ASF subversion and git services commented on CLOUDSTACK-10304:

Commit e71d4d4371fdf1595bb42f152ec544243f2087f2 in cloudstack's branch 
refs/heads/master from [~rohithsharma]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=e71d4d4 ]

CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms 

* systemvm: turn off apache2 server tokens and signature

This turns off apache2 server version signature/token in headers.

Signed-off-by: Rohit Yadav <rohit.ya...@shapeblue.com>

* systemvm: remove invalid code as conf.d is not available now

Signed-off-by: Rohit Yadav <rohit.ya...@shapeblue.com>

> SystemVM - Apache Web Server Version Number Information Disclosure
> ------------------------------------------------------------------
>                 Key: CLOUDSTACK-10304
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10304
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: SystemVM
>    Affects Versions:
>            Reporter: Julian Gilbert
>            Assignee: Rohit Yadav
>            Priority: Major
>             Fix For:,
> The Secondary Storage System VM discloses its Apache Web 
> Server version number in HTTP headers and error pages. This type of 
> information disclosure can lead to medium vulnerabilities being reported in 
> web vulnerability scanners and reveals the Apache server version 
> unnecessarily.
> The apache2 directory structure no longer contains 
> /etc/apache2/conf.d/ in Debian 9 and therefore the appropriate apache2 
> security configuration file is in another location. The 
> /opt/cloud/bin/setup/common.sh script has not been updated to reflect 
> this.
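
An added example, not part of the original message or the CloudStack commit: a shell audit of the two Apache settings the commit turns off, including the case the issue describes where hardening sits in a directory that is no longer loaded. It assumes the Debian 9 layout in which `conf-enabled/*.conf` is loaded and `conf.d` is not; the function names and the sample tree builder are hypothetical.

```shell
#!/bin/sh
# Added example: audit an Apache config tree for version-disclosure settings.
# Assumption: Debian 9 layout, where apache2.conf pulls in conf-enabled/*.conf
# and nothing includes conf.d. Simplification: the last uncommented occurrence
# in the scanned files is treated as effective; <VirtualHost> scope is ignored.

# effective_value DIRECTIVE ROOT -> prints the last configured value, if any
effective_value() {
    for f in "$2"/apache2.conf "$2"/conf-enabled/*.conf; do
        if [ -f "$f" ]; then cat "$f"; fi
    done | awk -v d="$1" '
        tolower($1) == tolower(d) { v = $2 }   # directive names are case-insensitive
        END { if (v != "") print v }'
}

# audit_banner [ROOT] -> one line per finding; returns 1 if a setting is weak
audit_banner() {
    root=${1:-/etc/apache2}; rc=0
    tokens=$(effective_value ServerTokens "$root")
    sig=$(effective_value ServerSignature "$root")
    case $(printf %s "$tokens" | tr '[:upper:]' '[:lower:]') in
        prod|productonly) echo "ServerTokens $tokens ok" ;;
        "") echo "ServerTokens unset weak"; rc=1 ;;     # Apache default is Full
        *)  echo "ServerTokens $tokens weak"; rc=1 ;;
    esac
    case $(printf %s "$sig" | tr '[:upper:]' '[:lower:]') in
        off) echo "ServerSignature $sig ok" ;;
        "")  echo "ServerSignature unset ok" ;;         # Apache default is Off
        *)   echo "ServerSignature $sig weak"; rc=1 ;;
    esac
    # Hardening left in a legacy conf.d never loads under the assumed layout.
    if grep -rqiE '^[[:space:]]*Server(Tokens|Signature)' "$root/conf.d" 2>/dev/null
    then echo "note: conf.d directives ignored"; fi
    return "$rc"
}

# make_sample_tree DIR SUBDIR TOKENS SIGNATURE -> constructed sample config
make_sample_tree() {
    mkdir -p "$1/$2"
    printf '# constructed sample\nServerTokens %s\nServerSignature %s\n' \
        "$3" "$4" > "$1/$2/security.conf"
}
```

Run `audit_banner` with no argument on a system VM to check `/etc/apache2`; a non-zero exit status means at least one of the two settings still discloses version information.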
