Please suggest how I can apply the fix for the vulnerabilities reported in CVE-2021-44790 and CVE-2021-44224 on CentOS 7.
When I sync the repo I also do not get the latest package, httpd-2.4.6-97.el7_9.6.x86_64, which is reported in the CVE. Currently my CentOS 7 has the following httpd package version, i.e. httpd-2.4.6-97.el7.centos.2.x86_64, and after syncing the repo I see the "httpd-2.4.6-97.el7.centos.4" package available to update. Will this resolve those reported CVEs?
Fix for CVE-2021-44790 and CVE-2021-44224 in centos7
Re: Fix for CVE-2021-44790 and CVE-2021-44224 in centos7
Look at:
Code:
rpm -qi httpd
rpm -q --changelog httpd | less
Re: Fix for CVE-2021-44790 and CVE-2021-44224 in centos7
rpm -qi httpd output:
=================
[root@prod ~]# rpm -qi httpd
Name : httpd
Version : 2.4.6
Release : 97.el7.centos.2
Architecture: x86_64
Install Date: Fri 14 Jan 2022 15:07:30 AEDT
Group : System Environment/Daemons
Size : 9821080
License : ASL 2.0
Signature : RSA/SHA256, Fri 12 Nov 2021 06:12:58 AEDT, Key ID 24c6a8a7f4a80eb5
Source RPM : httpd-2.4.6-97.el7.centos.2.src.rpm
Build Date : Thu 11 Nov 2021 01:28:16 AEDT
Build Host : x86-02.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : http://httpd.apache.org/
Summary : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
[root@prod ~]#
=====================================================
rpm -q --changelog httpd | less output
-------------------------------------
* Wed Nov 10 2021 CentOS Sources <bugs@centos.org> - 2.4.6-97.el7.centos.2
- Remove index.html, add centos-noindex.tar.gz
- change vstring
- change symlink for poweredby.png
- update welcome.conf with proper aliases
* Mon Oct 25 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.2
- Resolves: #2015694 - proxy rewrite to unix socket fails with CVE-2021-40438 fix
* Thu Oct 07 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.1
- Resolves: #2011729 - CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted
request uri-path containing "unix:"
* Wed Oct 07 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-97
- Resolves: #1852350 - httpd/mod_proxy_http/mod_ssl aborted when sending
a client cert to backend server
- Resolves: #1785100 - mod_cgid takes CGIDScriptTimeout x 2 seconds for timeout
- Resolves: #1862499 - Intermittent Segfault in Apache httpd due to pool
concurrency issues
* Fri Apr 17 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-95
- Resolves: #1823262 - CVE-2020-1934 httpd: mod_proxy_ftp use of uninitialized
value
* Thu Mar 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-94
- Resolves: #1565491 - CVE-2017-15715 httpd: <FilesMatch> bypass with a trailing
newline in the file name
- Resolves: #1747283 - CVE-2019-10098 httpd: mod_rewrite potential open redirect
- Resolves: #1724879 - httpd terminates all SSL connections using an abortive
shutdown
- Resolves: #1715981 - Backport of SessionExpiryUpdateInterval directive
- Resolves: #1565457 - CVE-2018-1303 httpd: Out of bounds read in
mod_cache_socache can allow a remote attacker to cause a denial of service
- Resolves: #1566531 - CVE-2018-1283 httpd: Improper handling of headers in
mod_session can allow a remote user to modify session data for CGI applications
* Tue Oct 08 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-93
- Resolves: #1677496 - CVE-2018-17199 httpd: mod_session_cookie does not respect
expiry time
* Thu Aug 22 2019 Joe Orton <jorton@redhat.com> - 2.4.6-92
- htpasswd: add SHA-2 crypt() support (#1486889)
=================
Re: Fix for CVE-2021-44790 and CVE-2021-44224 in centos7
You have httpd-2.4.6-97.el7.centos.2 installed. The rpm commands query the installed package.
I assumed that you had run 'yum update' and have the httpd-2.4.6-97.el7.centos.4 already installed.
Output of repoquery --changelog httpd starts:
Code:
* Mon Jan 17 2022 CentOS Sources <bugs@centos.org> - 2.4.6-97.el7.centos.4
- Remove index.html, add centos-noindex.tar.gz
- change vstring
- change symlink for poweredby.png
- update welcome.conf with proper aliases
* Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com>
- Resolves: #2031072 - CVE-2021-34798 httpd: NULL pointer dereference via
malformed requests
- Resolves: #2031074 - CVE-2021-39275 httpd: out-of-bounds write in
ap_escape_quotes() via malicious input
- Resolves: #1969226 - CVE-2021-26691 httpd: Heap overflow in mod_session
* Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.3
- Resolves: #2035058 - CVE-2021-44790 httpd: mod_lua: possible buffer overflow
when parsing multipart content
* Mon Oct 25 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.2
- Resolves: #2015694 - proxy rewrite to unix socket fails with CVE-2021-40438 fix
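The check this reply describes (compare the installed package's changelog from `rpm -q --changelog` with the candidate's from `repoquery --changelog`, and see which release entry names the CVE) can be scripted. The following is an added example, not code from the thread or from CentOS; the two sample changelogs are constructed from the entries quoted in this thread, and the function names `cve_release_in_changelog` and `cve_status` are mine. It also handles the entry header in the repoquery output that carries no version suffix, reporting it by date instead of a release.

```shell
#!/bin/sh
# Added example (not from the thread): answer "does the installed or the
# candidate package list CVE X in its changelog, and in which release?"
# On a real host, feed it:
#   rpm -q --changelog httpd        # installed package (what the OP ran)
#   repoquery --changelog httpd     # candidate package in the enabled repos

# Print the release of the newest changelog entry mentioning CVE "$1".
# rpm changelogs are newest-first, so the first hit is the release that
# carries the fix (or a later follow-up to it). Headers normally end in
# " - <version-release>"; a header without that suffix (present in the
# thread's repoquery output) is reported as "unversioned <date>".
# Exit status 0 when found, 1 when the CVE is absent.
cve_release_in_changelog() {
    awk -v cve="$1" '
        /^\* / {                       # entry header line
            n = split($0, f, / - /)
            rel = (n >= 2) ? f[n] : ("unversioned " $2 " " $3 " " $4 " " $5)
            next
        }
        index($0, cve) { print rel; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# Classify a CVE against the installed and candidate changelogs.
#   $1 = CVE id, $2 = installed changelog text, $3 = candidate changelog text
# Prints one of:
#   fixed-installed <release>   the installed package already lists it
#   fixed-by-update <release>   only the candidate in the repo lists it
#   not-listed                  neither mentions it; consult the vendor's
#                               advisory or CVE page rather than assuming
cve_status() {
    cve="$1"
    if rel=$(printf '%s\n' "$2" | cve_release_in_changelog "$cve"); then
        echo "fixed-installed $rel"
    elif rel=$(printf '%s\n' "$3" | cve_release_in_changelog "$cve"); then
        echo "fixed-by-update $rel"
    else
        echo "not-listed"
    fi
}

# Constructed sample, trimmed from the thread's `rpm -q --changelog httpd`
INSTALLED_LOG='* Wed Nov 10 2021 CentOS Sources <bugs@centos.org> - 2.4.6-97.el7.centos.2
- Remove index.html, add centos-noindex.tar.gz
* Mon Oct 25 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.2
- Resolves: #2015694 - proxy rewrite to unix socket fails with CVE-2021-40438 fix
* Thu Oct 07 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.1
- Resolves: #2011729 - CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted
request uri-path containing "unix:"'

# Constructed sample, trimmed from the thread's `repoquery --changelog httpd`
CANDIDATE_LOG='* Mon Jan 17 2022 CentOS Sources <bugs@centos.org> - 2.4.6-97.el7.centos.4
- Remove index.html, add centos-noindex.tar.gz
* Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com>
- Resolves: #2031072 - CVE-2021-34798 httpd: NULL pointer dereference via
malformed requests
* Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.3
- Resolves: #2035058 - CVE-2021-44790 httpd: mod_lua: possible buffer overflow
when parsing multipart content
* Mon Oct 25 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.2
- Resolves: #2015694 - proxy rewrite to unix socket fails with CVE-2021-40438 fix'

for c in CVE-2021-44790 CVE-2021-44224 CVE-2021-34798 CVE-2021-40438; do
    printf '%-16s %s\n' "$c" "$(cve_status "$c" "$INSTALLED_LOG" "$CANDIDATE_LOG")"
done
```

On the samples above, CVE-2021-44790 is reported as `fixed-by-update 2.4.6-97.3` and CVE-2021-40438 as `fixed-installed 2.4.6-97.2`, which matches what the thread's outputs show. CVE-2021-44224 comes out `not-listed` because the quoted portion of the repoquery changelog does not mention it; a changelog is only evidence of what it names, so for that id the vendor's advisory is the place to look, and after `yum update httpd` the installed changelog should be re-read rather than assumed.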
Re: Fix for CVE-2021-44790 and CVE-2021-44224 in centos7
It's "2.4.6-97.el7.centos.4" that is not installed; it still shows as available.
[root@prod ~]# yum list httpd
Loaded plugins: fastestmirror, langpacks
Repository base is listed more than once in the configuration
Loading mirror speeds from cached hostfile
* base: ftp.swin.edu.au
* epel: d2lzkl7pfhq30w.cloudfront.net
* extras: ftp.swin.edu.au
* updates: ftp.swin.edu.au
Installed Packages
httpd.x86_64 2.4.6-97.el7.centos.2 @CentOS_7-3
Available Packages
httpd.x86_64 2.4.6-97.el7.centos.4 CentOS_7-3
[root@prod ~]#
Re: Fix for CVE-2021-44790 and CVE-2021-44224 in centos7
You don't get bugs fixed unless you install the newer updated packages...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke