
Bug#260061: marked as done (apache2: [security] ServerSignature should be Off)



Your message dated Sun, 18 Jul 2004 22:29:43 +0100
with message-id <20040718212942.GB4565@fandango.home.clearairturbulence.org>
and subject line Bug#260061: apache2: [security] ServerSignature should be Off
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Jari Aalto <jari.aalto@poboxes.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
X-Mailer: reportbug 2.63
Date: Sun, 18 Jul 2004 10:28:54 +0300
Message-Id: <E1Bm66Q-0003ud-Q5@ns.cante.net>
Subject: apache2: [security] ServerSignature should be Off

Package: apache2
Version: 2.0.50-5
Severity: normal
Tags: security

/etc/apache2/sites-available/default contains default settings for a
normal site. I believe that it would be safer not to announce the
server version like it does right now:

  ServerSignature On

A safer set of options would be:

  ServerSignature  Off
  ServerTokens     ProductOnly


-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Kernel: Linux 2.4.26.20040601
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to en_US)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork           2.0.50-5   Traditional model for Apache2

-- debconf-show failed

---------------------------------------
Date: Sun, 18 Jul 2004 22:29:43 +0100
From: Thom May <thom@debian.org>
To: Jari Aalto <jari.aalto@poboxes.com>, 260061-done@bugs.debian.org
Subject: Re: Bug#260061: apache2: [security] ServerSignature should be Off
Message-ID: <20040718212942.GB4565@fandango.home.clearairturbulence.org>

Sorry, neither I nor Matt believe in security through obscurity.
If you wish to change it, go ahead. But the default remains as it stands.
-Thom
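
An added example, not part of either message in this thread: a small Python audit of what the two directives discussed here expose. ServerTokens governs the version detail in both the `Server` response header and the error-page footer, while ServerSignature only switches the footer on or off. The function name, the sample configurations and the single-scope, last-directive-wins reading of the file are assumptions made for illustration.

```python
import re

# ServerTokens keywords -> does the Server header carry a version number?
SHOWS_VERSION = {"prod": False, "productonly": False, "major": True,
                 "minor": True, "min": True, "minimal": True,
                 "os": True, "full": True}
DIRECTIVE = re.compile(r"^\s*(ServerSignature|ServerTokens)\s+(\S+)", re.I)

def audit_banner(conf_text):
    """Report what version information a config would expose to clients.

    Assumption: the text is read as one flat scope; Include files and
    per-VirtualHost overrides are not resolved.
    """
    # Apache's documented defaults when a directive is absent.
    effective = {"serversignature": "off", "servertokens": "full"}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)              # commented-out lines never match
        if m:
            effective[m.group(1).lower()] = m.group(2).lower()  # last one wins
    # Unknown ServerTokens keywords are treated as Full (conservative).
    version = SHOWS_VERSION.get(effective["servertokens"], True)
    footer = effective["serversignature"] in ("on", "email")
    return {
        "header_has_version": version,      # Server: response header
        "footer_enabled": footer,           # footer on generated error pages
        "footer_has_version": footer and version,
    }

# Constructed samples: a default like the one the report describes, and the
# settings the reporter proposed. DocumentRoot is a placeholder value.
REPORTED_DEFAULT = """\
<VirtualHost *>
    DocumentRoot /var/www/
    # ServerTokens Prod
    ServerSignature On
</VirtualHost>
"""
PROPOSED = """\
ServerSignature  Off
ServerTokens     ProductOnly
"""

if __name__ == "__main__":
    for name, conf in (("reported default", REPORTED_DEFAULT),
                       ("proposed", PROPOSED)):
        print(name, audit_banner(conf))
```

An empty configuration still reports `header_has_version` as true, because turning the signature off leaves the `Server` header at the `Full` default.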


