Old repositories

Posted: 2019/11/04 06:05:25
by lol_
I conducted vulnerability scans and everyone was talking about the old apache. The version in the repository is 2.4.37, and the new one is 2.4.41. Question: when will the update be? P.S. I downloaded the new version to compile, but it is impossible to fully replace the old version.

Re: Old repositories

Posted: 2019/11/04 12:09:36
by jlehtone
The httpd in CentOS 8 is the same as in RHEL-8.
The version in RHEL-8 is based on 2.4.37. Forked from upstream Apache 2.4.37.

However, Red Hat backports features into the RHEL httpd. See: https://access.redhat.com/security/updates/backporting

In other words, the "2.4.37" in CentOS is most likely different from upstream 2.4.37. Do not look at what problems the original 2.4.37 has.
Check how Red Hat comments on new vulnerabilities in relation to their httpd in RHEL 8.

Red Hat does not rebase some components (like kernel and glibc) for the lifetime of a major release (10 years).
The httpd is in AppStream repository and thus possible to be rebased sooner.

Re: Old repositories

Posted: 2019/11/04 13:41:56
by TrevorH
And repoquery --changelog httpd reports the following changelog entries since the release of RHEL 8.0 in 2019-05

Changelog for httpd-2.4.37-12.module_el8.0.0+185+5908b0db.x86_64
* Mon Oct 07 2019 bstinson@centosproject.org - 2.4.37-12.el8.centos
- Reapply debranding changes from areguera

* Tue Sep 24 2019 CentOS Sources <bugs@centos.org> - 2.4.37-12.el8.centos
- Apply debranding changes

* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-12
- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount
  of data request leads to denial of service
- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length
  headers leads to denial of service
- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request
  for large response leads to denial of service
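An added example (not part of this thread, and not a Red Hat or CentOS tool) that turns the advice above into a repeatable check: instead of comparing the upstream version string, scan the package changelog for the CVE identifiers Red Hat records when it backports a fix. The sample changelog embedded below is the one TrevorH posted; on a real host you would feed the script the output of `rpm -q --changelog httpd` or `repoquery --changelog httpd` instead. `CVE-2000-0000` is a placeholder identifier used only to show the negative case.

```shell
#!/bin/sh
# Added example: does the installed package's RPM changelog record a backported
# fix for a given CVE? This is the check the backporting page recommends
# instead of trusting the upstream version number.
#
# On a live host, replace SAMPLE_CHANGELOG with:  rpm -q --changelog httpd
# (or: repoquery --changelog httpd). The sample below is the changelog
# quoted earlier in this thread.

SAMPLE_CHANGELOG='* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-12
- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount
  of data request leads to denial of service
- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length
  headers leads to denial of service
- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request
  for large response leads to denial of service'

# list_fixed_cves: read changelog text on stdin, print every CVE id it
# mentions, one per line, deduplicated.
list_fixed_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# cve_is_fixed CVE-ID: exit 0 if the changelog on stdin mentions exactly
# that id, 1 otherwise.
cve_is_fixed() {
    list_fixed_cves | grep -qx "$1"
}

# check_sample CVE-ID: run the check against the embedded sample changelog,
# print a one-line verdict and return 0 (listed) or 1 (not listed).
check_sample() {
    if printf '%s\n' "$SAMPLE_CHANGELOG" | cve_is_fixed "$1"; then
        echo "$1: backported fix recorded in changelog"
        return 0
    fi
    # Absence only means "not recorded here": the vendor advisory decides
    # whether the package was ever affected.
    echo "$1: not listed in changelog, consult the vendor advisory"
    return 1
}

# Stand-alone demo: two ids from the thread and one placeholder id.
for id in CVE-2019-9511 CVE-2019-9517 CVE-2000-0000; do
    check_sample "$id" || :
done
```

A scanner that flags "Apache 2.4.37" from the `Server` banner cannot see these changelog entries, which is why the banner-based finding and the changelog check disagree; the changelog is the one that reflects what is actually patched in the package.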

Re: Old repositories

Posted: 2019/11/04 16:39:50
by lol_
TrevorH wrote:
2019/11/04 13:41:56
And repoquery --changelog httpd reports the following changelog entries since the release of RHEL 8.0 in 2019-05

Changelog for httpd-2.4.37-12.module_el8.0.0+185+5908b0db.x86_64
* Mon Oct 07 2019 bstinson@centosproject.org - 2.4.37-12.el8.centos
- Reapply debranding changes from areguera

* Tue Sep 24 2019 CentOS Sources <bugs@centos.org> - 2.4.37-12.el8.centos
- Apply debranding changes

* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-12
- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount
  of data request leads to denial of service
- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length
  headers leads to denial of service
- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request
  for large response leads to denial of service
Thanks) I thought as much.