
Re: Information about security



steph b wrote: 
> I recently audited my company and saw in the server response the HTTP server
> version (e.g. for Debian buster: Apache v2.4.38).
> 
> 1st, I know that this response must not contain this information.

ServerSignature Off
ServerTokens Prod


> 2nd, when I search for CVEs about this version, I have a list of them here: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-278546/Apache-Http-Server-2.4.38.html
> 
> Because I'm just a student, when I saw all these CVEs, I wrote in my report
> "Update this Apache version" but I was surprised to learn that the version
> was already up to date!
> 
> So that is my question:
> 
> How to know exactly if this package is already updated?
> 
> I have seen in your FAQ: https://www.debian.org/security/faq#version
> 
> But for apache2, the commands I know are:
> 
> > apache2 -v or httpd -v
> 
> Which return: Server version: Apache/2.4.38 (Debian)
> 
> 
> But how to compare exactly the version, or how to know which security patches
> are applied or missing for this package?

zless "/usr/share/doc/apache2/changelog.Debian.gz"

The changelog will include appropriate CVEs.

-dsr- 
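
The changelog check suggested in the reply above, as an added example that is not part of the original message: a shell sketch that lists every CVE id a Debian changelog mentions together with the package version of the entry that mentions it. The function names, the sample changelog, its version strings and its CVE ids are all constructed placeholders.

```shell
# Added example: list the CVE ids a Debian changelog mentions, per entry version.

# Print a changelog, whether it is gzip-compressed or plain text.
read_changelog() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Output: one "CVE-id <tab> version" line per CVE mention.
cves_in_changelog() {
    read_changelog "$1" | awk '
        # Entry header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(/ {
            ver = $2
            gsub(/[()]/, "", ver)
            next
        }
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH) "\t" ver
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# Exit status 0 if the changelog mentions the given CVE id.
cve_is_listed() {
    cves_in_changelog "$1" | cut -f1 | grep -qx -- "$2"
}

# Constructed sample changelog (placeholder versions and CVE ids).
sample=$(mktemp)
cat > "$sample" <<'EOF'
apache2 (2.4.38-0+example2) buster-security; urgency=medium

  * CVE-0000-1111, CVE-0000-2222: constructed entry

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2001 00:00:00 +0000

apache2 (2.4.38-0+example1) buster; urgency=medium

  * CVE-0000-3333: constructed entry
EOF
cves_in_changelog "$sample"
```

On a real system, pass /usr/share/doc/apache2/changelog.Debian.gz instead of the sample file, and read the matching entry itself, since the script only reports that an id is mentioned.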

