Re: Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415

Anyway, I am more wondering if 2.2.22 is even on track to address these issues. Or if there are patches for 2.2.X (I found trunk patches but they only dealt with some of the CVEs and didn't address the 2.2 branch). The amount of information available for these CVEs seems sparse compared to my past experience, but perhaps I'm searching incorrectly.

Following up my previous post in case anyone else has the same issue with PCI scans, I actually came across what I needed via a RedHat CVE response. In short, RedHat reiterated and agreed with the Apache server project consensus that they don't consider CVE-2011-4415 a valid security concern:

https://bugzilla.redhat.com/show_bug.cgi?id=750935

"Upstream consensus is that any resource consumption issues triggered by bad
.htaccess configuration are not considered security:
  http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46768"

This same statement also covers CVE-2011-3607.

This explains why I couldn't find anything out about the issues through normal channels and why nothing is tagged for a 2.2.22 release, etc. Hopefully, we'll see the PCI scanners drop these CVEs from their compliance scans but wanted to keep you all in the loop. I'll bcc one of the security contacts I have at our scanner so they know more about the false positive.

Regards,
KAM

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
