[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16460632#comment-16460632 ]

Julian Gilbert commented on CLOUDSTACK-10304:

I'm happy for this to be closed.

> SystemVM - Apache Web Server Version Number Information Disclosure
> ------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10304
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10304
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: SystemVM
>    Affects Versions: 4.11.0.0
>            Reporter: Julian Gilbert
>            Assignee: Rohit Yadav
>            Priority: Major
>             Fix For: 4.12.0.0, 4.11.1.0
>
>
> The Secondary Storage System VM discloses its Apache Web Server version number in HTTP headers and error pages. This type of information disclosure can lead to medium vulnerabilities being reported in web vulnerability scanners and reveals the Apache server version unnecessarily.
>
> The apache2 directory structure no longer contains /etc/apache2/conf.d/ in Debian 9 and therefore the appropriate apache2 security configuration file is in another location. The /opt/cloud/bin/setup/common.sh script has not been updated to reflect this.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
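A way to verify the fix on a deployed Secondary Storage VM, added here as an example (not code from the CloudStack project or from the PR): it checks the two places the description names, the Server header and the error-page footer that ServerSignature adds, first against constructed sample responses and, when given a URL such as http://<ssvm-ip>/no-such-path (placeholder), against a live host.

```python
"""Check whether an Apache front end still discloses its version (CLOUDSTACK-10304)."""
import re
import urllib.error
import urllib.request

# ServerSignature On appends this footer to Apache-generated error pages.
SIGNATURE_RE = re.compile(r"<address>([^<]*Server at [^<]*)</address>", re.IGNORECASE)


def parse_raw_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def find_disclosures(headers, body):
    """Return [(location, leaked_text)] for each place Apache identifies itself.

    With ServerTokens Prod the Server header is exactly 'Apache'; anything longer
    (Apache/2, Apache/2.4, Apache/2.4.25 (Debian), a module list) is a disclosure.
    With ServerSignature Off the <address> footer is absent from error pages.
    """
    findings = []
    for name, value in headers:
        if name.lower() == "server" and value.startswith("Apache") and value != "Apache":
            findings.append(("Server header", value))
    match = SIGNATURE_RE.search(body)
    if match:
        findings.append(("ServerSignature footer", match.group(1).strip()))
    return findings


def check_url(url, timeout=5):
    """Fetch url and return its disclosures; use a path that does not exist so
    Apache renders its own 404 page, which is where the footer would appear."""
    request = urllib.request.Request(url, headers={"User-Agent": "ssvm-header-check"})
    try:
        response = urllib.request.urlopen(request, timeout=timeout)
    except urllib.error.HTTPError as err:
        response = err  # a 404 still carries the headers and body we want to inspect
    body = response.read().decode("utf-8", "replace")
    return find_disclosures(list(response.headers.items()), body)


# Constructed sample responses (not captured from a real system VM).
LEAKY_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.25 (Debian)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1><hr>\n"
    "<address>Apache/2.4.25 (Debian) Server at 10.0.0.1 Port 80</address>\n"
    "</body></html>\n"
)
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>\n"
)

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        results = check_url(sys.argv[1])  # live check against the URL given
    else:
        _, hdrs, sample_body = parse_raw_response(LEAKY_404)
        results = find_disclosures(hdrs, sample_body)
    for where, text in results:
        print(f"DISCLOSURE in {where}: {text}")
    sys.exit(1 if results else 0)
```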
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16445737#comment-16445737 ]

Boris Stoyanov commented on CLOUDSTACK-10304:

PR has been merged, should we close this one?
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16437084#comment-16437084 ]

ASF subversion and git services commented on CLOUDSTACK-10304:

Commit e71d4d4371fdf1595bb42f152ec544243f2087f2 in cloudstack's branch refs/heads/master from [~rohithsharma]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=e71d4d4 ]

CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms (#2563)

* systemvm: turn off apache2 server tokens and signature

  This turns off apache2 server version signature/token in headers.

  Signed-off-by: Rohit Yadav

* systemvm: remove invalid code as conf.d is not available now

  Signed-off-by: Rohit Yadav
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16437081#comment-16437081 ]

ASF GitHub Bot commented on CLOUDSTACK-10304:

blueorangutan commented on issue #2563: CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563#issuecomment-381083667

Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1915

This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16437022#comment-16437022 ]

ASF GitHub Bot commented on CLOUDSTACK-10304:

blueorangutan commented on issue #2563: CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563#issuecomment-381068164

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16437019#comment-16437019 ]

ASF GitHub Bot commented on CLOUDSTACK-10304:

DaanHoogland closed pull request #2563: CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563

This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):

diff --git a/systemvm/debian/etc/apache2/conf-enabled/security.conf b/systemvm/debian/etc/apache2/conf-enabled/security.conf new file mode 100644 index 000..498d147c3f2 --- /dev/null +++ b/systemvm/debian/etc/apache2/conf-enabled/security.conf @@ -0,0 +1,3 @@ +ServerTokens Prod +ServerSignature Off +TraceEnable Off diff --git a/systemvm/debian/opt/cloud/bin/setup/common.sh b/systemvm/debian/opt/cloud/bin/setup/common.sh index a84d8814a8b..e24a27790b7 100755 --- a/systemvm/debian/opt/cloud/bin/setup/common.sh +++ b/systemvm/debian/opt/cloud/bin/setup/common.sh
@@ -496,9 +496,6 @@ clean_ipalias_config() { setup_apache2_common() { sed -i 's/^Include ports.conf.*/# CS: Done by Python CsApp config\n#Include ports.conf/g' /etc/apache2/apache2.conf - [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerTokens .*/ServerTokens Prod/g" /etc/apache2/conf.d/security - [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerSignature .*/ServerSignature Off/g" /etc/apache2/conf.d/security - # Disable listing of http://SSVM-IP/icons folder for security issue. see article http://www.i-lateral.com/tutorials/disabling-the-icons-folder-on-an-ubuntu-web-server/ [ -f /etc/apache2/mods-available/alias.conf ] && sed -i s/"Options Indexes MultiViews"/"Options -Indexes MultiViews"/ /etc/apache2/mods-available/alias.conf
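Review bot: the new systemvm/debian/etc/apache2/conf-enabled/security.conf is a plain file placed straight into conf-enabled/, the directory where Debian's apache2 packaging keeps symlinks to conf-available/ entries, and it carries the same name as the security.conf the package ships; a one-line comment in the file (or in the PR description) saying that it intentionally replaces the packaged security.conf would tell the next maintainer why a regular file sits there and what to re-check after an apache2 package upgrade. The three directives themselves are the right ones for the ticket: `ServerTokens Prod` reduces the Server header to "Apache", `ServerSignature Off` removes the version footer from error pages, and `TraceEnable Off` goes a little beyond the reported issue but is a sensible default to ship alongside them.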
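Review bot: deleting the two `[ -f /etc/apache2/conf.d/security ] && sed ...` lines is correct, since the `-f` guard made both silent no-ops on Debian 9 (which is exactly why the disclosure survived, per the description), but after this hunk setup_apache2_common() no longer says where the ServerTokens/ServerSignature hardening lives. Suggest a one-line comment at the point of removal, for example `# ServerTokens/ServerSignature are set in /etc/apache2/conf-enabled/security.conf shipped with the template`, so that nobody re-adds a sed here later. The surviving `[ -f /etc/apache2/mods-available/alias.conf ] && sed ...` line uses the same guard-then-edit pattern; a guard that can never fire is worth a quick check during the next template bump rather than being tolerated.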
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16437020#comment-16437020 ]

ASF subversion and git services commented on CLOUDSTACK-10304:

Commit e71d4d4371fdf1595bb42f152ec544243f2087f2 in cloudstack's branch refs/heads/4.11 from [~rohithsharma]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=e71d4d4 ]

CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms (#2563)

* systemvm: turn off apache2 server tokens and signature

  This turns off apache2 server version signature/token in headers.

  Signed-off-by: Rohit Yadav

* systemvm: remove invalid code as conf.d is not available now

  Signed-off-by: Rohit Yadav
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16436501#comment-16436501 ]

ASF GitHub Bot commented on CLOUDSTACK-10304:

blueorangutan commented on issue #2563: CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563#issuecomment-380978801

Trillian test result (tid-2496)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 91764 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr2563-t2496-kvm-centos7.zip
Intermittent failure detected: /marvin/tests/smoke/test_routers.py
Smoke tests completed. 66 look OK, 1 have error(s)
Only failed tests results shown below:

Test | Result | Time (s) | Test File
--- | --- | --- | ---
test_04_restart_network_wo_cleanup | `Failure` | 3.98 | test_routers.py
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16435410#comment-16435410 ]

ASF GitHub Bot commented on CLOUDSTACK-10304:

rhtyd commented on issue #2563: CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563#issuecomment-380778512

@jgilbert35 I checked debian9's apache2 filesystem layout, we don't see to sed stuff, we can remove the change and simply include a file as done in this PR.
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16435397#comment-16435397 ]

ASF GitHub Bot commented on CLOUDSTACK-10304:

jgilbert35 commented on issue #2563: CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563#issuecomment-380775957

Should cloudstack/systemvm/debian/opt/cloud/bin/setup/common.sh also be considered? The setup_apache2_common() function contains references to ServerTokens and ServerSignature.
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16434628#comment-16434628 ]

ASF GitHub Bot commented on CLOUDSTACK-10304:

blueorangutan commented on issue #2563: CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563#issuecomment-380609114

@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16434627#comment-16434627 ]

ASF GitHub Bot commented on CLOUDSTACK-10304:

rhtyd commented on issue #2563: CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563#issuecomment-380608955

@blueorangutan test
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16434614#comment-16434614 ]

ASF GitHub Bot commented on CLOUDSTACK-10304:

blueorangutan commented on issue #2563: CLOUDSTACK-10304: turn off apache2 server tokens and signature in systemvms
URL: https://github.com/apache/cloudstack/pull/2563#issuecomment-380607397

Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1906
[jira] [Commented] (CLOUDSTACK-10304) SystemVM - Apache Web Server Version Number Information Disclosure
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16434600#comment-16434600 ]

Rohit Yadav commented on CLOUDSTACK-10304:

[~jgilbert] - please use Github issues in future to report issues. For any security issues please use the security ML, see cloudstack.apache.org on mailing list details.

I've fixed the issue here that you can help test: https://github.com/apache/cloudstack/pull/2563