Hello Security Support Team,
I've a question regarding CVE-2023-25690. Are updates already available or will updates for the httpd package be offered soon to close the gap? I administer several CentOS 7.9 servers with the package version "httpd.x86_64 2.4.6-98.el7.centos.6 @updates".
I was not successful with a Google search, and via "yum update httpd" no further updates are available.
Thank you in advance for feedback
Kind Regards,
Pete
CVE-2023-25690 - Security Update for httpd
Re: CVE-2023-25690 - Security Update for httpd
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: CVE-2023-25690 - Security Update for httpd
TrevorH wrote: ↑2023/03/20 12:22:16
> Fix is not even available for RHEL 7 yet.
> https://access.redhat.com/security/cve/CVE-2023-25690

Thanks for your fast feedback.
Then I will keep an eye on the RHEL CVE website in the future.
Re: CVE-2023-25690 - Security Update for httpd
RHEL has now provided the fix for the CVE.
I have just downloaded and installed the patch for CentOS 7 systems.
Many thanks
Re: CVE-2023-25690 - Security Update for httpd
Hi Wargbang,
I am completely new to CentOS, and I do notice that RH has updated the package to address the CVE, yet the CentOS update repository still has the old version. Am I looking in the wrong place for these CentOS patches? I even went and searched for multiple mirrors and all of them still have 2.4.6-98.el7.centos.7.
Please help!
Re: CVE-2023-25690 - Security Update for httpd
> I even went and searched for multiple mirrors and all of them still have 2.4.6-98.el7.centos.7

That is the fixed version.
Code:
[root@centos7 ~]# rpm -q --changelog httpd | less
* Wed Apr 05 2023 Johnny Hughes <johnny@centos.org>
- Manual CentOS Debranding
* Tue Mar 21 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.7
- Resolves: #2177742 - CVE-2023-25690 httpd: HTTP request splitting with
mod_rewrite and mod_proxy
...
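The changelog check from the last reply, as an added example that is not part of the thread: the release suffix alone does not say which CVEs a build addresses, so the script finds the changelog entry that names the CVE. The function names are hypothetical, and the sample changelog is reconstructed from the excerpt quoted above.

```shell
#!/bin/sh
# Added example: locate the RPM changelog entry that mentions a given CVE.

# Constructed sample input: the changelog excerpt quoted in the thread.
sample_changelog() {
cat <<'EOF'
* Wed Apr 05 2023 Johnny Hughes <johnny@centos.org>
- Manual CentOS Debranding
* Tue Mar 21 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.7
- Resolves: #2177742 - CVE-2023-25690 httpd: HTTP request splitting with
mod_rewrite and mod_proxy
EOF
}

# cve_entry CVE-ID
# Reads a changelog on stdin and prints the header line of the newest entry
# whose body mentions the CVE. Returns 1 when no entry mentions it.
cve_entry() {
    awk -v cve="$1" '
        /^\* / { header = $0; next }           # start of a changelog entry
        {
            p = index($0, cve)
            if (p) {
                # Reject a longer id with the same prefix, e.g. searching
                # for CVE-2023-2569 must not match CVE-2023-25690.
                c = substr($0, p + length(cve), 1)
                if (c !~ /[0-9]/) { print header; found = 1; exit }
            }
        }
        END { exit !found }
    '
}

# check_pkg PKG CVE-ID
# Runs the same check against the installed package (requires rpm).
check_pkg() {
    if hdr=$(rpm -q --changelog "$1" 2>/dev/null | cve_entry "$2"); then
        echo "$1: $2 addressed in: $hdr"
    else
        echo "$1: no changelog entry mentions $2"
        return 1
    fi
}

# Demonstration on the constructed sample (runs without rpm).
sample_changelog | cve_entry CVE-2023-25690
```

On a CentOS 7 host, `check_pkg httpd CVE-2023-25690` performs the same lookup against the installed package.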