Apache vulnerabilities

Similar Messages

• Apache Vulnerabilities in UCS 2.0(1w)

  I received notice from a security person in my organization that the current firmware we're running on our UCS environment, which is 2.0(1w), has a few Sev1 Apache vulnerabilities, all of which are fixed in Apache version 2.2.22 or later. Unfortunately, I have not been able to find any documentation that indicates what version of Apache is running on specific releases of firmware.
  Let's start with this - I would like to upgrade to 2.0(2q), since I've heard that version is somewhat stable and well-received by those that have installed it. How would I go about finding the version of Apache running in that level of firmware?

  Hi Matt,
  To see what
  Under General References, you will find documents detailing what open source software is used.
  http://www.cisco.com/en/US/products/ps10477/prod_technical_reference_list.html#anchor4
  In saying that, there are currently only two versions available:
  Open Source used in Cisco UCS 2.0(1) (PDF - 4 MB)
  Open Source Used In Cisco UCS 1.4(1) (PDF - 5 MB)
  I'll check with the product team if there is a version available for UCS 2.0(2).
  Thanks,
  Michael

• Apache httpd 2.x.x 2.2.12 vulnerabilities

  I had some problems with FMS 3.5.3 apache 2.2.9, after upgrade to apache 2.2.15 the system became stable.
  I detect with snort a lot of apache exploit attempts.
  Does anyone had problems with Apache 2.2.9?
  Best Regards,
  Sérgio Henrique

  I suppose you might have already done it but if you have not you can just check : http://httpd.apache.org/security/vulnerabilities_22.html to see list of vulnerabilities which were fixed from 2.2.9 to 2.2.15. See if problem you suspect or encountered is listed there

• Security vulnerabilities in apache that comes with oracle database.

  Hi,
  We are having a QA database in Oracle enterprise version 9.2.0.4 on OS : OSF1.
  Recently our security team ran a test and found that the apache1.3 that comes as component of Oracle database is prone to security vulnerabilities. Also they suggested to remove the apache or upgrade to latest as remedy.
  When contacted to Oracle support, Oracle team replied apache upgrade should not be done instead latest apache seprately can be installed as reverse proxy. But when asked for steps/document there is no reply. Anyone faced this problem can provide any help/suggestion in this regard.
  I am attaching some of the threads identified by our Security Team for reference.
  1. Apache 1.3 HTTP Server Expect Header Cross-Site Scripting XXXX and YYYYYY ports 7782, 4889, 3339.
  2. Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting Weakness
  3. Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=iso-8859-1
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <HTML><HEAD>
  <TITLE>417 Expectation Failed</TITLE>
  </HEAD><BODY>
  <H1>Expectation Failed</H1>
  The expectation given in the Expect request-header
  field could not be met by this server.<P>
  The client sent<PRE>
  Expect: <script>alert(document.domain)</script>
  </PRE>
  but we only allow the 100-continue expectation.
  -CR

  I dont know how to find which components are using the apache. Help me if there is any way to find it. Only information i can say you is there is no other software installed that in that server other than oracle Database.

• LMS 3.2 affected by multiple vulnerabilities in Apache?

  I am unable to find a definitive answer as to whether or not LMS 3.2 (or any version for that matter) is affected by the following vulnerabilities:
  CVE 2011-3368
  CVE 2011-3607
  CVE 2011-4317
  CVE 2012-0021
  CVE 2012-0031
  CVE 2012-0053
  Any clarification on this would be greatly appreciated.

  Post the output of the pdshow command, a screenshot of RME > Tools > Syslog > Collector Settings, a screenshot of RME > Tools > Syslog > Filter Settings, the SyslogCollector.log, and the AnalyzerDebug.log.

