** Visibility changed to: Public ** Description changed:
Binary package hint: apache In Ubuntu/Debian, Apache by default enables ETags. OpenBSD has released a patch that addresses ETags giving out sensitive information by, - encoded using a private hash the Inode numbers returned from the server - to avoid the release of sensitive information. + encoding the ETag info using a private hash with the Inode numbers + returned from the server to avoid the release of sensitive information. My NeXPose scanner, detected the presence of ETags, and logged it as a vulnerability. Their claim is as follows: Certain versions of Apache use the requested file's inode number to construct the 'ETag' response header. While not a vulnerability in and of itself, this information makes certain NFS attacks much simpler to execute. ************************************************************************************************************************************************************ The recommendation (from googling [1]) is to use mod_header and configure as below: Header unset ETag FileETag None ************************************************************************************************************************************************************ While this indeed "disables" ETag information, I would much rather we use OpenBSD's route of the "solution" by encoding the ETag value. Can someone please confirm whether or not this has already been implemented? I've searched the bugs DB and the BackPorts DB and could NOT locate any information in regards to this topic. Thank you, URLs: [1] : http://www.lavluda.com/tag/etag/ [2] : Bugtraq ID (BID): http://www.securityfocus.com/bid/6939 -- Apache ETag Inode Information Leakage https://bugs.launchpad.net/bugs/384910 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
