Feature #43707

open

Show on the footer the current version of Redmine that's being hosted

Added by Nikos Heikkilä about 2 months ago. Updated 5 days ago.

Status: New
Priority: Normal
Assignee: -
Category: UI
Target version: -
Resolution:

Description

It's difficult for a normal user to see which version Redmine is on. Having the version number on every page's footer would be great. This would be useful, for example, when reporting issues about Redmine, to include the version number in the description or in the field "Affected version" in case of a defect.

Actions #1

Updated by Marius BĂLTEANU about 2 months ago

  • Status changed from New to Needs feedback

From a security perspective, it is better not to expose the running version, as it makes it easier for attackers to identify and exploit version-specific vulnerabilities.

This is a standard security best practice (similar to "Security through obscurity" layers), much like configuring web servers or application environments to hide version information from response headers.

Even though I see the convenience, I am in favor of not implementing this to keep the default installation as secure as possible.

Actions #2

Updated by Nikos Heikkilä about 1 month ago

Marius BĂLTEANU wrote in #note-1:

From a security perspective, it is better not to expose the running version, as it makes it easier for attackers to identify and exploit version-specific vulnerabilities.

If Redmine becomes vulnerable simply because someone knows the version number, then we could argue that the system is already insecure. Attackers most likely already have enough fingerprints to figure out the (near) exact version of the running instance. https://cwe.mitre.org/data/definitions/656.html

Actions #3

Updated by Marius BĂLTEANU 5 days ago

  • Status changed from Needs feedback to New