cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
Date Thu, 12 Apr 2018 11:42:00 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16435397#comment-16435397
] 

ASF GitHub Bot commented on CLOUDSTACK-10304:
---------------------------------------------

jgilbert35 commented on issue #2563: CLOUDSTACK-10304: turn off apache2 server tokens and
signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563#issuecomment-380775957
 
 
   Should cloudstack/systemvm/debian/opt/cloud/bin/setup/common.sh also be considered? The
setup_apache2_common() function contains references to ServerTokens and ServerSignature.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> SystemVM - Apache Web Server Version Number Information Disclosure
> ------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10304
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10304
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: SystemVM
>    Affects Versions: 4.11.0.0
>            Reporter: Julian Gilbert
>            Assignee: Rohit Yadav
>            Priority: Major
>             Fix For: 4.12.0.0, 4.11.1.0
>
>
> {color:#000000}The Secondary Storage System VM discloses its Apache Web Server version
number in HTTP headers and error pages. This type of information disclosure can lead to medium
vulnerabilities being reported in web vulnerability scanners and reveals the Apache server
version unnecessarily.{color}
> {color:#000000}The apache2 directory structure no longer contains /etc/apache2/conf.d/
in Debian 9 and therefore the appropriate apache2 security configuration file is in another
location. The /opt/cloud/bin/setup/common.sh script has not been updated to reflect this.{color}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message