On 11/28/05, syona m <syona2k@xxxxxxxxx> wrote:

> Hi All,
>
> This is a little urgent. We are making use of apache 1.3.29 in our project
> and while running "Nessus" security scan shows what it believes to be
> security vulnerabilities found within Apache ports. They need to know if
> these are valid security concerns or "False Positives". Below are the case
> ids

First, you need to think a little more about what you are doing before sending scattershot email to every address you can find. You sent this message also to me personally, to our security notification address (which specifically forbids messages of this type) and to god-only-knows how many other addresses. I find this very rude and inconsiderate since it wastes the time of the people who you want to help you. Please consider this the next time you have a problem.

The appropriate forum for this type of question is the users@xxxxxxxxxxxxxxxx mailing list, to which I am now replying.

To start, you can get information on apache 1.3 security vulnerabilities here:

http://httpd.apache.org/security/vulnerabilities_13.html

You'll notice this lines up quite closely with the list you quote. All of these problems could be fixed simply by upgrading your server to the most recent 1.3 release: 1.3.33.

Are these important security vulnerabilities? Not really, but it depends on the context. If you are running on a 64-bit big-endian platform, then CVE-2003-0993 could be a problem. If you let untrusted users run ssi, then CVE-2004-0940 could be a problem. If you are a frequent target of Denial of Service attacks, then several of them might be important.

The PUT and DELETE warnings are probably a false positive, but I don't know how Nessus is doing its testing, so I can't tell for sure. Do you run mod_dav? Do you run a CGI script that doesn't check its methods?

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
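One common reason a scanner reports PUT and DELETE as "allowed" on a server that has no mod_dav is the second case Joshua mentions: a CGI script that answers every request with 200 regardless of REQUEST_METHOD, so the scanner's test PUT looks like it succeeded. The following is an added example, not code from the thread or from the Apache project: a minimal CGI-style handler in Python showing the naive behaviour beside a version that checks the method and returns 405 with an Allow header. The environment dicts in the test, the hypothetical ALLOWED_METHODS tuple and the greeting body are constructed for illustration.

```python
#!/usr/bin/env python3
"""CGI method handling: naive handler vs. one that checks REQUEST_METHOD.

Added example (not from the mailing-list thread). A CGI script receives the
HTTP method in the REQUEST_METHOD environment variable; if it never looks at
it, a scanner's PUT or DELETE probe gets the same 200 response as a GET and
is reported as an accepted method.
"""
import os
import sys

# Hypothetical policy for this script: only these methods do anything useful.
ALLOWED_METHODS = ("GET", "HEAD", "POST")


def handle_naive(environ):
    """The problematic pattern: respond 200 to any method, including PUT/DELETE."""
    name = environ.get("QUERY_STRING", "") or "world"
    return "200 OK", [("Content-Type", "text/plain")], f"hello {name}\n"


def handle(environ):
    """Checked version: reject unexpected methods with 405 and an Allow header.

    environ is the CGI environment (os.environ in a real deployment).
    Returns (status_line, headers, body).
    """
    method = environ.get("REQUEST_METHOD", "").upper()
    if method not in ALLOWED_METHODS:
        headers = [
            ("Allow", ", ".join(ALLOWED_METHODS)),
            ("Content-Type", "text/plain"),
        ]
        return "405 Method Not Allowed", headers, "method not allowed\n"
    if method == "HEAD":
        # HEAD gets the same headers as GET but no body.
        return "200 OK", [("Content-Type", "text/plain")], ""
    name = environ.get("QUERY_STRING", "") or "world"
    return "200 OK", [("Content-Type", "text/plain")], f"hello {name}\n"


def emit(status, headers, body, out=sys.stdout):
    """Write a CGI response: Status pseudo-header, other headers, blank line, body."""
    out.write(f"Status: {status}\r\n")
    for key, value in headers:
        out.write(f"{key}: {value}\r\n")
    out.write("\r\n")
    out.write(body)


if __name__ == "__main__":
    # In a real CGI deployment the web server supplies os.environ.
    emit(*handle(os.environ))
```

If a scanner keeps flagging the methods after the script is fixed, the remaining candidates are mod_dav (check for `DAV On` in httpd.conf) or a method limit at the server level; Apache 1.3 supports `<LimitExcept GET POST HEAD>` with `Deny from all` inside a `<Directory>` or `<Location>` block to refuse other methods before any script runs.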