Our campus IT has raised a couple of concerns about CVE vulnerabilities related to running Omeka on Apache. Does anyone know if these CVEs are actual concerns for Omeka?
Specifically, these vulnerabilities are only problems if the server or things on it are using mod_lua, mod_proxy and “forward proxy functionality.”
Omeka doesn’t use or depend on any of those features. Whether or not any of them are used by something else would depend on your particular server configuration, independent of Omeka.
Also note that for all of those that you’ve listed, the issues were already fixed with updates to the distribution’s Apache packages, so if your server is using the up-to-date httpd package none of these apply anyway.
We are on Red Hat Enterprise, which apparently uses a different numbering schema than official Apache (for reasons that are unclear to me) but it’s good to know Omeka, at least, doesn’t use those.