https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #16 from Christopher Schultz ---
(In reply to Mark Thomas from comment #14)
> I'm leaning towards resolving this as WONTFIX.
+1
> The server attribute defaults to null whereas ServerInfo (as used in the
> ErrorReportValve and othe
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #15 from Konstantin Kolinko ---
Securing Apache Tomcat 8.5.x is documented at [1]. Both "server" attribute and
ErrorReportValve are documented there.
BTW, there is a typo in [1]. Its description of the default value "server"
attri
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #14 from Mark Thomas ---
I'm leaning towards resolving this as WONTFIX.
The server attribute defaults to null whereas ServerInfo (as used in the
ErrorReportValve and other places) defaults to "Apache Tomcat/".
I don't see any easy
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #13 from Christopher Schultz ---
(In reply to Ralf Hauser from comment #9)
> Every script kiddie pen tester will complain about it.
FTFY
--
You are receiving this mail because:
You are the assignee for the bug.
--
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #12 from Michael Osipov ---
(In reply to Ralf Hauser from comment #9)
> Every penetration tester will complain about it.
> If they can be made happy in one go, that would be great.
> In the current setup, they in most cases will hav
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #11 from Michael Osipov ---
(In reply to Mark Thomas from comment #8)
> (In reply to Ralf Hauser from comment #5)
> > showServerInfo=false
> > achieves a similar goal, but why not be consistent with the "server"
> > attribute of
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #10 from Michael Osipov ---
(In reply to Mark Thomas from comment #7)
> The tone of some of the comments on this issue is getting a little
> unfriendly.
>
> I'd ask that everyone remind themselves of the ASF code of conduct -
> par
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #9 from Ralf Hauser ---
Every penetration tester will complain about it.
If they can be made happy in one go, that would be great.
In the current setup, they in most cases will have two points to raise...
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #8 from Mark Thomas ---
(In reply to Ralf Hauser from comment #5)
> showServerInfo=false
> achieves a similar goal, but why not be consistent with the "server"
> attribute of server.xml ?
There are some subtle differences.
The
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #7 from Mark Thomas ---
The tone of some of the comments on this issue is getting a little unfriendly.
I'd ask that everyone remind themselves of the ASF code of conduct -
particularly guideline 2:
"Be empathetic, welcoming, frien
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #6 from Michael Osipov ---
(In reply to Ralf Hauser from comment #5)
> Hi Violeta,
>
> Sure,
> showServerInfo=false
> achieves a similar goal, but why not be consistent with the "server"
> attribute of server.xml ?
Because bot
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
Ralf Hauser changed:
What|Removed |Added
Status|NEEDINFO|NEW
--- Comment #5 from Ralf Hauser ---
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
--- Comment #4 from Violeta Georgieva ---
(In reply to Ralf Hauser from comment #2)
> Hi Michael,
>
> Thanks for your comment.
>
> "Apache Tomcat/8.5.47 (Ubuntu)"
>
> is not the true version and OS I am using, this is just for illustratio
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
Michael Osipov changed:
What|Removed |Added
Status|NEW |NEEDINFO
--- Comment #3 from Michael
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
Ralf Hauser changed:
What|Removed |Added
Status|NEEDINFO|NEW
--- Comment #2 from Ralf Hauser ---
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
Michael Osipov changed:
What|Removed |Added
Status|NEW |NEEDINFO
--- Comment #1 from Michael
https://bz.apache.org/bugzilla/show_bug.cgi?id=63852
Ralf Hauser changed:
What|Removed |Added
Summary|ServerInfo.java |ServerInfo.java discloses