CVE-2014-0098 Question on version updates

Support for security such as Firewalls and securing linux
phoenixx33
Posts: 2
Joined: 2022/04/18 14:26:56

CVE-2014-0098 Question on version updates

Post by phoenixx33 » 2022/04/18 14:32:12

This CVE-2014-0098 is coming up in a vulnerability report. I am currently running Apache 2.4.6-97. When I look up the CVE it says it isn't fixed until 2.4.9.

My question is, when I do an update on 2.4.6, will that only patch the security holes outlined in the changelog? But to fix something like this particular CVE I would have to do a full version upgrade to 2.4.9. Just updating 2.4.6 would not be good enough, correct?

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2014-0098 Question on version updates

Post by TrevorH » 2022/04/18 15:23:02

[root@centos7 ~]# rpm -q --changelog httpd | grep -i cve-2014-0098
- mod_log_config: add security fix for CVE-2014-0098 (#1077907)
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2014-0098 Question on version updates

Post by jlehtone » 2022/04/19 08:20:50

[root@centos7 ~]# rpm -q httpd
httpd-2.4.6-97.el7.centos.5.x86_64
[root@centos7 ~]# rpm -q --changelog httpd | grep -B3 -A1 -i cve-2014-0098

* Thu Mar 20 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-17
- mod_dav: add security fix for CVE-2013-6438 (#1077907)
- mod_log_config: add security fix for CVE-2014-0098 (#1077907)

Looking more closely, the fix was added as version 2.4.6-17 in March 2014 and now the version is 2.4.6-97.

Red Hat writes in https://access.redhat.com/solutions/57665:
"some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of components they find. This results in false positives as the tools do not take into account backported security fixes."
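As an added example (not part of the thread), a small Python check that does what the `rpm -q --changelog` / `grep` commands above do by hand: it parses changelog entries, finds the release that carried the CVE fix together with its Bugzilla id, and compares that release against the installed build with a simplified rpm version comparison. The changelog text is constructed from the listing above, with an assumed placeholder 2022 entry; `rpm` itself is not invoked.

```python
import re
# Constructed excerpt of `rpm -q --changelog httpd` modelled on the listing above; the 2022 entry is a placeholder.
SAMPLE_CHANGELOG = """\
* Mon Jan 10 2022 Placeholder Maintainer <maint@example.invalid> - 2.4.6-97.5
- placeholder: later rebuild (constructed entry)

* Thu Mar 20 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-17
- mod_dav: add security fix for CVE-2013-6438 (#1077907)
- mod_log_config: add security fix for CVE-2014-0098 (#1077907)
"""

HEADER_RE = re.compile(r"^\* .+ - (\S+)$")  # "* <date> <packager> - <version-release>"
BUG_RE = re.compile(r"#(\d+)")              # "(#1077907)" is the bugzilla.redhat.com id

def find_cve_fix(changelog, cve):
    """Return (version-release, [bugzilla ids]) of the entry mentioning cve, else None."""
    current = None
    for line in changelog.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
        elif current and cve.upper() in line.upper():
            return current, BUG_RE.findall(line)
    return None

def _vercmp(a, b):
    """Simplified rpmvercmp: numeric segments compare as integers, alpha ones lexically."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # rpm ranks a numeric segment above an alpha one
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings as rpm does: version first, then release."""
    (av, _, ar), (bv, _, br) = a.partition("-"), b.partition("-")
    return _vercmp(av, bv) or _vercmp(ar, br)

def evr_from_nevra(nevra):
    """'httpd-2.4.6-97.el7.centos.5.x86_64' -> '2.4.6-97.el7.centos.5'."""
    _name, version, release = nevra.rsplit(".", 1)[0].rsplit("-", 2)
    return f"{version}-{release}"

def is_backported(installed_nevra, changelog, cve):
    """True when the installed build is at or past the release carrying the CVE fix."""
    fix = find_cve_fix(changelog, cve)
    return fix is not None and evr_cmp(evr_from_nevra(installed_nevra), fix[0]) >= 0
```

On a real host the changelog text would come from `rpm -q --changelog httpd` and the NEVRA from `rpm -q httpd`; a scanner that compares only the upstream version string (2.4.6 against 2.4.9) cannot see the 2.4.6-17 backport this check finds.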

phoenixx33
Posts: 2
Joined: 2022/04/18 14:26:56

Re: CVE-2014-0098 Question on version updates

Post by phoenixx33 » 2022/04/19 15:04:42

Thanks! That's what I was looking for. Didn't know how to look that far into the changelog.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2014-0098 Question on version updates

Post by TrevorH » 2022/04/19 15:09:15

And that number in brackets at the end of the line is the bugzilla.redhat.com entry where you can find even more discussion about the issue and how it was fixed.
