Old repositories
I conducted vulnerability scans and everyone was talking about the old Apache. The version in the repository is 2.4.37, and the new one is 2.4.41. Question: when will the update be? P.S. I downloaded the new version to compile, but it is impossible to fully replace the old version.
Re: Old repositories
The httpd in CentOS 8 is the same as in RHEL-8.
The version in RHEL-8 is based on 2.4.37. Forked from upstream Apache 2.4.37.
However, Red Hat backports fixes into the RHEL httpd. See: https://access.redhat.com/security/updates/backporting
In other words, the "2.4.37" in CentOS is most likely different from upstream 2.4.37. Do not look at what problems the original 2.4.37 has.
Check how Red Hat comments on new vulnerabilities in relation to their httpd in RHEL 8.
Red Hat does not rebase some components (like kernel and glibc) for the lifetime of a major release (10 years).
The httpd is in the AppStream repository and thus could be rebased sooner.
Re: Old repositories
And repoquery --changelog httpd reports the following changelog entries since the release of RHEL 8.0 in 2019-05
Changelog for httpd-2.4.37-12.module_el8.0.0+185+5908b0db.x86_64
* Mon Oct 07 2019 bstinson@centosproject.org - 2.4.37-12.el8.centos
- Reapply debranding changes from areguera
* Tue Sep 24 2019 CentOS Sources <bugs@centos.org> - 2.4.37-12.el8.centos
- Apply debranding changes
* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-12
- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount
of data request leads to denial of service
- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length
headers leads to denial of service
- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request
for large response leads to denial of service
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
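The two replies above make one practical point: a scanner that only reads the version string cannot tell a backported fix from a missing one, and the package changelog is where Red Hat records which CVEs a rebuild addresses. The script below is an added example, not code from the thread or from CentOS/Red Hat, that checks scanner-flagged CVE ids against changelog text. The sample changelog is the repoquery output quoted above; CVE-0000-0000 is a constructed placeholder for an id that is not listed.

```shell
#!/bin/sh
# Added example (not from the forum thread): cross-check CVE ids that a
# version-based scanner reported against the RPM changelog, which is where
# backported fixes are recorded even though the version string stays 2.4.37.

# Sample changelog text, copied from the repoquery output quoted in the thread.
SAMPLE_CHANGELOG='* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-12
- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount
of data request leads to denial of service
- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length
headers leads to denial of service
- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request
for large response leads to denial of service'

# cve_in_changelog CVE-ID CHANGELOG_TEXT
# Returns 0 and reports "fixed" when the id appears as a whole word in the
# changelog; otherwise returns 1, meaning "not listed, check the vendor
# advisory" rather than "vulnerable".
cve_in_changelog() {
    cve="$1"
    text="$2"
    if printf '%s\n' "$text" | grep -qw -- "$cve"; then
        printf '%s: fixed (listed in package changelog)\n' "$cve"
        return 0
    fi
    printf '%s: not listed in changelog, check the vendor advisory\n' "$cve"
    return 1
}

# list_cves CHANGELOG_TEXT: print every distinct CVE id mentioned, one per line,
# so the scanner's findings can be diffed against what the package claims to fix.
list_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Run the check over the sample; CVE-0000-0000 is a constructed placeholder.
for id in CVE-2019-9511 CVE-2019-9516 CVE-2019-9517 CVE-0000-0000; do
    cve_in_changelog "$id" "$SAMPLE_CHANGELOG" || true
done

# On a live CentOS/RHEL host the same functions read the installed package:
#   cve_in_changelog CVE-2019-9511 "$(rpm -q --changelog httpd)"
#   list_cves "$(rpm -q --changelog httpd)"
```

A miss in the changelog is a prompt to read Red Hat's CVE page for that id, not proof of exposure: the fix may live in another package (mod_http2 is a separate module here), or the advisory may state that the RHEL build was never affected.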
Re: Old repositories
Thanks) I thought as much.

TrevorH wrote: ↑2019/11/04 13:41:56
And repoquery --changelog httpd reports the following changelog entries since the release of RHEL 8.0 in 2019-05
Changelog for httpd-2.4.37-12.module_el8.0.0+185+5908b0db.x86_64
* Mon Oct 07 2019 bstinson@centosproject.org - 2.4.37-12.el8.centos
- Reapply debranding changes from areguera
* Tue Sep 24 2019 CentOS Sources <bugs@centos.org> - 2.4.37-12.el8.centos
- Apply debranding changes
* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-12
- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount of data request leads to denial of service
- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length headers leads to denial of service
- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request for large response leads to denial of service