
and one of the Ubuntu PHP maintainers, and filed this with their
feedback.

@all, I'm well aware that security by obscurity is no solution, but as
noted by Francois in the linked Debian bug, shipping sane defaults is a
reasonable expectation. Advertising the full package version by default
just makes it easy for scans to identify vulnerable targets. This is
clearly irrelevant in a targeted attack, but it could keep you off a
low-hanging-fruit list generated by malicious scanning, which I find to
be of value.

So the question should be: what's the value in advertising this
information by default? As noted in the bug description, I think PHP
version information similar to the information provided by Apache,
Nginx, etc. does make sense to an extent, just not listing the full
package name.

I'll agree with Francois in the linked bug, this is ultimately the
maintainer's decision, and I'll respect the decision, though I think that
a pro vs. con analysis comes down clearly on the side of a better
default, be that normalized version info or turning expose_php off.

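An added example, not part of the original thread or of the php5 package: a shell check for the two points discussed in the messages above, whether expose_php is enabled in a given ini file and whether an X-Powered-By value carries only an upstream-style version or additional packaging detail. The function names and the sample header value are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit PHP version disclosure. All sample values are constructed.

# Classify the X-Powered-By header in raw HTTP response headers read on stdin.
# Prints one of: absent | upstream-version | package-version | other
classify_powered_by() {
  local value
  # Header names are case-insensitive; strip the CR of CRLF line endings first.
  value=$(tr -d '\r' | awk 'tolower($0) ~ /^x-powered-by:/ && !seen {
            sub(/^[^:]*:[ \t]*/, ""); print; seen = 1 }')
  if [ -z "$value" ]; then
    echo absent
  elif printf '%s' "$value" | grep -Eq '^PHP/[0-9]+(\.[0-9]+)*$'; then
    echo upstream-version          # e.g. PHP/5.3.10
  elif printf '%s' "$value" | grep -Eq '^PHP/[0-9]+(\.[0-9]+)*.+'; then
    echo package-version           # version followed by a packaging suffix
  else
    echo other
  fi
}

# Report expose_php as set in one php.ini-style file (path in $1).
# The last uncommented assignment in the file is the one reported.
# Prints: on | off | unset   (when unset, PHP's built-in default is on)
expose_php_setting() {
  local v
  v=$(awk -F= '
    /^[ \t]*;/ { next }                       # skip comment lines
    $1 ~ /^[ \t]*expose_php[ \t]*$/ {
      val = $2
      sub(/;.*/, "", val)                     # drop a trailing comment
      gsub(/[ \t\r"]/, "", val)
      last = tolower(val)
    }
    END { print last }' "$1")
  case "$v" in
    "")            echo unset ;;
    on|1|yes|true) echo on ;;
    *)             echo off ;;
  esac
}

# Constructed sample response (not taken from the bug report).
printf 'HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.3.10-1ubuntu3.1\r\n\r\n' \
  | classify_powered_by   # package-version
```

Feed `classify_powered_by` the headers from your own server's response and run `expose_php_setting` against each ini file the SAPI loads to confirm which file actually controls the banner.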


[Bug 1002443] Re: php5-fpm exposes full ubuntu package version in headers

2012-05-21 Thread Nathan Williams