On 6/30/2010 8:54 PM, John Jasen wrote:
m.r...@5-cent.us wrote:
John Jasen wrote:
m.r...@5-cent.us wrote:
Frank Cox wrote:
On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
Sorry, you lost me here. I turned off all access to the
John Hinton wrote:
On 6/30/2010 8:54 PM, John Jasen wrote:
Well, I'm a security admin, so of course protection is more important
than utility! :)
But seriously, the assessment tools provide information on your
environment, based on certain standard metrics. It's (HOPEFULLY! PCI compliance
On 7/6/2010 4:49 PM, John Jasen wrote:
John Hinton wrote:
On 6/30/2010 8:54 PM, John Jasen wrote:
Well, I'm a security admin, so of course protection is more important
than utility! :)
But seriously, the assessment tools provide information on your
environment, based on certain
On Tue, Jul 06, 2010 at 05:21:36PM -0400, John Hinton wrote:
My point is these 'security metrics' businesses that are paid, generally
by credit card companies, to do these software scans and don't ever do
these most basic checks. Not that my quoted text is the name of one of
these
On 7/6/2010 5:34 PM, Whit Blauvelt wrote:
On Tue, Jul 06, 2010 at 05:21:36PM -0400, John Hinton wrote:
My point is these 'security metrics' businesses that are paid, generally
by credit card companies, to do these software scans and don't ever do
these most basic checks. Not that my
Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache
'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
Remove that module from httpd.conf and try again. If it still gives that
warning you've proven the tool is
Kai Schaetzl wrote:
Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache
'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
Remove that module from httpd.conf and try again. If it still gives that
warning
Les Mikesell wrote:
Kai Schaetzl wrote:
Les Mikesell wrote on Tue, 29 Jun 2010 17:52:37 -0500:
Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache
'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting.
Remove that module from httpd.conf and try again. If it still gives
On Wed, 2010-06-30 at 10:10 -0400, m.r...@5-cent.us wrote:
I understand that. We had a scan a few months ago (and they're about to
do it again), and to satisfy it, I had to turn off the h/d/ramdisks in
our laser printers
What is the point of doing a security scan under conditions that
Frank Cox wrote:
On Wed, 2010-06-30 at 10:10 -0400, m.r...@5-cent.us wrote:
I understand that. We had a scan a few months ago (and they're about to
do it again), and to satisfy it, I had to turn off the h/d/ramdisks in
our laser printers
What is the point of doing a security scan under
For most (large) organizations, security scans have NOTHING to do with
increasing security, and everything with being able to answer Yes
to a question like Do you regularly scan for known defects?,
probably for a VISA type compliance check.
If you don't already know, you really don't want to know
Jim Wildman wrote:
On Wed, 30 Jun 2010, Frank Cox wrote:
snip
What is the point of doing a security scan under conditions that are not
actually live?
It sounds like moving the flammable materials out before a fire
inspection, then moving them right back in when the inspector leaves.
What
On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
the printers, and left it off. This, of course, slows things down a lot,
but it's Secure.
The point is that the security scan is supposed to be verifying that
On Wed, Jun 30, 2010, Frank Cox wrote:
On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
the printers, and left it off. This, of course, slows things down a lot,
but it's Secure.
The point is that the security
Frank Cox wrote:
On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
the printers, and left it off. This, of course, slows things down a lot,
but it's Secure.
The point is that the security scan is supposed to
m.r...@5-cent.us wrote:
Frank Cox wrote:
On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
the printers, and left it off. This, of course, slows things down a lot,
but it's Secure.
The point is that the
John Jasen wrote:
m.r...@5-cent.us wrote:
Frank Cox wrote:
On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
the printers, and left it off. This, of course, slows things down a lot,
but it's Secure.
snip
Forgive
On 6/30/2010 4:02 PM, m.r...@5-cent.us wrote:
Frank, I'm not sure of the object of your part of the conversation, me, or
the security team that I have to deal with. I'm also feeling as though
we're talking past each other. They ran the scan. My manager handed the
response handling of it to
Les Mikesell wrote:
On 6/30/2010 4:02 PM, m.r...@5-cent.us wrote:
Frank, I'm not sure of the object of your part of the conversation, me,
or the security team that I have to deal with. I'm also feeling as though
we're talking past each other. They ran the scan. My manager handed the
response
But the point is that the original poster is NOT the one running the
scan. And the results of the scan (complaining about
vulnerabilities based on version numbers) indicates that it is not a
true 'security' scan anyway. For (almost) every CVE issued, there
is a way to mitigate the risk that does
On 6/30/2010 4:39 PM, m.r...@5-cent.us wrote:
companies/business units/administrators police themselves so you need
metrics for someone else to test with. And even internally you need to
document why the failure of any standard check should be overlooked.
