On Fri, Aug 14, 2020 at 11:49 AM Nic P <[email protected]> wrote: > > Hi > > I am struggling through an audit with explaining CVE's listed on NIST that do > not appear on the Apache site with any fixes. > > CVE-1999-0070 is an example showing in nist site as impacting Apache, but no > reference to this on the Apache security pages > > https://nvd.nist.gov/vuln/detail/CVE-1999-0070 > > Can anyone help with this sufficiently to explain to audit?
It's a 20+ year old bug misclassified as affecting all Apache releases on the NIST site but it seems to be a match for a bug fixed fixed before 1.3.0 was released (1.2b2 in 1998). It predates the CVE system and the CVE doesn't contain anything actionable/identifiable other than resembling this old bug about the test-cgi sample script. -- Eric Covener [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
