Hi
I'm using CentOS 3, and it's fully patched using yum. Apache reports version 2.0.46 (CentOS).
A colleague ran a copy of Nikto, a scripted vuln. finder, against my server, and reported the following problems. The only one I've tested is the directory traversal, and it seems to be an issue. Will the upstream vendor patch these issues in Apache 2.0.46, or not? If not, does anyone know why not?
# Apache/2.0.46 (CentOS) - Apache 2.0 to 2.0.49 may allow unescaped data into logfiles, which could pose a threat when logs are viewed/parsed. CAN-2003-0020. OSVDB-4382.
# Apache/2.0.46 (CentOS) - Apache 2.0 to 2.0.50 contains a DoS with certain input data. CAN-2004-0493. OSVDB-7269.
# Apache/2.0.46 (CentOS) - Apache 2.0 to 2.0.51 contains a potential infinite loop. CAN-2004-0748. OSVDB-9523.
# 2.0.46 (CentOS) - TelCondex Simpleserver 2.13.31027 Build 3289 and below allow directory traversal with '/.../' entries.
# Apache/2.0.46 - "Apache 2.0 up 2.0.46 are vulnerable to multiple remote problems. CAN-2003-0192. CAN-2003-0253. CAN-2003-0254. CERT VU
# Apache/2.0.46 - Apache 2.0 up 2.0.47 are vulnerable to multiple remote problems in mod_rewrite and mod_cgi. CAN-2003-0789. CAN-2003-0542.
# Apache/2.0.46 (CentOS) - Apache 2.0 to 2.0.53 contains a memory exhaustion DoS through MIME folded requests. CAN-2004-0942. OSVDB-11391.
# Apache/2.0.46 (CentOS) - Apache 2.0 to 2.0.52 could allow bypassing of authentication via the Satisfy directive. CAN-2004-0811. OSVDB-10218.