Centos 6.8 and apache-2.2.15 Vulnerability

Dipu
Posts: 1
Joined: 2017/12/05 07:24:22

Centos 6.8 and apache-2.2.15 Vulnerability

Post by Dipu » 2017/12/05 07:33:31

Hi,

Recently our security team has found vulnerabilities with the current version of apache (2.2.15) I use on centos-6.8.

Below is the concern from the security team:

Apache HTTP Server Project released version 2.2.34 of the Apache HTTP Server (Apache), the final maintenance release of the 2.2 series. No further 2.2 releases are anticipated. This version of Apache is principally a security and bug fix maintenance release. Apache Web Server Project will provide no future release of the 2.2.x series, although some security patches may be published through December of 2017.

Below are the last updates in my current version.

rpm -q --changelog httpd | head -10
* Tue May 10 2016 Johnny Hughes <johnny@centos.org> - 2.2.15-53
- Roll in CentOS Branding

* Thu Feb 04 2016 Jan Kaluza <jkaluza@redhat.com> - 2.2.15-53
- core: fix possible long graceful restart caused by race condition between
httpd children processes (#1301758)

* Thu Jan 21 2016 Jan Kaluza <jkaluza@redhat.com> - 2.2.15-52
- core: fix crash when handling interim response from backend (#1298866)

Please advise if I need to update apache to another version. If so, how can I proceed with that? yum update is not bringing any more changes :(

Any help appreciated.

Thanks,
Dipu H

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 6.8 and apache-2.2.15 Vulnerability

Post by TrevorH » 2017/12/05 11:01:59

You should read the upstream backporting policy https://access.redhat.com/security/updates/backporting which describes how Redhat maintain their packages and backport fixes to their supported version.

However, from your rpm changelog I can see that your system is out of date and you need to yum update. For a start 6.8 is out of support since 6.9 was released about 6 months ago. The current httpd package on CentOS 6.9 is 2.2.15-60.6 and the changelog from that looks like
* Thu Oct 19 2017 Johnny Hughes <johnny@centos.org> - 2.2.15-60.6
- Roll in CentOS Branding

* Tue Sep 19 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-60.6
- Resolves: #1493061 - CVE-2017-9798 httpd: various flaws

* Wed Jul 26 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-60.5
- Resolves: #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw()
authentication bypass
- Resolves: #1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
- Resolves: #1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
- Resolves: #1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection
in mod_auth_digest

* Fri Jul 07 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-60.4
- Related: #1427675 - CVE-2016-8743 httpd: Apache HTTP Request Parsing
Whitespace Defects

* Thu Jun 29 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-60.3
- Resolves: #1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread

* Tue Jun 20 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-60.2
- Resolves: #1463354 - segfault in ap_proxy_set_scoreboard_lb

* Tue Jun 13 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-60.1
- Resolves: #1427675 - CVE-2016-8743 httpd: Apache HTTP Request Parsing
Whitespace Defects

* Fri Dec 09 2016 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-59
- Resolves: #1401694 - rotatelogs: creation of zombie processes when -p is used

* Mon Nov 07 2016 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-58
- Resolves: #1349546 - comments no longer allowed at the end of Allow
from statements and maybe other statements from mod_authz*

* Mon Nov 07 2016 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-57
- Resolves: #1356938 - mod_ssl install fails with a long hostname

* Thu Nov 03 2016 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-56
- Resolves: #1310582 - when ProxyErrorOverride is On, modcluster return
503 status code on subsequent requests

* Thu Sep 08 2016 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-55
- Resolves: #1372315 - ProxyRemote with HTTPS backend sends requests
with absoluteURI instead of abs_path

* Tue Jul 12 2016 Joe Orton <jorton@redhat.com> - 2.2.15-54
- add security fix for CVE-2016-5387

* Thu Feb 04 2016 Jan Kaluza <jkaluza@redhat.com> - 2.2.15-53
- core: fix possible long graceful restart caused by race condition between
httpd children processes (#1301758)

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
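Added example, not from the thread or from the CentOS project: a POSIX shell script that checks a package changelog for backported fixes by CVE id, which is what TrevorH's reply amounts to, since the upstream version string (2.2.15) never changes on CentOS 6. The embedded changelog excerpt is a constructed sample copied from the reply above; on a real host you would feed the script the output of `rpm -q --changelog httpd`.

```shell
#!/bin/sh
# Added example: verify backported fixes by CVE id rather than by version.
# A scanner that keys on "Apache/2.2.15" cannot see these backports; the
# package changelog can.  CHANGELOG is a constructed excerpt (taken from the
# reply above); replace it with "$(rpm -q --changelog httpd)" on a real host.

CHANGELOG='* Tue Sep 19 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-60.6
- Resolves: #1493061 - CVE-2017-9798 httpd: various flaws

* Wed Jul 26 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.2.15-60.5
- Resolves: #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw()
authentication bypass
- Resolves: #1463207 - CVE-2017-7679 httpd: mod_mime buffer overread'

# cve_fixed CVE-ID CHANGELOG-TEXT
# Prints the package release (EVR) whose entry first mentions the CVE and
# returns 0; prints nothing and returns 1 when the CVE is absent.
cve_fixed() {
    cve=$1
    text=$2
    printf '%s\n' "$text" | awk -v cve="$cve" '
        /^\* /          { release = $NF }   # header line: last field is the EVR
        index($0, cve)  { print release; found = 1; exit }
        END             { exit found ? 0 : 1 }'
}

# audit CVE-ID...  Reports each CVE and returns 1 if any is unaccounted for.
audit() {
    status=0
    for cve in "$@"; do
        if rel=$(cve_fixed "$cve" "$CHANGELOG"); then
            echo "$cve: fixed in $rel"
        else
            echo "$cve: NOT in changelog - update, or check the advisory"
            status=1
        fi
    done
    return $status
}

# CVE-2017-7668 is fixed in 2.2.15-60.3 on a current system but is not in
# this excerpt, so the sample run reports it as missing.
audit CVE-2017-9798 CVE-2017-3167 CVE-2017-7679 CVE-2017-7668 \
    || echo "at least one CVE is unaccounted for"
```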
