Re: [Announce/Security Advisory] monit 4.1.1 released
From: Andreas Rust
Subject: Re: [Announce/Security Advisory] monit 4.1.1 released
Date: Tue, 25 Nov 2003 17:03:05 +0100

Hi Jan,

> I can understand this request and many web-servers offer a configure
> switch to turn off the server version number reported in the server
> header field and elsewhere. It's seldom used though because it is (at
> best) "security through obscurity" and offers no protection at all.

That's right and that's also what I had on my mind. :)
However, it is in fact much faster finding a working exploit whenever you
know details about versions. Whenever someone is going after a special service
they start off by checking the version number.

> The best security is to upgrade to monit 4.1.1 ASAP and subscribe to
> this list. The reported vulnerabilities are confirmed fixed in the
> 4.1.1 release. (ref: http://s-quadra.com/advisories/Adv-20031124.txt)

In ANY case a hole needs to be closed by upgrading of course, it was just
meant as a future option/request. I for my part put in iptables rules and
change the httpd port from the default. However, other ppl may not do so,
stick to the default port and like never update. We all know there are ppl
who just forget about anything as soon as it works.

l8r
Andreas Rust - webnova GmbH
address@hidden - www.webnova.de
Tel: +49 (0)234 - 912 96 10
Fax: +49 (0)234 - 912 96 15
+:----------------------------------------------------------:+
Internet Solutions & Creative Design