summaryrefslogtreecommitdiffstats
path: root/meta-webserver
diff options
context:
space:
mode:
authorPeter Marko <peter.marko@siemens.com>2024-12-19 21:48:58 +0100
committerKhem Raj <raj.khem@gmail.com>2024-12-19 13:00:33 -0800
commitda2b5e8b93c248363581b1bd4ff67ff1d8357c41 (patch)
treef6d0716929dc21f98fc688fe21b6c66b9d42e5b9 /meta-webserver
parent7e17f8cec02d20813fb8368ccc1c5ae27b291383 (diff)
downloadmeta-openembedded-da2b5e8b93c248363581b1bd4ff67ff1d8357c41.tar.gz
apache2: ignore disputed CVE CVE-2007-0086
This CVE is officially disputed by Redhat with official statement in https://nvd.nist.gov/vuln/detail/CVE-2007-0086 Red Hat does not consider this issue to be a security vulnerability. The pottential attacker has to send acknowledgement packets periodically to make server generate traffic. Exactly the same effect could be achieved by simply downloading the file. The statement that setting the TCP window size to arbitrarily high value would permit the attacker to disconnect and stop sending ACKs is false, because Red Hat Enterprise Linux limits the size of the TCP send buffer to 4MB by default. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-webserver')
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb1
1 files changed, 1 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
index 3a988f2494..bba00fb95c 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
@@ -40,6 +40,7 @@ CVE_PRODUCT = "apache:http_server"
40CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: The current version is not affected. It only applies for Windows" 40CVE_STATUS[CVE-1999-0289] = "not-applicable-platform: The current version is not affected. It only applies for Windows"
41CVE_STATUS[CVE-1999-0678] = "not-applicable-platform: this CVE is for Debian packaging configuration" 41CVE_STATUS[CVE-1999-0678] = "not-applicable-platform: this CVE is for Debian packaging configuration"
42CVE_STATUS[CVE-1999-1412] = "not-applicable-platform: this CVE is for MAC OS X specific problem" 42CVE_STATUS[CVE-1999-1412] = "not-applicable-platform: this CVE is for MAC OS X specific problem"
43CVE_STATUS[CVE-2007-0086] = "disputed: this CVE is officially disputed by Redhat"
43CVE_STATUS[CVE-2007-0450] = "not-applicable-platform: The current version is not affected. It only applies for Windows." 44CVE_STATUS[CVE-2007-0450] = "not-applicable-platform: The current version is not affected. It only applies for Windows."
44CVE_STATUS[CVE-2007-6421] = "cpe-incorrect: The current version is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)" 45CVE_STATUS[CVE-2007-6421] = "cpe-incorrect: The current version is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)"
45CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)" 46CVE_STATUS[CVE-2007-6422] = "cpe-incorrect: The current version is not affected by the CVE which affects versions from 2.2 (incl.) to 2.2.8 (excl.)"