https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #20 from Phillip Webb ---
FWIW we're still getting quite a bit of interest in this on the Spring Boot
issue tracker. It seems like a fair number would like the ability to not send
the header.
--
You are receiving this mail because
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #19 from Anthony J. Biacco ---
Sorry, I don't REBUILD the jar, I just leave
org/apache/catalina/util/ServerInfo.properties there after modded as suggested
in the Valves section of
https://tomcat.apache.org/tomcat-8.0-doc/security-ho
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #18 from Anthony J. Biacco ---
I usually just modify server.* org/apache/catalina/util/ServerInfo.properties
and rebuild catalina.jar.
Not exactly ideal, but fairly trivial for me at least to mask the info.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
Michael Osipov <1983-01...@gmx.net> changed:
What|Removed |Added
CC||1983-01...@gmx.net
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #17 from Greg Turnquist ---
I tend to lean towards security experts (like OWASP) that indicate it's
preferable to reduce information leakage, rather than simply asserting there is
no real world risk here.
The rest of the industry h
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #16 from Christopher Schultz ---
(In reply to Mark Thomas from comment #9)
> I remain unconvinced that there are any real world security benefits to be
> gained by removing the security header.
Agreed.
> The bandwidth argument car
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #15 from Mark Thomas ---
Ignoring the reasoning isn't a red herring. It is part of deciding what the
best solution is. "Because someone wants it" is not, on its own, sufficient
justification.
The patch looks like a good start if we
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #14 from Phillip Webb ---
I've been mulling this issue over a little bit more and I think that the
arguments about whether removing the header offers any real world security or
bandwidth benefits are a bit of a red herring. There's
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #13 from Phillip Webb ---
Created attachment 33364
--> https://bz.apache.org/bugzilla/attachment.cgi?id=33364&action=edit
Suggested patch
Something like this. (not including tests yet as not sure where to add them)
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #12 from Phillip Webb ---
For more information about what's driving this request see
https://github.com/spring-projects/spring-boot/issues/4730. We're specifically
looking for feature parity across all embedded servlet containers th
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #11 from Phillip Webb ---
Removing all server header processing code will break back compatibility.
Specifically, this recently added Spring Boot feature [1] will stop working
since it relies on the `server` attribute being picked u
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
Phillip Webb changed:
What|Removed |Added
CC||pw...@pivotal.io
--- Comment #10 from P
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #9 from Mark Thomas ---
I remain unconvinced that there are any real world security benefits to be
gained by removing the security header.
The bandwidth argument carries slightly more weight but we are only talking 27
bytes per res
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #8 from Remy Maucherat ---
"2) if a Server header was set by a web application, we should remove it": I
see no reason to do that.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #7 from Phillip Webb ---
Thanks! Sorry, I should have checked that.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #6 from Mark Thomas ---
Read BUILDING.txt for details on the minimum Ant version required.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #5 from Phillip Webb ---
I'm trying to create a patch for this but I don't seem to be able to build
8.0.x from trunk.
Running `ant test` gives me:
test-bio:
BUILD FAILED
/Users/pwebb/projects/tomcat/trunk/build.xml:1374: The foll
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #4 from Konstantin Kolinko ---
1. The place to patch is
org.apache.coyote.http11.Http11Processor.prepareResponse()
If this feature is enabled, then it means that
1) if no Server header is set by a web application, we should skip
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #3 from Rob Winch ---
Thank you for the responses.
> It is also worth noting that because many system admins fake the server
> header, most attackers try scanning for all known vulnerabilities anyway.
Some hackers may target spec
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #2 from Mark Thomas ---
I don't see any significant information leakage here, even if the exact Tomcat
version is provided.
Assume you have a Tomcat instance running 8.0.30 (no known vulnerabilities as I
type this). How does it mak
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
Remy Maucherat changed:
What|Removed |Added
Severity|normal |enhancement
--- Comment #1 from Remy
23 matches