https://bz.apache.org/bugzilla/show_bug.cgi?id=58238
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Security is a balance and I am of the view that the current balance is right.

In favour of implementing this change:
- Exact version information can help an attacker determine if a site is vulnerable to a known vulnerability when Tomcat is deployed in production.

Against implementing this change:
- Exact version information can help debug an issue if an error occurs in development and/or production.
- Attackers rarely look for a specific version first and then try an attack. They typically automate all known attacks regardless of any version (or even product) reported.
- The focus should be on working around or upgrading Tomcat instances with known vulnerabilities that impact an organisation - not on trying to hide the fact that there is a problem.
- Having the version number easily available is consistent with the httpd view [1].

[1] http://httpd.apache.org/docs/current/mod/core.html#servertokens