Technology

75630 readers

2525 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

L4s@hackingne.ws

ICEBlock handled my vulnerability report in the worst possible way (micahflee.com)

submitted 3 weeks ago by Pro@programming.dev to c/technology@lemmy.world

30 comments fedilink hide all child comments

cross-posted from: https://programming.dev/post/37090037

Comments

Hacker News.

you are viewing a single comment's thread
view the rest of the comments

[–] rubin@lemmy.sdf.org 55 points 3 weeks ago (2 children)

This security researcher is just wrong. The version of apache running is likely in a 'stable' release where critical CVEs are fixed by back-porting patches to the same older version of software. Also, if I'm reading correctly, the vulnerability he cites is dependent on malicious behavior of apps hosted behind the vulnerable server. His would likely not meet this criteria, so the vulnerability does not affect his use case.

It is the blogger, IMO, who is participating in 'theater'. A little knowledge is a dangerous thing.

[–] Ulrich@feddit.org 5 points 3 weeks ago

Well the interesting thing here is that you took the time to type that out while he just blocked the person trying to report a security vulnerability.

[+] BlueBockser@programming.dev -3 points 3 weeks ago (3 children)

[deleted]

[–] corsicanguppy@lemmy.ca 9 points 3 weeks ago

The server was reportedly running 2.4.57 and the CVE was fixed in 2.4.60, so it’s definitely present in the software.

Overall, I don’t get your point about stable releases and backports.

Clearly. Hint: it's what Enterprise Linux has done for 20 years.

[–] eager_eagle@lemmy.world 6 points 3 weeks ago* (last edited 3 weeks ago)

Distros may not update software versions when backporting some things, meaning they add a suffix they control to the version e.g. 2.4.57-ubuntu1.2 whatever, but the version reported by the software itself might still be 2.4.57.

It depends on the release process. I was also confused once I was asking myself why the repo was reporting a CVE as fixed when it still showed the old version.

[–] knobbysideup@sh.itjust.works 0 points 3 weeks ago

Wrong.