Re: CVE NIST discrepancies

Thanks Eric - there is unfortunately a long list of similar CVEs,
so this has created an audit nightmare

1999-0070
1999-0236
1999-0289
2001-0131
2001-1556
2007-0086
2007-1349
2007-4723
2007-5156
2008-2579
2009-0796
2009-2299
2011-1176
2011-1752
2011-1783
2011-2688
2012-3526
2012-4001
2012-4360
2013-0941
2013-0942
2013-2765
2013-4365

Is there any official Apache statement on the bug in NIST that I can refer the auditors to?

On Fri, Aug 14, 2020 at 2:30 PM Eric Covener <covener@xxxxxxxxx> wrote:
On Fri, Aug 14, 2020 at 11:49 AM Nic P <webninja458@xxxxxxxxx> wrote:
>
> Hi
>
> I am struggling through an audit with explaining CVEs listed on NIST that do not appear on the Apache site with any fixes.
>
> CVE-1999-0070 is an example showing on the NIST site as impacting Apache, but there is no reference to this on the Apache security pages
>
> https://nvd.nist.gov/vuln/detail/CVE-1999-0070
>
> Can anyone help with this sufficiently to explain to audit?

It's a 20+ year old bug misclassified as affecting all Apache releases
on the NIST site, but it seems to be a match for a bug fixed
before 1.3.0 was released (1.2b2 in 1998).  It predates the CVE
system and the CVE doesn't contain anything actionable/identifiable
other than resembling this old bug about the test-cgi sample script.

--
Eric Covener
covener@xxxxxxxxx
