Bug 31758 - Tomcat version number in error messages
Summary: Tomcat version number in error messages
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Version: 5.0.28
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2004-10-18 14:43 UTC by Mark Claassen
Modified: 2004-11-16 19:05 UTC
Description Mark Claassen 2004-10-18 14:43:48 UTC
There was a "bug" fixed in the Apache webserver somewhere back in 1.3 (maybe 
1.3.26 or so) to hide the exact version number in error messages.  Has there 
been any consideration to doing the same in Tomcat?  The reason for the change 
was that in knowing the exact version, a hacker might be able to exploit a 
vulnerability known in that particular version.

I know there are ways to hide the exact version by creating custom 
errorLogValves and such, but it seems I should have to.  Also, I am not sure 
what all classes I need to override to get rid of all the version numbers.  

This may seem a minor point, but security folks love to make big issues out of 
minor points like this.

I am not sure which Tomcat component this falls into, probably several since 
many things handle their own error messages.
Comment 1 Remy Maucherat 2004-10-18 15:01:34 UTC
You can do it already.