[SOLVED] Apache 2.4.6 to 2.4.46 upgrade

Issues related to applications and software problems
kdpatil
Posts: 31
Joined: 2020/10/20 07:19:31

[SOLVED] Apache 2.4.6 to 2.4.46 upgrade

Post by kdpatil » 2020/11/16 08:49:02

Hi,

I am running CentOS 7 , latest patch with kernel - 3.10.0-1160.2.2.el7.x86_64

The apache shows running at 2.4.6

Per apache website 2.4.46 is latest

It is a little confusing, as 2.4.6 is actually lower than 2.4.46...

That said, the 2 vulnerabilities which I need to fix are CVE-2020-1927 & CVE-2020-1934

rpm -q --changelog httpd |grep -i 1934 shows "- Resolves:..."


Does that mean all I then need to address is CVE-2020-1927?

If yes, any suggestion on the fix? Does it need a patch or a build from source code?


#######################################
Supporting data :
#######################################


Apache HTTP Server 2.4.46 (httpd): 2.4.46 is the latest available version

#######################################

httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Oct 1 2020 16:52:05

#######################################

rpm -q --changelog httpd |grep -i 1934
- Resolves: #1823262 - CVE-2020-1934 httpd: mod_proxy_ftp use of uninitialized
#######################################



It was identified that the Apache web server version 2.4.6 currently deployed in ####


CVE-2020-1927: The vulnerability exists due to improper sanitization of user-supplied data in some "mod_rewrite" configurations. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
CVE-2020-1934: The vulnerability exists due to the fact that the "mod_proxy_ftp" may use uninitialized memory when proxying to a malicious FTP server. A remote attacker can gain unauthorized access to sensitive information on the target system.

#######################################


thanks
Last edited by kdpatil on 2020/11/19 03:03:22, edited 1 time in total.

jlehtone
Posts: 3180
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Apache 2.4.6 to 2.4.46 upgrade

Post by jlehtone » 2020/11/16 10:13:44

kdpatil wrote:
2020/11/16 08:49:02
The apache shows running at 2.4.6
Per apache website 2.4.46 is latest
It is a little confusing, as 2.4.6 is actually lower than 2.4.46...
When Red Hat includes a package into RHEL, they create a fork and backport changes to that fork.
They forked the httpd of RHEL 7 from upstream 2.4.6. Even though the package still has "2.4.6" in its name, it is something different than the original 2.4.6.

Red Hat has pages about CVEs. For example: https://access.redhat.com/security/cve/cve-2020-1927
That states that CVE-2020-1927 has been fixed for httpd of RHEL 7 in RHSA-2020:3958, which
lists both 1927 and 1934: https://access.redhat.com/errata/RHSA-2020:3958

The RHSA-2020:3958 provides httpd-2.4.6-95.el7 for RHEL 7.
CentOS 7 has package httpd-2.4.6-95.el7.centos, a rebuild of RHEL's httpd.
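The check jlehtone describes (trust the package release and changelog, not the upstream "2.4.6" string) can be scripted. The script below is an added example, not code from the thread or from Red Hat/CentOS. It assumes the fixed release is 95.el7 (httpd-2.4.6-95.el7 from RHSA-2020:3958, as stated above); the NVR string and changelog text are constructed sample input standing in for the output of `rpm -q httpd` and `rpm -q --changelog httpd`, and the second bug id is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a backported CentOS/RHEL 7
# httpd package carries the CVE fixes discussed, using the package release and
# changelog rather than the misleading upstream version string "2.4.6".
# Assumption: the advisory-level release is 95.el7 (httpd-2.4.6-95.el7, RHSA-2020:3958).

FIXED_RELEASE=95

# Constructed sample input, standing in for `rpm -q httpd` and
# `rpm -q --changelog httpd` on a patched CentOS 7 host.
SAMPLE_NVR='httpd-2.4.6-95.el7.centos.x86_64'
SAMPLE_CHANGELOG='* Mon Jan 01 2020 Package Maintainer <maintainer@example.com> - 2.4.6-95
- Resolves: #1823262 - CVE-2020-1934 httpd: mod_proxy_ftp use of uninitialized
- Resolves: #BUGID-PLACEHOLDER - CVE-2020-1927 httpd: mod_rewrite open redirect (constructed)

* Mon Jan 01 2020 Package Maintainer <maintainer@example.com> - 2.4.6-93
- earlier, unrelated entry (constructed)'

# Upstream version part of a NVR(A) string, e.g. "2.4.6".
upstream_version() {
    nv=${1%-*}                 # drop "-<release>.<dist>.<arch>"
    printf '%s\n' "${nv##*-}"  # keep what follows the package name
}

# Numeric package release, e.g. "95" from "...-95.el7.centos.x86_64".
release_number() {
    r=${1##*-}                 # "95.el7.centos.x86_64"
    r=${r%%.*}                 # "95"
    case $r in
        ''|*[!0-9]*) return 2 ;;   # not a plain number: refuse to compare
    esac
    printf '%s\n' "$r"
}

# True if the package release is at least the release the advisory shipped.
release_at_least() {
    rel=$(release_number "$1") || return 2
    [ "$rel" -ge "$2" ]
}

# True if the package changelog names the CVE, i.e. the fix was backported.
changelog_mentions() {
    printf '%s\n' "$2" | grep -q -- "$1"
}

# Report per-CVE status; return 0 only when the release is new enough and
# every requested CVE appears in the changelog.
assess_httpd() {
    nvr=$1; log=$2; shift 2
    ok=0
    echo "installed: $nvr (upstream base $(upstream_version "$nvr"))"
    if release_at_least "$nvr" "$FIXED_RELEASE"; then
        echo "release check: $(release_number "$nvr") >= $FIXED_RELEASE (RHSA-2020:3958 level)"
    else
        echo "release check: older than $FIXED_RELEASE, update httpd"; ok=1
    fi
    for cve in "$@"; do
        if changelog_mentions "$cve" "$log"; then
            echo "$cve: named in package changelog, fix is backported"
        else
            echo "$cve: NOT in package changelog"; ok=1
        fi
    done
    return $ok
}

assess_httpd "$SAMPLE_NVR" "$SAMPLE_CHANGELOG" CVE-2020-1927 CVE-2020-1934
```

On a real host, replace the two constructed strings with `$(rpm -q httpd)` and `$(rpm -q --changelog httpd)`; the changelog match is the authoritative signal, while the release comparison is a cross-check against the advisory's package release.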

kdpatil
Posts: 31
Joined: 2020/10/20 07:19:31

Re: Apache 2.4.6 to 2.4.46 upgrade

Post by kdpatil » 2020/11/18 05:01:53

thanks @jlehtone

So does that mean I am good & no action is needed?

jlehtone
Posts: 3180
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Apache 2.4.6 to 2.4.46 upgrade

Post by jlehtone » 2020/11/18 07:01:07

You are concerned about CVE-2020-1927 & CVE-2020-1934.
Red Hat claims to have fixed those.
If you already have httpd-2.4.6-95.el7, then you should be ok.

kdpatil
Posts: 31
Joined: 2020/10/20 07:19:31

Re: Apache 2.4.6 to 2.4.46 upgrade

Post by kdpatil » 2020/11/19 03:03:41

jlehtone wrote:
2020/11/18 07:01:07
You are concerned about CVE-2020-1927 & CVE-2020-1934.
Red Hat claims to have fixed those.
If you already have httpd-2.4.6-95.el7, then you should be ok.

thanks again @jlehtone
