Centos 8 httpd updates
Re: Centos 8 httpd updates
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Centos 8 httpd updates
Thank you for the link.
Unfortunately, I'm not sure about the way I should interpret it and how it replies to my previous statements.
According to me, this should match my case:
Platform: Red Hat Enterprise Linux 8
Package: httpd:2.4
State: Fixed
Errata: RHSA-2020:4751
Release Date: November 4, 2020
knowing that
CentOS version | RHEL base | Kernel | CentOS release date | RHEL release date | Delay (days)
8.3-2011 | 8.3 | 4.18.0-240 | 2020-12-07 | 2020-11-03 | 34
but I probably misunderstand something.
After updating my system to Centos 8.3, the latest available httpd package is still 2.4.37 and the related changelog hasn't changed either.
Re: Centos 8 httpd updates
https://access.redhat.com/errata/RHSA-2020:4751 says it's fixed in 2.4.37-30 and that is the current version listed by dnf list httpd on CentOS 8.3.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Centos 8 httpd updates
Thank you for your feedback.
Indeed the listed package is 2.4.37-30.module_el8.3.0+561+97fdbbcc linked to source httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.src.rpm, which seems to correspond to the one mentioned in the errata (httpd-2.4.37-30.module+el8.3.0+7001+0766b9e7.src.rpm).
I couldn't find the meaning of the bold numbers (561 & 7001) but I assume it makes the distinction between Red Hat and CentOS.
I'm still puzzling over the following: is it then a mistake/a lack that CVE-2018-17189 is not mentioned in the changelog of version 2.4.37-30?
Re: Centos 8 httpd updates
Look at the
mod_http2 1.15.7-2.module_el8.3.0+477+498bb568
Re: Centos 8 httpd updates
Thanks for the hint.
Thank you to both of you for your insight and support.
Re: Centos 8 httpd updates
Anyone know how to fix this one?
I can't seem to find a recent update for this bug in Centos8.
moderate: CVE-2019-10097 mod_remoteip: Stack buffer overflow and NULL pointer dereference (CVE-2019-10097)
When mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.
Acknowledgements: The issue was discovered by Daniel McCarney <cpu@letsencrypt.org> Let's Encrypt / Internet Security Research Group (ISRG)
Reported to security team 23rd July 2019
Issue public 14th August 2019
Update Released 14th August 2019
Affects 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33
[root@myserver ~]# httpd -v ; cat /etc/centos-release
Server version: Apache/2.4.37 (centos)
Server built: Nov 4 2020 03:20:37
CentOS Linux release 8.3.2011
Re: Centos 8 httpd updates
Run yum update
It's listed in the rpm changelog for the latest version.
[root@centos8 ~]# rpm -q --changelog httpd | grep CVE-2019-10097
- Resolves: #1747291 - CVE-2019-10097 httpd:2.4/httpd: null-pointer dereference
[root@centos8 ~]# rpm -q httpd
httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
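An added example (not code from the thread, CentOS or Red Hat) that automates the check the last reply makes: it scans `rpm -q --changelog` text for CVE ids per package, so a fix is located in the package that actually carries it (httpd vs. the separate mod_http2 package) instead of being judged from the unchanged 2.4.37 version string. The package builds are taken from the thread; the changelog text, packager name, date, bug number #0000000 and CVE-0000-0000 are constructed placeholders.

```python
"""Map CVE ids to the installed package build whose rpm changelog claims the fix;
backports keep the upstream version (httpd stays 2.4.37). Added example, not thread code."""
import re
from typing import Dict, List, Tuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
HEADER_RE = re.compile(r"^\* .+?\s-\s(\S+)\s*$")  # "* <date> <packager> - <ver-rel>"
HTTPD = "httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64"
MOD_HTTP2 = "mod_http2-1.15.7-2.module_el8.3.0+477+498bb568.x86_64"

# Constructed stand-in for `rpm -q --changelog <pkg>` output (newest entry first).
# The CVE-2019-10097 line mirrors the thread; packager name, date and the
# mod_http2 entry (bug #0000000) are placeholders, not real changelog text.
SAMPLE_CHANGELOGS: Dict[str, str] = {
    HTTPD: """\
* Wed Nov 04 2020 Example Packager <packager@example.invalid> - 2.4.37-30
- Resolves: #1747291 - CVE-2019-10097 httpd:2.4/httpd: null-pointer dereference
""",
    MOD_HTTP2: """\
* Wed Nov 04 2020 Example Packager <packager@example.invalid> - 1.15.7-2
- Resolves: #0000000 - CVE-2018-17189 httpd:2.4/mod_http2: placeholder entry
""",
}

def cves_in_changelog(changelog: str) -> Dict[str, str]:
    """Map each CVE id to the newest version-release whose entry mentions it."""
    found: Dict[str, str] = {}
    current = None
    for line in changelog.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
        elif current is not None:
            for cve in CVE_RE.findall(line):
                found.setdefault(cve, current)  # first hit is the newest entry
    return found

def audit(wanted: List[str], changelogs: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Per wanted CVE, list (package, version-release) pairs claiming the fix; empty = not found."""
    report: Dict[str, List[Tuple[str, str]]] = {cve: [] for cve in wanted}
    for pkg, text in changelogs.items():
        for cve, release in cves_in_changelog(text).items():
            if cve in report:
                report[cve].append((pkg, release))
    return report

if __name__ == "__main__":  # placeholder CVE-0000-0000 exercises the "not found" path
    for cve, hits in audit(["CVE-2019-10097", "CVE-2018-17189", "CVE-0000-0000"], SAMPLE_CHANGELOGS).items():
        print(cve, hits or "not mentioned in any supplied changelog")
```

On a real host, feed it the output of `rpm -q --changelog` for each module package instead of the sample text.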