CVE-2019-10092 and other vulnerabilities

x0rsw1tch
Posts: 2
Joined: 2020/11/13 21:11:32

Post by x0rsw1tch » 2020/11/13 21:33:50

Good day!

I am going through some PCI compliance related issues and have noticed that there are several unpatched vulnerabilities that I'd like to call attention to:

1. CVE-2019-10092: https://access.redhat.com/security/cve/CVE-2019-10092

I am going through the rpm changelog and am not seeing that this has been patched on 8.2.2004 with latest updates. Our provider wants us to apply this patch, or disable proxy directives. Disabling proxy directives would be impossible as our Apache is a proxy for our tomcat application. Is there something I am missing? Will I have to compile Apache from source and not use the rpm version, or is there an update forthcoming?

2. CVE-2020-11984, CVE-2020-1934, CVE-2018-17199
Didn't see these referenced in the changelog, but I have the appropriate modules disabled, or they are not installed.
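The changelog check described in the post above, as an added example that is not part of the original post: it reports which CVE IDs an RPM changelog lists and in which entry. The function names and the sample changelog are constructed for illustration; on a real host the input would come from `rpm -q --changelog httpd`.

```sh
#!/bin/sh
# Added example (not from the thread): find CVE IDs in an RPM changelog.

# Constructed sample input; packager, dates and versions are placeholders.
# "CVE-2020-19340" is a constructed near-miss string to exercise matching.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Example Packager <packager@example.com> - 0.0.2-2
- Resolves: #0000002 - placeholder fix (CVE-2019-10092)
* Sun Dec 31 2023 Example Packager <packager@example.com> - 0.0.1-1
- placeholder entry mentioning CVE-2020-19340 only'

# cve_entry CHANGELOG CVE_ID
# Prints the header line ("* date packager - version-release") of the first
# changelog entry that names the CVE; prints nothing if no entry names it.
cve_entry() {
    printf '%s\n' "$1" | awk -v id="$2" '
        # Require a non-digit (or end of line) after the ID so that
        # CVE-2020-1934 does not match inside CVE-2020-19340.
        BEGIN { pat = tolower(id) "([^0-9]|$)" }
        /^\* / { header = $0 }            # start of a changelog entry
        !found && match(tolower($0), pat) { print header; found = 1 }
    '
}

# changelog_report CHANGELOG CVE_ID...
# One line per CVE: "<id> listed in: <entry header>" or "<id> not-listed".
changelog_report() {
    changelog=$1; shift
    for cve in "$@"; do
        entry=$(cve_entry "$changelog" "$cve")
        if [ -n "$entry" ]; then
            printf '%s listed in: %s\n' "$cve" "$entry"
        else
            printf '%s not-listed\n' "$cve"
        fi
    done
}

# Offline run over the constructed sample, using the CVE IDs from the post.
# On a real host: changelog_report "$(rpm -q --changelog httpd)" CVE-...
changelog_report "$SAMPLE_CHANGELOG" \
    CVE-2019-10092 CVE-2020-11984 CVE-2020-1934 CVE-2018-17199
```

A `not-listed` result only means the installed build's changelog does not name the CVE; the fix may ship with a later minor release, or the package may not be affected.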

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2019-10092 and other vulnerabilities

Post by TrevorH » 2020/11/13 22:12:20

The fix for the first one you point to says it was released on 2020/11/04 which is the day that RHEL 8.3 was released. That means it's part of 8.3 and will be fixed once CentOS 8.3 comes out - that might be soon or it might be a while depending on how the rebuild goes. It's already in progress but there is never an ETA given - it arrives when it's ready and not before. I would suspect that the others will also be in the same category but unless you can find RHSAs for those too, it's not possible to check. If they also have a 4th Nov release date then it'll be the same story.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

x0rsw1tch
Posts: 2
Joined: 2020/11/13 21:11:32

Re: CVE-2019-10092 and other vulnerabilities

Post by x0rsw1tch » 2020/11/13 23:33:37

Good to know, thank you! Hope our current compliance doesn't expire before then!
