Hi Julian,

The horse the has wandered out if not bolted on this </dodgy_metaphor>, but the 
normal process if you think that you've found a security issue is to email 

For general 'bugs' its worth mentioning it on one of the mailing lists as well 
as filing a bug to get it into peoples consciousness. 

Yes, from now on Github issues are the place to put new issues, although we 
will be looking back through Jira for issues that need resolving when it comes 
to a 4.11.1

Kind regards,

Paul Angus

53 Chandos Place, Covent Garden, London  WC2N 4HSUK

-----Original Message-----
From: Julian.Gilbert <julian.gilb...@open.ac.uk> 
Sent: 10 April 2018 10:45
To: users@cloudstack.apache.org
Subject: CLOUDSTACK-10304


I logged the following JIRA ticket in February:

SystemVM - Apache Web Server Version Number Information Disclosure

The Secondary Storage System VM discloses its Apache Web Server version number 
in HTTP headers and error pages. This type of information disclosure can lead 
to medium vulnerabilities being reported in web vulnerability scanners and 
reveals the Apache server version unnecessarily.
The apache2 directory structure no longer contains /etc/apache2/conf.d/ in 
Debian 9 and therefore the appropriate apache2 security configuration file is 
in another location. The /opt/cloud/bin/setup/common.sh script has not been 
updated to reflect this.

Should this now be moved into the github issue tacking? Or has already been 
picked up in another ticket?

-- The Open University is incorporated by Royal Charter (RC 000391), an exempt 
charity in England & Wales and a charity registered in Scotland (SC 038302). 
The Open University is authorised and regulated by the Financial Conduct 
Authority in relation to its secondary activity of credit broking.

Reply via email to