<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello, as you mentioned, all of the
CVEs are quite old (older than RHEL-6). For instance, the last
one CVE-2009-1956 was fixed in apr-util-1.2.7-7.el5_3.1. As long
as you use RHEL-6, the CVEs you listed are all fixed. Also,
please note that the CVEs are all httpd related, not 389-ds.<br>
<br>
<div>CVE:<span class="" style="white-space:pre"> </span><br>
CVE-2008-0005<br>
CVE-2007-6388<br>
CVE-2007-6422<br>
CVE-2007-6420<br>
CVE-2007-5000<br>
CVE-2007-6421<br>
CVE-2008-1678</div>
<br>
<div>CVE-2007-1862<br>
CVE-2007-3847<br>
CVE-2007-3304<br>
CVE-2006-5752<br>
CVE-2007-1863<br>
</div>
<br>
<div>CVE-2009-1891<br>
CVE-2009-1955<br>
CVE-2009-1191<br>
CVE-2009-0023<br>
CVE-2009-1956<br>
CVE-2009-1195<br>
CVE-2009-1890<br>
</div>
<br>
John Trump wrote:<br>
</div>
<blockquote
cite="mid:CANd=zChCb8hmsbhGhZP16MJgCMRDOavu-Eu4S4_R7j63krQ-uA@mail.gmail.com"
type="cite">
<div dir="ltr">I have a system running 389-ds that was scanned
using Retina. Retina showed vulnerabilities which are fairly old.
Can anyone confirm that these were fixed? The only thing using port
9830 is the admin-serv. Below are the rpm versions I have
installed and the CVEs Retina supposedly detected.
<div>
<br>
</div>
<div>
<div>389-adminutil-1.1.19-1.el6.x86_64</div>
<div>389-ds-console-doc-1.2.6-1.el6.noarch</div>
<div>389-admin-1.1.35-1.el6.x86_64</div>
<div>389-admin-console-1.1.8-5.fc19.noarch</div>
<div>389-console-1.1.7-1.el6.noarch</div>
<div>389-ds-1.2.2-1.el6.noarch</div>
<div>389-ds-base-libs-1.2.11.25-1.el6.x86_64</div>
<div>389-ds-base-1.2.11.25-1.el6.x86_64</div>
<div>389-dsgw-1.1.11-1.el6.x86_64</div>
<div>389-ds-console-1.2.6-1.el6.noarch</div>
<div>389-admin-console-doc-1.1.8-5.fc19.noarch</div>
</div>
<div><br>
</div>
<div>Audit ID:<span class="" style="white-space:pre"> </span>6310<span
class="" style="white-space:pre"> </span>Vul ID:<span
class="" style="white-space:pre"> </span>N/A<br>
</div>
<div>
<div>Risk Level:<span class="" style="white-space:pre"> </span>Medium</div>
<div>Sev Code:<span class="" style="white-space:pre"> </span>Category
II</div>
<div>PCI Level:<span class="" style="white-space:pre"> </span>Medium
(Fail) - CVSS Score</div>
<div>CVSS Score:<span class="" style="white-space:pre"> </span>5
[AV:N/AC:L/Au:N/C:N/I:N/A:P]</div>
<div>BugTraq ID<span class="" style="white-space:pre"> </span>27234,26838,27236,27237</div>
<div>CVE:<span class="" style="white-space:pre"> </span>CVE-2008-0005,CVE-2007-6388,CVE-2007-6422,CVE-2007-6420,CVE-2007-5000,CVE-2007-6421,CVE-2008-1678</div>
<div>CCE:<span class="" style="white-space:pre"> </span>N/A</div>
<div>Exploit:<span class="" style="white-space:pre"> </span>No</div>
<div>IAV:<span class="" style="white-space:pre"> </span>N/A</div>
<div>STIG:</div>
<div>Context:<span class="" style="white-space:pre"> </span>TCP:9830</div>
<div>Result:<span class="" style="white-space:pre"> </span>Success</div>
<div>Tested Value:<span class="" style="white-space:pre"> </span>BR
T WB Server:</div>
<div>(Apache(\([[]^)]*\))?/((2\.((2(\.[[]0-7])?)|(0(\.([[]1-5]?[[]0-9]|6[[]0-2]))?)|(1(\..*)?)))|(1\.((3(\.([[]1-3]?[[]0-9]|40))?)|([[]0-2](\..*)?)))|(0+\..*))($|[[]^0-9.]([[]^(]*\([[]^R][[]^)]*\))*[[]^()]*$))</div>
<div>Found Value:<span class="" style="white-space:pre"> </span>Server:
Apache/2.2##Content-Length: 301##Connection:</div>
<div>close##Content-Type: text/html;</div>
<div>charset[=]iso-8859-1####&lt;!DOCTYPE HTML PUBLIC</div>
<div>"-//IETF//DTD HTML
2.0//EN"&gt;#&lt;html&gt;&lt;head&gt;#&lt;title&gt;404 Not</div>
<div>Found&lt;/title&gt;#&lt;/head&gt;&lt;body&gt;#&lt;h1&gt;Not
Found&lt;/h1&gt; </div>
<div>(truncated...)</div>
</div>
<div><br>
</div>
<div>
<div>Audit ID:<span class="" style="white-space:pre"> </span>6059<span
class="" style="white-space:pre"> </span>Vul ID:<span
class="" style="white-space:pre"> </span>N/A</div>
<div>Risk Level:<span class="" style="white-space:pre"> </span>Medium</div>
<div>Sev Code:<span class="" style="white-space:pre"> </span>Category
II</div>
<div>PCI Level:<span class="" style="white-space:pre"> </span>Medium
(Fail) - CVSS Score</div>
<div>CVSS Score:<span class="" style="white-space:pre"> </span>5
[AV:N/AC:L/Au:N/C:P/I:N/A:N]</div>
<div>BugTraq ID<span class="" style="white-space:pre"> </span>24215,24645,25489,24649,24553</div>
<div>CVE:<span class="" style="white-space:pre"> </span>CVE-2007-1862,CVE-2007-3847,CVE-2007-3304,CVE-2006-5752,CVE-2007-1863</div>
<div>CCE:<span class="" style="white-space:pre"> </span>N/A</div>
<div>Exploit:<span class="" style="white-space:pre"> </span>No</div>
<div>IAV:<span class="" style="white-space:pre"> </span>N/A</div>
<div>STIG:</div>
<div>Context:<span class="" style="white-space:pre"> </span>TCP:9830</div>
<div>Result:<span class="" style="white-space:pre"> </span>Success</div>
<div>Tested Value:<span class="" style="white-space:pre"> </span>RR
T WB</div>
<div>(Apache(\([[]^)]*\))?/(2\.2(\.[[]0-5])?)($|[[]^0-9.]([[]^(]*\([[]^R][[]^)]*\))*[[]^()]*$))</div>
<div>Found Value:<span class="" style="white-space:pre"> </span>Apache/2.2</div>
</div>
<div><br>
</div>
<div>
<div>
Audit ID:<span class="" style="white-space:pre"> </span>9820<span
class="" style="white-space:pre"> </span>Vul ID:<span
class="" style="white-space:pre"> </span>N/A</div>
<div>Risk Level:<span class="" style="white-space:pre"> </span>Medium</div>
<div>Sev Code:<span class="" style="white-space:pre"> </span>Category
II</div>
<div>PCI Level:<span class="" style="white-space:pre"> </span>High
(Fail) - CVSS Score</div>
<div>CVSS Score:<span class="" style="white-space:pre"> </span>7.8
[AV:N/AC:L/Au:N/C:N/I:N/A:C]</div>
<div>BugTraq ID<span class="" style="white-space:pre"> </span>35565,35253,35623,35251,34663,35221,35115</div>
<div>CVE:<span class="" style="white-space:pre"> </span>CVE-2009-1891,CVE-2009-1955,CVE-2009-1191,CVE-2009-0023,CVE-2009-1956,CVE-2009-1195,CVE-2009-1890</div>
<div>CCE:<span class="" style="white-space:pre"> </span>N/A</div>
<div>Exploit:<span class="" style="white-space:pre"> </span>Yes</div>
<div>IAV:<span class="" style="white-space:pre"> </span>N/A</div>
<div>STIG:</div>
<div>Context:<span class="" style="white-space:pre"> </span>TCP:9830</div>
<div>Result:<span class="" style="white-space:pre"> </span>Success</div>
<div>Tested Value:<span class="" style="white-space:pre"> </span>APACHE(-ADVANCEDEXTRANETSERVER)?/2\.2(\.(1[[]01]|[[]0-9])(\.[[]0-9]+)*)?($|[[]^0-9.])</div>
<div>Found Value:<span class="" style="white-space:pre"> </span>APACHE/2.2</div>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<pre wrap="">--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
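<div>The scanner in this thread flags the host from the <code>Apache/2.2</code> banner alone, while the reply points to fixes shipped in the distribution packages. The following is an added example, not code from the thread or from the 389 project: a shell function that reads RPM changelog text on standard input and reports which of the scan report's CVE ids it names. The function names and the sample changelog are constructed for illustration; the sample is not the real package changelog.</div>

```shell
#!/bin/sh
# Added example (not from the thread). check_cves and sample_changelog are
# hypothetical helper names.
#
# check_cves reads `rpm -q --changelog` text on stdin and, for each CVE id in
# its arguments (comma- or space-separated, as pasted from the scan report),
# prints whether a changelog entry names it. It returns 0 only when every id
# was found. A miss is not proof of exposure: the package's base version may
# already contain the upstream fix, so a miss means "check the vendor's CVE
# page", not "vulnerable".
check_cves() {
    changelog=$(cat)
    missing=0
    # Turn "CVE-a,CVE-b" into separate words; the shell splits the rest.
    for cve in $(printf '%s\n' "$@" | tr ',' ' '); do
        # -F: literal match. -w: whole word, so a truncated id such as
        # CVE-2009-195 does not match inside CVE-2009-1955.
        if printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
            echo "$cve changelog-hit"
        else
            echo "$cve changelog-miss"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample input in the shape of RPM changelog output.
sample_changelog() {
    printf '%s\n' \
        '* Thu Jan 01 2009 Example Packager - 0.0.0-2' \
        '- add security fix for CVE-2009-1956' \
        '* Thu Jan 01 2009 Example Packager - 0.0.0-1' \
        '- add security fixes for CVE-2009-1955, CVE-2009-0023'
}

# Demo on the constructed sample; the last id is absent from it on purpose.
sample_changelog \
    | check_cves "CVE-2009-1955,CVE-2009-0023" CVE-2009-1956 CVE-2009-1890 \
    || echo "some ids need a manual check against the vendor's CVE pages"
```

<div>On the scanned host the input would come from <code>rpm -q --changelog httpd apr apr-util</code> piped into <code>check_cves</code>, with the CVE list taken from the scan report.</div>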
<br>
</body>
</html>