Centos 8 httpd updates

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 8 httpd updates

Post by TrevorH » 2020/12/12 02:55:35

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Tiraflo
Posts: 4
Joined: 2020/12/08 16:51:05

Re: Centos 8 httpd updates

Post by Tiraflo » 2020/12/14 10:34:02

Thank you for the link.

Unfortunately, I'm not sure about the way I should interpret it and how it replies to my previous statements.

According to me, this should match my case:

Platform: Red Hat Enterprise Linux 8
Package: httpd:2.4
State: Fixed
Errata: RHSA-2020:4751
Release Date: November 4, 2020

knowing that

CentOS version | RHEL base | Kernel | CentOS release date | RHEL release date | Delay (days)
8.3-2011 | 8.3 | 4.18.0-240 | 2020-12-07 | 2020-11-03 | 34

but I probably misunderstand something.

After updating my system to Centos 8.3, the latest available httpd package is still 2.4.37 and the related changelog hasn't changed either.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 8 httpd updates

Post by TrevorH » 2020/12/14 11:13:40

https://access.redhat.com/errata/RHSA-2020:4751 says it's fixed in 2.4.37-30 and that is the current version listed by dnf list httpd on CentOS 8.3.

Tiraflo
Posts: 4
Joined: 2020/12/08 16:51:05

Re: Centos 8 httpd updates

Post by Tiraflo » 2020/12/15 11:53:36

Thank you for your feedback.

Indeed the listed package is 2.4.37-30.module_el8.3.0+561+97fdbbcc linked to source httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.src.rpm, which seems to correspond to the one mentioned in the errata (httpd-2.4.37-30.module+el8.3.0+7001+0766b9e7.src.rpm).

I couldn't find the meaning of the bold numbers (561 & 7001) but I assume it makes the distinction between Red Hat and CentOS.

I'm still puzzling over the following: is it then a mistake/a lack that CVE-2018-17189 is not mentioned in the changelog of version 2.4.37-30?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Centos 8 httpd updates

Post by jlehtone » 2020/12/15 15:36:24

Look at the

mod_http2    1.15.7-2.module_el8.3.0+477+498bb568 

Tiraflo
Posts: 4
Joined: 2020/12/08 16:51:05

Re: Centos 8 httpd updates

Post by Tiraflo » 2020/12/16 14:57:18

Thanks for the hint.

Thank you to both of you for your insight and support.

zeekus
Posts: 1
Joined: 2020/12/02 14:24:02

Re: Centos 8 httpd updates

Post by zeekus » 2021/02/01 20:21:02

Anyone know how to fix this one ?

I can't seem to find a recent update for this bug in Centos8.

moderate: CVE-2019-10097 mod_remoteip: Stack buffer overflow and NULL pointer dereference (CVE-2019-10097)
When mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.

Acknowledgements: The issue was discovered by Daniel McCarney <cpu@letsencrypt.org> Let's Encrypt / Internet Security Research Group (ISRG)

Reported to security team 23rd July 2019
Issue public 14th August 2019
Update Released 14th August 2019
Affects 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33

[root@myserver ~]# httpd -v ; cat /etc/centos-release
Server version: Apache/2.4.37 (centos)
Server built: Nov 4 2020 03:20:37

CentOS Linux release 8.3.2011

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 8 httpd updates

Post by TrevorH » 2021/02/01 21:13:23

Run yum update

It's listed in the rpm changelog for the latest version.

[root@centos8 ~]# rpm -q --changelog httpd | grep CVE-2019-10097
- Resolves: #1747291 - CVE-2019-10097 httpd:2.4/httpd: null-pointer dereference
[root@centos8 ~]# rpm -q httpd 
httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64
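The changelog check from the post above, generalized to a list of CVE ids, as an added example that is not part of the thread. Distro vendors backport fixes without bumping the upstream version (httpd stays 2.4.37), so "httpd -v" cannot tell you whether a CVE is fixed, but the changelog of the installed build can. The sample changelog text is constructed, modelled on the rpm output quoted above; the only real command assumed is rpm -q --changelog.

```shell
#!/bin/sh
# Check a list of CVE ids against an RPM's %changelog text.

# Constructed sample changelog (not a real copy of the CentOS changelog).
SAMPLE_CHANGELOG='* Tue Nov 03 2020 Example Packager <packager@example.invalid> - 2.4.37-30
- Resolves: #1747291 - CVE-2019-10097 httpd:2.4/httpd: null-pointer dereference
- Resolves: #1747284 - CVE-2019-10092 httpd:2.4/httpd: limited cross-site scripting
* Mon Oct 12 2020 Example Packager <packager@example.invalid> - 2.4.37-29
- Resolves: #1888001 - CVE-2020-11984 httpd:2.4/httpd: mod_proxy_uwsgi buffer overflow'

# Print every CVE id found in the changelog text on stdin, one per line, deduplicated.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# cve_fixed CVE-ID CHANGELOG_TEXT -> exit 0 if the id is mentioned, 1 otherwise.
cve_fixed() {
    printf '%s\n' "$2" | changelog_cves | grep -qx "$1"
}

# check_cves CHANGELOG_TEXT CVE... -> prints one line per CVE and returns the
# number of CVEs that were not found (0 means every id is accounted for).
check_cves() {
    changelog=$1; shift
    missing=0
    for cve in "$@"; do
        if cve_fixed "$cve" "$changelog"; then
            printf '%s: fixed (listed in changelog)\n' "$cve"
        else
            printf '%s: NOT listed in changelog, investigate\n' "$cve"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# On a real host, feed the installed package's changelog instead of the sample:
#   check_cves "$(rpm -q --changelog httpd)" CVE-2019-10097 CVE-2018-17189
check_cves "$SAMPLE_CHANGELOG" CVE-2019-10097 CVE-2018-17189 || :
```

A CVE absent from the changelog is not proof the package is vulnerable: the fix may have landed under a different id or before the affected code was added, so cross-check the vendor errata before escalating.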
