On 12/21/2011 1:18 PM, Pete Houston wrote:
> On Wed, Dec 21, 2011 at 12:42:02PM -0500, Kevin A. McGrail wrote:
>> Our server is being flagged for PCI non-compliance because of these
>> CVEs but there doesn't appear to be a fix, a workaround or any
>> information I can find.
> There seem to be 2 obvious workarounds:
> 1. Don't load mod_setenvif. That's where the problem lies - if the
> vulnerable code isn't loaded then your application isn't vulnerable.
I'm unfortunately using the setenvif to block bad user agents.
> 2. Don't use .htaccess files. Neither vulnerability can be triggered
> if you AllowOverride None. This is good for security anyway and if you
> are dealing with PCI related data I'd recommend this regardless of any
> issues in the code. It'll also be more efficient.
Good points but hard to convince the PCI scanners of these types of
workarounds in my experience and we have a decent amount of software
that uses .htaccess files for things like Apache DBI in mod_perl.
Plus, they are also flagging us for having +Indexes on /icons (literally
the default Apache icons). Like that's a security issue ;-)
Anyway, I am more wondering if 2.2.22 is even on track to address these
issues. Or if there are patches for 2.2.X (I found trunk patches but
they only dealt with some of the CVEs and didn't address the 2.2
branch). The amount of information available for these CVEs seems
sparse compared to my past experience but perhaps I'm searching incorrectly.
regards,
KAM
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
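The two workarounds Pete describes (unload mod_setenvif; set AllowOverride None everywhere) only help if they are actually in force in the whole configuration, which is the part a PCI scanner cannot see. The script below is an added example, not code from the thread or from the httpd project: it audits a block of httpd.conf text for an active LoadModule line for mod_setenvif and for any AllowOverride value other than None, and it treats a configuration that never mentions AllowOverride as a finding because httpd 2.2 defaults AllowOverride to All (2.4 later changed the default to None). The WEAK_CONF and HARDENED_CONF samples are constructed for the example and are not from the original post. The script inspects only the text you hand it; a real audit has to follow every Include file, and the authoritative check for whether the module is loaded on the running server is `httpd -M` (or `apachectl -M`).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit httpd 2.2 config text
# for the two conditions behind the suggested workarounds.
#   1. an active "LoadModule setenvif_module ..." line
#   2. .htaccess processing left on: any AllowOverride other than None,
#      or no AllowOverride at all (2.2 default is All)
# audit_conf CONFIG_TEXT -> returns 0 when clean, 1 when it prints findings.

# Constructed "before" config: module loaded, overrides on, bad-UA blocking via SetEnvIf.
WEAK_CONF='LoadModule setenvif_module modules/mod_setenvif.so
<Directory "/var/www/html">
    AllowOverride All
</Directory>
SetEnvIfNoCase User-Agent "badbot" bad_ua'

# Constructed "after" config: module unloaded, overrides off everywhere.
HARDENED_CONF='#LoadModule setenvif_module modules/mod_setenvif.so
<Directory "/var/www/html">
    AllowOverride None
</Directory>'

audit_conf() {
    findings=0

    # 1. Active LoadModule line for mod_setenvif (a leading '#' means it is commented out).
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+setenvif_module'; then
        echo "FINDING: mod_setenvif is loaded"
        findings=1
    fi

    # 2. Collect every AllowOverride directive in the text.
    overrides=$(printf '%s\n' "$1" | grep -Ei '^[[:space:]]*AllowOverride[[:space:]]' || true)
    if [ -z "$overrides" ]; then
        # Nothing said about overrides: httpd 2.2 falls back to AllowOverride All.
        echo "FINDING: no AllowOverride directive; httpd 2.2 default is All"
        findings=1
    elif printf '%s\n' "$overrides" | grep -Eivq '^[[:space:]]*AllowOverride[[:space:]]+None[[:space:]]*$'; then
        # At least one AllowOverride is not exactly "None", so .htaccess is still honoured there.
        echo "FINDING: AllowOverride other than None present (.htaccess still processed)"
        findings=1
    fi

    return $findings
}

echo "== weak config =="
audit_conf "$WEAK_CONF" || echo "result: workarounds NOT in force"
echo "== hardened config =="
audit_conf "$HARDENED_CONF" && echo "result: mod_setenvif unloaded and .htaccess disabled"
```

Run it against the output of `cat httpd.conf conf.d/*.conf` (or whatever set of files your Include lines pull in) rather than a single file, otherwise an `AllowOverride All` in a vhost fragment will be missed. Note that unloading mod_setenvif also drops the SetEnvIf user-agent blocking mentioned in the thread, so that rule needs a replacement before the module is removed.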