[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-04-03 Thread Adam Conrad
It's been argued by others in the past, but I honestly don't see how
full ServerTokens are a security risk.  If you prefer not to show them,
you can change it, but most bots out there don't look for what
extensions you may be running before they attempt to attack you.

And, honestly, most attack vectors are through broken applications (like
PHP web forums, for instance), and if you have the application running,
it's pretty obvious that you're also using the language underlying that
application in some form or another.

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-08-05 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.2.12-1ubuntu1

---
apache2 (2.2.12-1ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/{control,rules}: enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
    - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.

apache2 (2.2.12-1) unstable; urgency=low

  * New upstream release:
    - Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
      (The Debian default configuration will be changed to use SNI in a later
      version.)
    - Fixes timefmt config in SSI (closes: #363964).
    - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
      to enable stricter checking of remote server certificates.
  * Make mod_deflate not compress the content for HEAD requests. This is a
    similar issue as CVE-2009-1891.
  * Enable hardening compile options.
  * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
    sent) (closes: #272476 LP: #255124)
  * Add the default LANG=C to /etc/apache2/envvars and document it in
    README.Debian (closes: #511878).
  * Enable localized error pages by default if the necessary modules are
    loaded. Move the config for it from apache2.conf to
    /etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
    required order of the aliases in the comment (closes: #196795).
  * Change default for ServerTokens to 'OS', to not announce the exact module
    versions to the world (LP: #205996)
  * Make a2ensite and friends ignore the same filenames as apache does for
    included config files, even if LANG is not C.
  * Merge source packages apache2 and apache2-mpm-itk (current itk version is
    2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
    (closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
    package, which is no longer necessary.
  * Ship our own version of the magic config file (taken from file 4.17-5etch3)
    which is still compatible with mod_mime_magic (closes: #483111).
  * Add ThreadLimit to the default config and put ThreadsPerChild and
    MaxClients into the correct order so that Apache does not complain
    (closes: #495656).
    Also add a configuration block for the event MPM in apache2.conf.
  * Fix HTTP PUT with mod_dav failing to detect an aborted connection
    (closes: #451563).
  * Change references to httpd.conf in apache2-doc to apache2.conf
    (closes: #465393).
  * Clarify the recommended permissions for SSL certificates in README.Debian
    (closes: #512778).
  * Document in README.Debian how to name files in conf.d to avoid conflicts
    with packages (closes: #493252)
  * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
  * Remove other_vhosts_access.log on package purge.

 -- Chuck Short  Tue, 04 Aug 2009 20:04:24 +0100

** Changed in: apache2 (Ubuntu)
   Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1891



[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-07-29 Thread Caspar Clemens Mierau
Actually "Full" ServerTokens enable automated worm spreading due to
detailed application version scanning. The point is: There is absolutely
no need to display "Full" Server Tokens by default as you don't gain any
user experience, better server handling or similar features from that
setting. So the argument that most attacks deal with broken applications
is no reason for leaking information that actually doesn't *need* to be
published.

Besides that, /etc/apache2/conf.d/security also has "TraceEnable On" by
default, which also makes no sense, as this is a debugging setting and
has already had specific 0day exploits.

So from a server administrator's point of view:

Please consider configuring Apache2 more securely by setting ServerTokens
at least to "Minor" and "TraceEnable Off".


Just for your information, a list of differences in the ServerTokens settings:

  ServerTokens Prod[uctOnly]
    Server sends (e.g.): Server: Apache

  ServerTokens Major
    Server sends (e.g.): Server: Apache/2

  ServerTokens Minor
    Server sends (e.g.): Server: Apache/2.0

  ServerTokens Min[imal]
    Server sends (e.g.): Server: Apache/2.0.41

  ServerTokens OS
    Server sends (e.g.): Server: Apache/2.0.41 (Unix)

  ServerTokens Full (or not specified)
    Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

This setting applies to the entire server, and cannot be enabled or
disabled on a virtualhost-by-virtualhost basis.

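An audit helper for the two settings discussed in the message above, added here as an example; it is not part of the bug report or of the apache2 package. It infers the effective ServerTokens level from a Server: header using the format table in the message, checks a TRACE response for the message/http echo that TraceEnable On produces (Apache answers 405 Method Not Allowed when it is Off), and scans an apache2.conf-style text for both directives, flagging anything more verbose than the "Minor" the message asks for. The HTTP responses and config fragments are constructed, the host example.test is invented, and treating the last occurrence of a server-wide directive as the effective one is an assumption about Apache's config parsing.

```python
import re

# ServerTokens levels, least to most verbose, with the aliases Apache accepts.
LEVELS = ["Prod", "Major", "Minor", "Minimal", "OS", "Full"]
ALIASES = {"prod": "Prod", "productonly": "Prod", "major": "Major", "minor": "Minor",
           "min": "Minimal", "minimal": "Minimal", "os": "OS", "full": "Full"}

# "Apache", "Apache/2", "Apache/2.0", "Apache/2.0.41", followed by end or space.
_BANNER = re.compile(r"^Apache(?:/(\d+)(?:\.(\d+)(?:\.(\d+))?)?)?(?=\s|$)")


def classify_server_header(value):
    """Infer which ServerTokens level produced a Server: header value.

    Returns one of LEVELS, or None when the banner is not an Apache one.
    """
    value = value.strip()
    m = _BANNER.match(value)
    if m is None:
        return None
    major, minor, patch = m.groups()
    rest = value[m.end():].strip()
    if major is None:
        return "Prod"
    if minor is None:
        return "Major"
    if patch is None:
        return "Minor"
    if not rest:
        return "Minimal"
    # OS adds only a parenthesised platform such as "(Unix)"; anything beyond
    # that is module/extension versions, i.e. Full.
    if re.fullmatch(r"\([^()]*\)", rest):
        return "OS"
    return "Full"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercased-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(maxsplit=2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return status, headers


def trace_enabled(raw_trace_response):
    """True if a TRACE request was echoed back, i.e. TraceEnable On.

    Apache answers TRACE with 200 and Content-Type: message/http when the
    method is enabled, and with 405 Method Not Allowed when TraceEnable is Off.
    """
    status, headers = parse_response(raw_trace_response)
    return status == 200 and headers.get("content-type", "").startswith("message/http")


_DIRECTIVE = re.compile(r"^\s*(ServerTokens|TraceEnable)\s+(\S+)", re.IGNORECASE)


def audit_config(text, max_level="Minor"):
    """Report weak or missing ServerTokens / TraceEnable settings.

    Both directives are server-wide; the last occurrence is assumed to win, and
    commented lines are ignored. Anything more verbose than max_level is a finding.
    """
    seen = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            seen[m.group(1).lower()] = m.group(2)
    findings = []
    tokens = seen.get("servertokens")
    if tokens is None:
        findings.append("ServerTokens not set; Apache defaults to Full")
    else:
        level = ALIASES.get(tokens.lower())
        if level is None:
            findings.append(f"ServerTokens {tokens} is not a valid value")
        elif LEVELS.index(level) > LEVELS.index(max_level):
            findings.append(f"ServerTokens {tokens} is more verbose than {max_level}")
    trace = seen.get("traceenable", "On")  # Apache's default is On
    if trace.lower() != "off":
        findings.append(f"TraceEnable {trace}; set TraceEnable Off")
    return findings


# Constructed samples, not captured from any real host.
WEAK_CONF = "ServerTokens Full\nTraceEnable On\n"
DEBIAN_2_2_12_CONF = "ServerTokens OS\nTraceEnable On\n"
HARDENED_CONF = "# Product name only, and no TRACE echo.\nServerTokens Prod\nTraceEnable Off\n"
TRACE_ON = ("HTTP/1.1 200 OK\r\nServer: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2\r\n"
            "Content-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n")
TRACE_OFF = ("HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\n"
             "Allow: GET,HEAD,POST,OPTIONS\r\nContent-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    for raw in (TRACE_ON, TRACE_OFF):
        status, hdrs = parse_response(raw)
        print(f"{status}: Server={hdrs.get('server')!r} -> ServerTokens "
              f"{classify_server_header(hdrs.get('server', ''))}, TRACE "
              f"{'echoed' if trace_enabled(raw) else 'refused'}")
    for name, conf in (("weak", WEAK_CONF), ("2.2.12 default", DEBIAN_2_2_12_CONF),
                       ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_config(conf) or ['ok']}")
```

Run it against a real server by pasting the raw output of `curl -si -X TRACE http://host/` into trace_enabled() and the contents of the security config file into audit_config(); the 2.2.12 default of "OS" still trips the audit because it announces the patch level, which is exactly what the message argues nobody needs to see.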


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2008-03-27 Thread Chuck Short
Thanks for the bug report, this request might be a little too late for
hardy but it will be considered for Ibex.

Thanks
chuck

** Changed in: apache2 (Ubuntu)
   Importance: Undecided => Wishlist
   Status: New => Triaged

** Tags added: ibex-server



[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2008-03-27 Thread Chuck Short
Thanks for the bug report, this request might be a little too late for
hardy but it will be considered for Ibex.

Thanks
chuck

** Changed in: apache2 (Ubuntu)
   Importance: Undecided => Wishlist
   Status: New => Triaged

** Tags added: ibex-server

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-04-03 Thread Adam Conrad
It's been argued by others in the past, but I honestly don't see how
full ServerTokens are a security risk.  If you prefer not to show them,
you can change it, but most bots out there don't look for what
extensions you may be running before they attempt to attack you.

And, honestly, most attack vectors are through broken applications (like
PHP web forums, for instance), and if you have the application running,
it's pretty obvious that you're also using the language underlying that
application in some form or another.

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-04-03 Thread Adam Conrad
It's been argued by others in the past, but I honestly don't see how
full ServerTokens are a security risk.  If you prefer not to show them,
you can change it, but most bots out there don't look for what
extensions you may be running before they attempt to attack you.

And, honestly, most attack vectors are through broken applications (like
PHP web forums, for instance), and if you have the application running,
it's pretty obvious that you're also using the language underlying that
application in some form or another.

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-08-05 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.2.12-1ubuntu1

---
apache2 (2.2.12-1ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
- debian/{control,rules}: enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
- Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.

apache2 (2.2.12-1) unstable; urgency=low

  * New upstream release:
- Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
  (The Debian default configuration will be changed to use SNI in a later
  version.)
- Fixes timefmt config in SSI (closes: #363964).
- mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
  to enable stricter checking of remote server certificates.
  * Make mod_deflate not compress the content for HEAD requests. This is a
similar issue as CVE-2009-1891.
  * Enable hardening compile options.
  * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
sent) (closes: #272476 LP: #255124)
  * Add the default LANG=C to /etc/apache2/envvars and document it in
README.Debian (closes: #511878).
  * Enable localized error pages by default if the necessary modules are
loaded. Move the config for it from apache2.conf to
/etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
required order of the aliases in the comment (closes: #196795).
  * Change default for ServerTokens to 'OS', to not announce the exact module
versions to the world (LP: #205996)
  * Make a2ensite and friends ignore the same filenames as apache does for
included config files, even if LANG is not C.
  * Merge source packages apache2 and apache2-mpm-itk (current itk version is
2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
(closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
package, which is no longer necessary.
  * Ship our own version of the magic config file (taken from file 4.17-5etch3)
which is still compatible with mod_mime_magic (closes: #483111).
  * Add ThreadLimit to the default config and put ThreadsPerChild and
MaxClients into the correct order so that Apache does not complain
(closes: #495656).
Also add a configuration block for the event MPM in apache2.conf.
  * Fix HTTP PUT with mod_dav failing to detect an aborted connection
(closes: #451563).
  * Change references to httpd.conf in apache2-doc to apache2.conf
(closes: #465393).
  * Clarify the recommended permissions for SSL certificates in README.Debian
(closes: #512778).
  * Document in README.Debian how to name files in conf.d to avoid conflicts
with packages (closes: #493252)
  * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
  * Remove other_vhosts_access.log on package purge.

 -- Chuck ShortTue, 04 Aug 2009 20:04:24 +0100

** Changed in: apache2 (Ubuntu)
   Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2009-1891

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-07-29 Thread Caspar Clemens Mierau
Actually "Full" ServerTokens enable automated worm spreading due to
detailed application version scanning. The point is: There is absolutely
no need to display "Full" Server Tokens by default as you don't gain any
user experience, better server handling or similar features from that
setting. So the argument that most attacks deal with broken application
is no reason for leaking information that actually don't *need* to be
published.

Besides that, /etc/apache2/conf.d/security also has "TraceEnable On" by
default, also making no sense, as this is a debugging setting and
already had specific 0day exploits.

So from a server administrators point of view:

Please consider configuring Apache2 more secure by setting ServerTokens
at least to "Minor" and "TraceEnable Off".


Just for your information a list of differences in the ServerTokens settings:

  ServerTokens Prod[uctOnly]

Server sends (e.g.): Server: Apache

ServerTokens Major

Server sends (e.g.): Server: Apache/2

ServerTokens Minor

Server sends (e.g.): Server: Apache/2.0

ServerTokens Min[imal]

Server sends (e.g.): Server: Apache/2.0.41

ServerTokens OS

Server sends (e.g.): Server: Apache/2.0.41 (Unix)

ServerTokens Full (or not specified)

Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

This setting applies to the entire server, and cannot be enabled or
disabled on a virtualhost-by-virtualhost basis.

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2008-03-27 Thread Chuck Short
Thanks for the bug report, this request might be a little too late for
hardy but it will be considered for Ibex.

Thanks
chuck

** Changed in: apache2 (Ubuntu)
   Importance: Undecided => Wishlist
   Status: New => Triaged

** Tags added: ibex-server

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-07-29 Thread Caspar Clemens Mierau
Actually "Full" ServerTokens enable automated worm spreading due to
detailed application version scanning. The point is: There is absolutely
no need to display "Full" Server Tokens by default as you don't gain any
user experience, better server handling or similar features from that
setting. So the argument that most attacks deal with broken application
is no reason for leaking information that actually don't *need* to be
published.

Besides that, /etc/apache2/conf.d/security also has "TraceEnable On" by
default, also making no sense, as this is a debugging setting and
already had specific 0day exploits.

So from a server administrators point of view:

Please consider configuring Apache2 more secure by setting ServerTokens
at least to "Minor" and "TraceEnable Off".


Just for your information a list of differences in the ServerTokens settings:

  ServerTokens Prod[uctOnly]

Server sends (e.g.): Server: Apache

ServerTokens Major

Server sends (e.g.): Server: Apache/2

ServerTokens Minor

Server sends (e.g.): Server: Apache/2.0

ServerTokens Min[imal]

Server sends (e.g.): Server: Apache/2.0.41

ServerTokens OS

Server sends (e.g.): Server: Apache/2.0.41 (Unix)

ServerTokens Full (or not specified)

Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

This setting applies to the entire server, and cannot be enabled or
disabled on a virtualhost-by-virtualhost basis.

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-08-05 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.2.12-1ubuntu1

---
apache2 (2.2.12-1ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
- debian/{control,rules}: enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
- Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.

apache2 (2.2.12-1) unstable; urgency=low

  * New upstream release:
- Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
  (The Debian default configuration will be changed to use SNI in a later
  version.)
- Fixes timefmt config in SSI (closes: #363964).
- mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
  to enable stricter checking of remote server certificates.
  * Make mod_deflate not compress the content for HEAD requests. This is a
similar issue as CVE-2009-1891.
  * Enable hardening compile options.
  * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
sent) (closes: #272476 LP: #255124)
  * Add the default LANG=C to /etc/apache2/envvars and document it in
README.Debian (closes: #511878).
  * Enable localized error pages by default if the necessary modules are
loaded. Move the config for it from apache2.conf to
/etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
required order of the aliases in the comment (closes: #196795).
  * Change default for ServerTokens to 'OS', to not announce the exact module
versions to the world (LP: #205996)
  * Make a2ensite and friends ignore the same filenames as apache does for
included config files, even if LANG is not C.
  * Merge source packages apache2 and apache2-mpm-itk (current itk version is
2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
(closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
package, which is no longer necessary.
  * Ship our own version of the magic config file (taken from file 4.17-5etch3)
which is still compatible with mod_mime_magic (closes: #483111).
  * Add ThreadLimit to the default config and put ThreadsPerChild and
MaxClients into the correct order so that Apache does not complain
(closes: #495656).
Also add a configuration block for the event MPM in apache2.conf.
  * Fix HTTP PUT with mod_dav failing to detect an aborted connection
(closes: #451563).
  * Change references to httpd.conf in apache2-doc to apache2.conf
(closes: #465393).
  * Clarify the recommended permissions for SSL certificates in README.Debian
(closes: #512778).
  * Document in README.Debian how to name files in conf.d to avoid conflicts
with packages (closes: #493252)
  * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
  * Remove other_vhosts_access.log on package purge.

 -- Chuck ShortTue, 04 Aug 2009 20:04:24 +0100

** Changed in: apache2 (Ubuntu)
   Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2009-1891

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2008-03-27 Thread Chuck Short
Thanks for the bug report, this request might be a little too late for
hardy but it will be considered for Ibex.

Thanks
chuck

** Changed in: apache2 (Ubuntu)
   Importance: Undecided => Wishlist
   Status: New => Triaged

** Tags added: ibex-server

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2008-03-27 Thread Chuck Short
Thanks for the bug report, this request might be a little too late for
hardy but it will be considered for Ibex.

Thanks
chuck

** Changed in: apache2 (Ubuntu)
   Importance: Undecided => Wishlist
   Status: New => Triaged

** Tags added: ibex-server

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-04-03 Thread Adam Conrad
It's been argued by others in the past, but I honestly don't see how
full ServerTokens are a security risk.  If you prefer not to show them,
you can change it, but most bots out there don't look for what
extensions you may be running before they attempt to attack you.

And, honestly, most attack vectors are through broken applications (like
PHP web forums, for instance), and if you have the application running,
it's pretty obvious that you're also using the language underlying that
application in some form or another.

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-08-05 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.2.12-1ubuntu1

---
apache2 (2.2.12-1ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
- debian/{control,rules}: enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
- Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.

apache2 (2.2.12-1) unstable; urgency=low

  * New upstream release:
- Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
  (The Debian default configuration will be changed to use SNI in a later
  version.)
- Fixes timefmt config in SSI (closes: #363964).
- mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
  to enable stricter checking of remote server certificates.
  * Make mod_deflate not compress the content for HEAD requests. This is a
similar issue as CVE-2009-1891.
  * Enable hardening compile options.
  * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
sent) (closes: #272476 LP: #255124)
  * Add the default LANG=C to /etc/apache2/envvars and document it in
README.Debian (closes: #511878).
  * Enable localized error pages by default if the necessary modules are
loaded. Move the config for it from apache2.conf to
/etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
required order of the aliases in the comment (closes: #196795).
  * Change default for ServerTokens to 'OS', to not announce the exact module
versions to the world (LP: #205996)
  * Make a2ensite and friends ignore the same filenames as apache does for
included config files, even if LANG is not C.
  * Merge source packages apache2 and apache2-mpm-itk (current itk version is
2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
(closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
package, which is no longer necessary.
  * Ship our own version of the magic config file (taken from file 4.17-5etch3)
which is still compatible with mod_mime_magic (closes: #483111).
  * Add ThreadLimit to the default config and put ThreadsPerChild and
MaxClients into the correct order so that Apache does not complain
(closes: #495656).
Also add a configuration block for the event MPM in apache2.conf.
  * Fix HTTP PUT with mod_dav failing to detect an aborted connection
(closes: #451563).
  * Change references to httpd.conf in apache2-doc to apache2.conf
(closes: #465393).
  * Clarify the recommended permissions for SSL certificates in README.Debian
(closes: #512778).
  * Document in README.Debian how to name files in conf.d to avoid conflicts
with packages (closes: #493252)
  * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
  * Remove other_vhosts_access.log on package purge.

 -- Chuck ShortTue, 04 Aug 2009 20:04:24 +0100

** Changed in: apache2 (Ubuntu)
   Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2009-1891

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-07-29 Thread Caspar Clemens Mierau
Actually "Full" ServerTokens enable automated worm spreading due to
detailed application version scanning. The point is: There is absolutely
no need to display "Full" Server Tokens by default as you don't gain any
user experience, better server handling or similar features from that
setting. So the argument that most attacks deal with broken application
is no reason for leaking information that actually don't *need* to be
published.

Besides that, /etc/apache2/conf.d/security also has "TraceEnable On" by
default, also making no sense, as this is a debugging setting and
already had specific 0day exploits.

So from a server administrators point of view:

Please consider configuring Apache2 more secure by setting ServerTokens
at least to "Minor" and "TraceEnable Off".


Just for your information a list of differences in the ServerTokens settings:

  ServerTokens Prod[uctOnly]

Server sends (e.g.): Server: Apache

ServerTokens Major

Server sends (e.g.): Server: Apache/2

ServerTokens Minor

Server sends (e.g.): Server: Apache/2.0

ServerTokens Min[imal]

Server sends (e.g.): Server: Apache/2.0.41

ServerTokens OS

Server sends (e.g.): Server: Apache/2.0.41 (Unix)

ServerTokens Full (or not specified)

Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

This setting applies to the entire server, and cannot be enabled or
disabled on a virtualhost-by-virtualhost basis.

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-04-03 Thread Adam Conrad
It's been argued by others in the past, but I honestly don't see how
full ServerTokens are a security risk.  If you prefer not to show them,
you can change it, but most bots out there don't look for what
extensions you may be running before they attempt to attack you.

And, honestly, most attack vectors are through broken applications (like
PHP web forums, for instance), and if you have the application running,
it's pretty obvious that you're also using the language underlying that
application in some form or another.

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-08-05 Thread Launchpad Bug Tracker
This bug was fixed in the package apache2 - 2.2.12-1ubuntu1

---
apache2 (2.2.12-1ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
- debian/{control,rules}: enable PIE hardening.
- debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
- Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.

apache2 (2.2.12-1) unstable; urgency=low

  * New upstream release:
- Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
  (The Debian default configuration will be changed to use SNI in a later
  version.)
- Fixes timefmt config in SSI (closes: #363964).
- mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
  to enable stricter checking of remote server certificates.
  * Make mod_deflate not compress the content for HEAD requests. This is a
similar issue as CVE-2009-1891.
  * Enable hardening compile options.
  * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
sent) (closes: #272476 LP: #255124)
  * Add the default LANG=C to /etc/apache2/envvars and document it in
README.Debian (closes: #511878).
  * Enable localized error pages by default if the necessary modules are
loaded. Move the config for it from apache2.conf to
/etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
required order of the aliases in the comment (closes: #196795).
  * Change default for ServerTokens to 'OS', to not announce the exact module
versions to the world (LP: #205996)
  * Make a2ensite and friends ignore the same filenames as apache does for
included config files, even if LANG is not C.
  * Merge source packages apache2 and apache2-mpm-itk (current itk version is
2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
(closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
package, which is no longer necessary.
  * Ship our own version of the magic config file (taken from file 4.17-5etch3)
which is still compatible with mod_mime_magic (closes: #483111).
  * Add ThreadLimit to the default config and put ThreadsPerChild and
MaxClients into the correct order so that Apache does not complain
(closes: #495656).
Also add a configuration block for the event MPM in apache2.conf.
  * Fix HTTP PUT with mod_dav failing to detect an aborted connection
(closes: #451563).
  * Change references to httpd.conf in apache2-doc to apache2.conf
(closes: #465393).
  * Clarify the recommended permissions for SSL certificates in README.Debian
(closes: #512778).
  * Document in README.Debian how to name files in conf.d to avoid conflicts
with packages (closes: #493252)
  * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
  * Remove other_vhosts_access.log on package purge.

 -- Chuck ShortTue, 04 Aug 2009 20:04:24 +0100

** Changed in: apache2 (Ubuntu)
   Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2009-1891



[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2009-07-29 Thread Caspar Clemens Mierau
Actually "Full" ServerTokens enable automated worm spreading due to
detailed application version scanning. The point is: there is absolutely
no need to display "Full" Server Tokens by default, as you don't gain any
user experience, better server handling or similar features from that
setting. So the argument that most attacks deal with broken applications
is no reason for leaking information that actually doesn't *need* to be
published.

Besides that, /etc/apache2/conf.d/security also has "TraceEnable On" by
default, which also makes no sense, as this is a debugging setting and
has already had specific 0day exploits.

So from a server administrator's point of view:

Please consider configuring Apache2 more securely by setting ServerTokens
at least to "Minor" and "TraceEnable Off".


Just for your information, a list of differences in the ServerTokens settings:

  ServerTokens Prod[uctOnly]
    Server sends (e.g.): Server: Apache

  ServerTokens Major
    Server sends (e.g.): Server: Apache/2

  ServerTokens Minor
    Server sends (e.g.): Server: Apache/2.0

  ServerTokens Min[imal]
    Server sends (e.g.): Server: Apache/2.0.41

  ServerTokens OS
    Server sends (e.g.): Server: Apache/2.0.41 (Unix)

  ServerTokens Full (or not specified)
    Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

This setting applies to the entire server, and cannot be enabled or
disabled on a virtualhost-by-virtualhost basis.



[Bug 205996] Re: ServerTokens Full in apache2.conf (security risk?)

2008-03-27 Thread Chuck Short
Thanks for the bug report, this request might be a little too late for
hardy but it will be considered for Ibex.

Thanks
chuck

** Changed in: apache2 (Ubuntu)
   Importance: Undecided => Wishlist
   Status: New => Triaged

** Tags added: ibex-server


