Re: Centos 8 httpd updates

Posted: 2020/12/12 02:55:35
by TrevorH

Re: Centos 8 httpd updates

Posted: 2020/12/14 10:34:02
by Tiraflo
Thank you for the link.

Unfortunately, I'm not sure about the way I should interpret it and how it replies to my previous statements.

According to me, this should match my case:

Platform: Red Hat Enterprise Linux 8
Package: httpd:2.4
State: Fixed
Errata: RHSA-2020:4751
Release Date: November 4, 2020

knowing that

CentOS version | RHEL base | Kernel | CentOS release date | RHEL release date | Delay (days)
8.3-2011 | 8.3 | 4.18.0-240 | 2020-12-07 | 2020-11-03 | 34

but I probably misunderstand something.

After updating my system to Centos 8.3, the latest available httpd package is still 2.4.37 and the related changelog hasn't changed either.

Re: Centos 8 httpd updates

Posted: 2020/12/14 11:13:40
by TrevorH
https://access.redhat.com/errata/RHSA-2020:4751 says it's fixed in 2.4.37-30 and that is the current version listed by dnf list httpd on CentOS 8.3.

Re: Centos 8 httpd updates

Posted: 2020/12/15 11:53:36
by Tiraflo
Thank you for your feedback.

Indeed the listed package is 2.4.37-30.module_el8.3.0+561+97fdbbcc linked to source httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.src.rpm, which seems to correspond to the one mentioned in the errata (httpd-2.4.37-30.module+el8.3.0+7001+0766b9e7.src.rpm).

I couldn't find the meaning of the bold numbers (561 & 7001) but I assume it makes the distinction between Red Hat and CentOS.

I'm still puzzling over the following: is it then a mistake/a lack that CVE-2018-17189 is not mentioned in the changelog of version 2.4.37-30?

Re: Centos 8 httpd updates

Posted: 2020/12/15 15:36:24
by jlehtone
Look at the

Code:

mod_http2    1.15.7-2.module_el8.3.0+477+498bb568 

Re: Centos 8 httpd updates

Posted: 2020/12/16 14:57:18
by Tiraflo
Thanks for the hint.

Thank you to both of you for your insight and support.

Re: Centos 8 httpd updates

Posted: 2021/02/01 20:21:02
by zeekus
Anyone know how to fix this one?

I can't seem to find a recent update for this bug in Centos8.

moderate: CVE-2019-10097 mod_remoteip: Stack buffer overflow and NULL pointer dereference (CVE-2019-10097)
When mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.

Acknowledgements: The issue was discovered by Daniel McCarney <cpu@letsencrypt.org> Let's Encrypt / Internet Security Research Group (ISRG)

Reported to security team 23rd July 2019
Issue public 14th August 2019
Update Released 14th August 2019
Affects 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33

[root@myserver ~]# httpd -v ; cat /etc/centos-release
Server version: Apache/2.4.37 (centos)
Server built: Nov 4 2020 03:20:37

CentOS Linux release 8.3.2011

Re: Centos 8 httpd updates

Posted: 2021/02/01 21:13:23
by TrevorH
Run yum update

It's listed in the rpm changelog for the latest version.

Code:

[root@centos8 ~]# rpm -q --changelog httpd | grep CVE-2019-10097
- Resolves: #1747291 - CVE-2019-10097 httpd:2.4/httpd: null-pointer dereference
[root@centos8 ~]# rpm -q httpd 
httpd-2.4.37-30.module_el8.3.0+561+97fdbbcc.x86_64
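
Added example (not part of any post above, and not Red Hat or CentOS tooling): a shell sketch of the two checks discussed in this thread, comparing an installed version-release with the one an errata names while ignoring the modular dist tag that differs between the RHEL and CentOS builds, and searching the changelogs of several packages for a CVE, since the thread points to mod_http2 as well as httpd. Function names are hypothetical, the mod_http2 changelog line is constructed, and the version compare handles numeric fields only.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical.

# Drop the modular dist tag (".module_el8.3.0+561+97fdbbcc" on CentOS,
# ".module+el8.3.0+7001+0766b9e7" in the errata) and anything after it.
base_vr() {
  printf '%s\n' "$1" | sed -E 's/\.module[_+]el[0-9.]+\+[0-9]+\+[0-9a-f]+.*$//'
}

# Succeeds if installed version-release ($1) >= errata version-release ($2).
# Simplified: compares numeric fields only, not a full rpm version compare.
at_least() {
  awk -v h="$(base_vr "$1")" -v w="$(base_vr "$2")" 'BEGIN {
    n = split(h, a, /[.-]/); m = split(w, b, /[.-]/)
    for (i = 1; i <= (n > m ? n : m); i++)
      if (a[i] + 0 != b[i] + 0) exit !(a[i] + 0 > b[i] + 0)
    exit 0
  }'
}

# Live system: emit "package<TAB>changelog line" for each package named.
tagged_changelogs() {
  for p in "$@"; do
    rpm -q --changelog "$p" | awk -v p="$p" '{ print p "\t" $0 }'
  done
}

# Constructed sample in the same format; the mod_http2 line is made up.
sample_changelogs() {
  printf 'httpd\t- Resolves: #1747291 - CVE-2019-10097 httpd:2.4/httpd: null-pointer dereference\n'
  printf 'mod_http2\t- Resolves: #NNNNNNN - CVE-2018-17189 (constructed line)\n'
}

# Read tagged lines on stdin; print each package whose changelog names the CVE.
pkgs_mentioning() {
  awk -F'\t' -v cve="$1" '{
    i = index($2, cve)
    if (i && substr($2, i + length(cve), 1) !~ /[0-9]/) print $1
  }' | sort -u
}

sample_changelogs | pkgs_mentioning CVE-2018-17189   # prints mod_http2
```

On a live system, `tagged_changelogs httpd mod_http2 | pkgs_mentioning CVE-2018-17189` runs the same search against the installed packages.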