Old repositories

lol_
Posts: 2
Joined: 2019/11/04 05:58:26

Old repositories

Post by lol_ » 2019/11/04 06:05:25

I conducted vulnerability scans and everyone was talking about the old apache. The version in the repository is 2.4.37, and the new one is 2.4.41. Question: when will the update be? P.S. I downloaded the new version to compile, but it is impossible to fully replace the old version.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Old repositories

Post by jlehtone » 2019/11/04 12:09:36

The httpd in CentOS 8 is the same as in RHEL-8.
The version in RHEL-8 is based on 2.4.37, forked from upstream Apache 2.4.37.

However, Red Hat backports features into the RHEL httpd. See: https://access.redhat.com/security/updates/backporting

In other words, the "2.4.37" in CentOS is most likely different from upstream 2.4.37. Do not look at what problems the original 2.4.37 has.
Check how Red Hat comments on new vulnerabilities in relation to their httpd in RHEL 8.


Red Hat does not rebase some components (like kernel and glibc) for the lifetime of a major release (10 years).
The httpd is in the AppStream repository and thus can be rebased sooner.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Old repositories

Post by TrevorH » 2019/11/04 13:41:56

And repoquery --changelog httpd reports the following changelog entries since the release of RHEL 8.0 in 2019-05


Changelog for httpd-2.4.37-12.module_el8.0.0+185+5908b0db.x86_64
* Mon Oct 07 2019 bstinson@centosproject.org - 2.4.37-12.el8.centos
- Reapply debranding changes from areguera

* Tue Sep 24 2019 CentOS Sources <bugs@centos.org> - 2.4.37-12.el8.centos
- Apply debranding changes

* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-12
- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount
  of data request leads to denial of service
- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length
  headers leads to denial of service
- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request
  for large response leads to denial of service
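The practical check that follows from this thread, as an added example (not CentOS or Red Hat tooling): parse the `repoquery --changelog httpd` output quoted above and report which scanner-flagged CVE IDs the package changelog actually mentions, so a finding raised purely from the "2.4.37" version string can be separated from one that still needs the vendor advisory checked. The changelog text is the one from the post above; CVE-2019-00000 is a constructed placeholder, not a real ID.

```python
import re

# Changelog text as quoted in TrevorH's post above (repoquery --changelog httpd).
CHANGELOG = """\
Changelog for httpd-2.4.37-12.module_el8.0.0+185+5908b0db.x86_64
* Mon Oct 07 2019 bstinson@centosproject.org - 2.4.37-12.el8.centos
- Reapply debranding changes from areguera

* Tue Sep 24 2019 CentOS Sources <bugs@centos.org> - 2.4.37-12.el8.centos
- Apply debranding changes

* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-12
- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount
  of data request leads to denial of service
- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length
  headers leads to denial of service
- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request
  for large response leads to denial of service
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Entry header: "* Thu Aug 29 2019 Name <mail> - 2.4.37-12" -> date, author, version
HEADER_RE = re.compile(r"^\* (\w{3} \w{3} \d{2} \d{4}) (.+?) - (\S+)$")

def parse_changelog(text):
    """Split rpm-style changelog text into entries (newest first), each a dict
    with date, author, version and the set of CVE IDs named under it."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            date, author, version = m.groups()
            entries.append({"date": date, "author": author, "version": version, "cves": set()})
        elif entries:  # body line; the "Changelog for ..." preamble is skipped
            entries[-1]["cves"].update(CVE_RE.findall(line))
    return entries

def check_cves(changelog, flagged):
    """Return (mentioned, unmentioned): flagged CVE -> newest package version whose
    entry names it, and the sorted rest, which need the vendor advisory checked."""
    seen = {}
    for e in parse_changelog(changelog):
        for cve in e["cves"]:
            seen.setdefault(cve, e["version"])
    flagged = set(flagged)
    return {c: seen[c] for c in flagged if c in seen}, sorted(flagged - set(seen))

if __name__ == "__main__":
    # CVE-2019-00000 is a constructed placeholder, not a real CVE ID
    print(check_cves(CHANGELOG, ["CVE-2019-9511", "CVE-2019-00000"]))
```

Feed it the real output of `rpm -q --changelog httpd` on the host and the scanner's CVE list; anything left in the second result is what still needs a look at the Red Hat advisory rather than the version number.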

lol_
Posts: 2
Joined: 2019/11/04 05:58:26

Re: Old repositories

Post by lol_ » 2019/11/04 16:39:50

TrevorH wrote:
2019/11/04 13:41:56
And repoquery --changelog httpd reports the following changelog entries since the release of RHEL 8.0 in 2019-05


Changelog for httpd-2.4.37-12.module_el8.0.0+185+5908b0db.x86_64
* Mon Oct 07 2019 bstinson@centosproject.org - 2.4.37-12.el8.centos
- Reapply debranding changes from areguera

* Tue Sep 24 2019 CentOS Sources <bugs@centos.org> - 2.4.37-12.el8.centos
- Apply debranding changes

* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-12
- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount
  of data request leads to denial of service
- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length
  headers leads to denial of service
- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request
  for large response leads to denial of service
Thanks) I thought as much.
