On Thursday 24 November 2011, Mathieu Parent wrote: > Currently, on any Debian-based apache2, anyone can browse the > /icons URL. > > Anyone can see that odf6* icons are present (-> this is Debian > specific) and the date of these icons correspond to the build date. > > So one can deduce the version and arch (for example "29-Sep-2011 > 23:00" is apache2 2.2.16-6+squeeze4 amd64)
Not leaking the arch is certainly a valid request. > Recommendation: remove the "Indexes" option in > 'config-dir/mods-available/alias.conf' [1]. But disabling the Index page is not enough. The server sends the date of the icons in the Last-Modified header. Setting the icon dates during build time should work, though. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
