Good morning,
last month we had an external penetration test performed, and the supplier
found several vulnerabilities.
Most of them are false positives, because they used a vanilla version as
reference; our Apache version in Univention is lower, but the vulnerabilities
are fixed.
However, in any case we have seen that there are real vulnerabilities that are
not fixed in the Apache version, namely:
CVE-2023-31122, CVE-2023-45802, CVE-2019-17567
Do you know whether Univention is indeed vulnerable?
Thanks
Status in UCS 5.0-7 is the same as upstream (Debian Buster):
The vulnerabilities do not affect the default configuration and product focus of UCS. Thus we would ship an update if Debian releases one, but addressing them ourselves has no priority for us unless customers communicate to us that it has critical significance for their security posture.
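The question above describes the usual cause of scanner false positives on Debian-based systems such as UCS: the scanner compares the version banner against the upstream release that first shipped a fix, while Debian backports fixes without bumping the upstream version. The script below is an added example (not code from Univention, Debian or the original thread) of the check a practitioner would run to separate the two cases: it parses the installed Debian package version, records which CVE identifiers the package changelog claims to address (in practice the output of `apt changelog apache2`), and compares the upstream part of the version against the upstream release that fixed each CVE. The changelog text is a constructed sample, not the real Debian apache2 changelog; the installed version string and the maintainer name are assumptions; the upstream fix releases for the CVEs are taken from the Apache httpd release history. A CVE that is neither mentioned in the changelog nor covered by the upstream version is reported as unconfirmed, which for the three CVEs named in the question matches the reply that their status follows Debian Buster and should be checked against the Debian security tracker.

```python
"""Separate backported Debian fixes from genuine gaps when triaging scanner findings."""
import re
from typing import Dict, List, Tuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Debian changelog entry header: "<package> (<version>) <dist>; urgency=<level>"
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ")

# Constructed changelog excerpt for illustration only; it does NOT reproduce the real
# Debian apache2 changelog. The maintainer address is a placeholder. CVE-2019-0211 is
# used as the example of a fix that Debian backported into the 2.4.38 package.
SAMPLE_CHANGELOG = """\
apache2 (2.4.38-3+deb10u10) buster-security; urgency=medium

  * Constructed entry: rebuild with updated patches (no CVE reference)

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

apache2 (2.4.38-3) unstable; urgency=high

  * Constructed entry: backport of the upstream fix for CVE-2019-0211

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Apr 2019 00:00:00 +0000
"""

# Upstream httpd release that first shipped each fix; this is the reference a scanner
# uses when it judges a vanilla version banner. The first three are from the question.
UPSTREAM_FIXED = {
    "CVE-2023-31122": "2.4.58",
    "CVE-2023-45802": "2.4.58",
    "CVE-2019-17567": "2.4.48",
    "CVE-2019-0211": "2.4.39",
}


def parse_debian_version(version: str) -> Tuple[int, str, str]:
    """Split e.g. '1:2.4.38-3+deb10u10' into (epoch, upstream, debian_revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # native package without a Debian revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def version_tuple(upstream: str) -> Tuple[int, ...]:
    """Numeric tuple for dotted upstream versions such as 2.4.38 (sufficient for httpd)."""
    return tuple(int(part) for part in re.findall(r"\d+", upstream))


def cves_in_changelog(changelog: str) -> Dict[str, str]:
    """Map each CVE mentioned in a Debian changelog to the newest entry that mentions it.

    Debian changelogs list the newest entry first, so the first mention wins.
    """
    fixed: Dict[str, str] = {}
    current = ""
    for line in changelog.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(2)
            continue
        for cve in CVE_RE.findall(line):
            fixed.setdefault(cve, current)
    return fixed


def assess(cve: str, installed: str, changelog_fixes: Dict[str, str]) -> Tuple[str, str]:
    """Classify one scanner finding against the installed package.

    Returns (status, detail) with status one of 'backported', 'upstream-fixed'
    or 'unconfirmed'. Only 'unconfirmed' needs a human to consult the distro tracker.
    """
    _, upstream, _ = parse_debian_version(installed)
    if cve in changelog_fixes:
        return "backported", f"changelog entry {changelog_fixes[cve]} references {cve}"
    fixed_in = UPSTREAM_FIXED.get(cve)
    if fixed_in and version_tuple(upstream) >= version_tuple(fixed_in):
        return "upstream-fixed", f"upstream {upstream} >= {fixed_in}"
    return "unconfirmed", f"no changelog reference and upstream {upstream} < {fixed_in or '?'}"


def report(installed: str, cves: List[str], changelog: str) -> Dict[str, Tuple[str, str]]:
    """Assess every CVE a scanner reported for the installed package version."""
    fixes = cves_in_changelog(changelog)
    return {cve: assess(cve, installed, fixes) for cve in cves}


if __name__ == "__main__":
    # Assumed installed version of the form Debian Buster ships for apache2.
    INSTALLED = "2.4.38-3+deb10u10"
    findings = ["CVE-2023-31122", "CVE-2023-45802", "CVE-2019-17567", "CVE-2019-0211"]
    for cve, (status, detail) in report(INSTALLED, findings, SAMPLE_CHANGELOG).items():
        print(f"{cve}: {status} ({detail})")
```

The script only trusts what the changelog says; a CVE reported as unconfirmed is not proof of exposure, since the package may be unaffected by configuration or the tracker may mark it as not affected, so the next step is the Debian security tracker entry for apache2 and, as the reply above indicates, the corresponding UCS errata.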