https://issues.apache.org/bugzilla/show_bug.cgi?id=52751
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #2 from Mark Thomas <ma...@apache.org> 2012-03-20 22:11:07 UTC ---
It is very rare for an attacker to identify the specific Tomcat version and then target a known vulnerability. It is much more common to see every known vulnerability probed (for a range of servers) rather than the more targeted attack described in the patch. I therefore see little point in hiding the version number. I'd go further than that and say I would prefer to see the exact Tomcat version in the server header since it provides more assistance to debugging/monitoring efforts than it does harm.

Even if the version number is hidden there are plenty of other clues to the exact version number, particularly the line numbers in any stack trace.

Rather than address this specific issue, I'd prefer to see a general solution to bug 41007 that allowed custom error pages to be specified without having to write a custom valve.