CVE-2017-15715 - httpd
Posted: 2018/05/09 21:47:32
I'm having a problem with CVE-2017-15715; it's been flagged by our PCI compliance scanner. I believe and understand it to be a low priority, but they go by NIST, which considers it to be a high priority - https://nvd.nist.gov/vuln/detail/CVE-2017-15715
Looking at the bug report here - https://bugzilla.redhat.com/show_bug.cgi?id=1560614
It would appear that Red Hat committed a patch for this on April 10 (unless I'm misunderstanding something about the language used). So my understanding is that this would be in RHEL 7.5. I also understand that CentOS 7.5 isn't out yet, but I can enable the CR repo and get this package (I had to do this to update my openssl package for another CVE, and was successful).
However, the updated package's (httpd-2.4.6-80.el7.centos.x86_64.rpm) changelog doesn't show anything for CVE-2017-15715, it shows:
CVE-2017-9798
CVE-2017-3167
CVE-2017-3169
CVE-2017-7679
CVE-2017-7668
CVE-2017-9788
So it looks to me like this CVE doesn't get addressed at all, and I'm not understanding something. Can someone help me out here?
I am fully aware that the CentOS team can't wave a magic wand and get Red Hat to fix this. I'm somewhat hoping that this patch will still see the light of day when CentOS 7.5 releases, but this is perhaps in vain.
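The check the poster is doing by hand (reading the package changelog for a CVE ID) is the right one for RHEL/CentOS, because Red Hat backports security fixes without bumping the upstream version string: httpd stays at 2.4.6 forever, and only the release tag and the `%changelog` entries record which CVEs were fixed. The script below is an added example, not part of the original post and not CentOS or Red Hat tooling. It wraps that check in a reusable function, extracts every CVE ID a changelog mentions, and shows how to point it at the installed package. The changelog text embedded in it is constructed to resemble the entries the poster quoted and is not real `rpm` output; the `rpm -q --changelog` and `yum updateinfo list --cve` invocations are real commands, but their availability on a given host is an assumption.

```shell
#!/bin/sh
# Added example: does a given CVE ID appear in an RPM changelog?
# Not from the original post. The sample changelog below is constructed.

# Constructed sample, shaped like a Red Hat %changelog entry. The CVE list
# matches what the poster reported for httpd-2.4.6-80.el7.centos; the date,
# packager and wording are placeholders, not real rpm output.
SAMPLE_CHANGELOG='* Tue Apr 10 2018 Example Packager <packager@example.invalid> - 2.4.6-80
- Resolves: CVE-2017-9798 (sample entry)
- Resolves: CVE-2017-3167 (sample entry)
- Resolves: CVE-2017-3169 (sample entry)
- Resolves: CVE-2017-7679 (sample entry)
- Resolves: CVE-2017-7668 (sample entry)
- Resolves: CVE-2017-9788 (sample entry)'

# cve_in_changelog CVE-ID CHANGELOG_TEXT
# Exit 0 if the ID appears as a whole token, 1 otherwise.
# -F: literal match; -w: whole word, so CVE-2017-9798 does not match
# CVE-2017-97980 and CVE-2017-979 does not match CVE-2017-9798;
# -i: changelogs are not consistent about case.
cve_in_changelog() {
    cve="$1"
    text="$2"
    printf '%s\n' "$text" | grep -Fwiq -- "$cve"
}

# list_cves CHANGELOG_TEXT
# Print every distinct CVE ID mentioned, one per line, sorted.
list_cves() {
    printf '%s\n' "$1" | grep -Eo 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# check_installed_package PACKAGE CVE-ID
# Live check against the installed RPM's changelog. Exit 0 = referenced,
# 1 = not referenced, 2 = could not check (no rpm, package not installed).
# Assumes the rpm command exists; on a yum host with the security plugin,
#   yum updateinfo list --cve CVE-2017-15715
# is the complementary check against the repository errata metadata.
check_installed_package() {
    pkg="$1"
    cve="$2"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; cannot check $pkg" >&2
        return 2
    fi
    if ! changelog=$(rpm -q --changelog "$pkg" 2>/dev/null); then
        echo "$pkg is not installed" >&2
        return 2
    fi
    cve_in_changelog "$cve" "$changelog"
}

# Demo against the constructed sample: one ID the poster saw listed,
# one he did not.
for id in CVE-2017-9798 CVE-2017-15715; do
    if cve_in_changelog "$id" "$SAMPLE_CHANGELOG"; then
        echo "$id: referenced in changelog"
    else
        echo "$id: NOT referenced in changelog"
    fi
done

echo "All CVE IDs in sample changelog:"
list_cves "$SAMPLE_CHANGELOG"
```

Usage on a real host is `check_installed_package httpd CVE-2017-15715`; a scanner that compares the reported version 2.4.6 against upstream will keep flagging the box whatever the changelog says, so the changelog or errata evidence is what goes back to the PCI assessor.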