Re: Confirmation on Vulnerability Status of Apache HTTP V2.0.50 and when bundled with Brocade FOS V7.1.X

On Tue, Jun 24, 2014 at 12:45:19AM -0400, Kee, Siokkwan wrote:
> We have an issue currently where documentation released from Brocade indicates Apache HTTP V 2.0.50 is listed as non-vulnerable when bundled together with Brocade FOS V7.1.1.
> As Brocade has listed this as a non-vulnerability, the latest version of the FOS is currently still bundled with Apache HTTP V 2.0.50.

Version 2.0.50 has just celebrated its 10th birthday. In server software
terms that is incredibly old. There have been 15 point releases within
the 2.0 branch since then and the entire 2.0 branch is now retired. I
don't see why any software shipped today would be bundled with such an
old version of Apache.

> (Please refer to the attached listed CVE-2012-0053 in Page 15 onwards on the Vulnerability explanation from Brocade.)
> 
> However, during the routine Vulnerability Assessment scan, the Apache HTTP V 2.0.50 reflects that this is a vulnerable version.
> The same is reflected in the Apache HTTP website that this version is vulnerable.
> 
> Would appreciate advice from the Apache.Org team on the comments listed by Brocade (whether it is possible for Apache HTTP V2.0.50 not to be vulnerable when bundled with Brocade FOS) so that we may be able to move forward.

A quick read of the changelog for v2.0.65 reveals:

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.

which seems fairly clear and from which we can infer a simple workaround.

But don't do that - just upgrade Apache instead.

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
