I see that Afterdawn is using Apache 2.2.3. Shouldn't it be updated to 2.2.10? 2.2.3 has quite a number of vulnerabilities.... especially exploited by those who break the rules and get banned...lol
Life is but a dream; you don't feel any pain unless you want to or you fall off the bed. Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing. To be or not to be; that's a dumb question.
Originally posted by cdavfrew: I see that Afterdawn is using Apache 2.2.3. Shouldn't it be updated to 2.2.10? 2.2.3 has quite a number of vulnerabilities.... especially exploited by those who break the rules and get banned...lol
Best Regards :D
Thanks for the tip! =) We live by the CentOS update schedule, and 2.2.3 is the latest version of Apache available for the time being.
Apache versions between 2.2.3 and 2.2.10 have patched only minor vulnerabilities - all of them in modules not used by us. Or am I mistaken?
I was actually more concerned about these updates found in 2.2.6:
Quote:A bug was found in the mod_cache module. On sites where caching is enabled, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module.
Quote:The recall_headers function in mod_mem_cache in Apache 2.2.4 did not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously used data, which could be used by remote attackers to obtain potentially sensitive information.
Quote:The Apache HTTP server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the HTTP server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service.
The other updates in 2.2.8 and higher don't really concern AfterDawn's active modules (at least those I know about...), unless there is an FTP server within AfterDawn as well.
This message has been edited since posting. Last time this message was edited on 12. November 2008 @ 08:13
Actually we don't use mod_cache (or mod_mem_cache for that matter) at AfterDawn. Local attacks aren't a concern either since no-one outside the company has access to the servers.
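The thread's argument is that an advisory only matters if the affected module is actually loaded, that the mod_cache crash only becomes a denial of service under a threaded MPM, and that a distribution build with a 2.2.3 banner may already carry backported fixes from the vendor. The script below is an added example for checking those three things on a CentOS-style host; it is not code from the thread or from AfterDawn. It reads the text of `httpd -M` and `rpm -q --changelog httpd` as function arguments so it runs anywhere; the sample outputs embedded here are constructed, and the CVE ids in the sample changelog are placeholders rather than real identifiers (the thread names none).

```shell
#!/bin/sh
# Added example (not from the thread): does an advisory for a given Apache
# module apply to this host? On a real server you would feed these functions
#   httpd -M 2>&1              (loaded modules)
#   rpm -q --changelog httpd   (vendor changelog, where backports are listed)

# Constructed sample of `httpd -M` output (not from any real server).
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 log_config_module (shared)
 mime_module (shared)
 dir_module (shared)
 rewrite_module (shared)
 php5_module (shared)
Syntax OK'

# Constructed sample of `rpm -q --changelog httpd` output.
# The CVE ids below are placeholders, not real identifiers.
SAMPLE_CHANGELOG='* Tue Jan 01 2008 Placeholder Maintainer <maint@example.invalid> - 2.2.3-11
- add security fix for CVE-0000-0001 (mod_cache child crash, placeholder)
- add security fix for CVE-0000-0002 (mod_mem_cache header reuse, placeholder)
* Mon Jun 01 2007 Placeholder Maintainer <maint@example.invalid> - 2.2.3-7
- rebuild'

# loaded_module MODULES_TEXT NAME -> exit 0 if NAME (e.g. mod_cache) is loaded.
# `httpd -M` prints "cache_module", so drop the mod_ prefix and add _module.
loaded_module() {
    _short=${2#mod_}
    printf '%s\n' "$1" | grep -q "^ *${_short}_module "
}

# applicable_advisories MODULES_TEXT MOD... -> prints each named module that
# is actually loaded; anything not printed can be set aside for this host.
applicable_advisories() {
    _mods=$1
    shift
    for _m in "$@"; do
        if loaded_module "$_mods" "$_m"; then
            printf '%s\n' "$_m"
        fi
    done
}

# mpm_of MODULES_TEXT -> "prefork", "worker", ... ; the mod_cache crash in the
# thread is only a service-wide DoS when the MPM is threaded.
mpm_of() {
    printf '%s\n' "$1" | sed -n 's/^ *mpm_\([a-z]*\)_module .*/\1/p' | head -n 1
}

# backported_cves CHANGELOG_TEXT -> unique CVE ids the vendor package mentions,
# which is what to compare against the upstream advisory, not the banner version.
backported_cves() {
    printf '%s\n' "$1" | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Stand-alone demonstration on the constructed samples.
echo "MPM: $(mpm_of "$SAMPLE_MODULES")"
echo "Advisory modules loaded: $(applicable_advisories "$SAMPLE_MODULES" mod_cache mod_mem_cache mod_rewrite)"
echo "CVE ids in vendor changelog:"
backported_cves "$SAMPLE_CHANGELOG"
```

On the sample host only mod_rewrite is loaded, so the mod_cache and mod_mem_cache items are not applicable, the MPM is prefork rather than threaded, and the changelog shows which fixes the vendor has already backported behind the unchanged 2.2.3 version string.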