[CentOS] security compliance vs. old software versions

Wed Jun 30 14:10:44 UTC 2010
m.roth at 5-cent.us <m.roth at 5-cent.us>

Les Mikesell wrote:
> Kai Schaetzl wrote:
>> Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
>>
>>> Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache
>>> 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
>>
>> Remove that module from httpd.conf and try again. If it still gives that
>> warning you've proven the tool is braindead. You could also just tell
>> Apache not to add a server signature. I wonder how the tool will react
>> to that :-) Or is run locally and scans the rpm database?
>
> The first probe is remote.  The guy doing it also logged into the box and
> checked something after I told him about the backported fixes but I
> haven't caught up with him about the specifics yet.  He will understand
> what RH does, but we have to convincingly document the details for less
> technical folks - or update to something without CVE's.  I would expect
> this to be a fairly common problem, though.
<snip>
I understand that. We had a scan a few months ago (and they're about to do
it again), and to satisfy it, I had to turn off the h/d/ramdisks in our
laser printers....

           mark
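The thread describes two ways of answering a banner-based scanner that flags a backported RHEL/CentOS httpd: document the fix from the package changelog, or take Kai's advice and drop the module and the server signature. The following is an added example, not code from the list thread or from the CentOS project. It assumes the rpm changelog is the authoritative record of a backport (on a real host you would feed it the output of `rpm -q --changelog httpd`, and the real httpd.conf); here both inputs are constructed strings so the script runs offline, and the CVE id and packager name in them are placeholders rather than real advisory data.

```shell
#!/bin/sh
# Added example (not from the list thread): helpers that (1) look up a
# backported fix in an rpm changelog and (2) check and apply the httpd.conf
# hardening suggested in the thread (unload mod_proxy_ftp, shrink the banner).
# The inputs below are constructed; CVE-XXXX-YYYY is a placeholder id.

# Constructed sample of what `rpm -q --changelog httpd` prints.
SAMPLE_CHANGELOG='* Mon Jan 04 2010 Example Packager <pkg@example.invalid> - 2.2.3-31.el5_4.3
- add security fix for CVE-XXXX-YYYY (mod_proxy_ftp XSS, backported)
* Thu Jan 01 2009 Example Packager <pkg@example.invalid> - 2.2.3-22.el5
- initial build'

# Constructed httpd.conf fragment: module loaded, verbose version banner.
SAMPLE_CONF='LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
ServerTokens Full
ServerSignature On'

# cve_fixed_in_changelog CHANGELOG CVE-ID
# Returns 0 when the changelog records the CVE, i.e. the fix was backported
# even though the version string the scanner sees stays at 2.2.3.
cve_fixed_in_changelog() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# module_loaded CONF MODULE
# Returns 0 when an uncommented LoadModule line loads MODULE.
module_loaded() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$2[[:space:]]"
}

# server_tokens CONF
# Prints the effective ServerTokens value; Apache's default is Full.
server_tokens() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*ServerTokens[[:space:]]/ { v = $2 }
        END { print (v == "" ? "Full" : v) }'
}

# harden_conf CONF
# Prints CONF with mod_proxy_ftp commented out and the banner reduced to
# "Apache" (ServerTokens Prod) with the page footer disabled.
harden_conf() {
    printf '%s\n' "$1" | sed \
        -e 's/^\([[:space:]]*LoadModule[[:space:]]\{1,\}proxy_ftp_module\)/#\1/' \
        -e 's/^[[:space:]]*ServerTokens[[:space:]].*/ServerTokens Prod/' \
        -e 's/^[[:space:]]*ServerSignature[[:space:]].*/ServerSignature Off/'
}

# Stand-alone usage: report on the constructed inputs.
if cve_fixed_in_changelog "$SAMPLE_CHANGELOG" "CVE-XXXX-YYYY"; then
    echo "changelog documents backport of CVE-XXXX-YYYY"
fi
if module_loaded "$SAMPLE_CONF" proxy_ftp_module; then
    echo "mod_proxy_ftp is loaded; ServerTokens is $(server_tokens "$SAMPLE_CONF")"
fi
echo "--- hardened config ---"
harden_conf "$SAMPLE_CONF"
```

Hardening the banner only stops the scanner from guessing from the version string; the changelog lookup is what actually shows the fix is present, and it is the piece you can hand to the less technical reviewers the thread mentions.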