Thanks Eric - there is unfortunately a long list of similar CVEs, so this has created an audit nightmare:
1999-0070 1999-0236 1999-0289 2001-0131 2001-1556 2007-0086 2007-1349 2007-4723 2007-5156 2008-2579 2009-0796 2009-2299 2011-1176 2011-1752 2011-1783 2011-2688 2012-3526 2012-4001 2012-4360 2013-0941 2013-0942 2013-2765 2013-4365

Is there any Apache official statement to the bug in NIST that I can refer the auditors to?

On Fri, Aug 14, 2020 at 2:30 PM Eric Covener <cove...@gmail.com> wrote:

> On Fri, Aug 14, 2020 at 11:49 AM Nic P <webninja...@gmail.com> wrote:
> >
> > Hi
> >
> > I am struggling through an audit with explaining CVEs listed on NIST
> > that do not appear on the Apache site with any fixes.
> >
> > CVE-1999-0070 is an example showing in NIST site as impacting Apache,
> > but no reference to this on the Apache security pages
> >
> > https://nvd.nist.gov/vuln/detail/CVE-1999-0070
> >
> > Can anyone help with this sufficiently to explain to audit?
>
> It's a 20+ year old bug misclassified as affecting all Apache releases
> on the NIST site but it seems to be a match for a bug fixed
> before 1.3.0 was released (1.2b2 in 1998). It predates the CVE
> system and the CVE doesn't contain anything actionable/identifiable
> other than resembling this old bug about the test-cgi sample script.
>
> --
> Eric Covener
> cove...@gmail.com