
Re: [Announce/Security Advisory] monit 4.1.1 released


From: Andreas Rust
Subject: Re: [Announce/Security Advisory] monit 4.1.1 released
Date: Tue, 25 Nov 2003 17:03:05 +0100


Hi Jan,


> I can understand this request and many web-servers offer a configure
> switch to turn off the server version number reported in the server
> header field and elsewhere. It's seldom used though because it is (at
> best) "security through obscurity" and offers no protection at all.

That's right and that's also what I had on my mind. :)
However, it is in fact much faster finding a working exploit whenever you
know details about versions. Whenever someone is going after a special service
they start off by checking the version number.

> The best security is to upgrade to monit 4.1.1 ASAP and subscribe to
> this list. The reported vulnerabilities are confirmed fixed in the
> 4.1.1 release. (ref: http://s-quadra.com/advisories/Adv-20031124.txt)


In ANY case a hole needs to be closed by upgrading of course, it was just
meant as a future option/request. I for my part put in iptable rules and
change the httpd port from the default. However, other ppl may not do so,
stick to the default port and like never update. We all know there are ppl
who just forget about anything as soon as it works.

l8r


    Andreas Rust     -   webnova GmbH
    address@hidden  -   www.webnova.de
    Tel:  +49 (0)234 - 912 96 10
    Fax:  +49 (0)234 - 912 96 15
+:----------------------------------------------------------:+
      Internet Solutions & Creative Design
