PCI compliance Apache version

Tags: apache, security, pci-compliance

We are using the current version of Apache, 2.4.6, that is available in the CentOS 7 repos, installed with yum.

We are working through PCI compliance findings, and the report says:

IP Address: x
Host: x
Path: 

THREAT REFERENCE

Summary: 
vulnerable Apache version: 2.4.6

Risk: High (3)
Port: 443/tcp
Protocol: tcp
Threat ID: web_server_apache_version

Details: Apache HTTP Server mod_proxy_fcgi Response Handling Vulnerability
11/21/14
CVE 2014-3583
Apache HTTP Server before 2.4.11 is prone to a vulnerability,
which can be exploited to cause a DoS (Denial of Service).
The vulnerability exists due to an overflow condition in mod_proxy_fcgi
when handling responses from FastCGI servers. The vulnerability can be exploited by
sending a crafted response from a malicious FastCGI server, which could lead to a 
crash when reading past the end of a heap memory. 
Apache HTTP Server NULL Pointer Dereference Vulnerability
10/08/14
CVE 2014-3581
Apache HTTP Server 2.4.10 and earlier is prone to a vulnerability,
which can be exploited to cause a DoS (Denial of Service).
The vulnerability exists because the application contains flaw in
the cache_merge_headers_out() function which is 
triggered when handling an empty 'Content-Type' header value. 
Multiple Vulnerabilities Fixed in Apache HTTP Server 2.4.10
07/24/14
CVE 2014-0117
CVE 2014-0118
CVE 2014-0226
CVE 2014-0231
CVE 2014-3523
Apache HTTP Server before 2.4.10 is prone to multiple vulnerabilities,
which can be exploited to cause a DoS (Denial of Service).
The vulnerabilities exist because the application contains flaw in 
mod_proxy, mod_deflate, mod_status, and mod_cgid modules and
in the winnt_accept function of WinNT MPM. 
Note: the WinNT MPM denial of service vulnerability can only
be exploited when the default AcceptFilter is used.
Apache HTTP Server Two Denial of Service Vulnerabilities
03/19/14
CVE 2013-6438
CVE 2014-0098
Apache HTTP Server before 2.4.9 is prone to two vulnerabilities,
which can be exploited to cause a DoS (Denial of Service).
The first vulnerability exists due to an error in the mod_log_config module when logging 
with truncated cookies. The second vulnerability is due to a boundary error in the mod_dav 
module when removing leading spaces.
HTTP-Basic Authentication Bypass Vulnerability
08/14/09
Apache 2.2.2 and prior are prone to an authentication-bypass vulnerability 
because it fails to properly enforce access restrictions on certain requests to a site that requires authentication.
An attacker can exploit this issue to gain access to protected resources, 
which may allow the attacker to obtain sensitive information or launch further attacks.
Apache HTTP Server OS Fingerprinting Unspecified Security Vulnerability
11/03/08
Apache 2.2.9 and prior is prone to an unspecified security vulnerability.

Information From Target:
Service: https
Received: Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.6.13
We update the server weekly with "yum update".

But when I run: rpm -q --changelog httpd | grep CVE I can see:

  • core: fix chunk header parsing defect (CVE-2015-3183) and ap_force_authn hook (CVE-2015-3185)
  • core: fix bypass of mod_headers rules via chunked requests (CVE-2013-5704)
  • mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)
  • mod_cgid: add security fix for CVE-2014-0231 (#1120608)
  • mod_proxy: add security fix for CVE-2014-0117 (#1120608)
  • mod_deflate: add security fix for CVE-2014-0118 (#1120608)
  • mod_status: add security fix for CVE-2014-0226 (#1120608)
  • mod_cache: add security fix for CVE-2013-4352 (#1120608)
  • mod_dav: add security fix for CVE-2013-6438 (#1077907)
  • mod_log_config: add security fix for CVE-2014-0098 (#1077907)
How do I apply the patches the security scan is asking for?
I cannot find an RPM that does this.

The distro backports its patches, so you may already have a patched Apache, but it will still report the old version. Submit the changelog to the QSA as evidence of a false positive; the QSA should accept it and close the finding.
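As an added example (not part of the question or the answer above), here is a small Python script that automates the cross-check the answer describes: it pulls every CVE identifier out of the scanner finding and out of the `rpm -q --changelog httpd` output, then reports which flagged CVEs the backported package already lists as fixed and which ones are not in the changelog and therefore still need a separate explanation for the QSA. The scanner text and changelog lines embedded below are the ones quoted in this question, so the script runs offline; the `live_changelog()` helper, which shells out to `rpm`, is an assumption about how you would feed it real data and is only used if you call it yourself.

```python
import re
import subprocess

# Scanners and changelogs write CVEs inconsistently ("CVE 2014-3583" vs
# "CVE-2014-3583"); accept a space or hyphen after "CVE" and normalise.
CVE_RE = re.compile(r"\bCVE[- ]?(\d{4})[- ](\d{4,7})\b")

# Sample scanner finding: the CVE lines quoted in the question above.
SCAN_REPORT = """
vulnerable Apache version: 2.4.6
CVE 2014-3583
CVE 2014-3581
CVE 2014-0117
CVE 2014-0118
CVE 2014-0226
CVE 2014-0231
CVE 2014-3523
CVE 2013-6438
CVE 2014-0098
"""

# Sample changelog: the `rpm -q --changelog httpd | grep CVE` lines from the question.
CHANGELOG = """
- core: fix chunk header parsing defect (CVE-2015-3183) and ap_force_authn hook (CVE-2015-3185)
- core: fix bypass of mod_headers rules via chunked requests (CVE-2013-5704)
- mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)
- mod_cgid: add security fix for CVE-2014-0231 (#1120608)
- mod_proxy: add security fix for CVE-2014-0117 (#1120608)
- mod_deflate: add security fix for CVE-2014-0118 (#1120608)
- mod_status: add security fix for CVE-2014-0226 (#1120608)
- mod_cache: add security fix for CVE-2013-4352 (#1120608)
- mod_dav: add security fix for CVE-2013-6438 (#1077907)
- mod_log_config: add security fix for CVE-2014-0098 (#1077907)
"""


def extract_cves(text: str) -> set[str]:
    """Return every CVE mentioned in text, normalised to the form CVE-YYYY-NNNN."""
    return {f"CVE-{year}-{number}" for year, number in CVE_RE.findall(text)}


def cross_check(scan_text: str, changelog_text: str) -> dict[str, list[str]]:
    """Compare the scanner's CVE list against the package changelog.

    covered: flagged CVEs the changelog lists as fixed (evidence for the QSA)
    missing: flagged CVEs absent from the changelog (need a separate justification)
    extra:   fixes in the changelog the scanner did not ask about
    """
    flagged = extract_cves(scan_text)
    fixed = extract_cves(changelog_text)
    return {
        "covered": sorted(flagged & fixed),
        "missing": sorted(flagged - fixed),
        "extra": sorted(fixed - flagged),
    }


def live_changelog(package: str = "httpd") -> str:
    """Assumed helper: fetch the real changelog from rpm; empty string if rpm is unavailable."""
    try:
        return subprocess.run(
            ["rpm", "-q", "--changelog", package],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    result = cross_check(SCAN_REPORT, CHANGELOG)
    for key, cves in result.items():
        print(f"{key}: {', '.join(cves) or '(none)'}")
```

On the data quoted in this question the script reports seven of the nine flagged CVEs as covered by the changelog and two as missing: CVE-2014-3523, which the scanner's own text says affects only the WinNT MPM and so does not apply to a CentOS host, and CVE-2014-3583 (mod_proxy_fcgi), for which the changelog shown gives no evidence either way. Those two are exactly the ones you would have to address separately rather than by pointing at the changelog. Note also that the scanner derived the version from the `Server:` header it received, so the finding is a banner check rather than a test of the fixes themselves.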

Ask on Server Fault or Super User: Yes, they accepted the changelog output, but I still do not understand why, because not all of the CVEs they asked about are in the changelog.