Apache HTTP httpd-2.4.6-90.el7.centos.x86_64 Vulnerable CVE-2019-10092

Support for security such as Firewalls and securing linux
Post Reply
somaraz
Posts: 6
Joined: 2018/01/04 02:23:41

Apache HTTP httpd-2.4.6-90.el7.centos.x86_64 Vulnerable CVE-2019-10092

Post by somaraz » 2020/03/03 08:10:02

Hi All,

There're several security issue in apache for CVE : CVE-2019-10092, CVE-2019-10091, CVE-2019-10098 and CVE-2019-10082.
Latest Apache is 2.4.41 according to https://httpd.apache.org/security/vulne ... es_24.html. Meanwhile I can find latest of httpd in Centos-7 is httpd-2.4.6-90.el7.centos.x86_64.

How can I know what Apache version I'm running compare to Apache website ?

Thanks,

User avatar
TrevorH
Forum Moderator
Posts: 28026
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Apache HTTP httpd-2.4.6-90.el7.centos.x86_64 Vulnerable CVE-2019-10092

Post by TrevorH » 2020/03/03 08:22:04

https://access.redhat.com/security/cve/CVE-2019-10092
https://access.redhat.com/security/cve/CVE-2019-10082
https://access.redhat.com/security/cve/CVE-2019-10098

The page for 10091 fails to load and using google to search for it also returns no useful results. That one either doesn't appear to exist or it's not public yet - are you sure of the number?

Also please see the page on how RHEL and Red Hat's backporting policy works: https://access.redhat.com/security/updates/backporting

oh, and to find out the current status of what's installed, use rpm -q --changelog httpd | less
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

somaraz
Posts: 6
Joined: 2018/01/04 02:23:41

Re: Apache HTTP httpd-2.4.6-90.el7.centos.x86_64 Vulnerable CVE-2019-10092

Post by somaraz » 2020/03/03 08:33:47

Hi TrevorH,

By default CentOS come with HTTP 2.4.6-x. Nessus always recommend to update to 2.4.41.
Do I need to install httpd24 instead of default HTTP ?

Here's my current HTTP Version :
rpm -q --changelog httpd | more
* Tue Aug 06 2019 CentOS Sources <bugs@centos.org> - 2.4.6-90.el7.centos
- Remove index.html, add centos-noindex.tar.gz
- change vstring
- change symlink for poweredby.png
- update welcome.conf with proper aliases

* Sat Jun 08 2019 Lubos Uhliarik <luhliari@redhat.com>
- Resolves: #1566317 - CVE-2018-1312 httpd: Weak Digest auth nonce generation
in mod_auth_digest
- Resolves: #1696141 - CVE-2019-0217 httpd: mod_auth_digest: access control
bypass due to race condition
- Resolves: #1696096 - CVE-2019-0220 httpd: URL normalization inconsistency

* Fri Mar 15 2019 Joe Orton <jorton@redhat.com> - 2.4.6-89
- fix per-request leak of bucket brigade structure (#1583218)

Thanks,

User avatar
TrevorH
Forum Moderator
Posts: 28026
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Apache HTTP httpd-2.4.6-90.el7.centos.x86_64 Vulnerable CVE-2019-10092

Post by TrevorH » 2020/03/03 08:50:48

By default CentOS come with HTTP 2.4.6-x. Nessus always recommend to update to 2.4.41.
Also please see the page on how RHEL and Red Hat's backporting policy works: https://access.redhat.com/security/updates/backporting

Also read the circumstances listed in those RHSA announcements about when you are vulnerable or not. If you do not use those particular directives then you are not vulnerable.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply

Return to “CentOS 7 - Security Support”