Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It also barely meets the definition of "a vulnerability report". He basically just nmap scanned the server and googled the apache version. The "critical" vulnerability he linked requires controlling a backend server being reverse proxied through apache... so completely irrelevant. I didn't read every CVE for the apache version but I am doubtful there is anything that actually allows taking over the server there.


Also, Apache 2.4.57 is exactly the version of Apache you get when you'd run RHEL 9 / AlmaLinux / Rocky 9. In that case, the OS would provide backports of the CVE fixes for you and the banner still reads Apache 2.4.57!


That was EXACTLY my first thought on skimming the article. There are commercial vulnerability tools that do this to me repeatedly with Debian and Ubuntu - reporting vulnerabilities in things that the Ubuntu and Debian CVE pages clearly state were patched in backports years prior. Often it is in Apache.


I need to see ICE Block's SOC 2 Type 1 audit of their processes for patching vulnerabilities along with their latest SOC 2 Type 2 audit.


Their Type 2 attestation would have everything the Type 1 has. I mean obviously you're not being serious but I can't let that one sail by.


Right but the type 2 will prove they actually did what they promised. And yes I’m drawing it out to an absurdity.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: