What's the correct response to a security scan that points out that apache versions below 2.2.14 have multiple known vulnerabilities? Is there an official document about what known vulnerabilities have been fixed in the RHEL/CentOS updates or do you have to wade through the changelog to try to find each thing?

--
  Les Mikesell
   lesmikesell at gmail.com
On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
> What's the correct response to a security scan that points out that
> apache versions below 2.2.14 have multiple known vulnerabilities? Is
> there an official document about what known vulnerabilities have been
> fixed in the RHEL/CentOS updates or do you have to wade through the
> changelog to try to find each thing?

The upstream vendor backports many fixes. The best thing to do is reference the CVE number in the changelogs. It's still wading through a lot of changelogs, but with the CVE you can find it pretty quickly.
On 6/29/2010 5:11 PM, Les Mikesell wrote:
> What's the correct response to a security scan that points out that
> apache versions below 2.2.14 have multiple known vulnerabilities? Is
> there an official document about what known vulnerabilities have been
> fixed in the RHEL/CentOS updates or do you have to wade through the
> changelog to try to find each thing?

One of the things to do first is to find out if the client who needs the scan actually does any e-commerce on your server. Otherwise, I have found that the scans can be stopped by having your client contact their CC processing company. It seems that RHEL is in most of these scanners' systems, however CentOS is not, so they balk at the old versions. It's really all just a big pain.

John Hinton
On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
> What's the correct response to a security scan that points out that
> apache versions below 2.2.14 have multiple known vulnerabilities? Is
> there an official document about what known vulnerabilities have been
> fixed in the RHEL/CentOS updates or do you have to wade through the
> changelog to try to find each thing?
>
> --
>   Les Mikesell
>    lesmikesell at gmail.com

Have them read this: http://www.redhat.com/security/updates/backporting/?sc_cid=3093

If you're dealing with an auditor, that should be all they need as at least they can write down that you've made a conscious decision based on that information.
On Tue, 29 Jun 2010, Les Mikesell wrote:
> What's the correct response to a security scan that points out that
> apache versions below 2.2.14 have multiple known vulnerabilities? Is
> there an official document about what known vulnerabilities have been
> fixed in the RHEL/CentOS updates or do you have to wade through the
> changelog to try to find each thing?

I've done one of
1) grep the changelogs
2) hit up my RHT account manager
3) sent the referenced page about backports
4) asked those questioning me to demonstrate the issue
5) complained about my employer spending money on broken tools

Some combination of the above has always worked so far.

----------------------------------------------------------------------
Jim Wildman, CISSP, RHCE                jim at rossberry.com
http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best
state, is a necessary evil; in its worst state, an intolerable one."
Thomas Paine
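The "reference the CVE number in the changelogs" and "grep the changelogs" advice in the replies above, as an added example that is not part of the original thread: it parses the output of `rpm -q --changelog httpd` into one set of CVE ids per package release, then answers each scanner finding with the backported release that mentions it. The changelog text, maintainer, release numbers and CVE ids below are constructed placeholders, and the header regex assumes the common "* Date Name <email> - version-release" entry format.

```python
import re
import sys
from collections import OrderedDict

# Constructed sample in the shape of `rpm -q --changelog httpd` output.
# Maintainer, releases and CVE ids are placeholders, not a real RHEL/CentOS log.
SAMPLE_CHANGELOG = """\
* Mon Jun 07 2010 Example Maintainer <maint@example.com> - 2.2.3-43.el5
- add security fix for CVE-2010-1234 (placeholder id)
- add security fix for CVE-2010-2345 (placeholder id)

* Wed Jan 13 2010 Example Maintainer <maint@example.com> - 2.2.3-42.el5
- backport fix for CVE-2009-5678 (placeholder id)
- rebuild against new openssl

* Thu Jul 17 2008 Example Maintainer <maint@example.com> - 2.2.3-11.el5
- initial build
"""

# Entry header: "* <date> <name> <email> - <version-release>" (assumed format).
ENTRY_RE = re.compile(r"^\* .*?\s-\s(\S+)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Map each package release to the set of CVE ids its entry mentions,
    keeping rpm's newest-first order."""
    entries = OrderedDict()
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, set())
        elif current is not None:
            entries[current].update(CVE_RE.findall(line))
    return entries


def audit_scan_findings(changelog_text, cves):
    """Return {cve: release that mentions it, or None}. A None means the
    changelog gives no evidence the CVE was backported and needs follow-up."""
    entries = parse_changelog(changelog_text)
    return {cve: next((rel for rel, found in entries.items() if cve in found), None)
            for cve in cves}


if __name__ == "__main__":
    # Real use: rpm -q --changelog httpd | python3 cve_audit.py CVE-XXXX-YYYY ...
    text = SAMPLE_CHANGELOG if sys.stdin.isatty() else sys.stdin.read()
    for cve, rel in audit_scan_findings(text, sys.argv[1:] or ["CVE-2010-1234"]).items():
        print(cve, "fixed in", rel or "NOT FOUND in changelog")
```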