RHEL 8.5 has the following fixes in the httpd package over the past
couple of months:
So I did a quick look and got a LOT of help from TrevorH and I think I know what is happening.
The default branch that is getting built against is origin/c8s-stream-2.4 . HOWEVER all the pushes are going to origin/c8-stream-2.4 which I believe was meant for 'EL8 module stream' versus 'CentOS stream'. The test to see if this is 'newer' than what was shipped already might be failing because `43%{?dist}.3` looks the same as `43%{?dist}` with the idea that should be `43.3{dist}`
2022-03-21 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43.3
- Resolves: #2065247 - CVE-2022-22720 httpd:2.4/httpd: HTTP request smuggling
vulnerability in Apache HTTP Server 2.4.52 and earlier
2022-02-25 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43.2
- Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer dereference
via malformed requests
- Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds write in
ap_escape_quotes() via malicious input
2022-01-10 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43.1
- Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua: possible buffer
overflow when parsing multipart content
I don't see builds that correspond to this in
https://koji.mbox.centos.org/koji/packageinfo?packageID=583 , and this
URL hangs in my browser: https://git.centos.org/rpms/httpd
When should I expect these CVE fixes in CentOS 8 Stream?
- Ken
_______________________________________________
CentOS-devel mailing list
CentOS-devel@centos.org
https://lists.centos.org/mailman/listinfo/centos-devel