CVE-2023-25690 - Security Update for httpd

Support for security such as Firewalls and securing linux
Post Reply
wargbang
Posts: 3
Joined: 2023/03/20 12:06:08

CVE-2023-25690 - Security Update for httpd

Post by wargbang » 2023/03/20 12:15:49

Hello Security Support Team,

I've a question regarding CVE-2023-25690. Are updates already available or will updates for the httpd package be offered soon to close the gap? I administer several CentOS 7.9 servers with the package version "httpd.x86_64 2.4.6-98.el7.centos.6 @updates".

I was not successful with the google search and via "yum update httpd" was no further updates are available.

Thank you in advance for feedback :)

Kind Regards,
Pete
Top
User avatar
TrevorH
Site Admin
Posts: 32758
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2023-25690 - Security Update for httpd

Post by TrevorH » 2023/03/20 12:22:16

Fix is not even available for RHEL 7 yet.

https://access.redhat.com/security/cve/CVE-2023-25690
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke
Top
wargbang
Posts: 3
Joined: 2023/03/20 12:06:08

Re: CVE-2023-25690 - Security Update for httpd

Post by wargbang » 2023/03/20 12:30:11

TrevorH wrote:
2023/03/20 12:22:16
 Fix is not even available for RHEL 7 yet.

https://access.redhat.com/security/cve/CVE-2023-25690
Thanks for your fast feedback. :)
Then I will keep an eye on the RHEL CVE website in the future.
Top
wargbang
Posts: 3
Joined: 2023/03/20 12:06:08

Re: CVE-2023-25690 - Security Update for httpd

Post by wargbang » 2023/04/06 09:02:54

RHEL has now provided the fix for the CVE.
I have just downloaded and installed the patch for CentOS 7 systems.

Many thanks
Top
ArMartEs
Posts: 1
Joined: 2023/04/28 12:49:53

Re: CVE-2023-25690 - Security Update for httpd

Post by ArMartEs » 2023/04/28 12:53:53

wargbang wrote:
2023/04/06 09:02:54
 RHEL has now provided the fix for the CVE.
I have just downloaded and installed the patch for CentOS 7 systems.

Many thanks
Hi Wargbang,

I am completely new to CentOS, and I do notice that RH has updated the package to address the CVE, yet the CentOS update repository still has the old version. Am I looking in the wrong place for these centOS patches? I even went and search for multiple mirrors and all of them still have 2.4.6-98.el7.centos.7

Please help!
Top
User avatar
TrevorH
Site Admin
Posts: 32758
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2023-25690 - Security Update for httpd

Post by TrevorH » 2023/04/28 13:19:55

I even went and search for multiple mirrors and all of them still have 2.4.6-98.el7.centos.7
That is the fixed version.

Code: Select all

[root@centos7 ~]# rpm -q --changelog httpd  | less
* Wed Apr 05 2023 Johnny Hughes <johnny@centos.org>
- Manual CentOS Debranding

* Tue Mar 21 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.7
- Resolves: #2177742 - CVE-2023-25690 httpd: HTTP request splitting with
  mod_rewrite and mod_proxy
...
(it does appear that the RH package maintainer has not caught up with the fact that the RHEL package is 2.4.6-98* and is still creating changelog entries for 2.4.6.-97 but that is a different issue).
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke
Top
Post Reply

Return to “CentOS 7 - Security Support”