[CentOS] security compliance vs. old software versions

Les Mikesell lesmikesell at gmail.com
Tue Jun 29 22:52:37 UTC 2010


On 6/29/2010 4:37 PM, Bill Campbell wrote:
> On Tue, Jun 29, 2010, Brian Mathis wrote:
>>> On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
>>> What's the correct response to a security scan that points out that
>>> apache versions below 2.2.14 have multiple known vulnerabilities?  Is
>>> there an official document about what known vulnerabilities have been
>>> fixed in the RHEL/CentOS updates or do you have to wade through the
>>> changelog to try to find each thing?
>>>
>>
>> Have them read this:
>> http://www.redhat.com/security/updates/backporting/?sc_cid=3093
>>
>> If you're dealing with an auditor, that should be all they need as at
>> least they can write down that you've made a conscious decision based
>> on that information.
>
> That's assuming the auditor can read, which seems doubtful
> considering what I've found with Securityfocus and similar PCI
> testing outfits.

It's internal, but requires a formal response - or an application 
update.  The test tool says:

These are the reported vulnerabilities

Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities
Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
Apache 2.2 prior to 2.2.15 Multiple Vulnerabilities
Apache Prior to Version 2.2.8 Multiple Vulnerabilities
Apache Prior to Version 2.2.9 Multiple Vulnerabilities
Apache Server 2.x Prior To 2.2.12 Multiple Vulnerabilities

-- 
   Les Mikesell
    lesmikesell at gmail.com
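The question above is whether one has to wade through the changelog to match each scanner finding to a fix. The following added example (not from the thread or from Red Hat) does exactly that: on RHEL/CentOS a backported fix leaves the package version unchanged but is recorded in the RPM changelog, so the finding is answered by checking that changelog for the CVE ids behind it. It uses a constructed changelog excerpt with placeholder CVE ids so it runs offline; the package name httpd for the live run is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. A backported fix leaves the package
# version (e.g. httpd 2.2.3) untouched but is recorded in the RPM changelog,
# so grep that changelog for the CVE ids the scanner finding maps to.

# Constructed changelog excerpt so the script runs offline; the CVE ids are
# placeholders (real ids are all digits), not real advisories.
SAMPLE_CHANGELOG='* Wed Jan 06 2010 Packager <packager@example.invalid> - 2.2.3-43
- add security fix for CVE-2009-XXXX (mod_proxy_ftp)
- add security fix for CVE-2009-YYYY
* Tue Dec 01 2009 Packager <packager@example.invalid> - 2.2.3-31
- add security fix for CVE-2008-ZZZZ'

# Succeeds when the CVE id ($1) appears in the changelog text read from stdin.
# Fixed-string match: a CVE id is literal text, not a regular expression.
cve_in_changelog() {
    grep -qF -- "$1"
}

# For each CVE id given after the changelog text ($1), print whether the
# changelog records a fix. Returns the number of ids NOT found, so a zero
# exit means every finding is covered by a backported fix.
report_cves() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | cve_in_changelog "$cve"; then
            echo "$cve: fixed in changelog (backported)"
        else
            echo "$cve: not in changelog, needs a formal response or an update"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Offline run against the constructed sample: one id is covered, one is not.
report_cves "$SAMPLE_CHANGELOG" CVE-2009-XXXX CVE-2010-QQQQ \
    || echo "$? finding(s) unresolved"

# On the real host (assumption: package name httpd), feed the live changelog:
#   report_cves "$(rpm -q --changelog httpd)" CVE-... CVE-...
```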