• Apache POST flex2gateway never closes or times out, reaches max child processes

  We have been trying to pass an external PCI scan, and noticed some server lockups after starting a scan.  We are scanning a couple hundred IP addresses, which all resolve to the same servers.  The scans are actively looking for vulnerabilities on the box, and one of which is flash remoting.  When we look at the apache /server-status page, it shows a ton of long running flex2gateway processes.  For instance:
  22-4
  4466
  0/3817/3817
  W
  4.07
  163840
  0
  0.0
  57.76
  57.76
  x.x.x.101
  WebNode2.ambassador.int
  POST /flex2gateway/http HTTP/1.1
  As you can see, this POST request has been running for 163840 seconds, or nearly two days.  Since it seems these POST requests never complete, even though the client has long since disconnected, they simply stack up until the server's max number of child processes has been reached, effectively killing our webserver.
  When I try to restart the clustered coldfusion instances one at a time, these POST requests do not die off.
  If I stop both clustered CF instances, the requests complete (or get killed).
  If I reload or restart apache, the requests are gone as well.
  strace gives me nothing useful:
  [root@WebNode1 ~]# strace -p 34025
  Process 34025 attached - interrupt to quit
  read(185,
  pstack gives a little more, but nothing that looks obvious to me:
  [root@WebNode1 ~]# pstack -p 34025     
  Usage: pstack <process-id>
  [root@WebNode1 ~]# pstack 34025  
  #0  0x00007fdd40444740 in __read_nocancel () from /lib64/libpthread.so.0
  #1  0x00007fdd33efe2e6 in jk_tcp_socket_recvfull () from /opt/coldfusion10/config/wsconfig/1/mod_jk.so
  #2  0x00007fdd33f1b68d in ajp_connection_tcp_get_message () from /opt/coldfusion10/config/wsconfig/1/mod_jk.so
  #3  0x00007fdd33f1ceea in ajp_get_reply () from /opt/coldfusion10/config/wsconfig/1/mod_jk.so
  #4  0x00007fdd33f20308 in ajp_service () from /opt/coldfusion10/config/wsconfig/1/mod_jk.so
  #5  0x00007fdd33ef8f5d in jk_handler () from /opt/coldfusion10/config/wsconfig/1/mod_jk.so
  #6  0x00007fdd41b92cd0 in ap_run_handler ()
  #7  0x00007fdd41b9658e in ap_invoke_handler ()
  #8  0x00007fdd41ba1c50 in ap_process_request ()
  #9  0x00007fdd41b9eac8 in ?? ()
  #10 0x00007fdd41b9a7d8 in ap_run_process_connection ()
  #11 0x00007fdd41ba6ad7 in ?? ()
  #12 0x00007fdd41ba6dea in ?? ()
  #13 0x00007fdd41ba7a6c in ap_mpm_run ()
  #14 0x00007fdd41b7e9b0 in main ()
  I dont know what that tells us exactly, but I'm leaning toward the hangup between apache and tomcat. 
  Any suggestions on where how to troubleshoot this issue?

