[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svn commit: r40009 - branches/1.6.x

From: Greg Stein <gstein_at_gmail.com>
Date: Wed, 14 Oct 2009 13:25:57 -0400

On Wed, Oct 14, 2009 at 12:56, Mark Phippard <markphip_at_gmail.com> wrote:
> On Wed, Oct 14, 2009 at 12:48 PM, Greg Stein <gstein_at_gmail.com> wrote:
>> On Wed, Oct 14, 2009 at 09:32, Mark Phippard <markphip_at_gmail.com> wrote:
>>> Some would also call it a security fix.
>> Anybody that calls this a "security fix" needs to permanently removed
>> from handling the security of their server.
> There are plenty of users that have to pass security audits that
> considers any server application that advertises its version as at
> least violating a best practice.  In this case, the US Government is
> asking for this as part of deploying Subversion on government servers.
> I have no interest in debating the merits of this.  Apache httpd
> obviously considered it valid when they added a directive to turn this
> off.  If a server admin is using this directive, it seems reasonable
> for Subversion to not overtly advertise its version number.

Oh, I'm not debating the merits either. Simply that it shouldn't be
called a "security fix", and that people who *do* call it that should
have their credentials revoked.

I can write a script to identify the version of an svn server. The
minor version is easy. I could probably distinguish most of the patch
levels, too. So this alleged "security fix" does nothing. An attacker
can easily determine the target's version. And shoot... if he's
exploiting a particular vulnerability, then he can simply *try* it,
and see if the target has a version that is subject to that exploit.


Received on 2009-10-14 19:26:11 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.