httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@apache.org>
Subject Re: Basic question about vulnerability if a specific module is NOT loaded
Date Fri, 02 Apr 2010 23:33:46 GMT
On 4/2/2010 2:25 PM, Franklin, Meyer wrote:
> Hello William,
> Thanks so much for the prompt reply.  This is exactly what I needed.  I agree that most
> scanners only look at version numbers, but we may be able to debate with our customers using
> your official response.  At this point, moving to version 2.0.64-dev to get past the scanners'
> tests may not be an option since this version is NOT officially released by Apache.org.  We
> are more interested in moving to 2.3.x when it becomes an official release.

Just pay attention to the alert language.  For example, "Subrequest handling of request
headers (mod_headers) CVE-2010-0434" begins "A flaw in the core subrequest process code
was fixed..."  Whenever you see a reference to 'core', the httpd itself was patched.  Though
mod_headers, in this case, exhibited incorrect behavior with the flaw, there are likely
third party modules which similarly misbehave with the broken core logic.
