From: "Kevin A. McGrail"
Date: Fri, 06 Jan 2012 12:13:29 -0500
To: users@httpd.apache.org
CC: Pete Houston
Message-ID: <4F072BB9.8060100@PCCC.com>
In-Reply-To: <4EF231D7.9090809@PCCC.com>
References: <4EF21A6A.4090005@PCCC.com> <20111221181839.GL2156@palma.openstrike.co.uk> <4EF231D7.9090809@PCCC.com>
Subject: Re: [users@httpd] Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415

> Anyway, I am more wondering if 2.2.22 is even on track to address
> these issues. Or if there are patches for 2.2.X (I found trunk
> patches but they only dealt with some of the CVEs and didn't address
> the 2.2 branch). The amount of information available for these CVEs
> seems sparse compared to my past experience, but perhaps I'm searching
> incorrectly.

Following up my previous post in case anyone else has the same issue with PCI scans: I actually came across what I needed via a Red Hat CVE response. In short, Red Hat reiterated and agreed with the Apache server project consensus that they don't consider CVE-2011-4415 a valid security concern:

https://bugzilla.redhat.com/show_bug.cgi?id=750935

"Upstream consensus is that any resource consumption issues triggered by bad .htaccess configuration are not considered security: http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46768"

This same statement also covers CVE-2011-3607.

This explains why I couldn't find anything out about the issues through normal channels and why nothing is tagged for a 2.2.22 release, etc.

Hopefully, we'll see the PCI scanners drop these CVEs from their compliance scans, but I wanted to keep you all in the loop. I'll bcc one of the security contacts I have at our scanner so they know more about the false positive.

Regards,
KAM