  On a test server, I have removed the wildcard from the uriworkermap.properties file, so it now only matches "/flex2gateway" and "/flex2gateway/".  Unfortunately I'm still seeing the occasional hung apache worker. 
  Anyone have any leads on this issue?  I don't mind doing the research, I'v just exhausted the limits of my Google Fu.
  Apache Server Status for 10.10.10.205
  Server Version: Apache/2.2.15 (Unix) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_wsgi/3.2 Python/2.6.6 mod_jk/1.2.32 mod_perl/2.0.4 Perl/v5.10.1
  Server Built: Oct 16 2014 14:48:21
  Current Time: Monday, 10-Nov-2014 16:49:22 EST
  Restart Time: Monday, 10-Nov-2014 15:25:16 EST
  Parent Server Generation: 0
  Server uptime: 1 hour 24 minutes 6 seconds
  Total accesses: 5313 - Total Traffic: 98.4 MB
  CPU Usage: u3.97 s1.26 cu0 cs0 - .104% CPU load
  1.05 requests/sec - 20.0 kB/second - 19.0 kB/request
  15 requests currently being processed, 11 idle workers
  WWWWWWW_W_W_W__W__W__WW_W_...................................... ................................................................ ................................................................ ................................................................
  Scoreboard Key:
  "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
  "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
  "C" Closing connection, "L" Logging, "G" Gracefully finishing,
  "I" Idle cleanup of worker, "." Open slot with no current process
  Srv
  PID
  Acc
  M
  CPU
  SS
  Req
  Conn
  Child
  Slot
  Client
  VHost
  Request
  0-0
  8727
  0/12/12
  W
  0.03
  4572
  0
  0.0
  0.05
  0.05
  10.10.2.201
  qc.company.int
  POST /flex2gateway HTTP/1.1
  1-0
  8728
  0/11/11
  W
  0.03
  4358
  0
  0.0
  0.18
  0.18
  10.10.2.201
  qc.company.int
  POST /flex2gateway HTTP/1.1
  2-0
  8729
  0/38/38
  W
  0.04
  3910
  0
  0.0
  1.11
  1.11
  10.10.2.201
  qc.company.int
  POST /flex2gateway HTTP/1.1
  3-0
  8730
  0/27/27
  W
  0.03
  4064
  0
  0.0
  0.79
  0.79
  10.10.2.201
  qc.company.int
  POST /flex2gateway HTTP/1.1
  4-0
  8731
  0/16/16
  W
  0.03
  4354
  0
  0.0
  0.12
  0.12
  10.10.2.201
  qc.company.int
  POST /flex2gateway HTTP/1.1
  5-0
  8732
  0/7/7
  W
  0.02
  4564
  0
  0.0
  0.02
  0.02
  10.10.2.201
  qc.company.int
  POST /flex2gateway HTTP/1.1
  6-0
  8733
  0/8/8
  W
  0.02
  4673
  0
  0.0
  0.01
  0.01
  10.10.2.201
  qc.company.int
  POST /flex2gateway HTTP/1.1
  7-0
  8734
  0/386/386
  0.37
  4
  0
  0.0
  6.49
  6.49
  10.10.2.212
  www.company.qc
  GET /marketingpages/images/login_over.jpg HTTP/1.1
  8-0
  9422
  0/10/10
  W
  0.02
  4564
  0
  0.0
  0.04
  0.04
  10.10.2.201
  qc.company.int
  POST /flex2gateway HTTP/1.1
  9-0
  10112
  0/393/393
  0.37
  6
  0
  0.0
  14.59
  14.59
  10.10.2.212
  www.company.qc
  GET /marketingpages/images/box_onesource.jpg HTTP/1.1
  10-0
  10468
  0/321/321
  W
  0.32
  846
  0
  0.0
  4.42
  4.42
  10.10.2.212
  qc.company.int
  POST /flex2gateway HTTP/1.1
  11-0
  10470
  0/398/398
  0.38
  6
  0
  0.0
  12.80
  12.80
  10.10.2.212
  www.company.qc
  GET /marketingpages/images/home_eco.jpg HTTP/1.1
  12-0
  10471
  0/340/340
  W
  0.32
  837
  0
  0.0
  4.99
  4.99
  10.10.2.212
  qc.company.int
  POST /flex2gateway/ HTTP/1.1
  13-0
  10544
  0/404/404
  0.34
  6
  0
  0.0
  5.21
  5.21
  10.10.2.212
  www.company.qc
  GET /marketingpages/images/box_top.jpg HTTP/1.1
  14-0
  10592
  0/353/353
  0.40
  6
  12
  0.0
  14.10
  14.10
  10.10.2.212
  www.company.qc
  GET /?login HTTP/1.1
  15-0
  10648
  0/296/296
  W
  0.31
  800
  0
  0.0
  3.82
  3.82
  10.10.2.212
  qc.company.int
  POST /flex2gateway/ HTTP/1.1
  16-0
  12382
  0/339/339
  0.33
  6
  0
  0.0
  2.85
  2.85
  10.10.2.212
  www.company.qc
  GET /marketingpages/images/logo_sourceone.jpg HTTP/1.1
  17-0
  12387
  0/336/336
  0.34
  6
  0
  0.0
  5.06
  5.06
  10.10.2.212
  www.company.qc
  GET /marketingpages/images/logo_onesource.jpg HTTP/1.1
  18-0
  12388
  0/265/265
  W
  0.25
  839
  0
  0.0
  2.87
  2.87
  10.10.2.212
  qc.company.int
  POST /flex2gateway/ HTTP/1.1
  19-0
  12389
  0/323/323
  0.31
  0
  0
  0.0
  4.82
  4.82
  10.10.2.212
  www.company.qc
  GET /marketingpages/lib/dimming.js HTTP/1.1
  20-0
  12390
  0/336/336
  0.31
  4
  0
  0.0
  5.24
  5.24
  10.10.2.212
  www.company.qc
  GET /marketingpages/lib/superfish.js HTTP/1.1
  21-0
  12391
  0/289/289
  W
  0.27
  805
  0
  0.0
  2.49
  2.49
  10.10.2.212
  qc.company.int
  POST /flex2gateway/ HTTP/1.1
  22-0
  12392
  0/281/281
  W
  0.27
  831
  0
  0.0
  3.17
  3.17
  10.10.2.212
  qc.company.int
  POST /flex2gateway HTTP/1.1
  23-0
  14750
  0/41/41
  0.04
  6
  0
  0.0
  0.92
  0.92
  10.10.2.212
  www.company.qc
  GET /marketingpages/images/close.jpg HTTP/1.1
  24-0
  14751
  0/43/43
  W
  0.04
  0
  0
  0.0
  1.21
  1.21
  10.10.2.36
  qc.company.int
  GET /server-status HTTP/1.1
  25-0
  14752
  0/40/40
  0.04
  6
  0
  0.0
  0.96
  0.96
  10.10.2.212
  www.company.qc
  GET /marketingpages/images/box_sourceone.jpg HTTP/1.1

