thefreeman | 5 months ago

It also barely meets the definition of "a vulnerability report". He basically just nmap scanned the server and googled the apache version. The "critical" vulnerability he linked requires controlling a backend server being reverse proxied through apache... so completely irrelevant. I didn't read every CVE for the apache version but I am doubtful there is anything that actually allows taking over the server there.

roywashere | 5 months ago

Also, Apache 2.4.57 is exactly the version of Apache you get when you run RHEL 9 / AlmaLinux / Rocky 9. In that case, the OS would provide backports of the CVE fixes for you and the banner still reads Apache 2.4.57!

capitainenemo | 5 months ago

That was EXACTLY my first thought on skimming the article. There are commercial vulnerability tools that do this to me repeatedly with Debian and Ubuntu - reporting vulnerabilities in things that the Ubuntu and Debian CVE pages clearly state were patched in backports years prior. Often it is in Apache.
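The triage step both comments above describe (don't trust the banner, check whether the distribution backported the fix), as an added example that is not part of this thread. It assumes an RPM-style changelog such as `rpm -q --changelog httpd` produces; the changelog text, Server header and CVE identifiers (CVE-2099-*) are constructed placeholders.

```python
"""Triage a banner-based scanner finding against distro backports.

Added example, not from the thread. The changelog, the Server header and
the CVE identifiers below are constructed placeholders, not real advisories.
"""
from __future__ import annotations
import re

# Constructed sample of an RPM-style changelog. Note the package version
# stays 2.4.57; only the release number moves, and fixes are named by CVE.
SAMPLE_CHANGELOG = """\
* Tue Jan 02 2024 Packager <packager@example.invalid> - 2.4.57-5
- Resolves: CVE-2099-0001 - placeholder: fix in a proxy module
- Resolves: CVE-2099-0002 - placeholder: fix in HTTP/2 handling
* Mon Nov 06 2023 Packager <packager@example.invalid> - 2.4.57-3
- Resolves: CVE-2099-0003 - placeholder: fix for an information leak
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def backported_cves(changelog: str) -> set[str]:
    """Return every CVE identifier the package changelog claims to resolve."""
    return set(CVE_RE.findall(changelog))


def parse_banner(server_header: str) -> str | None:
    """Pull the Apache version out of a Server header, or None if not Apache."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", server_header)
    return m.group(1) if m else None


def version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def triage(server_header: str, finding: dict, changelog: str) -> str:
    """Classify a finding of the form {"cve": ..., "fixed_in": "x.y.z"},
    where the scanner assumes every banner version below fixed_in is affected."""
    version = parse_banner(server_header)
    if version is None:
        return "unknown: no Apache version in banner"
    if version_tuple(version) >= version_tuple(finding["fixed_in"]):
        return "not affected: upstream version already carries the fix"
    if finding["cve"] in backported_cves(changelog):
        return "false positive: fix backported by the distribution"
    return "needs review: banner predates the fix and no backport was found"
```

The same regex works on a Debian `changelog.Debian.gz`, which also names the CVEs it closes, so the check is not RPM-specific.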

hughw | 5 months ago

I need to see ICE Block's SOC 2 Type 1 audit of their processes for patching vulnerabilities along with their latest SOC 2 Type 2 audit.

tptacek | 5 months ago

Their Type 2 attestation would have everything the Type 1 has. I mean obviously you're not being serious but I can't let that one sail by.