On Wed, Oct 14, 2009 at 12:56, Mark Phippard <markphip_at_gmail.com> wrote:
> On Wed, Oct 14, 2009 at 12:48 PM, Greg Stein <gstein_at_gmail.com> wrote:
>> On Wed, Oct 14, 2009 at 09:32, Mark Phippard <markphip_at_gmail.com> wrote:
>>> Some would also call it a security fix.
>>
>> Anybody that calls this a "security fix" needs to be permanently removed
>> from handling the security of their server.
>
> There are plenty of users that have to pass security audits that
> consider any server application that advertises its version as at
> least violating a best practice. In this case, the US Government is
> asking for this as part of deploying Subversion on government servers.
>
> I have no interest in debating the merits of this. Apache httpd
> obviously considered it valid when they added a directive to turn this
> off. If a server admin is using this directive, it seems reasonable
> for Subversion to not overtly advertise its version number.

Oh, I'm not debating the merits either. Simply that it shouldn't be
called a "security fix", and that people who *do* call it that should
have their credentials revoked.

I can write a script to identify the version of an svn server. The
minor version is easy. I could probably distinguish most of the patch
levels, too. So this alleged "security fix" does nothing. An attacker
can easily determine the target's version. And shoot... if he's
exploiting a particular vulnerability, then he can simply *try* it,
and see if the target has a version that is subject to that exploit.

Cheers,
-g
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2407662
Received on 2009-10-14 19:26:11 CEST