• Help: Tutorial  to upgrade Apache 1.33 to Apache to 1.3.41

  Server got hacked. (I'm running 10.3.9)
  It was a quick fix, but after running Nikto to see what my biggest vulnerabilities were, PHP & Apache appeared to be the biggest culprits.
  I've already upgraded to the latest available version of PHP for 10.3.9, (V5.1.2)
  Unless I upgrade to 10.4 or 10.5 I'm stuck with it.
  But Apache.... I could upgrade to 1.3.41 from 1.3.33.
  Is there a step-by-step tutorial for this anywhere? (I don't want to switch to the 2.x Apache. I like the Server Admin GUI that comes with 10.3.9, and heard that breaks when you go to the 2.x version.)

  Not staying (relatively) current is a recipe to getting hacked, yes. How much time and effort do you want to spend on this particular project, too?
  Panther and Panther Server are falling off of the software support listings all over the place; the next release of Vienna RSS reader, for instance, reportedly drops Panther. You're probably going to find yourself spending more and more time staying on Panther, whether it is with Apache or otherwise.
  [MAMP|http://mamp.info] is among the easiest approaches around, but that's not necessarily hardened for Internet access, and you're far enough back that you'll need to use MAMP 1.4.1. And no Server Admin GUI for MAMP, AFAIK.
  As for your stated question, you're likely wanting to building Apache off to the side and not in the Apple directories. Raw build directions are available from apache.org, among other places. There are other [related topics and discussions|http://www.stepwise.com/Articles/Workbench/2000-01-29.01.html] around; Google is your friend here. All of what I've seen indicates this build is not exactly entirely easy on Mac OS X Server, and you could (will?) have trouble with the integration -- with the GUI, with php, and other pieces.
  The other approach here is to move to Linux, if you don't want to move to Leopard Server.
  And FWIW, if you're not serving files and storage to numbers of clients via AFS or CIFS/SMB (eg: this is a web server and performs limited or no disk services), then you can upgrade and use the 10-client server license.

• Update apache of lms 3.1

  Hi,
  According to this link (https://issues.apache.org/bugzilla/show_bug.cgi?id=48359) Apache has some vulnerabilities which we need to address. Is it possible to upgrade apache on the lms server?
  Regards Marco Kerklaan

  It turns out this vulnerablity does not affect LMS.
  This issue is not affecting the LMS.
  Please have a look at the following bug ID.
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf54872
  as you can see as I suspected we are not using This module in the LMS.
  So as a workaround you can safely comment the line
  LoadModule isapi_module modules/mod_isapi.so
  From httpd.conf file.
  Regards Marco.

• CSCuq79267 - UCS Apache 2.2 Vulnerability CVE-2014-0118

  I too am seeing this same behavior. Nessus has found this, and 3 other, vulnerabilities with the Apache version provided by the UCS platform.
  Any fixes in the works? We are currently running firmware 2.2(3c). The release notes for 2.2(3d) and 2.2(3e) do not address CVE-2014-0118.
  EDIT:
  2.2(3f) also does not address these vulnerabilities. Does the UCS version of Apache use the modules that are found faulty according to Nessus?
  Nessus is also reporting the following CVEs related to this one: CVE-2013-6438, CVE-2014-0098, CVE-2013-5704, CVE-2014-0226, and CVE-2014-0231.

