Project

General

Profile

Actions
Copy link

Bug #19163

closed

Do not display the jetty version number

Added by Julien BRIAULT about 3 years ago. Updated almost 2 years ago.

Status:
Released
Priority:
N/A
Assignee:
Alexis Mousset
Category:
Security
Target version:
6.2.12
Pull Request:
https://github.com/Normation/rudder-p...
Severity:
UX impact:
User visibility:
Effort required:
Very Small
Priority:
0
Name check:
Needs change
Fix check:
Checked
Regression:

Description

For security reasons, it seems important to stop sending the Jetty version number.
All this in order to strengthen the security of Rudder (in case of pentest for example).

To disable the display of the version number:

jetty.send.server.version=false

Files

jetty_version.png (46.1 KB) jetty_version.png Elaad FURREEDAN, 2021-12-14 12:39

Related issues 1 (0 open1 closed)

Related to Rudder - Bug #11160: We should not send Jetty version in header responseRejectedActions
Actions
Copy link
 #1

Updated by François ARMAND almost 3 years ago

Can you be more precise where you want to hide it?

If it's in response header, AFAIK it's filtered out by apache, and so it's only viewable on localhost (and if you are localhost, you can already see much more with ps or whatever).

But, right, it's not a big deal to set the VM option (it's more to understand the criticity of the problem).

Actions
Copy link
 #2

Updated by François ARMAND almost 3 years ago

  • Tracker changed from Architecture to Bug
  • Priority set to 0
Actions
Copy link
 #3

Updated by François ARMAND over 2 years ago

  • Related to Bug #11160: We should not send Jetty version in header response added
Actions
Copy link
 #4

Updated by François ARMAND over 2 years ago

Actually, we want to set the option by default in all case: there is no case where we want to send these informations, be it in local or not.
And we should remove the header rewrite from Apache config (from https://issues.rudder.io/issues/11160) to simplify things in a following minor.

Actions
Copy link
 #5

Updated by Elaad FURREEDAN over 2 years ago

this refers to the version of jetty exposed on a 401 error page for example

Actions
Copy link
 #6

Updated by Elaad FURREEDAN over 2 years ago

  • Assignee set to Elaad FURREEDAN
  • Target version changed from Ideas (not version specific) to 6.2.12
Actions
Copy link
 #7

Updated by Elaad FURREEDAN over 2 years ago

  • Status changed from New to In progress
Actions
Copy link
 #8

Updated by Elaad FURREEDAN over 2 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Elaad FURREEDAN to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/2554
Actions
Copy link
 #9

Updated by Anonymous over 2 years ago

  • Status changed from Pending technical review to Pending release
Actions
Copy link
 #10

Updated by Alexis Mousset over 2 years ago

  • Fix check changed from To do to Checked
Actions
Copy link
 #11

Updated by Vincent MEMBRÉ over 2 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 6.2.12 and 7.0.0~rc2 which were released today.

Actions
Copy link

Also available in: Atom PDF