
Is there a way to know which updates could fix this issue?

Posted: Tue Nov 12, 2019 3:49 pm
by CET
I inherited a Thunderstone appliance application and our security scan recently revealed the below problem. I need to do an upgrade to get it fixed but there is a large list of updates that we have available as I do not think this service has been touched on our end for a few years.

Also, is there no/low/high chance that downloading/installing an update will cause the application to quit working/introduce extra bugs?

Name: Apache Server ETag Header Information Disclosure

Description: The remote web server is affected by an information disclosure vulnerability due to the ETag header providing sensitive information that could aid an attacker, such as the inode number of requested files.

Solution: Modify the HTTP ETag header of the web server to not include file inodes in the ETag header calculation. Refer to the linked Apache documentation for more information.


Posted: Wed Nov 13, 2019 10:41 am
by mark
thunderstonePatch and/or Apache updates will resolve that unless your appliance is particularly old. Or you can fix it yourself by editing the Apache config using System->System Setup->Webmin. Login as "admin" using the same password as for the admin account of the regular admin interface.

Add
FileETag MTime Size
to the bottom of the Apache config (Webmin->Apache->Edit Config Files->httpd.conf) and restart.
Save then "Apply Changes".
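
One way to confirm the FileETag change took effect before the next scan, added here as an example and not part of the original thread or of Thunderstone's tooling. It assumes Apache's file ETag layout of hyphen-separated hex fields (three when the inode is included, at most two with `FileETag MTime Size`), treats the field count as a heuristic, and runs on constructed header samples; the function names are hypothetical.

```python
import re

# Apache file ETags are hex fields joined by "-" (assumption stated above).
_HEX_FIELDS = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)*$", re.IGNORECASE)


def etag_from_headers(raw_headers):
    """Return the ETag value from a raw response header block, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "etag":
            return value.strip()
    return None


def classify_etag(etag):
    """Return 'absent', 'inode-suspected', 'no-inode' or 'not-apache-style'."""
    if not etag:
        return "absent"
    value = etag.strip()
    if value.startswith("W/"):        # weak validator prefix
        value = value[2:]
    value = value.strip('"')
    if value.endswith("-gzip"):       # suffix added for compressed responses
        value = value[: -len("-gzip")]
    if not _HEX_FIELDS.match(value):
        return "not-apache-style"
    fields = value.split("-")
    if len(fields) == 3:
        return "inode-suspected"      # inode + size + mtime
    if len(fields) <= 2:
        return "no-inode"             # size and/or mtime only
    return "not-apache-style"


# Constructed sample responses (not captured from a real appliance).
BEFORE_FIX = 'HTTP/1.1 200 OK\r\nServer: Apache\r\nETag: "2a4f1-1c3-58f0a3b2c1d40"\r\n'
AFTER_FIX = 'HTTP/1.1 200 OK\r\nServer: Apache\r\nETag: "1c3-58f0a3b2c1d40"\r\n'

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, classify_etag(etag_from_headers(sample)))
```

To check the appliance itself, paste the response headers for a static file (for example from `curl -sI`) into `etag_from_headers` in place of the samples.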