Bug 55577 - Enhance cherrypy config and suppress cherrypy version
Status: CLOSED DUPLICATE of bug 43633
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 5.0
Other Linux
: P5 normal
: UCS 5.0-4
Assigned To: Florian Best
Jürn Brodersen
https://git.knut.univention.de/univen...
: 51303
Depends on:
Blocks:
Reported: 2023-01-18 11:55 CET by Florian Best
Modified: 2023-06-16 14:38 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.011
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022121621000466
Bug group (optional): Security
Max CVSS v3 score:

Description Florian Best univentionstaff 2023-01-18 11:55:22 CET
A security scan by a customer wants to disable the cherrypy version disclosure.
While our source is open source and one can easily look up the used cherrypy versions, this doesn't improve security, but it helps us not get such reports anymore. Therefore we should disable it.

"""
CherryPy web server version disclosure (ASVS:14.3.3)

This RISK does not introduce a vulnerability by itself. The headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers. This facilitates further steps.

Request:
GET /univention/saml/iframe/ HTTP/1.1
Response:
HTTP/1.1 302 Found
Date: Wed, 26 Feb 2020 14:04:49 GMT
Server: CherryPy/3.5.0
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: master-only
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 6587
Content-Type: text/html;charset=utf-8
"""

While we are at it, we can also improve the cherrypy startup and general performance by deactivating the startup checkers and excluding the possibility to mount WSGI applications.
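Added example (not code from this bug or from UCS): a small check that flags technology headers carrying a product/version token, run over the scanned response quoted above and over a constructed variant with the Server value emptied. The list of headers checked beyond `Server` and the version regex are assumptions of this example.

```python
import re
from typing import Dict

# Assumption: headers that commonly reveal the server technology or its version.
TECH_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Assumption: a product/version token looks like "CherryPy/3.5.0" or "Apache/2.4".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 response into a lower-cased header map (body ignored)."""
    lines = raw_response.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw_response: str) -> Dict[str, str]:
    """Return {header: value} for technology headers that disclose a version (ASVS 14.3.3)."""
    return {
        name: value
        for name, value in parse_headers(raw_response).items()
        if name in TECH_HEADERS and VERSION_RE.search(value)
    }


# Constructed sample: the response quoted in the customer's scan report.
SCAN_RESPONSE = """HTTP/1.1 302 Found
Date: Wed, 26 Feb 2020 14:04:49 GMT
Server: CherryPy/3.5.0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
"""

# Constructed sample: the same response after the Server value has been blanked.
HARDENED_RESPONSE = SCAN_RESPONSE.replace("Server: CherryPy/3.5.0", "Server: ")

if __name__ == "__main__":
    print(version_disclosures(SCAN_RESPONSE))      # {'server': 'CherryPy/3.5.0'}
    print(version_disclosures(HARDENED_RESPONSE))  # {}
```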
Comment 1 Florian Best univentionstaff 2023-01-18 13:49:42 CET
*** Bug 51303 has been marked as a duplicate of this bug. ***
Comment 2 Dirk Wiesenthal univentionstaff 2023-06-06 09:55:11 CEST
Cherrypy won't be used anymore with UCS 5.0-4
Comment 3 Florian Best univentionstaff 2023-06-11 11:20:14 CEST
Obsoleted by Bug #43633.

*** This bug has been marked as a duplicate of bug 43633 ***
Comment 4 Jürn Brodersen univentionstaff 2023-06-16 14:38:29 CEST
OK:

No commits for bug 55577 in ucs 5.0-4
Still some mentions of cherrypy (`git grep cherrypy`), but nothing critical or related to this bug.

-> Close as duplicate