  Hi,
  Please refer this links,
  Linux GHOST vulnerability (CVE-2015-0235) is not as scary as it looks | Symantec Connect
  https://rhn.redhat.com/errata/RHSA-2015-0090.html
  Regards,
  S27

• Oracle Security Vulnerabilities?

  Hi all,
  We're running many PHP 5.x applications in a distributed environment that use the OCI client to access Oracle 10g databases.
  Our server administration group is migrating to a new server and is refusing to install or support the OCI Instant client under Linux saying it's a security problem. Specifically, they say that the OCI Instant Client is exposed to buffer overflows and stack smashing. Their recommendation? Rewrite all our apps to use another database. Yeah, right.
  They provided me with two sources to explain the issues:
  http://www.dummies.com/WileyCDA/DummiesArticle/id-2900.html
  and
  Re: Problems with libclntsh.so.10.1 and PHP/Apache HTTPD
  Is this really a security problem? If so, what can be done to mitigate the risk?
  Thanks,
  John

  Hi all,
  I thought I’d jump in this thread with a few thoughts.
  Security flaws unfortunately affect software, both commercial and open source. I believe that what sets Oracle apart from many other vendors is the company’s commitment to security. Oracle Software Security Assurance (http://www.oracle.com/security/software-security-assurance.html) includes the most transparent vulnerability remediation policy in the industry. Furthermore, the Critical Patch Update (CPU) process (http://www.oracle.com/technology/deploy/security/alerts.htm) provides a predictable mechanism for the remediation of security vulnerabilities in Oracle software. By comparison, open source involves unpredictable releases of security fixes.
  Now, getting back to the discussion in this thread: as much as we try to prevent vulnerabilities during development, as is the case with all large software products, some make their way into released code. As vulnerabilities are discovered, Oracle fixes them in order of severity and release fixes for them through the Critical Patch Update.
  An attacker could attempt to exploit the unpatched vulnerabilities through OCI or other protocols providing access to the database (This is not specific to OCI). Oracle’s recommendation is therefore to remain current on the Critical Patch Update (the last one was issued on July 17, 2007). Keep in mind that the CPU is cumulative for the database, and applying the most recent CPU will bring you at current security patch level, and this will significantly contribute to improving your organization’s security posture.
  Do not hesitate to contact me if you have questions at [email protected]
  Sincerely
  Eric Maurice
  Manager – Oracle Software Security Assurance

• Patching vulnerabilities for PCI compliance

  Hi
  My Apple Profile Manager server has failed a PCI compliance scan, due to the vulnerabilities listed below. The OS and the software are patched to the highest level, but its still failing
  What do i need to do to be able to resolve these? If i can't patch them by Thursday, i'll have to shut down the server
  SSL/TLS use of weak RC4 cipher                                                            CVE-2013-2566         
  OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20140806)    CVE-2014-3512         
                                                                                                                 CVE-2014-3511
                                                                                                                 CVE-2014-3510
                                                                                                                 CVE-2014-3507
                                                                                                                 CVE-2014-3508:
                                                                                                                 CVE-2014-5139:
                                                                                                                 CVE-2014-3509:
                                                                                                                 CVE-2014-3505:
                                                                                                                 CVE-2014-3506
  Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day     CVE-2007-6750

  If your running OS X 10.9.2 as your message indicates then you are not patched to the highest level. (By a long way.)
  OS X 10.9.5 plus Security Update 2014-005 would give you all the current patches for Mavericks. If you upgraded to Yosemite and Server.app 4.0 you would get some further updates. (Server 4.0 would have to be purchased although Yosemite aka. OS X 10.10 itself is free.)
  Even with all of those I suspect some of the issues you list will not be patched. In theory you could manually compile and install patches but this is generally a very bad idea as you will then break compatibility with Apple's own software such as the server configuration tool Server.app and likely break Profile Manager completely and if you use it the Wiki module.
  If you want complete control over patching the software then OS X is not going to let you do this with out as mentioned above severe consequences. Only Linux gives you that level of control. Arguably Windows gives you even less control than OS X as in Windows it is all closed source (Microsoft) software.

