Bug#649888: Hide /icons index

2011-11-27 Thread Stefan Fritsch
On Thursday 24 November 2011, Mathieu Parent wrote:
> Currently, on any Debian-based apache2, anyone can browse the
> /icons URL.
> 
> Anyone can see that odf6* icons are present (-> this is Debian
> specific) and the date of these icons corresponds to the build date.
> 
> So one can deduce the version and arch (for example "29-Sep-2011
> 23:00" is apache2 2.2.16-6+squeeze4 amd64)

Not leaking the arch is certainly a valid request.

> Recommendation: remove the "Indexes" option in
> 'config-dir/mods-available/alias.conf' [1].

But disabling the Index page is not enough. The server sends the date
of the icons in the Last-Modified header. Setting the icon dates
during build time should work, though.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#649888: Hide /icons index

2011-11-24 Thread Mathieu Parent
Package: apache2
Version: 2.2.21-2
Tags: security
Severity: minor

Hi,

Currently, on any Debian-based apache2, anyone can browse the /icons URL.

Anyone can see that odf6* icons are present (-> this is Debian
specific) and the date of these icons corresponds to the build date.

So one can deduce the version and arch (for example "29-Sep-2011
23:00" is apache2 2.2.16-6+squeeze4 amd64)

Recommendation: remove the "Indexes" option in
'config-dir/mods-available/alias.conf' [1].

Regards

-- 
Mathieu Parent

[1]: 
http://anonscm.debian.org/viewvc/pkg-apache/trunk/apache2/config-dir/mods-available/alias.conf?revision=410&view=markup



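The following script is an added example for this bug, written for the Debian admin reading the thread; it is not code from the bug report, from Mathieu's or Stefan's messages, or from the Debian apache2 package. It covers both points raised above: Mathieu's recommendation to drop "Indexes" from the /icons <Directory> block in mods-available/alias.conf, and Stefan's caveat that Last-Modified still exposes the icon mtimes unless they are set to a fixed value at build time. It assumes GNU coreutils, findutils, sed and awk (as on Debian). The alias.conf stanza and the odf6* file names below are constructed samples that mimic the squeeze-era layout; the HTTP responses are likewise constructed, not captured from a server.

```shell
#!/bin/sh
# Added example for Debian bug #649888 (not from the report or the package).
# Assumes GNU coreutils/findutils/sed/awk. All sample data is CONSTRUCTED.
set -u

# ---- Part 1: audit and fix "Options Indexes" on the /icons directory ---------

# Prints 1 if the <Directory "/usr/share/apache2/icons"> block of the given
# alias.conf enables listings (Indexes or +Indexes), else 0. Other <Directory>
# stanzas in the file are ignored.
icons_indexes_enabled() {
    awk '
        /<Directory "\/usr\/share\/apache2\/icons">/ { inblk = 1; next }
        inblk && /<\/Directory>/                     { inblk = 0 }
        inblk && /^[[:space:]]*Options([[:space:]]|$)/ {
            for (i = 2; i <= NF; i++)
                if ($i == "Indexes" || $i == "+Indexes") found = 1
        }
        END { print (found ? 1 : 0) }
    ' "$1"
}

# Removes Indexes from the Options line inside that block only. If nothing is
# left on the line, writes "Options None" so the directive stays valid.
disable_icons_indexes() {
    sed -i \
        -e '/<Directory "\/usr\/share\/apache2\/icons">/,/<\/Directory>/{' \
        -e '  /^[[:space:]]*Options/{' \
        -e '    s/[[:space:]]\{1,\}+\{0,1\}Indexes\([[:space:]]\|$\)/\1/' \
        -e '    s/^\([[:space:]]*Options\)[[:space:]]*$/\1 None/' \
        -e '  }' \
        -e '}' "$1"
}

# Constructed alias.conf in the squeeze-era layout (a sample, not the package file).
make_sample_conf() {
    cat > "$1" <<'EOF'
<IfModule alias_module>
        Alias /icons/ "/usr/share/apache2/icons/"

        <Directory "/usr/share/apache2/icons">
                Options Indexes MultiViews
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>
</IfModule>
EOF
}

# ---- Part 2: the leak that survives disabling Indexes ------------------------
# Every icon still carries Last-Modified = file mtime, so the build date leaks
# one file at a time. Fix: give the files a fixed timestamp when building.

# Counts distinct mtimes under a directory; after normalisation this is 1.
distinct_mtimes() {
    find "$1" -type f -exec stat -c %Y {} + | sort -u | wc -l | tr -d ' '
}

# Sets every file under $1 to the fixed timestamp $2 (any `touch -d` format).
normalize_mtimes() {
    find "$1" -type f -exec touch -d "$2" {} +
}

# Constructed icon directory: two files with different (build-like) mtimes.
make_sample_icons() {
    mkdir -p "$1"
    touch -d '2011-09-29 23:00:00 UTC' "$1/odf6ods-20x22.png"
    touch -d '2011-09-29 23:01:30 UTC' "$1/odf6odt-20x22.png"
}

# Scans captured response text for the symptoms named in the report: a
# Last-Modified header, an "Index of /icons" listing, or odf6* entries.
# Prints the number of findings; details go to stderr.
scan_icons_response() {
    n=0
    if printf '%s\n' "$1" | grep -qi '^Last-Modified:'; then
        echo "leak: Last-Modified exposes icon mtime" >&2; n=$((n + 1))
    fi
    if printf '%s\n' "$1" | grep -qi '<title>Index of /icons'; then
        echo "leak: directory listing enabled on /icons" >&2; n=$((n + 1))
    fi
    if printf '%s\n' "$1" | grep -q 'odf6'; then
        echo "leak: Debian-specific odf6* icons listed" >&2; n=$((n + 1))
    fi
    echo "$n"
}

# Constructed responses (not real captures): a listing and a single icon.
SAMPLE_LISTING='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8

<html><head><title>Index of /icons</title></head><body>
<a href="odf6ods-20x22.png">odf6ods-20x22.png</a> 29-Sep-2011 23:00 1.1K
</body></html>'
SAMPLE_ICON='HTTP/1.1 200 OK
Last-Modified: Thu, 29 Sep 2011 23:00:00 GMT
Content-Type: image/png'
```

Run the functions against a copy of your own alias.conf and /usr/share/apache2/icons before touching the live files. The mtime step is what Stefan describes for the package build; on a server you already run, the equivalent stopgap is `Header unset Last-Modified` (mod_headers) inside the /icons <Directory> block, at the cost of losing conditional-GET caching for those files.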