|Summary:||Set expose_php in php.ini from On to Off|
|Product:||[Fedora] Fedora||Reporter:||Robert Scheck <redhat-bugzilla>|
|Component:||php||Assignee:||Joe Orton <jorton>|
|Status:||CLOSED WONTFIX||QA Contact:||David Lawrence <dkl>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2007-04-16 15:05:00 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Robert Scheck 2007-03-24 23:06:42 UTC
Description of problem: Set expose_php in php.ini from On to Off or is there any reason to show without any limitation that we've got the huge security hole called PHP installed? Version-Release number of selected component (if applicable): php-5.2.1-3 Expected results: Set expose_php in php.ini from On to Off
Comment 1 Joe Orton 2007-03-26 09:46:40 UTC
Thanks for the suggestion. This is the upstream default, I think that should be respected; as the saying goes, obscurity does not imply security, in any case.
Comment 2 Robert Scheck 2007-03-26 10:11:35 UTC
Sorry, I can't agree with you. It's okay when it's upstream default, but we should act similar to OpenSSH at this downstream point. As the PHP version is normally never bumped, even if security holes are fixed, many many many pseudo security companies (!) complain, that PHP is not up-to-date (because of the PHP version) and vulnerable to abc and xyz, which isn't the case. And this applies especially to RHEL, where PHP versions are just old (but patched)... OpenSSH solved this problem by introducing a vendor string, maybe that's usefull for PHP, too. My personal easy solution would be, just to turn off the expose of PHP by downstream default.
Comment 3 Joe Orton 2007-04-16 15:05:00 UTC
Attempting to satisfy the remote-version-scanning tools is a futile task, and is not sufficient justification to deviate from the upstream default. The only way to reliably detect version/release/patchlevel is to do so locally. If you think it is correct to set expose_php to Off by default, then convince upstream first and the Fedora package will follow.