Due to a CPI Scan, we are being instructed to update our Apache software. We are worried about how this will affect our OFBiz environment; what "gotchas" should we look out for? I am attaching the scan report which explains the exposures the upgrade would address.

Any help will be appreciated. Thanks in advance.

Drew Stephens
Visit us at: www.rippe.com
1077 Celestial Street, Cincinnati, Ohio 45202-1696
Stephens, Drew wrote:
> Due to a CPI Scan, we are being instructed to update our Apache software. We are worried about how this will affect our OFBiz environment; what "gotchas" should we look out for? I am attaching the scan report which explains the exposures the upgrade would address.
>
> Any help will be appreciated. Thanks in advance.

First, what is a CPI scan? Second, what OS are you running ofBiz on? Third, what version of Apache http are you on now, and what version does this mythical CPI recommend, or does it just say upgrade? Fourth, are you sure you are running ofBiz inside Apache http?

-- Walter
Sorry, I should have said PCI Scan (must have dyslexia between the seat and the keyboard). This stands for "Payment Card Industry": the major credit card companies (VISA, MC, etc.) got together and established some security standards that their members must meet relative to credit card security. One of the standards is quarterly system scans where they test the various ports of an ecommerce website. See http://www.pcicomplianceguide.org for more info.

The errors are below. Our system was scanned last night and we received 5 errors, 2 severe. All were related to our level of Apache.

1. Apache mod_proxy DoS - Apache versions between 1.3.25 and 1.3.31 may allow a remote attacker to crash the web server via manipulation of the HTTP Content-Length header.
2. Apache Buffer Overflow - Apache versions prior to 1.3.27 or 2.0.42 can result in a denial of service, and possibly, arbitrary code execution on your server.
3. Apache Rotate Logs DoS - Apache versions prior to 1.3.28 are vulnerable to a remote denial of service attack; this is only known on Windows servers.
4. Apache mod_alias and mod_rewrite Buffer Overflow - If the user has access to the Apache configuration, it's possible to take advantage of the buffer overflow vulnerability in mod_alias and mod_rewrite.
5. Apache Socket Starvation DoS - Apache versions prior to 1.3.31 and 2.0.49 are vulnerable to a denial of service attack.

Our application is running on Windows Server 2003.

Now for your questions. I think our IBM HTTP server is 1.3.26, and the error messages reference that any version of Apache between 1.3.25 and 1.3.31 is vulnerable to the potential exposures (tried to attach the report but it's an image file). As for the version of OFBiz, I can never remember where to find this. When I look at the General Properties file, it references 1.7. We installed OFBiz in 2003 and due to our modifications, haven't upgraded it. If you can guide me where to find the release level I could provide it.

Drew Stephens
Rippe & Kingston Systems, Inc.
[hidden email]
Phone: (513) 977-4573
Visit us at: www.rippe.com
1077 Celestial Street, Cincinnati, Ohio 45202-1696
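To check whether a given httpd build is still inside the version ranges the scan report lists, and which patch level clears all of them, here is an added example for this thread (not code from the list, from OFBiz or from the scanner); the thresholds are the ones stated in the report above, while the banner parser, the `windows` flag and the sample banners are assumptions made here.

```python
"""Evaluate an Apache httpd version against the scan findings quoted in the thread
above. Added example for this thread, not code from the list or from OFBiz. The
thresholds are the report's; the parser, 'windows' flag and banners are assumed here."""
import re


def parse_version(banner):
    """First x.y.z in a Server header or 'httpd -v' line ->
    tuple, e.g. 'IBM_HTTP_SERVER/1.3.26 Apache/1.3.26 (Win32)' -> (1, 3, 26)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no x.y.z version in %r" % banner)
    return tuple(int(p) for p in m.groups())


def affected(version, windows=True):
    """Scan findings whose stated version ranges cover `version`. Finding 4
    (mod_alias/mod_rewrite) is omitted: the report gives it no version range.
    'Between 1.3.25 and 1.3.31' is read inclusively, as the report words it."""
    in_13 = version[:2] == (1, 3)
    in_20 = version[:2] == (2, 0)
    hits = []
    if (1, 3, 25) <= version <= (1, 3, 31):
        hits.append("1. mod_proxy DoS")
    if (in_13 and version < (1, 3, 27)) or (in_20 and version < (2, 0, 42)):
        hits.append("2. buffer overflow")
    if windows and in_13 and version < (1, 3, 28):
        hits.append("3. rotatelogs DoS (Windows only)")
    if (in_13 and version < (1, 3, 31)) or (in_20 and version < (2, 0, 49)):
        hits.append("5. socket starvation DoS")
    return hits


def first_clear_version(branch, windows=True, max_patch=200):
    """Lowest patch level of `branch`, e.g. (1, 3), that no finding covers:
    the minimum target for the upgrade the scan is asking for."""
    for patch in range(max_patch + 1):
        if not affected(branch + (patch,), windows):
            return branch + (patch,)
    return None


if __name__ == "__main__":
    # Constructed banners; the first matches the 1.3.26 server in the thread.
    for banner in ("IBM_HTTP_SERVER/1.3.26 Apache/1.3.26 (Win32)", "Apache/2.0.48"):
        print(banner, "->", affected(parse_version(banner)) or "no listed findings")
    print("upgrade 1.3.x to at least", first_clear_version((1, 3)))
```

Run it again after the upgrade with the new banner: an empty result for findings 1, 2, 3 and 5 is what the next quarterly scan should confirm, while finding 4 still has to be judged by who can edit httpd.conf.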
You can find the version by going to your root ofbiz directory and typing "svn info".

    admin@raptor:/ofbiz$ svn info
    Path: .
    URL: http://svn.apache.org/repos/asf/ofbiz/trunk
    Repository Root: http://svn.apache.org/repos/asf
    Repository UUID: 13f79535-47bb-0310-9956-ffa450edef68
    Revision: 515279
    Node Kind: directory
    Schedule: normal
    Last Changed Author: jonesde
    Last Changed Rev: 515235
    Last Changed Date: 2007-03-06 13:10:41 -0500 (Tue, 06 Mar 2007)
    Properties Last Updated: 2007-02-13 14:05:46 -0500 (Tue, 13 Feb 2007)

Stephens, Drew wrote:
> As for the version of OFBiz, I can never remember where to find this.
The command you gave didn't work.

Drew Stephens
Rippe & Kingston Systems, Inc.
What error did you receive?

--- "Stephens, Drew" <[hidden email]> wrote:
> The command you gave didn't work.
Chris,

I suppose they do not use svn. Then I'm not sure how to retrieve version ... Any ideas?

Jacques

> What error did you receive?
It can be researched by the modified date property of a build file or the latest date of anything he hasn't modified...and then cross-referenced to either an open taps build or svn point.

--- Jacques Le Roux <[hidden email]> wrote:
> Chris,
>
> I suppose they do not use svn. Then I'm not sure how to retrieve version ... Any ideas?
>
> Jacques
The error is "'SVN' is not a recognize internal or external command". I tried this command from both the server running the real website as well as my local development environment; neither worked.

Drew Stephens
Rippe & Kingston Systems, Inc.

-----Original Message-----
From: Chris Howe
Sent: Wednesday, March 07, 2007 9:15 AM
Subject: RE: Re: Upgrading our Apache Server

What error did you receive?