httpd-users mailing list archives

From "Kevin A. McGrail" <KMcGr...@PCCC.com>
Subject Re: [users@httpd] Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415
Date Fri, 06 Jan 2012 17:13:29 GMT

> Anyway, I am more wondering if 2.2.22 is even on track to address
> these issues.  Or if there are patches for 2.2.X (I found trunk
> patches but they only dealt with some of the CVEs and didn't address
> the 2.2 branch).  The amount of information available for these CVEs
> seems sparse compared to my past experience, but perhaps I'm searching
> incorrectly.

Following up my previous post in case anyone else has the same issue
with PCI scans: I actually came across what I needed via a RedHat CVE
response.  In short, RedHat reiterated and agreed with the Apache server
project's consensus that they don't consider CVE-2011-4415 a valid
security concern:

https://bugzilla.redhat.com/show_bug.cgi?id=750935

"Upstream consensus is that any resource consumption issues triggered by bad
.htaccess configuration are not considered security:
   http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46768"

This same statement also covers CVE-2011-3607.

This explains why I couldn't find anything out about the issues through
normal channels and why nothing is tagged for a 2.2.22 release, etc.
Hopefully, we'll see the PCI scanners drop these CVEs from their
compliance scans, but I wanted to keep you all in the loop.  I'll bcc one
of the security contacts I have at our scanner so they know more about
the false positive.

Regards,
KAM

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

