Hi support,
After deploying a clean Nagios XI OVA (NXI 5.6.2) from the official website,
our client scanned the package versions in this VM and found many out-of-date packages.
They asked us to update these packages until the VM passes the scan.
I checked these sites:
1. https://www.nagios.com/products/security/
2. https://access.redhat.com/security/updates/backporting
Some of the issues scanned, mainly PHP and Apache:
- php (all issues are from before 2017):
1. php-CVE-2013-4610
2. php-CVE-2014-3515
3. php-CVE-2014-3670
4. php-CVE-2015-4599
5. php-CVE-2015-4600
6. php-CVE-2015-4603
7. php-CVE-2016-2554
...
- httpd
1. apache-httpd-2017-3167
2. apache-httpd-2017-3169
------
Here are my questions:
1. It seems that after Nagios XI 5.5,
the CVE-2019-xxxx vulnerabilities listed in https://www.nagios.com/products/security/ are solved.
So, can I claim to our customer that "we don't need to worry about those old issues listed in the report for our NXI 5.6.2,
because not only the old issues, e.g. CVE-2013~CVE-2016, but also CVE-2019-xxxx are solved by Nagios"?
2. According to Red Hat's definition of backporting,
did you update the old PHP and Apache functions to eliminate vulnerabilities without giving them a new sub-version number?
In other words, we do have a (so far) secure PHP/Apache version in the VM, even though it shows an old version number.
Is this correct?
3. If these security flaws actually exist in the OVA from the official website, given the compatibility concern,
how do we update PHP and Apache to the latest version in a correct way?
I can send the report to your email if you need.
Thanks for your help!
Old CVE issues and security concern
scottwilkerson
- DevOps Engineer
Re: Old CVE issues and security concern
axvers wrote:
1. It seems that after Nagios XI 5.5,
the CVE-2019-xxxx vulnerabilities listed in https://www.nagios.com/products/security/ are solved.
So, can I claim to our customer that "we don't need to worry about those old issues listed in the report for our NXI 5.6.2,
because not only the old issues, e.g. CVE-2013~CVE-2016, but also CVE-2019-xxxx are solved by Nagios"?

Correct

axvers wrote:
2. According to Red Hat's definition of backporting,
did you update the old PHP and Apache functions to eliminate vulnerabilities without giving them a new sub-version number?
In other words, we do have a (so far) secure PHP/Apache version in the VM, even though it shows an old version number.
Is this correct?

All backported packages are current as of the build date; you can also get any new updates by running

Code:
yum update -y

Re: Old CVE issues and security concern
Got it!
Thanks a lot!
scottwilkerson
- DevOps Engineer
Re: Old CVE issues and security concern
axvers wrote:
Got it!
Thanks a lot!

Great!
Locking
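The backporting point made in the reply above is why a scanner that only compares version strings keeps flagging the OVA's PHP and httpd packages. On a RHEL/CentOS-based host the usual way to confirm a specific finding is to look for the CVE ID in the package's RPM changelog. The script below is an added example, not code from the thread or from Nagios: the changelog excerpt is constructed so it runs offline, and in real use that text would come from `rpm -q --changelog php`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nagios: check whether a
# scanner finding that is based only on the package version string is actually
# covered by a backported fix, by searching the RPM changelog for the CVE ID.
# On a real Nagios XI (CentOS-based) host the changelog text comes from
#   rpm -q --changelog php
# so you would call:  triage "$(rpm -q --changelog php)" CVE-2014-3515 ...
# Here a constructed changelog excerpt is embedded so the script runs offline.

# Constructed sample changelog (placeholder dates, names and release numbers).
SAMPLE_CHANGELOG='* Tue Apr 25 2017 Example Maintainer <maint@example.com> - 5.4.16-42
- fix CVE-2016-2554 (backported)
* Mon Jun 13 2016 Example Maintainer <maint@example.com> - 5.4.16-36
- fix CVE-2014-3515, CVE-2015-4599, CVE-2015-4600, CVE-2015-4603 (backported)
- fix CVE-2014-3670 (backported)'

# cve_fixed CHANGELOG_TEXT CVE-ID -> exit 0 if the ID appears as a whole word
# (-w keeps CVE-2014-3515 from matching CVE-2014-35150).
cve_fixed() {
    printf '%s\n' "$1" | grep -qiw -- "$2"
}

# triage CHANGELOG_TEXT CVE-ID... -> one line per ID ("fixed" or "OPEN");
# the return value is the number of IDs not found (0 = every finding covered).
triage() {
    changelog=$1
    shift
    open=0
    for cve in "$@"; do
        if cve_fixed "$changelog" "$cve"; then
            echo "$cve: fixed by backport (version string unchanged, scanner false positive)"
        else
            echo "$cve: OPEN, not in changelog; needs yum update or vendor confirmation"
            open=$((open + 1))
        fi
    done
    return "$open"
}

# The PHP findings from the scan report in the thread. In this constructed
# sample CVE-2013-4610 is deliberately absent, so it is reported as OPEN.
triage "$SAMPLE_CHANGELOG" \
    CVE-2013-4610 CVE-2014-3515 CVE-2014-3670 \
    CVE-2015-4599 CVE-2015-4600 CVE-2015-4603 CVE-2016-2554 \
    || echo "findings still open: $?"
```

A finding that stays OPEN after `yum update -y` is the one worth raising with the vendor; a "fixed" line is evidence you can attach to the scan report.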