Univention Bugzilla – Bug 55577
Enhance cherrypy config and suppress cherrypy version
Last modified: 2023-06-16 14:38:29 CEST
A security scan by a customer wants the cherrypy version disclosure disabled. While our source is open source and one can easily look up the used cherrypy version, this doesn't improve security, but it helps us not get such reports anymore. Therefore we should disable it.

"""
CherryPy web server version disclosure (ASVS:14.3.3)

This RISK does not introduce a vulnerability by itself. The headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers. This facilitates further steps.

Request:
GET /univention/saml/iframe/ HTTP/1.1

Response:
HTTP/1.1 302 Found
Date: Wed, 26 Feb 2020 14:04:49 GMT
Server: CherryPy/3.5.0
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: master-only
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 6587
Content-Type: text/html;charset=utf-8
"""

While we are at it, we can also improve the cherrypy startup and general performance by deactivating the startup checkers and excluding the possibility of mounting WSGI applications.
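As an added example (not part of the bug report or the UCS code), a small check in the spirit of the ASVS 14.3.3 finding above: it parses a raw HTTP response and flags Server-style headers that carry a product version. The sample response is reconstructed from the scan output quoted in the comment; the list of checked headers is my assumption, not something the scanner report names.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, rebuilt from the scan response quoted in the bug report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Wed, 26 Feb 2020 14:04:49 GMT\r\n"
    "Server: CherryPy/3.5.0\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Permitted-Cross-Domain-Policies: master-only\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Length: 6587\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
)

# Headers that commonly carry a product/version string (assumed list for this check).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
# Matches a "/<major>.<minor>[.<patch>...]" suffix such as the "/3.5.0" in "CherryPy/3.5.0".
VERSION_RE = re.compile(r"/\s*\d+(\.\d+)+")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header, value) pairs whose value reveals a product version."""
    return [(h, headers[h]) for h in DISCLOSING_HEADERS
            if h in headers and VERSION_RE.search(headers[h])]


def check_response(raw: str) -> List[str]:
    """Return human-readable findings for a raw response; an empty list means the check passes."""
    return [f"{h}: {v} discloses a version"
            for h, v in version_disclosures(parse_headers(raw))]
```

A `Server` header that names only the product (no version) passes, so the check distinguishes suppressing the version from removing the header altogether.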
*** Bug 51303 has been marked as a duplicate of this bug. ***
Cherrypy won't be used anymore with UCS 5.0-4
Obsoleted by Bug #43633. *** This bug has been marked as a duplicate of bug 43633 ***
OK: No commits for bug 55577 in ucs 5.0-4. Still some mentions of cherrypy (`git grep cherrypy`), but nothing critical or related to this bug. -> Close as duplicate.