Mailing List Archive: apache_2_2

apache_2_2_8.nasl

Mar 7, 2008, 5:09 AM

Post #1 of 4 (3172 views)

apache_2_2_8.nasl

The plugin apache_2_2_8.nasl checks the banner for version numbers 2.2.0-7.

However, a check of the quoted CVEs shows that these problems are also present in Apache versions upto 2.0.61.

A check of the Apache changes file indicates that only CVE-2007-6203, CVE-2007-6388 and CVE-2007-5000 are fixed in 2.0.63. But, the CVE descriptions imply that all the problems should be fixed in releases after 2.0.61. For example, CVE-2008-0005 says it is fixed in 2.0.62-dev but this problem is not included in the 2.0.63 changes file.

Should apache_2_2_8.nasl plugin be changed to also report on the 2.0.x tree or should there be an almost identical plugin (apache_2_0_63.nasl) ?

_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers

Re: apache_2_2_8.nasl [ In reply to ]

theall at tenablesecurity

Mar 7, 2008, 7:30 AM

Post #2 of 4 (3002 views)

Permalink

On Mar 7, 2008, at 8:09 AM, Dennis Jackson wrote:

> The plugin apache_2_2_8.nasl checks the banner for version numbers
> 2.2.0-7.

Correct.

> A check of the Apache changes file indicates that only
> CVE-2007-6203, CVE-2007-6388 and CVE-2007-5000 are fixed in 2.0.63.
> But, the CVE descriptions imply that all the problems should be
> fixed in releases after 2.0.61. For example, CVE-2008-0005 says it
> is fixed in 2.0.62-dev but this problem is not included in the
> 2.0.63 changes file.

Have you asked either the folks at the Apache group or Mitre
(maintainers of CVEs) about the discrepancy?

Note that CVE-2008-0005 is listed on http://httpd/apache.org/security/vulnerabilities_20.html
as being addressed in 2.0.63.

> Should apache_2_2_8.nasl plugin be changed to also report on the
> 2.0.x tree or should there be an almost identical plugin
> (apache_2_0_63.nasl) ?

The latter, I think, given the differences in the issues. We've just
committed new plugins to check for versions before 2.0.63 and 1.3.41.

George
--
theall@tenablesecurity.com

_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers

Re: apache_2_2_8.nasl [ In reply to ]

dennis.jackson at ndirect

Mar 7, 2008, 7:44 AM

Post #3 of 4 (3008 views)

Permalink

No, I haven't contacted either Apache or Mitre.

It looks like I need to prepare a comparison table and submit it as a bug to Apache Documentation.

At least Nessus will flag the old version. Though quite which CVEs are fixed in 2.0.63 will have to await an answer from Apache.

----- Original Message -----
From: "George A. Theall" <theall@tenablesecurity.com>
Sent: 07/03/2008 10:30:13
Subject: Re: [Plugins-writers] apache_2_2_8.nasl

> On Mar 7, 2008, at 8:09 AM, Dennis Jackson wrote:
>
> > The plugin apache_2_2_8.nasl checks the banner for version numbers
> > 2.2.0-7.
>
> Correct.
>
> > A check of the Apache changes file indicates that only
> > CVE-2007-6203, CVE-2007-6388 and CVE-2007-5000 are fixed in 2.0.63.
> > But, the CVE descriptions imply that all the problems should be
> > fixed in releases after 2.0.61. For example, CVE-2008-0005 says it
> > is fixed in 2.0.62-dev but this problem is not included in the
> > 2.0.63 changes file.
>
> Have you asked either the folks at the Apache group or Mitre
> (maintainers of CVEs) about the discrepancy?
>
> Note that CVE-2008-0005 is listed on http://httpd.apache.org/security/vulnerabilities_20.html
> as being addressed in 2.0.63.
>
> > Should apache_2_2_8.nasl plugin be changed to also report on the
> > 2.0.x tree or should there be an almost identical plugin
> > (apache_2_0_63.nasl) ?
>
>
> The latter, I think, given the differences in the issues. We've just
> committed new plugins to check for versions before 2.0.63 and 1.3.41.
>
> George
> --
> theall@tenablesecurity.com

_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers

Re: apache_2_2_8.nasl [ In reply to ]

theall at tenablesecurity

Mar 7, 2008, 7:53 AM

Post #4 of 4 (3030 views)

Permalink

On Mar 7, 2008, at 10:44 AM, Dennis Jackson wrote:

> At least Nessus will flag the old version. Though quite which CVEs
> are fixed in 2.0.63 will have to await an answer from Apache.

When I wrote the new plugin, I assumed CVE-2008-0005 had just been
omitted from the changelog. Let me know if that's wrong please.

George
--
theall@tenablesecurity.com

_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers