Hi,
I'm a French student in security, and I have a question:
I recently audited my company and saw in the server response the HTTP
server version (e.g. for Debian buster: Apache v2.4.38).
1st, I know that this response must not contain this information.
2nd, when I search for CVEs about this version, I get a list of them here:
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-278546/Apache-Http-Server-2.4.38.html
Because I'm just a student, when I saw all these CVEs, I wrote in my
report "Update this Apache version", but I was surprised to learn that
the version was already up to date!
So this is my question:
How can I know exactly whether this package is already updated?
I have seen in your FAQ: https://www.debian.org/security/faq#version
But for apache2, the commands I know are:
> apache2 -v or httpd -v
which return: Server version: Apache/2.4.38 (Debian)
But how can I compare the version exactly, or know which security
patches are applied or missing for this package?
Is there a local automatic tool to do that? (e.g. Nessus / OpenVAS for
remote vulnerability scanning, but some vulnerabilities are accessible only
locally)
Thanks in advance for your answer, and really thanks for your work on
Debian :)
Have a good day :)
Steph
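Added example, not part of the original mail: on Debian stable the upstream version string (2.4.38) never changes, because security fixes are backported and only the Debian revision after the hyphen is bumped (e.g. -3+deb10u1), so the `apache2 -v` output cannot tell you which fixes are present. The script below parses a constructed `changelog.Debian` excerpt (placeholder revisions and CVE ids, not real advisories) and orders versions with the dpkg comparison rules, so an installed version can be checked against the revision that first named a given CVE; `CHANGELOG` and all function names are mine.

```python
import re

# Constructed excerpt in changelog.Debian format (the real file is
# /usr/share/doc/apache2/changelog.Debian.gz); revisions and CVE ids are placeholders.
CHANGELOG = """\
apache2 (2.4.38-3+deb10u2) buster-security; urgency=high
  * CVE-0000-0002: placeholder entry, not a real advisory.
 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2020 00:00:00 +0000
apache2 (2.4.38-3+deb10u1) buster-security; urgency=high
  * CVE-0000-0001: placeholder entry, not a real advisory.
 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2020 00:00:00 +0000
"""

def _order(c):
    """Character weight used by dpkg: '~' sorts even before the end of the string."""
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _fragment_key(s):
    """Sort key for one version fragment, following dpkg's rules: alternating
    non-digit runs (a trailing 0 sentinel stands for "end of string") and numeric runs."""
    return [(tuple(_order(c) for c in alpha) + (0,), int(num or 0))
            for alpha, num in re.findall(r"(\D*)(\d*)", s)]

def version_key(v):
    """Sort key for a full Debian version: epoch, upstream version, Debian revision.
    Security fixes in a stable release only bump the revision (the part after '-')."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return (int(epoch), _fragment_key(upstream), _fragment_key(revision))

def fixed_versions(changelog):
    """Map each CVE id to the oldest Debian version whose changelog entry names it."""
    fixed, version = {}, None
    for line in changelog.splitlines():
        m = re.match(r"^\S+ \(([^)]+)\) ", line)   # entry header: pkg (version) dist; ...
        if m:
            version = m.group(1)   # entries are newest first, so later hits are older
        for cve in re.findall(r"CVE-\d{4}-\d{4,}", line):
            fixed[cve] = version
    return fixed

def is_fixed(installed, cve, changelog=CHANGELOG):
    """True if the installed version is at or above the first version that fixed the CVE."""
    fixed = fixed_versions(changelog)
    return cve in fixed and version_key(installed) >= version_key(fixed[cve])
```

On the server itself, `dpkg-query -W -f='${Version}\n' apache2` gives the installed Debian version and `zcat /usr/share/doc/apache2/changelog.Debian.gz` the real changelog to feed in; the Debian security tracker publishes the fixed version per CVE for the same comparison.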