[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16437020#comment-16437020 ]
ASF subversion and git services commented on CLOUDSTACK-10304:
--------------------------------------------------------------
Commit e71d4d4371fdf1595bb42f152ec544243f2087f2 in cloudstack's branch
refs/heads/4.11 from [~rohithsharma]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=e71d4d4 ]
CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms (#2563)
* systemvm: turn off apache2 server tokens and signature
This turns off apache2 server version signature/token in headers.
Signed-off-by: Rohit Yadav <[email protected]>
* systemvm: remove invalid code as conf.d is not available now
Signed-off-by: Rohit Yadav <[email protected]>
> SystemVM - Apache Web Server Version Number Information Disclosure
> ------------------------------------------------------------------
>
> Key: CLOUDSTACK-10304
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10304
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: SystemVM
> Affects Versions: 4.11.0.0
> Reporter: Julian Gilbert
> Assignee: Rohit Yadav
> Priority: Major
> Fix For: 4.12.0.0, 4.11.1.0
>
>
> The Secondary Storage System VM discloses its Apache Web
> Server version number in HTTP headers and error pages. This type of
> information disclosure can lead to medium vulnerabilities being reported in
> web vulnerability scanners and reveals the Apache server version
> unnecessarily.
> The apache2 directory structure no longer contains
> /etc/apache2/conf.d/ in Debian 9 and therefore the appropriate apache2
> security configuration file is in another location. The
> /opt/cloud/bin/setup/common.sh script has not been updated to reflect
> this.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
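
An added example, not part of the commit or of CloudStack's common.sh: a shell audit that checks whether an apache2 configuration file leaves `ServerTokens` and `ServerSignature` in a version-disclosing state, plus a check on a captured `Server:` header. The function names, the sample files and the sample header are constructed for illustration; the config file path is passed as an argument because the issue does not name the new location, and the audit assumes a single flat file in which the last uncommented occurrence of a directive is the effective one.

```shell
#!/bin/sh
# effective_directive FILE NAME: print the last uncommented value of NAME.
# Apache directive names are case-insensitive.
effective_directive() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }                        # skip commented-out lines
        tolower($1) == tolower(name) { val = $2 }  # remember the latest value
        END { print val }
    ' "$1"
}

# audit_apache_conf FILE: return 0 only if neither directive exposes a version.
audit_apache_conf() {
    rc=0
    tokens=$(effective_directive "$1" ServerTokens | tr '[:upper:]' '[:lower:]')
    sig=$(effective_directive "$1" ServerSignature | tr '[:upper:]' '[:lower:]')
    # Prod (alias ProductOnly) reduces the header to "Server: Apache";
    # an unset ServerTokens falls back to Apache's default, Full.
    case "$tokens" in
        prod|productonly) ;;
        *) echo "FAIL ServerTokens=${tokens:-unset}"; rc=1 ;;
    esac
    # Off (also Apache's default when unset) drops the footer on error pages.
    case "$sig" in
        ""|off) ;;
        *) echo "FAIL ServerSignature=$sig"; rc=1 ;;
    esac
    return $rc
}

# header_leaks_version "Server: ...": return 0 if a version number is visible.
header_leaks_version() {
    printf '%s\n' "$1" | grep -Eiq '^Server:.*/[0-9]+(\.[0-9]+)*'
}

# Constructed sample configs (not copied from a system VM).
demo=$(mktemp -d)
printf '%s\n' '# ServerTokens Prod' 'ServerTokens OS' 'ServerSignature On' \
    > "$demo/weak.conf"
printf '%s\n' 'ServerTokens OS' 'servertokens Prod' 'ServerSignature Off' \
    > "$demo/hardened.conf"

audit_apache_conf "$demo/weak.conf" || echo "weak.conf discloses version details"
audit_apache_conf "$demo/hardened.conf" && echo "hardened.conf OK"
```
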