<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 1 Apr 2022 at 14:54, Ken Dreyer <<a href="mailto:kdreyer@redhat.com" target="_blank">kdreyer@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">RHEL 8.5 has the following fixes in the httpd package over the past<br>
couple of months:<br>
<br></blockquote><div><br></div><div>So I did a quick look and got a LOT of help from TrevorH, and I think I know what is happening.</div><div><br></div><div>The default branch that is getting built against is origin/c8s-stream-2.4. HOWEVER, all the pushes are going to origin/c8-stream-2.4, which I believe was meant for 'EL8 module stream' versus 'CentOS stream'. The test to see if this is 'newer' than what was shipped already might be failing because `43%{?dist}.3` looks the same as `43%{?dist}`, with the idea that it should be `43.3{dist}`.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
2022-03-21 Luboš Uhliarik <<a href="mailto:luhliari@redhat.com" target="_blank">luhliari@redhat.com</a>> - 2.4.37-43.3<br>
- Resolves: #2065247 - CVE-2022-22720 httpd:2.4/httpd: HTTP request smuggling<br>
vulnerability in Apache HTTP Server 2.4.52 and earlier<br>
<br>
2022-02-25 Luboš Uhliarik <<a href="mailto:luhliari@redhat.com" target="_blank">luhliari@redhat.com</a>> - 2.4.37-43.2<br>
- Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer dereference<br>
via malformed requests<br>
- Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds write in<br>
ap_escape_quotes() via malicious input<br>
<br>
2022-01-10 Luboš Uhliarik <<a href="mailto:luhliari@redhat.com" target="_blank">luhliari@redhat.com</a>> - 2.4.37-43.1<br>
- Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua: possible buffer<br>
overflow when parsing multipart content<br>
<br>
I don't see builds that correspond to this in<br>
<a href="https://koji.mbox.centos.org/koji/packageinfo?packageID=583" rel="noreferrer" target="_blank">https://koji.mbox.centos.org/koji/packageinfo?packageID=583</a>, and this<br>
URL hangs in my browser: <a href="https://git.centos.org/rpms/httpd" rel="noreferrer" target="_blank">https://git.centos.org/rpms/httpd</a><br>
<br>
When should I expect these CVE fixes in CentOS 8 Stream?<br>
<br>
- Ken<br>
<br>
_______________________________________________<br>
CentOS-devel mailing list<br>
<a href="mailto:CentOS-devel@centos.org" target="_blank">CentOS-devel@centos.org</a><br>
<a href="https://lists.centos.org/mailman/listinfo/centos-devel" rel="noreferrer" target="_blank">https://lists.centos.org/mailman/listinfo/centos-devel</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div></div>Stephen Smoogen, Red Hat Automotive<br></div>Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren<br></div></div></div>
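The release spellings discussed in the reply (`43%{?dist}.3` versus `43.3%{?dist}`) can be checked against rpm's own ordering rules; the Python below is an added example, not code from this thread or from the CentOS build tooling, that reimplements rpm's rpmvercmp() segment comparison and an epoch:version-release comparison on top of it. It assumes `%{?dist}` expands to a plain `.el8`, so the candidate releases become `43.el8`, `43.el8.3` and `43.3.el8`.

```python
import re
from itertools import zip_longest

# Segments rpm compares: digit runs, letter runs and the '~' pre-release marker;
# every other character ('.', '-', '_', '+') is a separator and is skipped.
_SEG = re.compile(r'[0-9]+|[A-Za-z]+|~')

def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise comparison like rpm's rpmvercmp(): 1 if a is newer,
    -1 if b is newer, 0 if equal.  The newer '^' marker is not handled."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == '~' or y == '~':          # '~' sorts before anything, even end-of-string
            if x != '~':
                return 1
            if y != '~':
                return -1
            continue
        if x is None:                     # a ran out of segments, b still has some: b wins
            return -1
        if y is None:
            return 1
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:                  # a numeric segment always beats an alpha one
            return 1 if xnum else -1
        if xnum:
            x, y = x.lstrip('0'), y.lstrip('0')
            if len(x) != len(y):          # more digits means a bigger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0

def _split_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(':')
    if not sep:
        epoch, rest = '0', evr
    version, _, release = rest.partition('-')
    return int(epoch), version, release

def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = _split_evr(a)
    eb, vb, rb = _split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)
```

Under these rules both `43.el8.3` and `43.3.el8` compare newer than the shipped `43.el8`, and `43.3.el8` compares newer than `43.el8.3` because its second segment is numeric while the other's is `el`; `evrcmp('2.4.37-43.el8', '2.4.37-43.3.el8') < 0` is the check an administrator would run to see whether an installed build predates the fixed one.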