service version disclosure

Reindl Harald h.reindl at thelounge.net
Mon Jan 9 08:07:28 UTC 2012



Am 09.01.2012 07:27, schrieb Ed Marshall:
> On Sun, Jan 8, 2012 at 5:42 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
>> if a software-package, information, disclosure is NOT NEEDED it has
>> to be disabled - again: take some security education!
> 
> And, there we go.
> 
> Convince upstream to change their behavior (but, read their FAQ on
> this exact question first, and try to understand why they've chosen
> that stance), or convince the current openssh package maintainers why
> they should patch the Fedora version of openssh in defiance of
> upstream's wishes.

would you please realize that sshd was only ONE sample

but well, so I will hesitate to make useful requests in the future and
continue rebuilding half of the distribution on my own to get rid
of nonsense like insecure defaults, missing systemd-integration
and automatic restarts of services while packages are updated

> That will be much more productive than insisting that people who are
> disagreeing with you in good faith are uneducated

sorry, but if somebody does not realize that "ServerTokens OS" is
an insecure httpd-default while every security-expert and most
documentation out there will tell you why this is the logical
conclusion and not insisting anyone

the only sense in "ServerTokens OS" is that you can see bad
administration with one look at the header - the problem is
that this information is enough for bad guys to look closer
at other services too

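As an added example that is not part of this thread or of the Fedora httpd package: a small checker that grades how much a "Server:" response header discloses, mapped to Apache httpd's ServerTokens levels, so an administrator can find hosts still on the "ServerTokens OS" default and the "Full" level that also lists loaded modules. The level names and the header each level produces follow the Apache httpd documentation; all function names, the sample responses and the remediation snippet are my own constructions. Non-Apache products are graded by analogy (how much version detail is present), which is what matters for a disclosure review.

```python
"""Grade the detail leaked by an HTTP "Server:" header against Apache httpd's
ServerTokens levels (Prod < Major < Minor < Min < OS < Full) and flag hosts
above an allowed level. Sample responses below are constructed, not captured."""

import re

# Per the Apache httpd docs, each ServerTokens level emits a header like:
#   Prod  -> "Apache"
#   Major -> "Apache/2"
#   Minor -> "Apache/2.4"
#   Min   -> "Apache/2.4.41"
#   OS    -> "Apache/2.4.41 (Unix)"
#   Full  -> "Apache/2.4.41 (Unix) <loaded modules...>"
LEVELS = ["Prod", "Major", "Minor", "Min", "OS", "Full"]

# Remediation directives for flagged Apache hosts (constant kept with the check
# so the finding and the fix travel together). ServerSignature Off additionally
# removes the version line from server-generated error pages.
HARDENED_HTTPD_CONF = "ServerTokens Prod\nServerSignature Off\n"

_SERVER_RE = re.compile(
    r"^([A-Za-z][\w.-]*)"                   # product name, e.g. Apache, nginx
    r"(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?)?"  # optional major[.minor[.patch]]
    r"(?:\s+\(([^)]*)\))?"                  # optional "(OS)" comment
    r"(.*)$"                                # anything else: modules, suffixes
)


def server_tokens_level(server_header):
    """Return the ServerTokens level a Server header value corresponds to."""
    m = _SERVER_RE.match(server_header.strip())
    if not m:
        # unparseable banner: treat as maximum disclosure rather than ignore it
        return "Full"
    product, major, minor, patch, os_comment, rest = m.groups()
    if rest.strip():
        return "Full"
    if os_comment is not None:
        return "OS"
    if patch is not None:
        return "Min"
    if minor is not None:
        return "Minor"
    if major is not None:
        return "Major"
    return "Prod"


def is_over_disclosing(server_header, max_level="Prod"):
    """True if the header leaks more than the allowed ServerTokens level."""
    return LEVELS.index(server_tokens_level(server_header)) > LEVELS.index(max_level)


def server_header_of(raw_response):
    """Extract the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def audit(responses, max_level="Prod"):
    """Map host -> (level, flagged) for a dict of raw HTTP responses.

    A host that sends no Server header at all is reported as (None, False):
    it discloses nothing, so there is nothing to flag.
    """
    report = {}
    for host, raw in responses.items():
        value = server_header_of(raw)
        if value is None:
            report[host] = (None, False)
        else:
            report[host] = (server_tokens_level(value),
                            is_over_disclosing(value, max_level))
    return report


# Constructed sample responses (hypothetical hosts, not real captures).
SAMPLE_RESPONSES = {
    "web-default": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Unix)\r\nContent-Length: 0\r\n\r\n",
    "web-hardened": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n",
    "web-full": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Unix) OpenSSL/1.1.1\r\n\r\n",
    "web-silent": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for host, (level, flagged) in audit(SAMPLE_RESPONSES).items():
        print(f"{host:14} ServerTokens~{str(level):6} {'FLAG' if flagged else 'ok'}")
    print("Remediation for flagged Apache hosts:\n" + HARDENED_HTTPD_CONF)
```

Note that "ServerTokens Prod" still announces the product name ("Apache"); Apache does not offer a directive to suppress the header entirely, which is why the audit treats Prod, not silence, as the baseline. The check covers HTTP only; it says nothing about the sshd banner the thread started with.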