[consulting] RE : security of CHANGELOG.txt
Sam Tresler
sam at treslerdesigns.com
Tue Sep 29 14:55:23 UTC 2009
In general, I would think that if they know enough to look at your
changelog, they know enough to just test for the security exploit in
question. i.e. "those who know to look" probably do know how to look.
-Sam
On Sep 29, 2009, at 2:22 AM, fgm wrote:
> If you don't keep core up to date, it can be seen as such, but of
> course the vulnerabilityis not the CHANGELOG per se, but the fact
> that you are not upgrading.
>
> It's basically complaining about the symptom without caring for the
> disease.
> ________________________________________
> De : consulting-bounces at drupal.org [consulting-bounces at drupal.org]
> de la part de Matt Chapman [Matt at NinjitsuWeb.com]
> Date d'envoi : lundi 28 septembre 2009 22:21
> À : A list for Drupal consultants and Drupal service/hosting providers
> Objet : [consulting] security of CHANGELOG.txt
>
> Do others consider it a security risk to leave CHANGELOG.txt web
> accessible; i.e., broadcasting what version of Drupal you're running,
> for those who know to look?
>
> -Matt
>
>
>
> _______________________________________________
> consulting mailing list
> consulting at drupal.org
> http://lists.drupal.org/mailman/listinfo/consulting
> _______________________________________________
> consulting mailing list
> consulting at drupal.org
> http://lists.drupal.org/mailman/listinfo/consulting
More information about the consulting
mailing list