Bug #14667
closed
Disable TRACE in Apache
Description
TRACE should be disabled in Apache per CERT Vulnerability Note VU#867593 (http://www.kb.cert.org/vuls/id/867593)
The attached patch file disables TRACE, ServerSignature, and minimizes ServerTokens to reduce the gathering of attack vector data in a production environment.
Files
Updated by Brian Shaw about 8 years ago
- File httpd.conf-p0.patch httpd.conf-p0.patch added
Actually attaching the patch file.
Updated by Dominic Cleal about 8 years ago
- Project changed from Foreman to Installer
- Category changed from Security to External modules
- Status changed from New to Feedback
I'm guessing you're using the Foreman installer? If so, the Apache configuration is managed by the puppetlabs-apache module, so I'd recommend sending a patch to that project if they'll accept it to change the defaults: https://github.com/puppetlabs/puppetlabs-apache
Updated by Brian Shaw about 8 years ago
Thank you for the quick response. I am using the installer but, didn't realize that was part of puppet. I will file a change request with them.
Brian
Updated by Dominic Cleal about 8 years ago
- Status changed from Feedback to Rejected
That'd be great, thanks.
Updated by Tomer Brisker almost 7 years ago
- Status changed from Rejected to Closed
- Pull request https://github.com/theforeman/foreman-installer/pull/236 added