Hi All,
There are several security issues in Apache for these CVEs: CVE-2019-10092, CVE-2019-10091, CVE-2019-10098 and CVE-2019-10082.
The latest Apache is 2.4.41 according to https://httpd.apache.org/security/vulne ... es_24.html. Meanwhile, the latest httpd I can find in CentOS 7 is httpd-2.4.6-90.el7.centos.x86_64.
How can I know what Apache version I'm running compared to the Apache website?
Thanks,
Apache HTTP httpd-2.4.6-90.el7.centos.x86_64 Vulnerable CVE-2019-10092
Re: Apache HTTP httpd-2.4.6-90.el7.centos.x86_64 Vulnerable CVE-2019-10092
https://access.redhat.com/security/cve/CVE-2019-10092
https://access.redhat.com/security/cve/CVE-2019-10082
https://access.redhat.com/security/cve/CVE-2019-10098
The page for 10091 fails to load and using google to search for it also returns no useful results. That one either doesn't appear to exist or it's not public yet - are you sure of the number?
Also please see the page on how RHEL and Red Hat's backporting policy works: https://access.redhat.com/security/updates/backporting
oh, and to find out the current status of what's installed, use rpm -q --changelog httpd | less
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
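The check TrevorH describes, as an added example (not code from this thread, from Red Hat or from CentOS): on RHEL/CentOS the upstream version string stays at 2.4.6 and fixes are backported, so instead of comparing against httpd.apache.org you look for the CVE id in the installed package's %changelog. The CVE ids are the ones from the thread; the sample changelog is constructed from the excerpt the OP pasted later for httpd-2.4.6-90.el7.centos, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread. Automates
#   rpm -q --changelog httpd | grep CVE-...
# with a pattern that will not confuse one CVE id with a longer one.

# Usage: ... | cve_in_changelog CVE-YYYY-NNNN
# Reads changelog text on stdin; exit 0 if the id appears, 1 otherwise.
# The id is anchored on non-digit characters so that searching for
# CVE-2019-1009 does not match CVE-2019-10092.
cve_in_changelog() {
    grep -Eiq "(^|[^0-9])$1([^0-9]|\$)"
}

# Usage: missing_cves "<changelog text>" CVE...
# Prints, on one line, the ids NOT mentioned in the changelog (empty line if
# all are present). Always returns 0 so it is safe to call under 'set -e'.
missing_cves() {
    changelog=$1; shift
    missing=""
    for cve in "$@"; do
        if ! printf '%s\n' "$changelog" | cve_in_changelog "$cve"; then
            missing="$missing${missing:+ }$cve"
        fi
    done
    printf '%s\n' "$missing"
}

# Live check against the installed package (run this part on the CentOS 7 box).
# Empty output means every id listed is named in the installed build's changelog.
# A miss means the build does not carry that fix, or the changelog names it
# differently, so confirm against the Red Hat CVE pages before closing a finding.
live_missing_cves() {
    missing_cves "$(rpm -q --changelog "${1:-httpd}")" \
        CVE-2019-10092 CVE-2019-10098 CVE-2019-10082
}

# Constructed sample: the changelog excerpt the OP pasted for -90.el7.centos.
SAMPLE_CHANGELOG='* Tue Aug 06 2019 CentOS Sources <bugs@centos.org> - 2.4.6-90.el7.centos
- change vstring
* Sat Jun 08 2019 Lubos Uhliarik <luhliari@redhat.com>
- Resolves: #1566317 - CVE-2018-1312 httpd: Weak Digest auth nonce generation
  in mod_auth_digest
- Resolves: #1696141 - CVE-2019-0217 httpd: mod_auth_digest: access control
  bypass due to race condition
- Resolves: #1696096 - CVE-2019-0220 httpd: URL normalization inconsistency
* Fri Mar 15 2019 Joe Orton <jorton@redhat.com> - 2.4.6-89
- fix per-request leak of bucket brigade structure (#1583218)'

# Demo against the sample: the Digest-auth CVEs are listed, the August 2019
# ids from the scanner report are not in this excerpt.
printf 'Not found in sample changelog: %s\n' \
    "$(missing_cves "$SAMPLE_CHANGELOG" CVE-2019-0217 CVE-2019-10092 CVE-2019-10098 CVE-2019-10082)"
```

Call `live_missing_cves` (optionally with a package name other than httpd) on the server itself; the demo at the bottom only exercises the embedded sample so the script runs without rpm installed.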
Re: Apache HTTP httpd-2.4.6-90.el7.centos.x86_64 Vulnerable CVE-2019-10092
Hi TrevorH,
By default CentOS comes with HTTP 2.4.6-x. Nessus always recommends updating to 2.4.41.
Do I need to install httpd24 instead of the default HTTP?
Here's my current HTTP version:
rpm -q --changelog httpd | more
* Tue Aug 06 2019 CentOS Sources <bugs@centos.org> - 2.4.6-90.el7.centos
- Remove index.html, add centos-noindex.tar.gz
- change vstring
- change symlink for poweredby.png
- update welcome.conf with proper aliases
* Sat Jun 08 2019 Lubos Uhliarik <luhliari@redhat.com>
- Resolves: #1566317 - CVE-2018-1312 httpd: Weak Digest auth nonce generation
in mod_auth_digest
- Resolves: #1696141 - CVE-2019-0217 httpd: mod_auth_digest: access control
bypass due to race condition
- Resolves: #1696096 - CVE-2019-0220 httpd: URL normalization inconsistency
* Fri Mar 15 2019 Joe Orton <jorton@redhat.com> - 2.4.6-89
- fix per-request leak of bucket brigade structure (#1583218)
Thanks,
Re: Apache HTTP httpd-2.4.6-90.el7.centos.x86_64 Vulnerable CVE-2019-10092
Also please see the page on how RHEL and Red Hat's backporting policy works: https://access.redhat.com/security/updates/backporting
By default CentOS comes with HTTP 2.4.6-x. Nessus always recommends updating to 2.4.41.
Also read the circumstances listed in those RHSA announcements about when you are vulnerable or not. If you do not use those particular directives then you are not vulnerable.