[thefreeman]

It also barely meets the definition of "a vulnerability report". He basically just nmap scanned the server and googled the apache version. The "critical" vulnerability he linked requires controlling a backend server being reverse proxied through apache... so completely irrelevant. I didn't read every CVE for the apache version but I am doubtful there is anything that actually allows taking over the server there.

[roywashere]

Also, Apache 2.4.57 is exactly the version of Apache you get when you'd run RHEL 9 / AlmaLinux / Rocky 9. In that case, the OS would provide backports of the CVE fixes for you and the banner still reads Apache 2.4.57!

[capitainenemo]

That was EXACTLY my first thought on skimming the article. There are commercial vulnerability tools that do this to me repeatedly with Debian and Ubuntu - reporting vulnerabilities in things that the Ubuntu and Debian CVE pages clearly state were patched in backports years prior. Often it is in Apache.

[hughw]

I need to see ICE Block's SOC 2 Type 1 audit of their processes for patching vulnerabilities along with their latest SOC 2 Type 2 audit.

[tptacek]

Their Type 2 attestation would have everything the Type 1 has. I mean obviously you're not being serious but I can't let that one sail by.

[hughw]

Right but the type 2 will prove they actually did what they promised. And yes I’m drawing it out to an absurdity.