This is a discussion on Re: version 1.3.20 within the Linux Web Servers forums, part of the Web Server and Related Forums category.
> > > > "Server: IBM_HTTP_SERVER/1.3.19.4 Apache/1.3.20 (Unix)" as answer.

> > Do I understand it right: changing to version number has to be done
> > "on purpose" - the standard value is the right and most recent. If you
> > want to show another version number, you have to adjust it.
>
> It's not a trivial task. Unless there's a *reason* why someone would
> go to the trouble of re-compiling and faking a different version
> number, it's probably safe to assume that they haven't. The standard
> value for it is the correct one, naturally. Not necessarily the most
> recent if they haven't upgraded recently, of course.

as this is not really apache but the apache-based ibmhttpd, one can
safely assume that the ServerTokens were changed on purpose.

that being said, ibm, like debian or openbsd, tends to stay at some
stable version and to backport later security and bugfixes to it.
whether ibmhttpd/1.3.19.4 is current or not can be seen from the
release notes on ibm's download page (ibmhttpd is provided for free
(as in beer not speech!))

but it could of course all be a scam and there's iis3.0 in that
special "make apache look vulnerable" version with forged ServerTokens
behind it ;-)

joachim
jring@web.de (Joachim Ring) wrote in message news:<3ae246c1.0306241228.22176d8f@posting.google.com>...
> > > > > "Server: IBM_HTTP_SERVER/1.3.19.4 Apache/1.3.20 (Unix)" as answer.
>
> > > Do I understand it right: changing to version number has to be done
> > > "on purpose" - the standard value is the right and most recent. If you
> > > want to show another version number, you have to adjust it.
> >
> > It's not a trivial task. Unless there's a *reason* why someone would
> > go to the trouble of re-compiling and faking a different version
> > number, it's probably safe to assume that they haven't. The standard
> > value for it is the correct one, naturally. Not necessarily the most
> > recent if they haven't upgraded recently, of course.
>
> as this is not really apache but the apache-based ibmhttpd, one can
> safely assume that the ServerTokens were changed on purpose.
>
> that being said, ibm, like debian or openbsd, tends to stay at some
> stable version and to backport later security and bugfixes to it.
> whether ibmhttpd/1.3.19.4 is current or not can be seen from the
> release notes on ibm's download page (ibmhttpd is provided for free
> (as in beer not speech!))
>
> but it could of course all be a scam and there's iis3.0 in that
> special "make apache look vulnerable" version with forged ServerTokens
> behind it ;-)
>
> joachim

joachim, bitte, nich so compliecen, a request tells me that it is a
1.3.20 - I know for sure that the guy who is managing this server is a
responsible guy who is very good in a lot of domains (linux, ibm MF)
and is concerned about security .... but nobody can be a specialist in
anything ... how can I be sure everything on that server is ok? I'm
not the guy that can interpret the whole list of releases info from
1.3.20 until 1.3.27 and verify all the patches ...
so can you or somebody else verify for me the state of that
server - not in this forum I presume - i really ok.

is showing a version Apache/1.3.20 critical?
adriaan.vermeersch@socmut.be (Adriaan Vermeersch) wrote in message news:<b1a9b796.0306251638.10d1a6b6@posting.google.com>...
> jring@web.de (Joachim Ring) wrote in message news:<3ae246c1.0306241228.22176d8f@posting.google.com>...
> > > > > > "Server: IBM_HTTP_SERVER/1.3.19.4 Apache/1.3.20 (Unix)" as answer.
> >
> > > > Do I understand it right: changing to version number has to be done
> > > > "on purpose" - the standard value is the right and most recent. If you
> > > > want to show another version number, you have to adjust it.
> > >
> > > It's not a trivial task. Unless there's a *reason* why someone would
> > > go to the trouble of re-compiling and faking a different version
> > > number, it's probably safe to assume that they haven't. The standard
> > > value for it is the correct one, naturally. Not necessarily the most
> > > recent if they haven't upgraded recently, of course.
> >
> > as this is not really apache but the apache-based ibmhttpd, one can
> > safely assume that the ServerTokens were changed on purpose.
> >
> > that being said, ibm, like debian or openbsd, tends to stay at some
> > stable version and to backport later security and bugfixes to it.
> > whether ibmhttpd/1.3.19.4 is current or not can be seen from the
> > release notes on ibm's download page (ibmhttpd is provided for free
> > (as in beer not speech!))
> >
> > but it could of course all be a scam and there's iis3.0 in that
> > special "make apache look vulnerable" version with forged ServerTokens
> > behind it ;-)
> >
> > joachim
>
> joachim, bitte, nich so compliecen, a request tells me that it is a
> 1.3.20 - I know for sure that the guy who is managing this server is a
> responsible guy who is very good in a lot of domains (linux, ibm MF)
> and is concerned about security .... but nobody can be a specialist in
> anything ... how can I be sure everything on that server is ok? I'm
> not the guy that can interpret the whole list of releases info from
> 1.3.20 until 1.3.27 and verify all the patches ...
> so can you or somebody else verify for me the state of that
> server - not in this forum I presume - i really ok.
>
> is showing a version Apache/1.3.20 critical?

Meanwhile I got confirmation that the ServerTokens have been changed on that server and displaying "Apache/1.3.20" is just for misleading possible attackers!

Thx for your comments.
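An added example, not part of any post in this thread: a small parser for auditing what a `Server` header such as the one quoted above discloses, split into product tokens and comments. The function names are hypothetical, and the mapping of banner shape onto Apache's `ServerTokens` keywords (Prod, Min, OS, Full) is a heuristic assumed here; as the thread notes, the version strings are self-reported and say nothing about backported fixes.

```python
import re

# Banner quoted in the thread, used as sample input.
BANNER = "IBM_HTTP_SERVER/1.3.19.4 Apache/1.3.20 (Unix)"

# HTTP "token" characters; a product is token["/" token], a comment is "(...)".
# Nested comments are not handled (assumption: server banners rarely use them).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_ITEM = re.compile(
    rf"\s*(?:\((?P<comment>[^()]*)\)|(?P<name>{_TOKEN})(?:/(?P<version>{_TOKEN}))?)"
)


def parse_server_header(value):
    """Return ordered items: ('product', name, version) or ('comment', text, None)."""
    items, pos = [], 0
    value = value.strip()
    while pos < len(value):
        m = _ITEM.match(value, pos)
        if not m:
            raise ValueError(f"unparseable Server header at offset {pos}: {value[pos:]!r}")
        if m.group("comment") is not None:
            items.append(("comment", m.group("comment"), None))
        else:
            items.append(("product", m.group("name"), m.group("version")))
        pos = m.end()
    return items


def disclosure_level(value):
    """Classify the banner's shape and list every product that exposes a version.

    Heuristic: products after the first comment look like module tokens (Full),
    a trailing comment looks like the OS field (OS), bare versions are Min,
    and product names alone are Prod.
    """
    items = parse_server_header(value)
    kinds = [kind for kind, _, _ in items]
    versions = [(name, ver) for kind, name, ver in items if kind == "product" and ver]
    if "comment" in kinds:
        after = kinds[kinds.index("comment") + 1:]
        level = "Full" if "product" in after else "OS"
    elif versions:
        level = "Min"
    else:
        level = "Prod"
    return level, versions


if __name__ == "__main__":
    print(disclosure_level(BANNER))
```
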