[CentOS] Apache patching questions

Tue Feb 21 23:13:59 UTC 2006
U n d e r a c h i e v e r <takeme2your at rocketmail.com>


I'm using CentOS 3, and it's fully patched using yum. Apache reports version
2.0.46 (CentOS)

A colleague ran a copy of Nikto, a scripted vuln. finder, against my server,
and reported the following problems. The only one I've tested is the
directory traversal, and it seems to be an issue. Will the upstream vendor
patch these issues in Apache 2.0.46, or not? If not, does anyone know why

# Apache/2.0.46 (CentOS) - Apache 2.0 to 2.0.49 may allow unescaped data
into logfiles, which could pose a threat when logs are viewed/parsed.
CAN-2003-0020. OSVDB-4382.
# Apache/2.0.46 (CentOS) - Apache 2.0 to 2.0.50 contains a DoS with certain
input data. CAN-2004-0493. OSVDB-7269.
# Apache/2.0.46 (CentOS) - Apache 2.0 to 2.0.51 contains a potential
infinite loop. CAN-2004-0748. OSVDB-9523.
# 2.0.46 (CentOS) - TelCondex Simpleserver 2.13.31027 Build 3289 and below
allow directory traversal with '/.../' entries.
# Apache/2.0.46 - "Apache 2.0 up 2.0.46 are vulnerable to multiple remote
problems. CAN-2003-0192. CAN-2003-0253. CAN-2003-0254. CERT VU
# Apache/2.0.46 - Apache 2.0 up 2.0.47 are vulnerable to multiple remote
problems in mod_rewrite and mod_cgi. CAN-2003-0789. CAN-2003-0542.
# Apache/2.0.46 (CentOS) - Apache 2.0 to 2.0.53 contains a memory exhaustion
DoS through MIME folded requests. CAN-2004-0942. OSVDB-11391.
# Apache/2.0.46 (CentOS) - Apache 2.0 to 2.0.52 could allow bypassing of
authentication via the Satisfy directive. CAN-2004-0811. OSVDB-10218.

takeme2your at rocketmail.com
U n d e r a c h i e v e r