• Upgrade Apache Tomcat 7.52 to 7.63

  We have a Windows 2008R2 server with Tomcat 7.52 installed. I installed the O/S and our vendor installed their software, Tomcat and Java. I have never touched Tomcat, but due to vulnerabilities, I need to update Tomcat and Java. Java should be straightforward. I have downloaded their recommended version and can just uninstall the old version and run the installer for the new version. The vendor will provide no support or documentation for the Tomcat upgrade. All they will tell me is to stay within the same major version. I have been to apache.org and many other websites, but can't find step by step instructions to update Tomcat in place without losing configuration files/settings.
  I would appreciate any info to point me in the right direction.
  Thanks for reading.
  This topic first appeared in the Spiceworks Community

  Hi Donna,
  You can refer SAP KBA 1769495. The KBA contains steps to upgrade to Tomcat 7.0.29, however the steps will remain same for Tomcat 7.0.50 except you will need to download Tomcat 7 from
  http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.50/bin/apache-tomcat-7.0.50-windows-x64.zip
  The remaining steps will remain same for this version of Tomcat as well.
  Regards,
  Hrishikesh

• Security Vulnerabilities on CPUCMS

  Hi All
  Could someone assist me please?
  We running a demo version of CPUCMS at a customer and the System administrator has advised that there are
  security vulnerabilities on the server that runs CPUCMS and he would like to do the following:
  1) Locate file C:\PROGRA~1\CSCOpx\MDC\Apache\conf\httpd.conf
  Remove      -    SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!LOW:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:!EXP:!eNULL
  Add below:-
  SSLHonorCipherOrder On
        SSLCipherSuite RC4-SHA:HIGH:!ADH
  2.)    Disable remote service rexec  , rlogin and rsh
  Please advise if anyone has done this and also the impact it might cause on the application?
  Many thanks
  Shabeer

  Hi All
  Could someone assist me please?
  We running a demo version of CPUCMS at a customer and the System administrator has advised that there are
  security vulnerabilities on the server that runs CPUCMS and he would like to do the following:
  1) Locate file C:\PROGRA~1\CSCOpx\MDC\Apache\conf\httpd.conf
  Remove      -    SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!LOW:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:!EXP:!eNULL
  Add below:-
  SSLHonorCipherOrder On
        SSLCipherSuite RC4-SHA:HIGH:!ADH
  2.)    Disable remote service rexec  , rlogin and rsh
  Please advise if anyone has done this and also the impact it might cause on the application?
  Many thanks
  Shabeer

• Apache/Tomcat/OpenSSL Version Diffs between 4.50.907 &  4.50.933 releases?

  Was there any revisions made to the versions of Apache, Tomcat and/or OpenSSL utilities between 4.50.907 and 4.50.933? If so what are the new versions?

  see the release notes
  Bug Fixes in Version 4.50
  The following table lists the additional bugs that are fixed in the 4.50.933 release.
  Reference Description
  6893011 Apache web server security vulnerabilities.
  I guess, this fix will change some things you asking for, but I have not installed it so far, so I don't know what changed.
  kind regards, thomas

• Apache versions

  Our security team is asking that I update Apache from 2.2.3 to 2.2.16. Has anyone tried updating Apache higher than what comes with SLES10 and/or do we know of a limitation with Webaccess?
  Thanks

  Thats a good idea.
  >>> On 9/16/2012 at 5:21 AM, Simon Flood<[email protected]> wrote:
  On 11/09/2012 19:41, "Kirk White" wrote:
  > Our security team is asking that I update Apache from 2.2.3 to 2.2.16.
  > Has anyone tried updating Apache higher than what comes with SLES10
  > and/or do we know of a limitation with Webaccess?
  Which version of SLES10? Latest version of SLES10 is SLES10 SP4.
  As Massimo has already said, Novell/SUSE back port security-related fixes
  to earlier versions of Apache for stability reasons.
  If you are that worried about security perhaps you should upgrade your
  servers to SLES11 (SP2 is latest release)?
  In the meantime you could change your Apache configuration so that Apache
  doesn't disclose so much information that could've used to determine
  version and (possible) vulnerabilities - edit /etc/sysconfig/apache2 and
  change APACHE_SERVERTOKENS and/or APACHE_SERVERSIGNATURE.
  HTH.
  Simon
  Novell/SUSE/NetIQ Knowledge Partner