Posted to dev@tomcat.apache.org by bu...@apache.org on 2004/10/18 16:43:49 UTC
DO NOT REPLY [Bug 31758] New: - Tomcat version number in error messages
http://issues.apache.org/bugzilla/show_bug.cgi?id=31758
Summary: Tomcat version number in error messages
Product: Tomcat 5
Version: 5.0.28
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: mac@donnell.com

There was a "bug" fixed in the Apache webserver somewhere back in 1.3 (maybe
1.3.26 or so) to hide the exact version number in error messages. Has there
been any consideration to doing the same in Tomcat? The reason for the change
was that in knowing the exact version, a hacker might be able to exploit a
vulnerability known in that particular version.

I know there are ways to hide the exact version by creating custom
errorLogValves and such, but it seems I should have to. Also, I am not sure
what all classes I need to override to get rid of all the version numbers.

This may seem a minor point, but security folks love to make big issues out of
minor points like this.

I am not sure which Tomcat component this falls into, probably several since
many things handle their own error messages.