Re: Information about security
steph b wrote:
> I recently audited my company and saw in the server response the HTTP server
> version (e.g. for Debian buster: Apache v2.4.38).
>
> 1st, I know that this response must not contain this information.
ServerSignature Off
ServerTokens Prod
> 2nd, when I search CVEs about this version, I have a list of them here: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-278546/Apache-Http-Server-2.4.38.html
>
> Because I'm just a student, when I saw all these CVEs, I wrote in my report
> "Update this apache version" but I was surprised to learn that the version
> was already up to date!
>
> So that is my question:
>
> How to know exactly if this package is already updated?
>
> I have seen in your FAQ: https://www.debian.org/security/faq#version
>
> But for apache2, the commands I know are:
>
> > apache2 -v or httpd -v
>
> Which return: Server version: Apache/2.4.38 (Debian)
>
>
> But how to compare exactly the version, or how to know which security patches
> are applied or missing for this package?
zless "/usr/share/doc/apache2/changelog.Debian.gz"
The changelog will include appropriate CVEs.
-dsr-
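
Added example (not part of the original message, and not a Debian tool): one way to turn the changelog lookup above into a per-CVE answer, listing each CVE the changelog mentions with the package version whose entry first mentions it. The function names, the sample changelog, its CVE IDs and its version numbers are all constructed for illustration.

```shell
#!/bin/sh
# Real use (paths/commands as on a Debian system):
#   zcat /usr/share/doc/apache2/changelog.Debian.gz | cve_first_mentioned_in CVE-ID
#   dpkg-query -W -f='${Version}\n' apache2      # installed package version
#   dpkg --compare-versions "$installed" ge "$first" && echo "fix included"

# Read a Debian changelog on stdin, print "CVE-ID VERSION" pairs, sorted.
cve_fix_versions() {
  awk '
    # Entry header: "package (version) distribution; urgency=..."
    /^[a-z0-9][a-z0-9+.-]* \(/ {
      ver = $2
      gsub(/[()]/, "", ver)
      next
    }
    {
      line = $0
      # A line may name several CVEs; collect every one of them.
      while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
        cve = substr(line, RSTART, RLENGTH)
        # Changelog is newest-first, so the last write is the oldest upload.
        first[cve] = ver
        line = substr(line, RSTART + RLENGTH)
      }
    }
    END { for (c in first) print c, first[c] }
  ' | sort
}

# Print the version that first mentions CVE $1; exit 1 if never mentioned.
cve_first_mentioned_in() {
  cve_fix_versions | awk -v id="$1" '$1 == id { print $2; found = 1 } END { exit !found }'
}

# Constructed sample changelog (IDs, versions and maintainer are not real).
sample_changelog() {
  cat <<'EOF'
apache2 (2.4.38-3+deb10u92) buster-security; urgency=high

  * CVE-2099-0002: constructed entry, fix in mod_example
  * Follow-up to the CVE-2099-0001 fix (regression)

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2099 00:00:00 +0000

apache2 (2.4.38-3+deb10u91) buster-security; urgency=high

  * CVE-2099-0001, CVE-2099-0003: constructed entries

 -- Example Maintainer <maint@example.org>  Sun, 31 Dec 2098 00:00:00 +0000
EOF
}

sample_changelog | cve_fix_versions
```

A CVE from a scanner's list that the changelog never mentions makes cve_first_mentioned_in exit non-zero, which is the case to follow up by hand.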