Posted to dev@subversion.apache.org by "Hyrum K. Wright" <hy...@hyrumwright.org> on 2009/10/14 13:30:00 UTC

Re: svn commit: r40009 - branches/1.6.x

On Oct 14, 2009, at 4:02 AM, Senthil Kumaran S wrote:

> Author: stylesen
> Date: Wed Oct 14 02:02:05 2009
> New Revision: 40009
>
> Log:
> On the '1.6.x' branch:
>
> * STATUS: Nominate r40008.
>
> Modified:
>   branches/1.6.x/STATUS
>
> Modified: branches/1.6.x/STATUS
> URL: http://svn.collab.net/viewvc/svn/branches/1.6.x/STATUS?pathrev=40009&r1=40008&r2=40009
> ==============================================================================
> --- branches/1.6.x/STATUS	Wed Oct 14 01:52:15 2009	(r40008)
> +++ branches/1.6.x/STATUS	Wed Oct 14 02:02:05 2009	(r40009)
> @@ -146,5 +146,12 @@ Candidate changes:
>    Votes:
>      +1: rhuijben
>
> + * r40008
> +   Respect Apache's ServerSignature directive.
> +   Justification:
> +     Many subversion server administrators want it.
> +   Votes:
> +     +1: stylesen
> +
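Review bot: The Justification line "Many subversion server administrators want it." states demand rather than a defect, which is what the "feature, not a bug fix" objection in this thread picks on; reword it to say what goes wrong today (with "ServerSignature off" set, httpd stops advertising mod_dav_svn, yet the Subversion directory listings still report the version) so the STATUS entry reads as a fix. The entry also carries only the nominator's own +1, so it needs further votes before it is eligible for merge.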

This sure looks a lot like a feature and not a bug fix.

-Hyrum

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2407538

Re: svn commit: r40009 - branches/1.6.x

Posted by Greg Stein <gs...@gmail.com>.
On Wed, Oct 14, 2009 at 12:56, Mark Phippard <ma...@gmail.com> wrote:
> On Wed, Oct 14, 2009 at 12:48 PM, Greg Stein <gs...@gmail.com> wrote:
>> On Wed, Oct 14, 2009 at 09:32, Mark Phippard <ma...@gmail.com> wrote:
>>> Some would also call it a security fix.
>>
>> Anybody that calls this a "security fix" needs to be permanently removed
>> from handling the security of their server.
>
> There are plenty of users that have to pass security audits that
> consider any server application that advertises its version as at
> least violating a best practice.  In this case, the US Government is
> asking for this as part of deploying Subversion on government servers.
>
> I have no interest in debating the merits of this.  Apache httpd
> obviously considered it valid when they added a directive to turn this
> off.  If a server admin is using this directive, it seems reasonable
> for Subversion to not overtly advertise its version number.

Oh, I'm not debating the merits either. Simply that it shouldn't be
called a "security fix", and that people who *do* call it that should
have their credentials revoked.

I can write a script to identify the version of an svn server. The
minor version is easy. I could probably distinguish most of the patch
levels, too. So this alleged "security fix" does nothing. An attacker
can easily determine the target's version. And shoot... if he's
exploiting a particular vulnerability, then he can simply *try* it,
and see if the target has a version that is subject to that exploit.

Cheers,
-g

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2407662

Re: svn commit: r40009 - branches/1.6.x

Posted by Mark Phippard <ma...@gmail.com>.
On Wed, Oct 14, 2009 at 12:48 PM, Greg Stein <gs...@gmail.com> wrote:
> On Wed, Oct 14, 2009 at 09:32, Mark Phippard <ma...@gmail.com> wrote:
>> Some would also call it a security fix.
>
> Anybody that calls this a "security fix" needs to be permanently removed
> from handling the security of their server.

There are plenty of users that have to pass security audits that
consider any server application that advertises its version as at
least violating a best practice.  In this case, the US Government is
asking for this as part of deploying Subversion on government servers.

I have no interest in debating the merits of this.  Apache httpd
obviously considered it valid when they added a directive to turn this
off.  If a server admin is using this directive, it seems reasonable
for Subversion to not overtly advertise its version number.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2407644

Re: svn commit: r40009 - branches/1.6.x

Posted by Greg Stein <gs...@gmail.com>.
On Wed, Oct 14, 2009 at 09:32, Mark Phippard <ma...@gmail.com> wrote:
> On Wed, Oct 14, 2009 at 9:30 AM, Hyrum K. Wright <hy...@hyrumwright.org> wrote:
>> On Oct 14, 2009, at 4:02 AM, Senthil Kumaran S wrote:
>>
>>> Author: stylesen
>>> Date: Wed Oct 14 02:02:05 2009
>>> New Revision: 40009
>>>
>>> Log:
>>> On the '1.6.x' branch:
>>>
>>> * STATUS: Nominate r40008.
>>>
>>> Modified:
>>>   branches/1.6.x/STATUS
>>>
>>> Modified: branches/1.6.x/STATUS
>>> URL: http://svn.collab.net/viewvc/svn/branches/1.6.x/STATUS?pathrev=40009&r1=40008&r2=40009
>>> ==============================================================================
>>> --- branches/1.6.x/STATUS     Wed Oct 14 01:52:15 2009        (r40008)
>>> +++ branches/1.6.x/STATUS     Wed Oct 14 02:02:05 2009        (r40009)
>>> @@ -146,5 +146,12 @@ Candidate changes:
>>>    Votes:
>>>      +1: rhuijben
>>>
>>> + * r40008
>>> +   Respect Apache's ServerSignature directive.
>>> +   Justification:
>>> +     Many subversion server administrators want it.
>>> +   Votes:
>>> +     +1: stylesen
>>> +
>>
>> This sure looks a lot like a feature and not a bug fix.
>>
>
> Some would also call it a security fix.

Anybody that calls this a "security fix" needs to be permanently removed
from handling the security of their server.

Cheers,
-g

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2407643

Re: svn commit: r40009 - branches/1.6.x

Posted by Mark Phippard <ma...@gmail.com>.
On Wed, Oct 14, 2009 at 9:30 AM, Hyrum K. Wright <hy...@hyrumwright.org> wrote:
> On Oct 14, 2009, at 4:02 AM, Senthil Kumaran S wrote:
>
>> Author: stylesen
>> Date: Wed Oct 14 02:02:05 2009
>> New Revision: 40009
>>
>> Log:
>> On the '1.6.x' branch:
>>
>> * STATUS: Nominate r40008.
>>
>> Modified:
>>   branches/1.6.x/STATUS
>>
>> Modified: branches/1.6.x/STATUS
>> URL: http://svn.collab.net/viewvc/svn/branches/1.6.x/STATUS?pathrev=40009&r1=40008&r2=40009
>> ==============================================================================
>> --- branches/1.6.x/STATUS     Wed Oct 14 01:52:15 2009        (r40008)
>> +++ branches/1.6.x/STATUS     Wed Oct 14 02:02:05 2009        (r40009)
>> @@ -146,5 +146,12 @@ Candidate changes:
>>    Votes:
>>      +1: rhuijben
>>
>> + * r40008
>> +   Respect Apache's ServerSignature directive.
>> +   Justification:
>> +     Many subversion server administrators want it.
>> +   Votes:
>> +     +1: stylesen
>> +
>
> This sure looks a lot like a feature and not a bug fix.
>

Some would also call it a security fix.


-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2407540

Re: svn commit: r40009 - branches/1.6.x

Posted by "C. Michael Pilato" <cm...@collab.net>.
Hyrum K. Wright wrote:
> Sounds good to me.  Perhaps the item in STATUS could be updated to
> explain the "fix" nature of this revision.

Done.

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2407669

Re: svn commit: r40009 - branches/1.6.x

Posted by "Hyrum K. Wright" <hy...@hyrumwright.org>.
On Oct 14, 2009, at 8:43 AM, C. Michael Pilato wrote:

> Hyrum K. Wright wrote:
>
> [...]
>
>>> @@ -146,5 +146,12 @@ Candidate changes:
>>>   Votes:
>>>     +1: rhuijben
>>>
>>> + * r40008
>>> +   Respect Apache's ServerSignature directive.
>>> +   Justification:
>>> +     Many subversion server administrators want it.
>>> +   Votes:
>>> +     +1: stylesen
>>> +
>>
>> This sure looks a lot like a feature and not a bug fix.
>
> I think it's actually security concerns that are driving the thing.  Admins
> can use "ServerSignature off" to prevent Apache from reporting the presence
> and version of mod_dav_svn, but can't hide the version from Subversion
> directory listings.  Definitely more "fix" and "feature", in my opinion.

Sounds good to me.  Perhaps the item in STATUS could be updated to
explain the "fix" nature of this revision.

-Hyrum

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2407599

Re: svn commit: r40009 - branches/1.6.x

Posted by "C. Michael Pilato" <cm...@collab.net>.
Hyrum K. Wright wrote:

[...]

>> @@ -146,5 +146,12 @@ Candidate changes:
>>    Votes:
>>      +1: rhuijben
>>
>> + * r40008
>> +   Respect Apache's ServerSignature directive.
>> +   Justification:
>> +     Many subversion server administrators want it.
>> +   Votes:
>> +     +1: stylesen
>> +
> 
> This sure looks a lot like a feature and not a bug fix.

I think it's actually security concerns that are driving the thing.  Admins
can use "ServerSignature off" to prevent Apache from reporting the presence
and version of mod_dav_svn, but can't hide the version from Subversion
directory listings.  Definitely more "fix" and "feature", in my opinion.

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2407541
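For an administrator reading Mark Phippard's point about audits and C. Michael Pilato's point about "ServerSignature off", the practical question is how to confirm that a deployment has actually stopped advertising its version. The Python below is an added example, not code from this thread, from Subversion or from httpd. It does two things: it audits an httpd configuration fragment for ServerSignature and the related ServerTokens directive (ServerTokens is a real httpd directive that controls the Server header, but it is not mentioned in the thread), and it scans a captured HTTP response for version strings in the Server header and in the directory-listing footer. The sample responses and configuration fragments are constructed, and the "Powered by ... Subversion version X.Y.Z" footer is an assumption about the shape of a mod_dav_svn listing, not text taken from the thread.

```python
"""Defender-side checks for version disclosure by an Apache + mod_dav_svn server.

Two independent checks:
  1. audit_apache_config(): flags an httpd config that still advertises
     product versions (ServerSignature / ServerTokens).
  2. find_version_leaks(): scans a captured response (headers + HTML
     directory listing) for version strings that survived hardening.
"""
import re

# Constructed sample responses: not captured from any real server.  The
# "Powered by ... Subversion ... version X.Y.Z" footer is an assumption about
# the shape of a mod_dav_svn directory listing, not text from the thread.
LEAKY_HEADERS = {"Server": "Apache/2.2.14 (Unix) SVN/1.6.5 DAV/2"}
LEAKY_BODY = (
    "<html><body><h2>repos - Revision 1234: /trunk</h2><ul>"
    '<li><a href="README">README</a></li></ul><hr noshade><em>Powered by '
    '<a href="http://subversion.tigris.org/">Subversion</a> version 1.6.5.'
    "</em></body></html>"
)
HARDENED_HEADERS = {"Server": "Apache"}
HARDENED_BODY = (
    "<html><body><h2>repos - Revision 1234: /trunk</h2><ul>"
    '<li><a href="README">README</a></li></ul><hr noshade><em>Powered by '
    '<a href="http://subversion.tigris.org/">Subversion</a>.</em></body></html>'
)

# "Product/1.2.3" tokens in the Server header.  "DAV/2" carries no dot, so it
# is a protocol level rather than a release version and is not matched.
SERVER_HEADER_VERSION = re.compile(r"\b[A-Za-z_]+/(\d+(?:\.\d+)+)")
# Version number in the listing footer (assumed footer shape, see above).
LISTING_VERSION = re.compile(r"Subversion</a>\s+version\s+(\d+(?:\.\d+)+)")


def find_version_leaks(headers, body):
    """Return [(where, version_string), ...] for every version disclosed."""
    leaks = []
    for m in SERVER_HEADER_VERSION.finditer(headers.get("Server", "")):
        leaks.append(("Server header", m.group(0)))
    for m in LISTING_VERSION.finditer(body):
        leaks.append(("directory listing", m.group(1)))
    return leaks


def audit_apache_config(conf):
    """Return a list of findings for an httpd config that exposes versions.

    Defaults assumed when a directive is absent: ServerSignature Off and
    ServerTokens Full (httpd's documented defaults).
    """
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # httpd only allows full-line comments
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip().lower()

    findings = []
    signature = directives.get("serversignature", "off")
    if signature != "off":
        findings.append(f"ServerSignature is {signature}; set it to Off so "
                        "error pages and listings carry no module/version footer")
    tokens = directives.get("servertokens", "full")
    if tokens not in ("prod", "productonly"):
        findings.append(f"ServerTokens is {tokens}; set it to Prod so the "
                        "Server header reads just 'Apache'")
    return findings


# Constructed config fragments: the weak settings beside the corrected ones.
WEAK_CONF = "ServerSignature On\nServerTokens Full\n"
HARDENED_CONF = "# Hide version details from clients\nServerSignature Off\nServerTokens Prod\n"

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "config:", audit_apache_config(conf) or "no findings")
    for label, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(label, "response:", find_version_leaks(hdrs, body) or "no leaks")
```

The two checks are deliberately separate: the configuration audit catches the setting before deployment, while the response scan is what an auditor sees from the outside, and both are needed because, as the thread notes, ServerSignature alone did not remove the version from the listing body in the affected releases.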