Re: security compliance vs. old software versions




Kai Schaetzl wrote:
> Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
> 
>> Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache 
>> 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
> 
> Remove that module from httpd.conf and try again. If it still gives that 
> warning, you've proven the tool is braindead. You could also just tell 
> Apache not to add a server signature. I wonder how the tool will react to 
> that :-) Or is it run locally and scans the rpm database?

The first probe is remote.  The guy doing it also logged into the box and 
checked something after I told him about the backported fixes, but I haven't 
caught up with him about the specifics yet.  He will understand what RH does, 
but we have to convincingly document the details for less technical folks - or 
update to something without CVEs.  I would expect this to be a fairly common 
problem, though.

These boxes are running as reverse-proxies with some rewriterules but don't need 
to handle ftp.

-- 
   Les Mikesell
    lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
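The two suggestions in the thread (drop mod_proxy_ftp from a reverse proxy that only speaks HTTP, and stop advertising the full version string a banner-grabbing scanner keys on), plus the changelog check that documents a backported fix, as an added example that is not part of this thread or of any CentOS/Red Hat tooling. The httpd.conf fragment and the rpm changelog text are constructed samples embedded inline so the script runs offline; the CVE id in the sample changelog is a dummy placeholder, not a real advisory. On a real box the changelog text would come from `rpm -q --changelog httpd`, which is where Red Hat records the CVEs fixed by backport without bumping the upstream version number.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a constructed reverse-proxy
# httpd.conf fragment for mod_proxy_ftp and ServerTokens/ServerSignature,
# emits a hardened copy, and checks a constructed rpm changelog for a CVE id.

# Constructed sample: a reverse-proxy config that loads mod_proxy_ftp it
# never uses and leaks OS/version details in the Server header.
SAMPLE_CONF='LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
ServerTokens OS
ServerSignature On
ProxyRequests Off
RewriteEngine On
RewriteRule ^/app/(.*)$ http://backend.internal/$1 [P]'

# Constructed sample of "rpm -q --changelog httpd" output. CVE-0000-0001 is a
# dummy id used only to exercise the check; it is not a real vulnerability.
SAMPLE_CHANGELOG='* Mon Jan 04 2010 Example Packager <packager@example.com> - 0.0.0-1
- backport upstream fix for CVE-0000-0001 (dummy id, constructed sample)'

# Returns 0 when an active (uncommented) LoadModule line loads mod_proxy_ftp.
ftp_proxy_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*LoadModule[[:space:]]+proxy_ftp_module[[:space:]]'
}

# Prints the effective ServerTokens value; Apache's default when unset is Full.
server_tokens() {
    v=$(printf '%s\n' "$1" | sed -n -E 's/^[[:space:]]*ServerTokens[[:space:]]+([A-Za-z]+).*/\1/p' | tail -n 1)
    printf '%s\n' "${v:-Full}"
}

# Prints the effective ServerSignature value; Apache's default when unset is Off.
server_signature() {
    v=$(printf '%s\n' "$1" | sed -n -E 's/^[[:space:]]*ServerSignature[[:space:]]+([A-Za-z]+).*/\1/p' | tail -n 1)
    printf '%s\n' "${v:-Off}"
}

# Prints a hardened copy of the fragment: comments out the proxy_ftp LoadModule,
# forces ServerTokens Prod (banner becomes just "Apache") and ServerSignature Off.
# mod_proxy and mod_proxy_http stay loaded, so the RewriteRule [P] keeps working.
harden_conf() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^([[:space:]]*)(LoadModule[[:space:]]+proxy_ftp_module.*)$/\1#\2/' \
        -e 's/^([[:space:]]*ServerTokens)[[:space:]]+.*/\1 Prod/' \
        -e 's/^([[:space:]]*ServerSignature)[[:space:]]+.*/\1 Off/'
}

# Returns 0 when the changelog text ($1) mentions the CVE id ($2). This is the
# evidence to hand a non-technical auditor: the fix is present even though the
# version string the scanner saw is older than the upstream release that fixed it.
changelog_mentions() {
    printf '%s\n' "$1" | grep -Fq -- "$2"
}

# Stand-alone run: report findings for the sample and print the hardened copy.
if ftp_proxy_loaded "$SAMPLE_CONF"; then
    echo "FINDING: mod_proxy_ftp is loaded but this host only proxies HTTP"
fi
echo "ServerTokens is $(server_tokens "$SAMPLE_CONF"); ServerSignature is $(server_signature "$SAMPLE_CONF")"
echo "--- hardened fragment ---"
harden_conf "$SAMPLE_CONF"
if changelog_mentions "$SAMPLE_CHANGELOG" "CVE-0000-0001"; then
    echo "changelog documents a backported fix for CVE-0000-0001 (dummy id)"
fi
```

Note that ServerTokens Prod only changes what the scanner sees; it does not fix anything, and a scanner that then logs in and reads the rpm database will still see the same package version, so the changelog evidence is what actually answers the finding.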

