@bkerensa, thanks for the constructive contribution to the
conversation... I discussed this with a couple folks in #ubuntu-server
and one of the Ubuntu php maintainers, and filed this with their
feedback.

@all, I'm well aware that security by obscurity is no solution, but as
noted by Francois in the linked Debian bug, shipping sane defaults is a
reasonable expectation. Advertising the full package version by default
just makes it easy for scans to identify vulnerable targets. This is
clearly irrelevant in a targeted attack, but it could keep you off a
low-hanging-fruit list generated by malicious scanning, which I find to
be of value.

So the question should be: what's the value in advertising this
information by default? As noted in the bug description, I think php
version information similar to the information provided by Apache,
Nginx, etc. does make sense to an extent, just not listing the full
package name.

I'll agree with Francois in the linked bug: this is ultimately the
maintainer's decision, and I'll respect the decision, though I think that
a pro vs. con analysis comes down clearly on the side of a better
default, be that normalized version info or turning expose_php off.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1002443

Title:
  php5-fpm exposes full ubuntu package version in headers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1002443/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
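As an added illustration (not part of the bug thread or of Ubuntu's php5 packaging), here is a small audit check an admin could run over saved HTTP responses from their own servers to tell the three states discussed above apart: full package version exposed, upstream version only, or expose_php off. The header values are constructed samples.

```python
import re

# PHP version as it appears in X-Powered-By, e.g. "PHP/5.3.10-1ubuntu3.1"
# (constructed sample value). Group 1 is the upstream version; group 2 is
# the optional distribution package suffix such as "-1ubuntu3.1".
PHP_VERSION_RE = re.compile(r"PHP/(\d+(?:\.\d+)*)(-[0-9A-Za-z.+~]+)?")


def parse_headers(raw):
    """Parse a raw HTTP response (status line plus headers) into a dict.
    Header names are lower-cased; any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_php_disclosure(raw):
    """Return 'package', 'version' or 'none' for one raw HTTP response.
    'package' - full distro package version leaked (the case in bug 1002443)
    'version' - upstream PHP version only (normalized version info)
    'none'    - no PHP version in X-Powered-By (expose_php = Off)"""
    powered = parse_headers(raw).get("x-powered-by", "")
    m = PHP_VERSION_RE.search(powered)
    if not m:
        return "none"
    return "package" if m.group(2) else "version"


# Constructed sample responses, not real captures.
EXPOSED = ("HTTP/1.1 200 OK\r\n"
           "Server: nginx\r\n"
           "X-Powered-By: PHP/5.3.10-1ubuntu3.1\r\n\r\n")
UPSTREAM = "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.3.10\r\n\r\n"
HARDENED = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"

if __name__ == "__main__":
    for name, resp in (("exposed", EXPOSED), ("upstream", UPSTREAM),
                       ("hardened", HARDENED)):
        print(name, classify_php_disclosure(resp))
```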
