[Standards-JIG] Re: Client Capabilities (rant)

Julien PUYDT julien.puydt at laposte.net
Tue Dec 6 06:30:44 UTC 2005


Tony Finch wrote:
> On Sat, 3 Dec 2005, Trejkaz wrote:
> 
>>Actually, giving away even the client version is often considered to be a
>>security hole.  If a fix comes out for FooClient 1.2 and you're running a
>>client which tells everyone you're running FooClient 1.1, you're definitely
>>at risk.
>  
> Most exploits ignore any version information and go ahead regardless. All
> they care about is whether the exploit succeeds or not. Of course, you
> might be running a patched FooClient 1.1 which is not exploitable but
> which to casual observers might appear to be.

I would also think that a client may return the same version 1.2 in 
Jabber even if it is in fact 1.2.x, if the program capabilities are 
still those found in 1.2 ...

Snark on #gnomemeeting


