Hi,
I've been notified about the CVE-2021-40438 vulnerability in one of my servers. We have centos-sclo-rh/x86_64 on the server, with the package httpd24-httpd.x86_64 2.4.34-22.el7 @centos-sclo-rh installed.
The Red Hat advisory says the CVE is fixed in this version of the httpd package, but the security team was able to exploit the vulnerability.
Is the vulnerability really fixed, or should another update be issued?
CVE-2021-40438 and centos-sclo-rh/x86_64
Re: CVE-2021-40438 and centos-sclo-rh/x86_64
Your security team should report that to Red Hat.
Re: CVE-2021-40438 and centos-sclo-rh/x86_64
On RHEL 7, the httpd24-httpd.x86_64 is at version 2.4.34-22.el7.1 which is a whole .1 newer than the one on CentOS. And after much mucking around I finally managed to query the changelog without actually being forced to install the package and the top entry is:
* Thu Sep 30 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.34-22.1
- Resolves: #2007237 - CVE-2021-40438 httpd24-httpd: httpd: mod_proxy: SSRF via a crafted request uri-path
I also enabled the centos-sclo-sclo-testing repo to check if it had been built but not yet promoted but it's not there either.
I'd suggest looking up on the CentOS wiki when the next SCL SIG meeting is due to take place and join #centos-meeting (or meeting2, not sure which) on Libera.chat IRC and asking there.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
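The point of the reply above is that 2.4.34-22.el7 sorts before 2.4.34-22.el7.1 under RPM's version rules, so the CentOS SCL build predates the build whose changelog names the CVE. The following is an added example written for this thread (not code from rpm, Red Hat or CentOS): a simplified re-implementation of rpm's segment-by-segment version comparison, used to decide whether an installed epoch:version-release is older than the fixed one quoted in an advisory.

```python
import re

# Split a version or release string into comparable segments: runs of digits,
# runs of letters, or a lone "~" (pre-release marker). Separators like "." are dropped.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1, 0 or 1 as a is older than, equal to, or newer than b."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if "~" in (x, y):                      # tilde sorts before anything else
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():         # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # Equal common prefix: the string with segments left over is newer (22.el7.1 > 22.el7),
    # unless the leftover starts with "~" (1.0~rc1 < 1.0).
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1

def parse_evr(evr: str):
    """Split 'epoch:version-release'; the epoch is optional and defaults to 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return epoch or "0", version, release

def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0

def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed build predates the build the advisory names as fixed."""
    return evr_cmp(installed, fixed_in) < 0
```

With the versions from this thread, `is_vulnerable("2.4.34-22.el7", "2.4.34-22.el7.1")` returns True; the installed version string comes from `rpm -q httpd24-httpd`.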
Re: CVE-2021-40438 and centos-sclo-rh/x86_64
Hi, Trevor,
thanks for the answer. That was what I needed.
Best Regards,
Enrique.