[CentOS] security compliance vs. old software versions

Wed Jun 30 12:59:02 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

Kai Schaetzl wrote:
> Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
> 
>> Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache 
>> 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
> 
> Remove that module from httpd.conf and try again. If it still gives that 
> warning you've proven the tool is braindead. You could also just tell 
> Apache not to add a server signature. I wonder how the tool will react to 
> that :-) Or is it run locally and scans the rpm database?

The first probe is remote.  The guy doing it also logged into the box and 
checked something after I told him about the backported fixes but I haven't 
caught up with him about the specifics yet.  He will understand what RH does, 
but we have to convincingly document the details for less technical folks - or 
update to something without CVEs.  I would expect this to be a fairly common 
problem, though.

These boxes are running as reverse-proxies with some RewriteRules but don't need 
to handle ftp.

-- 
   Les Mikesell
    lesmikesell at gmail.com
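One way to produce the write-up the thread asks for, as an added example that is not from this list post: it checks the package's rpm changelog (where Red Hat and CentOS record backported security fixes) against the CVE ids a version-banner scanner reports, so the finding can be shown as fixed or flagged as genuinely open. The package NVR, changelog text and CVE ids below are constructed placeholders; on a real box the two `rpm -q` commands in the last comment supply them.

```shell
#!/bin/sh
# Added example: evidence that a scanner's version-based httpd finding is
# already fixed by a backported patch. All CVE ids here are placeholders.

# Constructed stand-ins for `rpm -q httpd` and `rpm -q --changelog httpd`.
SAMPLE_NVR='httpd-2.2.3-31.el5.centos.4'
SAMPLE_CHANGELOG='* Wed Oct 21 2009 Example Packager <pkg@example.com> - 2.2.3-31.4
- add security fix for CVE-0000-0001 (placeholder: mod_proxy_ftp wildcard XSS)
- add security fix for CVE-0000-0002 (placeholder)
* Mon Apr 06 2009 Example Packager <pkg@example.com> - 2.2.3-22.1
- add security fix for CVE-0000-0003 (placeholder)
'

# cve_fixed CVE-ID CHANGELOG-TEXT -> 0 if the changelog names the CVE, else 1
cve_fixed() {
    printf '%s\n' "$2" | grep -qiF -- "$1"
}

# fixed_cve_count CHANGELOG-TEXT -> number of distinct CVE ids it mentions
fixed_cve_count() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u | wc -l | tr -d ' '
}

# cve_report NVR CHANGELOG-TEXT CVE... -> one line per scanner CVE, citing the
# changelog entry that fixes it; returns 1 if any CVE is not accounted for.
cve_report() {
    nvr="$1"; log="$2"; shift 2
    missing=0
    echo "Installed package: $nvr (upstream version string is unchanged by backports)"
    for cve in "$@"; do
        if cve_fixed "$cve" "$log"; then
            entry=$(printf '%s\n' "$log" | grep -iF -- "$cve" | head -n 1)
            echo "  $cve: fixed, changelog says:$entry"
        else
            echo "  $cve: NOT FOUND in changelog - check the erratum or update"
            missing=1
        fi
    done
    return $missing
}

# Live use:  cve_report "$(rpm -q httpd)" "$(rpm -q --changelog httpd)" CVE-...
cve_report "$SAMPLE_NVR" "$SAMPLE_CHANGELOG" CVE-0000-0001 CVE-0000-0003 CVE-0000-0004 || true
```

A non-zero exit from `cve_report` means at least one reported CVE has no changelog entry, which is the case that actually needs an erratum lookup or an update rather than documentation.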