Bug #11160

closed

We should not send Jetty version in header response

Added by François ARMAND over 5 years ago. Updated over 5 years ago.

Status: Rejected
Priority: N/A
Assignee: -
Category: Packaging
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Regression:

Description

We have a response header telling Jetty version:

Server "Jetty(7.6.21.v20160908)" 

This is the default behavior for Jetty and is a little dumb: at best, it leaks information usable to forge an attack.

We should disable that, either by removing the header in Apache, or by changing to "false" the value of attribute "sendServerVersion" in file "/opt/rudder/jetty7/etc/jetty.xml".
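
A way to verify the change proposed above, as an added example that is not part of the original ticket or of Rudder's code: it checks a jetty.xml for the "sendServerVersion" setting and a raw HTTP response for a versioned Server header. The XML and the response are constructed samples (the Server value is the one quoted in the ticket), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal jetty.xml with the setting left at "true".
SAMPLE_JETTY_XML = """<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Set name="stopAtShutdown">true</Set>
  <Set name="sendServerVersion">true</Set>
</Configure>
"""

# Constructed response; the Server value is the one quoted in the ticket.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: Jetty(7.6.21.v20160908)\r\n"
    "\r\n"
    "<html></html>"
)

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # dotted version such as 7.6.21


def send_server_version_enabled(jetty_xml):
    """True when jetty.xml leaves sendServerVersion on. A missing setting
    counts as on, because the ticket describes sending it as the default."""
    root = ET.fromstring(jetty_xml)
    values = [(el.text or "").strip().lower() for el in root.iter("Set")
              if el.get("name") == "sendServerVersion"]
    # Anything other than an explicit "false" is reported; if the setting
    # appears more than once, the last entry is the one checked.
    return not values or values[-1] != "false"


def server_version_leak(raw_response):
    """Return the Server header value if it carries a version, else None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server" and VERSION_RE.search(value):
            return value.strip()
    return None


if __name__ == "__main__":
    print("sendServerVersion enabled:", send_server_version_enabled(SAMPLE_JETTY_XML))
    print("leaking Server header:", server_version_leak(SAMPLE_RESPONSE))
```
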


Related issues 2 (0 open, 2 closed)

Related to Rudder - Bug #11159: JSESSION cookie should be "secure" - Released - Benoît PECCATTE
Related to Rudder - Bug #19163: Do not display the jetty version number - Released - Alexis Mousset

#1

Updated by François ARMAND over 5 years ago

  • Copied from Bug #11159: JSESSION cookie should be "secure" added

#2

Updated by François ARMAND over 5 years ago

  • Copied from deleted (Bug #11159: JSESSION cookie should be "secure")

#3

Updated by François ARMAND over 5 years ago

  • Status changed from New to Rejected

Closed in #11159

#4

Updated by François ARMAND over 5 years ago

  • Related to Bug #11159: JSESSION cookie should be "secure" added

#5

Updated by François ARMAND about 1 year ago

  • Related to Bug #19163: Do not display the jetty version number added