httpd-users mailing list archives

From "Kevin A. McGrail" <>
Subject Re: [users@httpd] Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415
Date Fri, 06 Jan 2012 17:13:29 GMT

> Anyway, I am more wondering if 2.2.22 is even on track to address 
> these issues.  Or if there are patches for 2.2.X (I found trunk 
> patches but they only dealt with some of the CVE and didn't address 
> the 2.2 branch).  The amount of information available for these CVEs 
> seems sparse compared to my past experience, but perhaps I'm searching 
> incorrectly. 

Following up on my previous post in case anyone else has the same issue 
with PCI scans, I actually came across what I needed via a RedHat CVE 
response.  In short, RedHat reiterated and agreed with the Apache server 
project consensus that they don't consider CVE-2011-4415 a valid 
security concern:

"Upstream consensus is that any resource consumption issues triggered by bad
.htaccess configuration are not considered security:"

This same statement also covers CVE-2011-3607.

This explains why I couldn't find anything out about the issues through 
normal channels and why nothing is tagged for a 2.2.22 release, etc.  
Hopefully, we'll see the PCI scanners drop these CVEs from their 
compliance scans but wanted to keep you all in the loop.  I'll bcc one 
of the security contacts I have at our scanner so they know more about 
the false positive.


The official User-To-User support forum of the Apache HTTP Server Project.