cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
Date Wed, 11 Apr 2018 21:59:00 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16434628#comment-16434628
] 

ASF GitHub Bot commented on CLOUDSTACK-10304:
---------------------------------------------

blueorangutan commented on issue #2563: CLOUDSTACK-10304: turn off apache2 server tokens and
signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563#issuecomment-380609114
 
 
   @rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run
smoke tests

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> SystemVM - Apache Web Server Version Number Information Disclosure
> ------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10304
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10304
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: SystemVM
>    Affects Versions: 4.11.0.0
>            Reporter: Julian Gilbert
>            Assignee: Rohit Yadav
>            Priority: Major
>             Fix For: 4.12.0.0, 4.11.1.0
>
>
> {color:#000000}The Secondary Storage System VM discloses its Apache Web Server version
number in HTTP headers and error pages. This type of information disclosure can lead to medium
vulnerabilities being reported in web vulnerability scanners and reveals the Apache server
version unnecessarily.{color}
> {color:#000000}The apache2 directory structure no longer contains /etc/apache2/conf.d/
in Debian 9 and therefore the appropriate apache2 security configuration file is in another
location. The /opt/cloud/bin/setup/common.sh script has not been updated to reflect this.{color}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message