Yeah it's a bit of a reach. PCI's been a bit bad at sensing problem avoidance through intelligence versus all the listed bug if let unconfigured things.
I got a bit more data on it. I need to recompile apache with rewrite enabled and tweak the httpd.conf. Another PCI checkbox conquered! lol John ----- Original Message ---- From: Joshua Slive <[EMAIL PROTECTED]> To: users@httpd.apache.org Sent: Wednesday, January 9, 2008 2:53:48 PM Subject: Re: [EMAIL PROTECTED] CVE-2007-3008 On Jan 9, 2008 3:05 PM, John T. Mills <[EMAIL PROTECTED]> wrote: > > > I'm running 2.2.4 and I've been told I need to manually tweak mod_rewrite.c > to fix CVE-2007-3008. I can't find any mention of this bug in the bug list. I love the "I've been told" stuff. Who told you this, and do they know what they are talking about? You won't find CVE-2007-3008 listed anywhere because it is not related to apache. It is for the Mbedthis AppWeb: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3008 It also doesn't look to be a serious problem in the first place. The "TRACE" method is not really a security vulnerability. It can be turned off in apache with the TraceEnable off directive. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
