On 4/2/2010 2:25 PM, Franklin, Meyer wrote:
> Hello William,
> Thanks so much for the prompt reply.  This is exactly what I needed.  I agree 
> that most scanners only look at version numbers, but we may be able to debate 
> with our customers using your official response.  At this point, moving to 
> version 2.0.64-dev to get past the scanners' tests may not be an option since 
> this version is NOT officially released by Apache.org.  We are more 
> interested in moving to 2.3.x when it becomes an official release.

Just pay attention to the alert language.  For example, "Subrequest handling
of request headers (mod_headers) CVE-2010-0434" begins "A flaw in the core
subrequest process code was fixed..."  Whenever you see a reference to 'core',
the httpd itself was patched.  Though mod_headers, in this case, exhibited
incorrect behavior with the flaw, there are likely third-party modules which
similarly misbehave with the broken core logic.
