[CentOS] security compliance vs. old software versions
Les Mikesell
lesmikesell at gmail.com
Wed Jun 30 12:59:02 UTC 2010
Kai Schaetzl wrote:
> Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
>
>> Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache
>> 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
>
> Remove that module from httpd.conf and try again. If it still gives that
> warning you've proven the tool is braindead. You could also just tell
> Apache not to add a server signature. I wonder how the tool will react to
> that :-) Or is it run locally and scans the rpm database?
The first probe is remote. The guy doing it also logged into the box and
checked something after I told him about the backported fixes but I haven't
caught up with him about the specifics yet. He will understand what RH does,
but we have to convincingly document the details for less technical folks - or
update to something without CVEs. I would expect this to be a fairly common
problem, though.
These boxes are running as reverse-proxies with some RewriteRules but don't need
to handle ftp.
--
Les Mikesell
lesmikesell at gmail.com
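The two checks discussed in this thread, as an added example that is not part of the original post or of any CentOS tooling: first, whether the httpd configuration actually loads mod_proxy_ftp and what ServerTokens/ServerSignature are set to (Kai's suggestion); second, whether a given CVE id is recorded in the package changelog, which is where Red Hat documents backported fixes and is the evidence a local scan or a less technical reviewer can be pointed at. Both the httpd.conf fragments and the changelog text below are constructed sample data, the CVE ids are placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies the two things discussed:
#  1. does httpd.conf load proxy_ftp_module, and what ServerTokens/ServerSignature say
#  2. does the RPM changelog mention a given CVE (backported-fix evidence)
# All sample data here is CONSTRUCTED; CVE-0000-000x are placeholders, not real ids.

# Constructed: a "weak" config (module loaded, full banner) next to a hardened one.
SAMPLE_CONF_WEAK='ServerTokens Full
ServerSignature On
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so'

SAMPLE_CONF_HARDENED='ServerTokens Prod
ServerSignature Off
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so'

# Constructed: what `rpm -q --changelog httpd` output looks like in shape only.
SAMPLE_CHANGELOG='* Mon Jan 04 2010 Example Maintainer <maint@example.invalid> - 2.2.3-99
- add security fix for CVE-0000-0001 (mod_proxy_ftp wildcard handling) [placeholder id]
* Tue Dec 01 2009 Example Maintainer <maint@example.invalid> - 2.2.3-98
- add security fix for CVE-0000-0002 [placeholder id]
* Mon Nov 02 2009 Example Maintainer <maint@example.invalid> - 2.2.3-97
- rebuild'

# conf_loads_module CONF_TEXT MODULE_NAME
# Exit 0 if an uncommented LoadModule line for MODULE_NAME exists.
conf_loads_module() {
    printf '%s\n' "$1" | grep -E -q "^[[:space:]]*LoadModule[[:space:]]+$2([[:space:]]|\$)"
}

# conf_directive CONF_TEXT DIRECTIVE
# Print the first value of DIRECTIVE (comment lines start with '#' so never match).
conf_directive() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# cve_in_changelog CVE_ID CHANGELOG_TEXT
# Exit 0 if the exact CVE id string appears anywhere in the changelog.
cve_in_changelog() {
    printf '%s\n' "$2" | grep -q -F -- "$1"
}

# list_cves CHANGELOG_TEXT
# Print every distinct CVE id mentioned, one per line, sorted.
list_cves() {
    printf '%s\n' "$1" | grep -o -E 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# report CONF_TEXT LABEL -- human-readable summary of one config
report() {
    printf '%s: ServerTokens=%s ServerSignature=%s proxy_ftp_module=' \
        "$2" "$(conf_directive "$1" ServerTokens)" "$(conf_directive "$1" ServerSignature)"
    if conf_loads_module "$1" proxy_ftp_module; then echo loaded; else echo "not loaded"; fi
}

report "$SAMPLE_CONF_WEAK" weak
report "$SAMPLE_CONF_HARDENED" hardened
echo "CVE ids recorded in sample changelog:"
list_cves "$SAMPLE_CHANGELOG"
# On a real CentOS box, feed the live data instead of the samples:
#   conf_loads_module "$(cat /etc/httpd/conf/httpd.conf)" proxy_ftp_module
#   cve_in_changelog CVE-XXXX-YYYY "$(rpm -q --changelog httpd)"
```

The changelog check is the part worth showing an auditor: a remote scanner only sees the version string in the banner, while `rpm -q --changelog` shows which specific CVE fixes were backported into that version, so a scanner finding can be answered with the exact changelog entry rather than an argument about how Red Hat packages software.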