Re: security compliance vs. old software versions




Kwan Lowe wrote:
> On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
>> What's the correct response to a security scan that points out that
>> apache versions below 2.2.14 have multiple known vulnerabilities?  Is
>> there an official document about what known vulnerabilities have been
>> fixed in the RHEL/CentOS updates or do you have to wade through the
>> changelog to try to find each thing?
>>
> 
> The upstream vendor backports many fixes. The best thing to do is
> reference the CVE number in the changelogs. It's still wading through
> a lot of changelogs, but with the CVE you can find it pretty quickly.

Googling the CVE # and the vendor will usually turn up the patched
version or disposition quickly.

Depending on the assessment tool and how bright it is, you can adjust
the settings for a more thorough scan that may reduce false positives.

Others can actually be set up to ssh into the box and verify patches.

-- 
-- John E. Jasen (jjasen@xxxxxxxxxxxxxxxxxx)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
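The approach the thread describes (take the CVE IDs the scanner complains about, look for them in the package changelog where the vendor records backported fixes) as a small script. This is an added example, not code from anyone in the thread; the changelog text, the maintainer name and every CVE ID, bug number and version string in it are constructed placeholders, not real httpd history. On a CentOS host the changelog text would come from `rpm -q --changelog httpd` instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks scanner-reported CVE IDs
# against an RPM changelog, which is where backported fixes are recorded.
# On a CentOS host the changelog text comes from:  rpm -q --changelog httpd
# The text below is a constructed sample in that format; the CVE IDs,
# dates, bug numbers and version strings are placeholders, not real history.

SAMPLE_CHANGELOG='* Tue Mar 02 2010 Example Maintainer <maint@example.com> - 2.2.3-43.el5
- add security fix for CVE-2010-1111 (#111111)
- add security fix for CVE-2010-2222 (#222222)

* Mon Nov 23 2009 Example Maintainer <maint@example.com> - 2.2.3-37.el5
- add security fix for CVE-2009-4444 (#444444)'

# extract_cves TEXT
# Prints the unique CVE IDs found in TEXT (e.g. a pasted scanner finding),
# one per line, sorted.
extract_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# report_status CHANGELOG CVE...
# Prints "<cve> fixed" if the changelog mentions the ID, "<cve> missing"
# otherwise. Returns the number of missing IDs, so a nonzero status means
# at least one finding is not accounted for by a backport and needs a real
# look (update the package, or confirm the shipped version was never
# affected) rather than being written off as a scanner false positive.
report_status() {
    changelog="$1"
    shift
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -qi -- "$cve"; then
            echo "$cve fixed"
        else
            echo "$cve missing"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Demo: a constructed scanner finding checked against the sample changelog.
# One of the three IDs is deliberately absent from the changelog.
FINDING='Apache httpd < 2.2.14: CVE-2010-1111, CVE-2010-2222, CVE-2010-3333'
report_status "$SAMPLE_CHANGELOG" $(extract_cves "$FINDING") \
    || echo "$? finding(s) not covered by the changelog"
```

The match is a plain case-insensitive grep for the ID, which is what the thread suggests; it tells you the vendor touched that CVE, not that the build on the box carries the fix. For that, compare the installed NVR (`rpm -q httpd`) against the changelog entry's version line, which is also why the scanners that can log in over ssh and query the package database are more reliable than banner-based version checks.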

