[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16434600#comment-16434600 ]

Rohit Yadav commented on CLOUDSTACK-10304:
------------------------------------------

[~jgilbert] - please use GitHub issues in future to report issues. For any 
security issues please use the security ML, see cloudstack.apache.org for 
mailing list details. I've fixed the issue here that you can help test: 
https://github.com/apache/cloudstack/pull/2563

> SystemVM - Apache Web Server Version Number Information Disclosure
> ------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10304
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10304
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: SystemVM
>    Affects Versions: 4.11.0.0
>            Reporter: Julian Gilbert
>            Assignee: Rohit Yadav
>            Priority: Major
>             Fix For: 4.12.0.0, 4.11.1.0
>
>
> The Secondary Storage System VM discloses its Apache Web 
> Server version number in HTTP headers and error pages. This type of 
> information disclosure can lead to medium vulnerabilities being reported in 
> web vulnerability scanners and reveals the Apache server version 
> unnecessarily.
>
> The apache2 directory structure no longer contains 
> /etc/apache2/conf.d/ in Debian 9 and therefore the appropriate apache2 
> security configuration file is in another location. The 
> /opt/cloud/bin/setup/common.sh script has not been updated to reflect 
> this.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
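
An added example, not part of the original thread or of the CloudStack fix: a shell audit that resolves which files apache2.conf actually includes and reports whether the Apache version is hidden, which is the check that catches hardening written to a directory Debian 9 no longer reads. The directive names ServerTokens and ServerSignature, the conf-enabled/ directory and all function names are assumptions based on stock Apache and Debian 9; the demo tree is constructed.

```bash
#!/bin/bash
# Added example (not CloudStack code). Assumes stock Apache directive names
# ServerTokens / ServerSignature and includes relative to the config root.

# Print apache2.conf followed by every file it pulls in through
# Include/IncludeOptional (one level deep, a simplification).
effective_config() {
    local root="$1" pat f
    cat "$root/apache2.conf"
    awk 'tolower($1) ~ /^include(optional)?$/ { print $2 }' "$root/apache2.conf" |
    while read -r pat; do
        for f in "$root"/$pat "$root"/$pat/*; do
            if [ -f "$f" ]; then cat "$f"; fi
        done
    done
}

# Last value given to directive $1 in the tree rooted at $2, lower-cased.
last_value() {
    effective_config "$2" |
        awk -v d="$1" 'tolower($1) == tolower(d) { v = tolower($2) } END { print v }'
}

# Return 0 if the version is hidden, 1 (with findings on stdout) otherwise.
audit_apache_disclosure() {
    local root="$1" tokens sig rc=0
    tokens=$(last_value ServerTokens "$root")
    sig=$(last_value ServerSignature "$root")
    case "$tokens" in
        prod|productonly) ;;
        *) echo "ServerTokens=${tokens:-unset}: version shown in Server header"; rc=1 ;;
    esac
    case "$sig" in
        ""|off) ;;
        *) echo "ServerSignature=$sig: server footer on error pages"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo tree in the Debian 9 layout: apache2.conf includes only
# conf-enabled/, so hardening written to conf.d/ is never read.
demo_tree() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/conf.d" "$root/conf-enabled"
    printf 'IncludeOptional conf-enabled/*.conf\n' > "$root/apache2.conf"
    printf 'ServerTokens OS\nServerSignature On\n' > "$root/conf-enabled/security.conf"
    printf 'ServerTokens Prod\nServerSignature Off\n' > "$root/conf.d/security"
    echo "$root"
}
```

Run `audit_apache_disclosure "$(demo_tree)"` to see both findings reported even though a hardened file exists under conf.d/; on a real host the root would be /etc/apache2.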
