CVE-2017-15715 - httpd

Posted: 2018/05/09 21:47:32
by the vp
I'm having a problem with CVE-2017-15715, it's been flagged by our PCI compliance scanner. I believe and understand it to be a low priority but they go by NIST, which considers it to be a high priority - https://nvd.nist.gov/vuln/detail/CVE-2017-15715

Looking at the bug report here - https://bugzilla.redhat.com/show_bug.cgi?id=1560614
It would appear that Red Hat committed a patch for this on April 10 (unless I'm misunderstanding something about the language used). So my understanding is that this would be in RHEL 7.5. I also understand that CentOS 7.5 isn't out yet, but I can enable the CR repo and get this package (I had to do this to update my openssl package for another CVE, and was successful).

However, the updated package's (httpd-2.4.6-80.el7.centos.x86_64.rpm) changelog doesn't show anything for CVE-2017-15715, it shows:

CVE-2017-9798
CVE-2017-3167
CVE-2017-3169
CVE-2017-7679
CVE-2017-7668
CVE-2017-9788

So it looks to me like this CVE doesn't get addressed at all, and I'm not understanding something. Can someone help me out here?

I am fully aware that the CentOS team can't wave a magic wand and get Red Hat to fix this. I'm somewhat hoping that this patch will still see the light of day when CentOS 7.5 releases, but this is perhaps in vain.

Re: CVE-2017-15715 - httpd

Posted: 2018/05/09 22:35:33
by avij
Unfortunately that fix isn't included in the httpd that is included in 7.5.

Re: CVE-2017-15715 - httpd

Posted: 2018/05/10 13:11:43
by the vp
Is there a manual method that can be used to apply the patch? I really don't want to install httpd from source.

Re: CVE-2017-15715 - httpd

Posted: 2018/05/10 14:19:40
by TrevorH
If you look at the NIST site, it has a banner on top of that entry saying that it's being reevaluated. Perhaps you should ask them why their evaluation of this bug is so radically different from the RH one, who don't think it's severe at all.

Re: CVE-2017-15715 - httpd

Posted: 2018/05/10 15:10:43
by the vp
TrevorH wrote: If you look at the NIST site, it has a banner on top of that entry saying that it's being reevaluated. Perhaps you should ask them why their evaluation of this bug is so radically different from the RH one, who don't think it's severe at all.
Saw that. We've been hitting our scanner over this because, frankly, I think their litmus test for PCI compliance has gotten way too strict. I mean, a CVE that's still being evaluated is a sticking point for compliance? Why? Frustrating. They only got this strict very recently so I'm hoping they're willing to reflect on this honestly, but I'm also hoping our owners switch to a different processor and scanner because I'm already very tired of them.

I'll hit NIST on this but my guess is they're going to ignore me. We'll see.

But, in case there's no hope in sight, does anyone have any insight on how to apply this fix manually if I am forced to choose between doing that or installing httpd from source?

Re: CVE-2017-15715 - httpd

Posted: 2018/05/10 16:02:41
by TrevorH
I see several ways to proceed. One is to grab the CentOS httpd SRPM and rebuild that with the patch (I presume there's a diff file around somewhere for it) and work that way. Use rpmbuild to recreate the SRPM with your patch, then use mock to rebuild that.

Or, you should be able to find something like this in the IUS repo:

httpd24u.x86_64 2.4.33-3.ius.centos7 ius
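The SRPM route outlined above, as an added shell example that is not code from the thread or the CentOS project: a helper that splices a patch into the spec file, followed by the rpmbuild/mock sequence. The patch file name, the ~/rpmbuild layout and the mock config name epel-7-x86_64 are assumptions.

```shell
# Added example, not code from the thread or the CentOS project: splice a local
# patch into an SRPM's spec and rebuild it the way TrevorH describes. Assumed,
# adapt as needed: patch file name, ~/rpmbuild layout, mock config epel-7-x86_64.
set -eu

# add_patch_to_spec SPEC PATCHFILE
# Inserts "PatchN: PATCHFILE" after the last PatchN: tag (N = highest existing + 1;
# after the last SourceN: tag if the spec has no patches), "%patchN -p1" after the
# last %patch line (or after %setup), and appends ".1" to Release so the rebuilt
# package is distinguishable from the stock one.
add_patch_to_spec() {
    spec=$1; patch=$2
    n=$(awk '/^Patch[0-9]+:/ { v = substr($1, 6) + 0; if (v > m) m = v } END { print m + 1 }' "$spec")
    awk -v n="$n" -v p="$patch" '
        /^Patch[0-9]+:/  { tag = NR }
        /^Source[0-9]*:/ { src = NR }
        /^%patch[0-9]+/  { app = NR }
        /^%setup/        { setup = NR }
        { line[NR] = $0 }
        END {
            if (!tag) tag = src
            if (!app) app = setup
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == tag) print "Patch" n ": " p
                if (i == app) print "%patch" n " -p1"
            }
        }' "$spec" > "$spec.tmp"
    sed 's/^\(Release:[[:space:]]*[0-9][0-9]*\)/\1.1/' "$spec.tmp" > "$spec" && rm "$spec.tmp"
}

# rebuild_httpd_with_patch PATCHFILE
# Fetch the source package, unpack it into ~/rpmbuild, add the patch, build a new
# SRPM and let mock build the binaries in a clean chroot. Run on a build host.
rebuild_httpd_with_patch() {
    patch=$1
    yumdownloader --source httpd                  # from yum-utils
    rpm -ivh httpd-*.src.rpm                      # fills ~/rpmbuild/{SPECS,SOURCES}
    cp "$patch" ~/rpmbuild/SOURCES/
    add_patch_to_spec ~/rpmbuild/SPECS/httpd.spec "$(basename "$patch")"
    rpmbuild -bs ~/rpmbuild/SPECS/httpd.spec      # new SRPM lands in ~/rpmbuild/SRPMS/
    mock -r epel-7-x86_64 --rebuild ~/rpmbuild/SRPMS/httpd-*.src.rpm
}

# Only run the full rebuild when asked: ./rebuild-httpd.sh run /path/to/fix.patch
if [ "${1:-}" = run ]; then
    rebuild_httpd_with_patch "$2"
fi
```

Verify the resulting package with `rpm -qp --changelog` and a scanner re-run before deploying it, and keep the custom release suffix so the locally built package is not silently replaced by a stock update.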

Re: CVE-2017-15715 - httpd

Posted: 2018/05/14 19:57:32
by the vp
Thank you, the IUS repo is the solution we're going with for now.

I did contact NIST but their response could be summarized as: "If you think the score should be lower, prove it." Which I suppose from their POV is a reasonable take, but how are we all supposed to succeed when RH and NIST don't agree, and see no need to communicate with each other at all? Frustrating.

Anyways, thanks again for your time.