On 12/21/2011 1:18 PM, Pete Houston wrote:
On Wed, Dec 21, 2011 at 12:42:02PM -0500, Kevin A. McGrail wrote:Our server is being flagged for PCI non-compliance because of these CVE's but there doesn't appear to be a fix, a workaround or any information I can find.There seem to be 2 obvious workarounds: 1. Don't load mod_setenvif. That's where the problem lies - if the vulnerable code isn't loaded then your application isn't vulnerable.
I'm unfortunately using the setenvif to block bad useragents.
Good points but hard to convince the PCI scanners of these type of workarounds in my experience and we have a decent amount of software that uses .htaccess files for things like apache DBI in mod_perl.2. Don't use .htaccess files. Neither vulnerability can be triggered if you AllowOverride None. This is good for security anyway and if you are dealing with PCI related data I'd recommend this regardless of any issues in the code. It'll also be more efficient.
Plus, they are also flagging us for having +Indexes on /icons (literally the default Apache icons). Like that's a security issue ;-)
Anyway, I am more wondering if 2.2.22 is even on track to address these issues. Or if there are patches for 2.2.X (I found trunk patches but they only dealt with some of the CVE and didn't address the 2.2 branch). The amount of information available for these CVEs since sparse compared to my past experience but perhaps I'm searching incorrectly.
regards, KAM --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|