[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|---

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-29 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #16 from Christopher Schultz --- (In reply to Mark Thomas from comment #14) > I'm leaning towards resolving this as WONTFIX. +1 > The server attribute defaults to null whereas ServerInfo (as used in the > ErrorReportValve and othe

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-29 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #15 from Konstantin Kolinko --- Securing Apache Tomcat 8.5.x is documented at [1]. Both "server" attribute and ErrorReportValve are documented there. BTW, there is a typo in [1]. Its description of the default value "server" attri

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #14 from Mark Thomas --- I'm leaning towards resolving this as WONTFIX. The server attribute defaults to null whereas ServerInfo (as used in the ErrorReportValve and other places) defaults to "Apache Tomcat/". I don't see any easy

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-16 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #13 from Christopher Schultz --- (In reply to Ralf Hauser from comment #9) > Every script kiddie pen tester will complain about it. FTFY

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #12 from Michael Osipov --- (In reply to Ralf Hauser from comment #9) > Every penetration tester will complain about it. > If they can be made happy in one go, that would be great. > In the current setup, they in most cases will hav

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #11 from Michael Osipov --- (In reply to Mark Thomas from comment #8) > (In reply to Ralf Hauser from comment #5) > >showServerInfo=false > > achieves a similar goal, but why not be consistent with the "server" > > attribute of

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #10 from Michael Osipov --- (In reply to Mark Thomas from comment #7) > The tone of some of the comments on this issue is getting a little > unfriendly. > > I'd ask that everyone remind themselves of the ASF code of conduct - > par

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #9 from Ralf Hauser --- Every penetration tester will complain about it. If they can be made happy in one go, that would be great. In the current setup, they in most cases will have two points to raise...

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #8 from Mark Thomas --- (In reply to Ralf Hauser from comment #5) >showServerInfo=false > achieves a similar goal, but why not be consistent with the "server" > attribute of server.xml ? There are some subtle differences. The

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #7 from Mark Thomas --- The tone of some of the comments on this issue is getting a little unfriendly. I'd ask that everyone remind themselves of the ASF code of conduct - particularly guideline 2: "Be empathetic, welcoming, frien

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #6 from Michael Osipov --- (In reply to Ralf Hauser from comment #5) > Hi Violeta, > > Sure, >showServerInfo=false > achieves a similar goal, but why not be consistent with the "server" > attribute of server.xml ? Because bot

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 Ralf Hauser changed: What|Removed |Added Status|NEEDINFO|NEW --- Comment #5 from Ralf Hauser ---

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 --- Comment #4 from Violeta Georgieva --- (In reply to Ralf Hauser from comment #2) > Hi Michael, > > Thanks for your comment. > > "Apache Tomcat/8.5.47 (Ubuntu)" > > is not the true version and OS I am using, this is just for illustratio

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 Michael Osipov changed: What|Removed |Added Status|NEW |NEEDINFO --- Comment #3 from Michael

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 Ralf Hauser changed: What|Removed |Added Status|NEEDINFO|NEW --- Comment #2 from Ralf Hauser ---

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 Michael Osipov changed: What|Removed |Added Status|NEW |NEEDINFO --- Comment #1 from Michael

[Bug 63852] ServerInfo.java discloses server-version ignoring settings from server.xml

2019-10-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852 Ralf Hauser changed: What|Removed |Added Summary|ServerInfo.java |ServerInfo.java discloses