Anyway, I am more wondering if 2.2.22 is even on track to address
these issues. Or if there are patches for 2.2.X (I found trunk
patches but they only dealt with some of the CVE and didn't address
the 2.2 branch). The amount of information available for these CVEs
seems sparse compared to my past experience, but perhaps I'm searching
incorrectly.

Following up on my previous post in case anyone else has the same issue
with PCI scans, I actually came across what I needed via a RedHat CVE
response. In short, RedHat reiterated and agreed with the Apache server
project consensus that they don't consider CVE-2011-4415 a valid
security concern:
https://bugzilla.redhat.com/show_bug.cgi?id=750935
"Upstream consensus is that any resource consumption issues triggered by bad
.htaccess configuration are not considered security:
http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46768"
This same statement also covers CVE-2011-3607.
This explains why I couldn't find anything out about the issues through
normal channels and why nothing is tagged for a 2.2.22 release, etc.
Hopefully, we'll see the PCI scanners drop these CVEs from their
compliance scans, but I wanted to keep you all in the loop. I'll bcc one
of the security contacts I have at our scanner so they know more about
the false positive.
Regards,
KAM
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org