Hi Julian,

The horse has wandered out if not bolted on this </dodgy_metaphor>, but the 
normal process if you think that you've found a security issue is to email 
'secur...@cloudstack.apache.org'.

For general 'bugs' it's worth mentioning it on one of the mailing lists as well 
as filing a bug to get it into people's consciousness.

Yes, from now on GitHub issues are the place to put new issues, although we 
will be looking back through Jira for issues that need resolving when it comes 
to a 4.11.1.



Kind regards,

Paul Angus

paul.an...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS UK
@shapeblue

-----Original Message-----
From: Julian.Gilbert <julian.gilb...@open.ac.uk> 
Sent: 10 April 2018 10:45
To: users@cloudstack.apache.org
Subject: CLOUDSTACK-10304

Hi!

I logged the following JIRA ticket in February:

CLOUDSTACK-10304
SystemVM - Apache Web Server Version Number Information Disclosure

The Secondary Storage System VM discloses its Apache Web Server version number 
in HTTP headers and error pages. This type of information disclosure can lead 
to medium vulnerabilities being reported in web vulnerability scanners and 
reveals the Apache server version unnecessarily.
The apache2 directory structure no longer contains /etc/apache2/conf.d/ in 
Debian 9 and therefore the appropriate apache2 security configuration file is 
in another location. The /opt/cloud/bin/setup/common.sh script has not been 
updated to reflect this.

Should this now be moved into the GitHub issue tracking? Or has it already been 
picked up in another ticket?

Regards,
Julian
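
Added example, not part of the original thread and not CloudStack's code: a shell audit that reports the ServerTokens and ServerSignature values Apache would actually load, following only what apache2.conf includes, so a hardening file left in an un-included conf.d/ is caught. The function names, the conf-enabled/ layout (Debian's Apache 2.4 packaging, not named in the thread) and the sample tree are assumptions constructed here.

```shell
#!/bin/sh
# Print the effective value of directive $2 for the Apache tree rooted at $1,
# following Include/IncludeOptional lines in apache2.conf (one level deep).
effective_value() {
    root=$1 want=$(printf %s "$2" | tr 'A-Z' 'a-z')
    while read -r key arg _; do
        key=$(printf %s "$key" | tr 'A-Z' 'a-z')
        case $key in
            include|includeoptional)
                case $arg in /*) ;; *) arg=$root/$arg ;; esac
                if [ -d "$arg" ]; then arg=$arg/*; fi
                for f in $arg; do   # unquoted on purpose: expand the glob
                    if [ -f "$f" ]; then
                        awk -v d="$want" 'tolower($1) == d { print $2 }' "$f"
                    fi
                done ;;
            "$want") printf '%s\n' "$arg" ;;
        esac
    done < "$root/apache2.conf" | tail -n 1   # last occurrence wins
}

# Succeed only if the version is kept out of the Server header
# (ServerTokens Prod) and the error-page footer is off (ServerSignature Off).
hardened() {
    tokens=$(effective_value "$1" ServerTokens | tr 'A-Z' 'a-z')
    sig=$(effective_value "$1" ServerSignature | tr 'A-Z' 'a-z')
    # Apache defaults when unset: ServerTokens Full, ServerSignature Off.
    case ${tokens:-full} in prod|productonly) ;; *) return 1 ;; esac
    [ "${sig:-off}" = off ]
}

# Constructed sample tree: the hardening file sits in conf.d/, which this
# apache2.conf never includes, while conf-enabled/ carries weak settings.
demo=$(mktemp -d)
mkdir "$demo/conf.d" "$demo/conf-enabled"
printf 'IncludeOptional conf-enabled/*.conf\n' > "$demo/apache2.conf"
printf 'ServerTokens Prod\nServerSignature Off\n' > "$demo/conf.d/security"
printf 'ServerTokens OS\nServerSignature On\n' > "$demo/conf-enabled/security.conf"
if hardened "$demo"; then
    echo "hardened"
else
    echo "not hardened: ServerTokens=$(effective_value "$demo" ServerTokens)"
fi
```

On a real system VM the first argument would be `/etc/apache2`; nested includes beyond one level are not followed.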
