php5-fpm exposes full ubuntu package version in headers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php5 (Debian) | Fix Released | Unknown | |
php5 (Ubuntu) | Opinion | Wishlist | Unassigned |
Bug Description
Issue: php5-fpm sets a header displaying the full Ubuntu package version
What should happen: At most, the version of PHP should be shown similar to
how Apache version is shown, e.g. PHP/5.3.10
What happens: the full Ubuntu package version is exposed in the X-Powered-By
header
nathan@
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Mon, 21 May 2012 18:51:17 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.
nathan@
nathan@
* Restarting PHP5 FastCGI Process Manager php5-fpm [ OK ]
nathan@
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Mon, 21 May 2012 18:51:57 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: php5-fpm 5.3.10-1ubuntu3.1
Uname: Linux 3.0.18-linode43 i686
ApportVersion: 2.0.1-0ubuntu7
Architecture: i386
Date: Mon May 21 11:52:47 2012
InstallationMedia:
ProcEnviron:
TERM=xterm
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: php5
UpgradeStatus: No upgrade log present (probably fresh install)
modified.
mtime.conffile.
tags: removed: php server
Changed in php5 (Debian):
status: Unknown → Won't Fix
Changed in php5 (Debian):
status: Won't Fix → Fix Released
I think that the full version number is important and we will gain no extra security by hiding it by default, just more pain when debugging. You always have the option to disable the headers yourself, if you think it will gain you any extra security.
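An added example, not part of the original bug thread: a small header audit that separates the two disclosure levels the report contrasts, an upstream version such as `PHP/5.3.10` versus a full distribution package version. The function names are hypothetical, and the sample responses are constructed, with the `X-Powered-By` value built from the package version listed in the report.

```python
import re

# product/version tokens as they appear in Server and X-Powered-By values
TOKEN = re.compile(r"([A-Za-z][\w.+-]*)/(\S+)")
# upstream version followed by a Debian-style revision, e.g. "-1ubuntu3.1"
PACKAGED = re.compile(r"^\d+(?:\.\d+)*[-+~].*(?:ubuntu|deb)", re.I)
UPSTREAM = re.compile(r"^\d+(?:\.\d+)*$")

def parse_head(raw):
    """Return {lowercased header name: value} from a raw HTTP response head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(version):
    """Grade a version string by how much it discloses."""
    if PACKAGED.match(version):
        return "distro-package"  # reveals the exact package build
    if UPSTREAM.match(version):
        return "upstream"        # what the report asks for, at most
    return "other"

def audit(raw):
    """List (header, product, version, level) for every disclosed version."""
    headers = parse_head(raw)
    return [
        (name, product, version, classify(version))
        for name in ("server", "x-powered-by")
        for product, version in TOKEN.findall(headers.get(name, ""))
    ]

# Constructed sample: layout follows the report; the X-Powered-By value is
# assembled from the package version the report lists (5.3.10-1ubuntu3.1).
SAMPLE_EXPOSED = """HTTP/1.1 200 OK
Server: nginx/1.1.19
Content-Type: text/html
X-Powered-By: PHP/5.3.10-1ubuntu3.1
"""
# Constructed sample: the same response with the X-Powered-By header disabled.
SAMPLE_HIDDEN = SAMPLE_EXPOSED.split("X-Powered-By")[0]

if __name__ == "__main__":
    for row in audit(SAMPLE_EXPOSED) + audit(SAMPLE_HIDDEN):
        print(row)
```

The second sample corresponds to a server where the header has been turned off, for example with `expose_php = Off` in php.ini.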