Actually, "Full" ServerTokens enables automated worm spreading due to detailed application version scanning. The point is: there is absolutely no need to display "Full" ServerTokens by default, as you don't gain any user experience, better server handling or similar features from that setting. So the argument that most attacks deal with broken applications is no reason for leaking information that actually doesn't *need* to be published.
Besides that, /etc/apache2/conf.d/security also has "TraceEnable On" by default, which also makes no sense, as this is a debugging setting and has already had specific 0day exploits. So from a server administrator's point of view: please consider configuring Apache2 more securely by setting ServerTokens at least to "Minor" and "TraceEnable Off".

Just for your information, a list of the differences between the ServerTokens settings:

ServerTokens Prod[uctOnly]
    Server sends (e.g.): Server: Apache
ServerTokens Major
    Server sends (e.g.): Server: Apache/2
ServerTokens Minor
    Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
    Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
    Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
    Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.

-- 
ServerTokens Full in apache2.conf (security risk?)
https://bugs.launchpad.net/bugs/205996

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
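The two directives the report asks about can be checked directly in a config file before reloading the server. The script below is an added example and is not part of the bug report or of Ubuntu's packaging: it reads an Apache config file, reports the effective ServerTokens and TraceEnable values (falling back to Apache's defaults, "Full" and "On", when a directive is absent), and flags anything weaker than the "Minor"/"Off" combination the report recommends. The audit_apache_conf function name and the two sample config files are constructed for this example; they are not the real contents of /etc/apache2/conf.d/security.

```shell
#!/bin/sh
# Added example, not from the bug report: audit an Apache config file for the
# ServerTokens and TraceEnable directives discussed above.

# audit_apache_conf FILE
# Prints two lines: "ServerTokens=<value> <OK|WEAK>" and
# "TraceEnable=<value> <OK|WEAK>". A missing directive is reported with the
# value Apache falls back to ("Full" / "On"), since that is what would be served.
audit_apache_conf() {
    file="$1"
    # The last uncommented occurrence wins, as in Apache's own processing order.
    tokens=$(grep -i '^[[:space:]]*ServerTokens[[:space:]]' "$file" | tail -n 1 | awk '{print $2}')
    trace=$(grep -i '^[[:space:]]*TraceEnable[[:space:]]' "$file" | tail -n 1 | awk '{print $2}')
    [ -z "$tokens" ] && tokens="Full"
    [ -z "$trace" ] && trace="On"

    # Prod/Major/Minor hide the patch level; Min/OS/Full reveal it (plus OS/modules).
    case "$(printf '%s' "$tokens" | tr 'A-Z' 'a-z')" in
        prod|productonly|major|minor) tokens_verdict=OK ;;
        *) tokens_verdict=WEAK ;;
    esac
    case "$(printf '%s' "$trace" | tr 'A-Z' 'a-z')" in
        off) trace_verdict=OK ;;
        *) trace_verdict=WEAK ;;
    esac
    printf 'ServerTokens=%s %s\n' "$tokens" "$tokens_verdict"
    printf 'TraceEnable=%s %s\n' "$trace" "$trace_verdict"
}

# Constructed sample: the shipped defaults the report complains about.
weak=$(mktemp)
cat > "$weak" <<'EOF'
# constructed stand-in for /etc/apache2/conf.d/security as shipped
ServerTokens Full
ServerSignature On
TraceEnable On
EOF

# Constructed sample: the settings the report asks for.
hardened=$(mktemp)
cat > "$hardened" <<'EOF'
# constructed hardened version: header shrinks to "Apache/2.0", TRACE is refused
ServerTokens Minor
ServerSignature Off
TraceEnable Off
EOF

echo "== shipped defaults =="
audit_apache_conf "$weak"
echo "== hardened =="
audit_apache_conf "$hardened"
rm -f "$weak" "$hardened"
```

Run it as `sh audit.sh`; the first block prints both directives as WEAK and the second prints both as OK. The function only inspects a single file, so on a real system point it at each file that may set these directives (the report names /etc/apache2/conf.d/security) or at a flattened dump of the whole configuration.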