Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 233776 - Set expose_php in php.ini from On to Off
Summary: Set expose_php in php.ini from On to Off
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: php
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-03-24 23:06 UTC by Robert Scheck
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-04-16 15:05:00 UTC


Attachments (Terms of Use)

Description Robert Scheck 2007-03-24 23:06:42 UTC
Description of problem:
Set expose_php in php.ini from On to Off or is there any reason to show without 
any limitation that we've got the huge security hole called PHP installed?

Version-Release number of selected component (if applicable):
php-5.2.1-3

Expected results:
Set expose_php in php.ini from On to Off

Comment 1 Joe Orton 2007-03-26 09:46:40 UTC
Thanks for the suggestion.  This is the upstream default, I think that should be
respected; as the saying goes, obscurity does not imply security, in any case.

Comment 2 Robert Scheck 2007-03-26 10:11:35 UTC
Sorry, I can't agree with you. It's okay when it's upstream default, but we 
should act similar to OpenSSH at this downstream point. As the PHP version is 
normally never bumped, even if security holes are fixed, many many many pseudo 
security companies (!) complain, that PHP is not up-to-date (because of the PHP 
version) and vulnerable to abc and xyz, which isn't the case. And this applies 
especially to RHEL, where PHP versions are just old (but patched)...

OpenSSH solved this problem by introducing a vendor string, maybe that's 
usefull for PHP, too. My personal easy solution would be, just to turn off the 
expose of PHP by downstream default.

Comment 3 Joe Orton 2007-04-16 15:05:00 UTC
Attempting to satisfy the remote-version-scanning tools is a futile task, and is
not sufficient justification to deviate from the upstream default.  The only way
to reliably detect version/release/patchlevel is to do so locally.

If you think it is correct to set expose_php to Off by default, then convince
upstream first and the Fedora package will follow.


Note You need to log in before you can comment on or make changes to this bug.