Hi, I have run the OpenVAS scanner on one of the client hosts. The report suggests Apache versions prior to 2.2.15-dev are affected. I had a word with the Ubuntu Security Team: "Your OpenVAS scan is a false alert, as it's relying on the version number." Please suggest/guide.
Thanks and Regards,
Kaushal

Overview:
Apache is prone to multiple vulnerabilities. These issues may lead to information disclosure or other attacks. Apache versions prior to 2.2.15-dev are affected.

Solution:
These issues have been addressed in Apache 2.2.15-dev. Apache 2.2.15 including fixes will become available in the future as well. Please see the references for more information.

References:
http://www.securityfocus.com/bid/38494
http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
http://svn.apache.org/viewvc?view=revision&revision=917870

Risk factor : Medium
CVE : CVE-2010-0425, CVE-2010-0434, CVE-2010-0408
BID : 38494, 38491
OID : 1.3.6.1.4.1.25623.1.0.100514

Overview:
Apache HTTP Server is prone to multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to deny service to legitimate users. Versions prior to Apache 2.2.16 are vulnerable.

Solution:
These issues have been fixed in Apache 2.2.16. Please see the references for more information.

References:
https://www.securityfocus.com/bid/41963
http://httpd.apache.org/download.cgi
http://httpd.apache.org/
http://www.apache.org/dist/httpd/Announcement2.2.html
http://www.apache.org/dist/httpd/CHANGES_2.2.16

CVE : CVE-2010-1452
BID : 41963
OID : 1.3.6.1.4.1.25623.1.0.100725

Overview:
This host is running Apache HTTP Server and is prone to Denial of Service vulnerability.

Vulnerability Insight:
The flaw is due to error in 'stream_reqbody_cl' function in 'mod_proxy_http.c' in the mod_proxy module. When a reverse proxy is configured, it does not properly handle an amount of streamed data that exceeds the Content-Length value via crafted requests.

Impact:
Successful exploitation will allow remote attackers to cause Denial of Service to the legitimate user by CPU consumption.

Impact Level: Application

Affected Software/OS:
Apache HTTP Server version prior to 2.3.3

Fix:
Fixed in the SVN repository.
http://svn.apache.org/viewvc?view=rev&revision=790587

References:
http://secunia.com/advisories/35691
http://www.vupen.com/english/advisories/2009/1773
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587

CVSS Score:
CVSS Base Score : 5.0 (AV:N/AC:L/Au:NR/C:N/I:N/A:P)
CVSS Temporal Score : 3.7

Risk factor : Medium
CVE : CVE-2009-1890
BID : 35565
OID : 1.3.6.1.4.1.25623.1.0.800827

_______________________________________________
Openvas-discuss mailing list
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
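The findings quoted above are all version-banner checks, and the Ubuntu Security Team's reply points at the usual cause of such false positives: Ubuntu (like Debian) backports security fixes into the existing package release and records them in the package changelog, while the upstream version string the web server advertises stays the same. The defender's check is therefore to compare the CVE IDs in the scanner report against the installed package's changelog rather than against the banner. The script below is an added example written for this post, not code from OpenVAS or from Ubuntu; the sample changelog it feeds itself is constructed for the demonstration, and the wrapper for a live host assumes the standard Debian changelog location /usr/share/doc/apache2/changelog.Debian.gz.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the CVE IDs listed
# in an OpenVAS finding are recorded in the installed package's Debian/Ubuntu
# changelog, which is where backported fixes appear even though the upstream
# version string (for example 2.2.14) never changes.

# cves_fixed_in_changelog CHANGELOG "CVE-A CVE-B ...":
# returns 0 when every CVE is mentioned in the changelog; otherwise prints the
# missing ones and returns 1 so the caller knows the finding needs a closer look.
cves_fixed_in_changelog() {
    changelog="$1"
    cves="$2"
    missing=""
    for cve in $cves; do
        if ! grep -q -- "$cve" "$changelog"; then
            missing="$missing $cve"
        fi
    done
    if [ -n "$missing" ]; then
        echo "not referenced in changelog:$missing"
        return 1
    fi
    return 0
}

# Wrapper for a real Ubuntu/Debian host (assumed standard path; the changelog
# is gzip-compressed there). Returns 2 when the package or changelog is absent.
cves_fixed_in_installed_apache2() {
    tmp=$(mktemp)
    if ! zcat /usr/share/doc/apache2/changelog.Debian.gz > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    cves_fixed_in_changelog "$tmp" "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample changelog in Debian changelog format. The package version,
# maintainer and entries are illustrative only, not copied from any real package.
SAMPLE_CHANGELOG=$(mktemp)
cat > "$SAMPLE_CHANGELOG" <<'EOF'
apache2 (2.2.14-5ubuntu8.2) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service in mod_proxy (backported fix)
    - debian/patches/CVE-2009-1890.dpatch
    - CVE-2009-1890
  * SECURITY UPDATE: multiple vulnerabilities (backported fixes)
    - CVE-2010-0425
    - CVE-2010-0434

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Mar 2010 12:00:00 +0000
EOF

# Usage: CVEs the changelog records as patched pass; CVE-2010-1452 is absent from
# the constructed changelog, so it is reported for follow-up (e.g. an authenticated
# OpenVAS scan that checks dpkg package versions instead of the HTTP banner).
cves_fixed_in_changelog "$SAMPLE_CHANGELOG" "CVE-2009-1890 CVE-2010-0425 CVE-2010-0434" && echo "all fixed"
cves_fixed_in_changelog "$SAMPLE_CHANGELOG" "CVE-2010-1452" || echo "investigate further"
```

A CVE that is missing from the changelog is not automatically a true positive either: the ID may be tracked under a different patch name, or the issue may not apply to the packaged configuration, so treat the output as a triage list rather than a verdict.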
