[
https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16437019#comment-16437019
]
ASF GitHub Bot commented on CLOUDSTACK-10304:
---------------------------------------------
DaanHoogland closed pull request #2563: CLOUDSTACK-10304: turn off apache2
server tokens and signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/systemvm/debian/etc/apache2/conf-enabled/security.conf
b/systemvm/debian/etc/apache2/conf-enabled/security.conf
new file mode 100644
index 00000000000..498d147c3f2
--- /dev/null
+++ b/systemvm/debian/etc/apache2/conf-enabled/security.conf
@@ -0,0 +1,3 @@
+ServerTokens Prod
+ServerSignature Off
+TraceEnable Off
diff --git a/systemvm/debian/opt/cloud/bin/setup/common.sh
b/systemvm/debian/opt/cloud/bin/setup/common.sh
index a84d8814a8b..e24a27790b7 100755
--- a/systemvm/debian/opt/cloud/bin/setup/common.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/common.sh
@@ -496,9 +496,6 @@ clean_ipalias_config() {
setup_apache2_common() {
sed -i 's/^Include ports.conf.*/# CS: Done by Python CsApp config\n#Include
ports.conf/g' /etc/apache2/apache2.conf
- [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerTokens
.*/ServerTokens Prod/g" /etc/apache2/conf.d/security
- [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerSignature
.*/ServerSignature Off/g" /etc/apache2/conf.d/security
-
# Disable listing of http://SSVM-IP/icons folder for security issue. see
article
http://www.i-lateral.com/tutorials/disabling-the-icons-folder-on-an-ubuntu-web-server/
[ -f /etc/apache2/mods-available/alias.conf ] && sed -i s/"Options Indexes
MultiViews"/"Options -Indexes MultiViews"/
/etc/apache2/mods-available/alias.conf
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> SystemVM - Apache Web Server Version Number Information Disclosure
> ------------------------------------------------------------------
>
> Key: CLOUDSTACK-10304
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10304
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: SystemVM
> Affects Versions: 4.11.0.0
> Reporter: Julian Gilbert
> Assignee: Rohit Yadav
> Priority: Major
> Fix For: 4.12.0.0, 4.11.1.0
>
>
> {color:#000000}The Secondary Storage System VM discloses its Apache Web
> Server version number in HTTP headers and error pages. This type of
> information disclosure can lead to medium vulnerabilities being reported in
> web vulnerability scanners and reveals the Apache server version
> unnecessarily.{color}
> {color:#000000}The apache2 directory structure no longer contains
> /etc/apache2/conf.d/ in Debian 9 and therefore the appropriate apache2
> security configuration file is in another location. The
> /opt/cloud/bin/setup/common.sh script has not been updated to reflect
> this.{color}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
