CVE-2019-10092 and other vulnerabilities


Post by x0rsw1tch » 2020/11/13 21:33:50

Good day!

I am going through some PCI compliance related issues and have noticed that there are several unpatched vulnerabilities that I'd like to call attention to:

1. CVE-2019-10092: https://access.redhat.com/security/cve/CVE-2019-10092

I am going through the rpm changelog and am not seeing that this has been patched on 8.2.2004 with latest updates. Our provider wants us to apply this patch, or disable proxy directives. Disabling proxy directives would be impossible as our Apache is a proxy for our tomcat application. Is there something I am missing? Will I have to compile Apache from source and not use the rpm version, or is there an update forthcoming?

2. CVE-2020-11984, CVE-2020-1934, CVE-2018-17199
Didn't see these referenced in the changelog, but I have the appropriate modules disabled, or they are not installed.
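The changelog check described in the post above, as an added example that is not part of the original thread: it reports which CVE IDs a package changelog mentions, using whole-word matching so that a short ID such as CVE-2020-1934 is not falsely matched by a longer ID that begins with the same digits. The function names `cve_report` and `sample_changelog` are hypothetical, and the changelog excerpt is constructed for the demonstration, not real httpd package output.

```shell
#!/bin/sh
# Added example: list which CVE IDs an RPM changelog mentions.
# On a real host:  rpm -q --changelog httpd | cve_report CVE-2019-10092

# Constructed changelog excerpt (NOT real httpd changelog content).
sample_changelog() {
cat <<'EOF'
* Mon Jan 06 2020 Example Packager <packager@example.invalid> - 0.0.0-2
- Resolves: #0000001 - CVE-2018-17199 constructed entry for the demo
* Tue Oct 01 2019 Example Packager <packager@example.invalid> - 0.0.0-1
- constructed entry naming made-up longer ID CVE-2020-193400000
EOF
}

# cve_report CVE-ID...
# Reads changelog text on stdin and prints one line per ID:
#   "<id> listed"      the changelog mentions exactly this ID
#   "<id> not-listed"  no mention found
# The body runs in a subshell so its variables stay local.
cve_report() (
    log=$(cat)
    for id in "$@"; do
        # -F: match the ID literally; -w: whole word only, so
        # CVE-2020-1934 does not match inside CVE-2020-193400000.
        if printf '%s\n' "$log" | grep -qwF -- "$id"; then
            printf '%s listed\n' "$id"
        else
            printf '%s not-listed\n' "$id"
        fi
    done
)

# Demo run over the constructed excerpt with the IDs from the post.
sample_changelog | cve_report CVE-2019-10092 CVE-2020-11984 \
    CVE-2020-1934 CVE-2018-17199
```

A "not-listed" result only shows that the changelog text does not mention the ID; it does not by itself show whether the installed build is affected.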


Post by TrevorH » 2020/11/13 22:12:20

The fix for the first one you point to says it was released on 2020/11/04 which is the day that RHEL 8.3 was released. That means it's part of 8.3 and will be fixed once CentOS 8.3 comes out - that might be soon or it might be a while depending on how the rebuild goes. It's already in progress but there is never an ETA given - it arrives when it's ready and not before. I would suspect that the others will also be in the same category but unless you can find RHSAs for those too, it's not possible to check. If they also have a 4th Nov release date then it'll be the same story.


Post by x0rsw1tch » 2020/11/13 23:33:37

Good to know, thank you! Hope our current compliance doesn't expire before then!
