On Fri, 1 Apr 2022 at 14:54, Ken Dreyer kdreyer@redhat.com wrote:
RHEL 8.5 has the following fixes in the httpd package over the past couple of months:
So I did a quick look and got a LOT of help from TrevorH and I think I know what is happening.
The default branch that is getting built against is origin/c8s-stream-2.4 . HOWEVER all the pushes are going to origin/c8-stream-2.4 which I believe was meant for 'EL8 module stream' versus 'CentOS stream'. The test to see if this is 'newer' than what was shipped already might be failing because `43%{?dist}.3` looks the same as `43%{?dist}` with the idea that should be `43.3{dist}`
2022-03-21 Luboš Uhliarik luhliari@redhat.com - 2.4.37-43.3
- Resolves: #2065247 - CVE-2022-22720 httpd:2.4/httpd: HTTP request
smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
2022-02-25 Luboš Uhliarik luhliari@redhat.com - 2.4.37-43.2
- Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer
dereference via malformed requests
- Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds write
in ap_escape_quotes() via malicious input
2022-01-10 Luboš Uhliarik luhliari@redhat.com - 2.4.37-43.1
- Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua: possible
buffer overflow when parsing multipart content
I don't see builds that correspond to this in https://koji.mbox.centos.org/koji/packageinfo?packageID=583 , and this URL hangs in my browser: https://git.centos.org/rpms/httpd
When should I expect these CVE fixes in CentOS 8 Stream?
- Ken
CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel