Project

General

Profile

Actions
Copy link

Bug #11160

closed

We should not send Jetty version in header response

Added by François ARMAND over 7 years ago. Updated over 7 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Packaging
Target version:
3.1.22
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
Fix check:
Regression:

Description

We have a response header telling Jetty version:

Server "Jetty(7.6.21.v20160908)"

This is the default behavior for jetty and is a little dumb: at best, it leaks information usable to forge an attack.

We should disable that, either by removing the header in apache, or by changing to "false" the value of attribute "sendServerVersion" in file "/opt/rudder/jetty7/etc/jetty.xml"

Related issues 2 (0 open2 closed)

Related to Rudder - Bug #11159: JSESSION cookie should be "secure"ReleasedBenoît PECCATTEActions
Related to Rudder - Bug #19163: Do not display the jetty version numberReleasedAlexis MoussetActions
Actions
Copy link
 #1

Updated by François ARMAND over 7 years ago

  • Copied from Bug #11159: JSESSION cookie should be "secure" added
Actions
Copy link
 #2

Updated by François ARMAND over 7 years ago

  • Copied from deleted (Bug #11159: JSESSION cookie should be "secure")
Actions
Copy link
 #3

Updated by François ARMAND over 7 years ago

  • Status changed from New to Rejected

Closed in #11159

Actions
Copy link
 #4

Updated by François ARMAND over 7 years ago

  • Related to Bug #11159: JSESSION cookie should be "secure" added
Actions
Copy link
 #5

Updated by François ARMAND almost 3 years ago

  • Related to Bug #19163: Do not display the jetty version number added
Actions
Copy link

Also available in: Atom PDF