CVE-2022-22720

tmandel
Posts: 8
Joined: 2022/01/25 13:38:52

CVE-2022-22720

Post by tmandel » 2022/03/24 15:01:33

Dear team,

RH just released a corrected package for httpd on RH7 ( https://access.redhat.com/errata/RHSA-2022:1045 ); could you please confirm that it is going to be in your pipeline for recompilation and will be distributed via your security repository?

Many thanks for your support.

Regards,
Thelvaen

TrevorH
Forum Moderator
Posts: 32151
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2022-22720

Post by TrevorH » 2022/03/24 16:34:54

CentOS 7 is supported until the EOL of RHEL 7 in 2024. Anything released for RHEL will be rebuilt for CentOS. The package you mention is in the build queue.
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke

tmandel
Posts: 8
Joined: 2022/01/25 13:38:52

Re: CVE-2022-22720

Post by tmandel » 2022/03/25 00:46:07

Many thanks for your feedback.

Regards,
Thelvaen

beattodeath
Posts: 1
Joined: 2022/04/15 06:41:20

Re: CVE-2022-22720

Post by beattodeath » 2022/04/15 06:49:49

Hi
Does anyone know if this vulnerability has been fixed in this httpd version, v2.4.6-97?

TrevorH
Forum Moderator
Posts: 32151
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2022-22720

Post by TrevorH » 2022/04/15 11:10:51

It's fixed in httpd-2.4.6-97.el7.centos.5.x86_64. The .centos.5 is important.
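TrevorH's point that the `.centos.5` suffix matters can be checked mechanically: rpm does not compare release strings as plain text but segment by segment. The Python below is an added example, not code from this thread or from the CentOS project; it reimplements librpm's rpmvercmp rules (tilde handled, the newer caret rule left out) and assumes epoch 0 and an `rpm -q httpd` style name-version-release.arch string as input.

```python
import re

# Fixed EL7 build named in the post above (epoch, version, release).
FIXED_EVR = ("0", "2.4.6", "97.el7.centos.5")

_TOKEN = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # separators such as '.' are ignored

def rpmvercmp(a: str, b: str) -> int:
    """librpm-style comparison of one version or release string.
    Returns 1 if a is newer, -1 if older, 0 if equal: tilde sorts
    before anything, numeric segments beat alphabetic ones, numeric
    segments compare by value, and a longer string wins if all earlier
    segments are equal (so '97.el7.centos.5' > '97.el7.centos')."""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    while ta or tb:
        xa = ta.pop(0) if ta else ""
        xb = tb.pop(0) if tb else ""
        if xa == "~" or xb == "~":          # pre-release marker is always older
            if xa != xb:
                return -1 if xa == "~" else 1
            continue
        if not xa or not xb:                # one side ran out of segments
            return -1 if not xa else 1
        if xa.isdigit() and xb.isdigit():
            if int(xa) != int(xb):
                return 1 if int(xa) > int(xb) else -1
        elif xa.isdigit() != xb.isdigit():  # numeric segment beats alpha segment
            return 1 if xa.isdigit() else -1
        elif xa != xb:
            return 1 if xa > xb else -1
    return 0

def evr_cmp(a, b) -> int:
    """Compare (epoch, version, release) tuples field by field."""
    for x, y in zip(a, b):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0

def parse_nevra(pkg: str):
    """Split 'name-version-release.arch'; epoch is assumed to be 0 (httpd has none on EL7)."""
    nvr, _arch = pkg.rsplit(".", 1)
    name, ver, rel = nvr.rsplit("-", 2)
    return name, ("0", ver, rel)

def has_fix(pkg: str) -> bool:
    """True if the installed EL7 httpd package is at or past the fixed build."""
    name, evr = parse_nevra(pkg)
    return name == "httpd" and ".el7" in evr[2] and evr_cmp(evr, FIXED_EVR) >= 0
```

Feed it the output of `rpm -q httpd`; a build whose release lacks the `.centos.5` (or later) suffix is reported as unfixed.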

akyadav
Posts: 4
Joined: 2022/08/05 15:56:17

Re: CVE-2022-22720

Post by akyadav » 2022/08/05 15:57:52

Any idea when the new CentOS build with this httpd update would be available?

TrevorH
Forum Moderator
Posts: 32151
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2022-22720

Post by TrevorH » 2022/08/05 16:44:30

akyadav wrote (2022/08/05 15:57:52):
    Any idea when the new CentOS build with this httpd update would be available?
About 4 months ago.

akyadav
Posts: 4
Joined: 2022/08/05 15:56:17

Re: CVE-2022-22720

Post by akyadav » 2022/08/10 10:25:13

Is there a guide to patching the 2.4.37 version or any ways to fix the issue on CentOS Linux release 8.3.2011?

TrevorH
Forum Moderator
Posts: 32151
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2022-22720

Post by TrevorH » 2022/08/10 14:09:52

CentOS Linux 8 is dead. You need to move to something supported. Pick one of the alternative RHEL rebuilds listed in my sig below and use one of them. They all have scripts to convert from CentOS Linux to themselves so use one of those. Or if you don't value stability, use Stream.
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4098
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2022-22720

Post by jlehtone » 2022/08/10 16:04:26

Furthermore, while CentOS Linux 8 did die completely on 2021-12-31, CentOS Linux 8.3-2011 had already died on 2021-05-18 when 8.4-2105 was released.
If you have not installed the available updates since 8.4 was released, then you have at least 15 months' worth of vulnerabilities.
If you simply installed 8.3 and never installed any updates, then you have up to 21 months' worth of vulnerabilities.

Both in CentOS Linux and in the other alternative RHEL rebuilds, one simply has to run "dnf up" regularly.
The rebuilds (that are alive) currently have "8.6". When they release "8.7" after RHEL 8.7 has been released,
"dnf up" will give your system 8.7 content -- it will no longer be "8.6".

CentOS Linux 7 is already in its maintenance phase; an installed system should contain content based on RHEL 7.9.
One should run "yum update" regularly to get all the updates that still become available.
