Missing CentOS security fixes

Hi guys, I don't see security fixes for the following CVEs. Can you please add them?

CVE-2019-10092 CVE-2019-10098 CVE-2019-0220 CVE-2019-0217 CVE-2018-17199

Status: Closed (fixed)

Comments

Assigned: Unassigned »

Thanks for passing the info! I'm passing this to Joe.

Note that to improve the lag we sometimes see with things like that, in CentOS 8 we came up with an alternative way of handling Apache so that it wouldn't actually need to be modified by us, so it uses the default package as provided by CentOS.

I appreciate that doesn't help you now, but just a note for the future!

Great, thanks - that sounds much better. Are we talking days, weeks or months for a CentOS 7 update?

Is there any update here? This was flagged again in our most recent vulnerability scan as an urgent issue.

Submitted by Ilia on Mon, 12/07/2020 - 12:03

Version 2.4.6-95 is something CentOS 7 has upstream, right? We re-build httpd package based on upstream versions with suexec being the only difference.

Having a look at the package changelog, it seems that it does resolve those CVEs:

# yum changelog httpd
1:httpd-2.4.6-93.el7.vm.x86_64           installed
* Tue Mar 31 15:00:00 2020 CentOS Sources <bugs@centos.org> - 2.4.6-93.el7.centos
- Remove index.html, add centos-noindex.tar.gz
- change vstring
- change symlink for poweredby.png
- update welcome.conf with proper aliases

* Tue Oct  8 15:00:00 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-93
- Resolves: #1677496 - CVE-2018-17199 httpd: mod_session_cookie does not respect
  expiry time

* Thu Aug 22 15:00:00 2019 Joe Orton <jorton@redhat.com> - 2.4.6-92
- htpasswd: add SHA-2 crypt() support (#1486889)

* Wed Jul 31 15:00:00 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-91
- Resolves: #1630886 - scriptlet can fail if hostname is not installed
- Resolves: #1565465 - CVE-2017-15710 httpd: Out of bound write in
  mod_authnz_ldap when using too small Accept-Language values
- Resolves: #1568298 - CVE-2018-1301 httpd: Out of bounds access after
  failure in reading the HTTP request
- Resolves: #1673457 - Apache child process crashes because ScriptAliasMatch
  directive
- Resolves: #1633152 - mod_session missing apr-util-openssl
- Resolves: #1649470 - httpd response contains garbage in Content-Type header
- Resolves: #1724034 - Unexpected OCSP in proxy SSL connection

* Sat Jun  8 15:00:00 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-90
- Resolves: #1566317 - CVE-2018-1312 httpd: Weak Digest auth nonce generation
  in mod_auth_digest
- Resolves: #1696141 - CVE-2019-0217 httpd: mod_auth_digest: access control
  bypass due to race condition
- Resolves: #1696096 - CVE-2019-0220 httpd: URL normalization inconsistency

* Fri Mar 15 15:00:00 2019 Joe Orton <jorton@redhat.com> - 2.4.6-89
- fix per-request leak of bucket brigade structure (#1583218)

* Thu Jun 21 15:00:00 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-88
- Resolves: #1527295 - httpd with worker/event mpm segfaults after multiple
  SIGUSR1

* Thu Jun 21 15:00:00 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-87
- Resolves: #1458364 - RMM list corruption in ldap module results in server hang

* Thu Jun 21 15:00:00 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-86
- Resolves: #1493181 - RFE: mod_ssl: allow sending multiple CA names which
  differ only in case

* Wed Jun 20 15:00:00 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-85
- Resolves: #1556761 - mod_proxy_wstunned config needs the default port number

* Mon Jun 18 15:00:00 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-84
- Resolves: #1548501 - Make OCSP more configurable (like CRL)

* Mon Jun 11 15:00:00 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-83
- Resolves: #1523536 - Backport Apache BZ#59230 mod_proxy_express uses db
  after close

* Mon Jun 11 15:00:00 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-82
- Resolves: #1533793 - Use Variable with mod_authnz_ldap

* Mon Mar 26 15:00:00 2018 Joe Orton <jorton@redhat.com> - 2.4.6-81
- don't terminate connections during graceful stop/restart (#1557785)

* Mon Jan  8 15:00:00 2018 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-80
- Related: #1288395 - httpd segfault when logrotate invoked

* Wed Nov  1 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-79
- Resolves: #1274890 - mod_ssl config: tighten defaults

* Tue Oct 31 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-78
- Resolves: #1506392 - Backport: SSLSessionTickets directive support

* Mon Oct 16 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-77
- Resolves: #1440590 - Need an option to disable UTF8-conversion
  of certificate DN

* Thu Oct 12 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-76
- Resolves: #1464406 - Apache consumes too much memory for CGI output

* Thu Oct 12 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-75
- Resolves: #1448892 - Cannot override LD_LIBARY_PATH in Apache HTTPD
  using SetEnv or PassEnv. Needs documentation.

* Mon Oct  9 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-74
- Resolves: #1430640 - "ProxyAddHeaders Off" does not become effective
  when it's defined outside <Proxy> setting

* Fri Oct  6 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-73
- Resolves: #1499253 - ProxyRemote with HTTPS backend sends requests
  with absoluteURI instead of abs_path

* Tue Oct  3 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-72
- Resolves: #1288395 - httpd segfault when logrotate invoked

* Tue Oct  3 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-71
- Resolves: #1368491 - mod_authz_dbd segfaults when AuthzDBDQuery missing

* Mon Oct  2 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-70
- Resolves: #1467402 - rotatelogs: creation of zombie processes when -p is used

* Tue Sep 19 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-69
- Resolves: #1493065 - CVE-2017-9798 httpd: Use-after-free by limiting
  unregistered HTTP method

* Tue Jul 25 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-68
- Resolves: #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw()
  authentication bypass
- Resolves: #1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
- Resolves: #1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
- Resolves: #1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread
- Resolves: #1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection
  in mod_auth_digest

* Tue May  9 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-67
- Related: #1332242 - Explicitly disallow the '#' character in allow,deny
  directives

* Tue May  9 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-66
- Related: #1332242 - Explicitly disallow the '#' character in allow,deny
  directives

* Thu Apr 27 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-65
- Resolves: #1445885 - define _RH_HAS_HTTPPROTOCOLOPTIONS

* Tue Apr 18 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-64
- Resolves: #1442872 - apache user is not created during httpd installation
  when apache group already exist with GID other than 48

* Wed Mar 22 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-63
- Related: #1412976 - CVE-2016-0736 CVE-2016-2161 CVE-2016-8743
  httpd: various flaws

* Wed Mar 15 15:00:00 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-62
- Resolves: #1397241 - Backport Apache Bug 53098 - mod_proxy_ajp:
  patch to set worker secret passed to tomcat
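Turning the changelog check above into a script, as an added example that is not code from the thread or from the project: it parses rpm-style changelog entries (fed here with a constructed, abbreviated excerpt of the `yum changelog httpd` output quoted above; on a real host you would pipe in `rpm -q --changelog httpd`) and reports which of the five requested CVE ids are named under which release, and which are not named at all.

```python
import re
from typing import Dict, List, Optional

# CVE ids from the original report at the top of this thread.
REQUESTED = ["CVE-2019-10092", "CVE-2019-10098", "CVE-2019-0220",
             "CVE-2019-0217", "CVE-2018-17199"]

# Constructed excerpt of `yum changelog httpd` output (rpm changelog format),
# abbreviated from the entries quoted above; not a live capture.
SAMPLE_CHANGELOG = """\
* Tue Oct  8 15:00:00 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-93
- Resolves: #1677496 - CVE-2018-17199 httpd: mod_session_cookie does not respect
  expiry time

* Sat Jun  8 15:00:00 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-90
- Resolves: #1696141 - CVE-2019-0217 httpd: mod_auth_digest: access control
  bypass due to race condition
- Resolves: #1696096 - CVE-2019-0220 httpd: URL normalization inconsistency
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# An rpm changelog entry starts "* <date> <packager> - <version-release>".
HEADER_RE = re.compile(r"^\* .*? - (\S+)\s*$")

def cves_by_release(changelog: str) -> Dict[str, List[str]]:
    """Map each version-release header to the CVE ids named in its entry."""
    result: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in changelog.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
        elif current is not None:
            # Continuation lines belong to the most recent header.
            result[current].extend(CVE_RE.findall(line))
    return result

def coverage(changelog: str, wanted: List[str]) -> Dict[str, Optional[str]]:
    """For each wanted CVE, the newest release whose entry names it, else None."""
    found: Dict[str, Optional[str]] = {cve: None for cve in wanted}
    for release, cves in cves_by_release(changelog).items():
        for cve in cves:
            if cve in found and found[cve] is None:
                found[cve] = release  # entries are newest-first; keep the first hit
    return found

def missing(changelog: str, wanted: List[str]) -> List[str]:
    """Wanted CVEs the changelog never names: still open, or not called out."""
    return [cve for cve, rel in coverage(changelog, wanted).items() if rel is None]
```

On this excerpt three of the five ids resolve to a release and CVE-2019-10092 and CVE-2019-10098 do not; absence from the changelog is not proof of exposure, but it is exactly what a version-matching scanner keeps flagging.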

Note that while Ilia is indeed correct, we do plan on pushing out an Apache package to keep it up to date with what RedHat/CentOS are offering. I spoke with Joe about that today, he expects to have that out soon!

Excellent thanks for the update Eric. We'll probably wait for the official release rather than trying to roll our own. I'd be worried about making a mess!

Submitted by Joe on Sat, 12/19/2020 - 00:46 Pro Licensee

-97 package is in all repos.

Excellent thanks a lot Joe. Very much appreciated!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.