cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
Date Fri, 13 Apr 2018 08:45:00 GMT

[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16437020#comment-16437020 ]

ASF subversion and git services commented on CLOUDSTACK-10304:
--------------------------------------------------------------

Commit e71d4d4371fdf1595bb42f152ec544243f2087f2 in cloudstack's branch refs/heads/4.11 from
[~rohithsharma]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=e71d4d4 ]

CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms (#2563)

* systemvm: turn off apache2 server tokens and signature

This turns off apache2 server version signature/token in headers.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

* systemvm: remove invalid code as conf.d is not available now

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>


> SystemVM - Apache Web Server Version Number Information Disclosure
> ------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10304
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10304
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: SystemVM
>    Affects Versions: 4.11.0.0
>            Reporter: Julian Gilbert
>            Assignee: Rohit Yadav
>            Priority: Major
>             Fix For: 4.12.0.0, 4.11.1.0
>
>
> The Secondary Storage System VM discloses its Apache Web Server version
> number in HTTP headers and error pages. This type of information disclosure can lead to medium
> vulnerabilities being reported in web vulnerability scanners and reveals the Apache server
> version unnecessarily.
> The apache2 directory structure no longer contains /etc/apache2/conf.d/
> in Debian 9 and therefore the appropriate apache2 security configuration file is in another
> location. The /opt/cloud/bin/setup/common.sh script has not been updated to reflect this.
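An added shell example (not CloudStack's own common.sh) of the hardening the fix applies: it sets `ServerTokens Prod` and `ServerSignature Off` in the apache2 security config, locating that file in either the Debian 9 `conf-available/` layout or the older `conf.d/` layout the report says is gone, and exposes a check that a scanner-style review can reuse. The function names and the root-directory argument are assumptions; the sample config in the comments is constructed.

```shell
#!/bin/sh
# Added example, not CloudStack code. $1 is an apache2 config root such as
# /etc/apache2 (a temp dir works for testing).

# Print the path of the security config under $1, or fail if neither
# layout is present (Debian 9: conf-available/; older: conf.d/).
find_security_conf() {
    root="$1"
    if [ -f "$root/conf-available/security.conf" ]; then
        echo "$root/conf-available/security.conf"
    elif [ -f "$root/conf.d/security" ]; then
        echo "$root/conf.d/security"
    else
        echo "no apache2 security config under $root" >&2
        return 1
    fi
}

# Set directive $2 to value $3 in file $1, rewriting every existing line for
# it (commented-out ones included, as in Debian's stock security.conf) or
# appending the directive if the file never mentions it.
set_directive() {
    file="$1"; name="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$name[[:space:]]" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$name[[:space:]].*/$name $value/" "$file"
    else
        printf '%s %s\n' "$name" "$value" >> "$file"
    fi
}

# Stop apache2 from revealing its version in headers and error pages.
harden_apache_tokens() {
    conf=$(find_security_conf "$1") || return 1
    set_directive "$conf" ServerTokens Prod
    set_directive "$conf" ServerSignature Off
    # Debian 9 only loads conf-available/ files symlinked into conf-enabled/.
    if [ -d "$1/conf-enabled" ] && [ ! -e "$1/conf-enabled/security.conf" ]; then
        ln -s ../conf-available/security.conf "$1/conf-enabled/security.conf"
    fi
}

# Succeed only if the config has both directives set to the hardened values.
check_apache_tokens() {
    conf=$(find_security_conf "$1") || return 1
    grep -Eq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$conf" &&
    grep -Eq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$conf"
}
```

Run `check_apache_tokens /etc/apache2` after a system VM boots to confirm the directives took effect, and verify externally that the `Server:` header no longer carries a version.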



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
