Comment on ICEBlock handled my vulnerability report in the worst possible way
rubin@lemmy.sdf.org 3 weeks ago
This security researcher is just wrong. The version of apache running is likely in a ‘stable’ release where critical CVEs are fixed by back-porting patches to the same older version of software. Also, if I’m reading correctly, the vulnerability he cites is dependent on malicious behavior of apps hosted behind the vulnerable server. His would likely not meet this criteria, so the vulnerability does not affect his use case.
It is the blogger, IMO, who is participating in ‘theater’. A little knowledge is a dangerous thing.
BlueBockser@programming.dev 3 weeks ago
[deleted]corsicanguppy@lemmy.ca 3 weeks ago
The server was reportedly running 2.4.57 and the CVE was fixed in 2.4.60, so it’s definitely present in the software.
Overall, I don’t get your point about stable releases and backports.
Clearly. Hint: it’s what Enterprise Linux has done for 20 years.
eager_eagle@lemmy.world 3 weeks ago
Distros don’t update software versions when backporting some things, meaning they add a suffix they control to the version e.g. 2.4.57-ubuntu1.2 whatever, but the version reported by the software itself might still be 2.4.57.
knobbysideup@sh.itjust.works 3 weeks ago
Wrong.
Ulrich@feddit.org 3 weeks ago
Well the interesting thing here is that you took the time to type that out while he just blocked the person trying to report a security vulnerability.