[mapserver-dev] Dropping Version Output?

Michael Smith michael.smith.erdc at gmail.com
Wed Feb 16 05:17:31 PST 2022


Agree with you that it’s a standard checklist item (in DoD for STIGs). But fundamentally useless. The security auditors agree but yeah, checklist folks are generally not persuadable. I can see a config option.

 

Mike

-- 
Michael Smith
US Army Corps of Engineers
Remote Sensing/GIS Center

 

 

From: MapServer-dev <mapserver-dev-bounces at lists.osgeo.org> on behalf of "Nash, Edward" <E.Nash at dvz-mv.de>
Date: Wednesday, February 16, 2022 at 7:15 AM
To: MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org>
Subject: Re: [mapserver-dev] Dropping Version Output?

 

It may or may not be pure security theatre (personally, I’d tend to agree with you on that), but ‘round these parts then not publishing the versions of external software components used is pretty high up on standard checklists for securing systems (and is low-hanging fruit for anyone to check, so shows up pretty quickly), so being able to configure it out would save plenty of hassle.

 

Ed

 

From: MapServer-dev [mailto:mapserver-dev-bounces at lists.osgeo.org] On behalf of michael.smith.erdc at gmail.com
Sent: Wednesday, February 16, 2022 12:37
To: Tom Kralidis <tomkralidis at gmail.com>
Cc: MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org>
Subject: Re: [mapserver-dev] Dropping Version Output?

 

Also, I’d say that any perceived extra security by not having this info in the response is not really security, just security theatre. 

 

Keep it in.

Michael Smith

US Army Corps

 

On Feb 16, 2022, at 6:34 AM, Tom Kralidis <tomkralidis at gmail.com> wrote:



I would suggest keeping at least the version somewhere in the responses (i.e. current behaviour, or move to an HTTP header). For scenarios where users do not have access to the deployment environment, this information is critical.

 

..Tom

 

On Tue, Feb 15, 2022 at 8:49 PM Steve Lime <sdlime at gmail.com> wrote:

What do folks think about dropping the version output from MapServer? That is, output like:

 

<!-- MapServer version 7.6.4 OUTPUT=PNG OUTPUT=JPEG SUPPORTS=PROJ SUPPORTS=AGG SUPPORTS=FREETYPE SUPPORTS=CAIRO SUPPORTS=ICONV SUPPORTS=WMS_SERVER SUPPORTS=WMS_CLIENT SUPPORTS=WFS_SERVER SUPPORTS=WCS_SERVER SUPPORTS=GEOS SUPPORTS=POINT_Z_M SUPPORTS=PBF INPUT=JPEG INPUT=POSTGIS INPUT=OGR INPUT=GDAL INPUT=SHAPEFILE -->

I'm not sure that advertising version and supported components makes sense anymore. Might be able to make it tunable via the config file but I'm not sure that's even necessary.

 

--Steve

_______________________________________________
MapServer-dev mailing list
MapServer-dev at lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-dev