No, the security people should have
On Jun 30, 2010, at 6:03 PM, Les Mikesell lesmikes...@gmail.com wrote:
On 6/30/2010 4:39 PM, m.r...@5-cent.us wrote:
companies/business units/administrators police themselves so you need
metrics for someone else to test with. And even internally you need to
document why the failure of any
On Wed, Jun 30, 2010 at 5:02 PM, m.r...@5-cent.us wrote:
Frank, I'm not sure of the object of your part of the conversation, me, or
the security team that I have to deal with. I'm also feeling as though
we're talking past each other. They ran the scan. My manager handed the
response handling
m.r...@5-cent.us wrote:
John Jasen wrote:
m.r...@5-cent.us wrote:
Frank Cox wrote:
On Wed, 2010-06-30 at 15:14 -0400, m.r...@5-cent.us wrote:
Sorry, you lost me here. I turned off all access to the h/d/ramdisk on
the printers, and left it off. This, of course, slows things down a lot,
but
What's the correct response to a security scan that points out that
apache versions below 2.2.14 have multiple known vulnerabilities? Is
there an official document about what known vulnerabilities have been
fixed in the RHEL/CentOS updates or do you have to wade through the
changelog to try
On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell lesmikes...@gmail.com wrote:
What's the correct response to a security scan that points out that
apache versions below 2.2.14 have multiple known vulnerabilities? Is
there an official document about what known vulnerabilities have been
fixed in
On 6/29/2010 5:11 PM, Les Mikesell wrote:
What's the correct response to a security scan that points out that
apache versions below 2.2.14 have multiple known vulnerabilities? Is
there an official document about what known vulnerabilities have been
fixed in the RHEL/CentOS updates or do you
On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell lesmikes...@gmail.com wrote:
What's the correct response to a security scan that points out that
apache versions below 2.2.14 have multiple known vulnerabilities? Is
there an official document about what known vulnerabilities have been
fixed in
On Tue, Jun 29, 2010, Brian Mathis wrote:
On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell lesmikes...@gmail.com wrote:
What's the correct response to a security scan that points out that
apache versions below 2.2.14 have multiple known vulnerabilities? Is
there an official document about what
On 6/29/2010 4:37 PM, Bill Campbell wrote:
On Tue, Jun 29, 2010, Brian Mathis wrote:
On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell lesmikes...@gmail.com wrote:
What's the correct response to a security scan that points out that
apache versions below 2.2.14 have multiple known vulnerabilities?
On 06/29/2010 03:52 PM, Les Mikesell wrote:
It's internal, but requires a formal response - or an application
update. The test tool says:
These are the reported vulnerabilities
Apache Server 2.x Prior To 2.2.14 Multiple Vulnerabilities Apache
'mod_proxy_ftp' Wildcard Characters
Kwan Lowe wrote:
On Tue, Jun 29, 2010 at 5:11 PM, Les Mikesell lesmikes...@gmail.com wrote:
What's the correct response to a security scan that points out that
apache versions below 2.2.14 have multiple known vulnerabilities? Is
there an official document about what known vulnerabilities have
On Tue, 29 Jun 2010, Les Mikesell wrote:
What's the correct response to a security scan that points out that
apache versions below 2.2.14 have multiple known vulnerabilities? Is
there an official document about what known vulnerabilities have been
fixed in the RHEL/CentOS updates or do you
On Tue, Jun 29, 2010 at 8:55 PM, John Jasen jja...@realityfailure.org wrote:
Googling the CVE # and the vendor will usually turn up the patched
version or disposition quickly.
An easy way to nail down CVE verifications is via
http://www.redhat.com/security/data/cve/
This url allows you to