RHEL 8.5 has the following fixes in the httpd package over the past couple of months:
2022-03-21 Luboš Uhliarik luhliari@redhat.com - 2.4.37-43.3
- Resolves: #2065247 - CVE-2022-22720 httpd:2.4/httpd: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
2022-02-25 Luboš Uhliarik luhliari@redhat.com - 2.4.37-43.2
- Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer dereference via malformed requests
- Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds write in ap_escape_quotes() via malicious input
2022-01-10 Luboš Uhliarik luhliari@redhat.com - 2.4.37-43.1
- Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua: possible buffer overflow when parsing multipart content
I don't see builds that correspond to this in https://koji.mbox.centos.org/koji/packageinfo?packageID=583 , and this URL hangs in my browser: https://git.centos.org/rpms/httpd
When should I expect these CVE fixes in CentOS 8 Stream?
- Ken
On Fri, Apr 1, 2022 at 2:55 PM Ken Dreyer kdreyer@redhat.com wrote:
> [...]
> When should I expect these CVE fixes in CentOS 8 Stream?
Please file bugs in the Red Hat Bugzilla about this, as that's the only place that the right people will be guaranteed to see it.
Bug reported
https://bugzilla.redhat.com/show_bug.cgi?id=2071554
Regards, Nikolay
On 2022-04-01 20:56, Neal Gompa wrote:
> Please file bugs in the Red Hat Bugzilla about this, as that's the only place that the right people will be guaranteed to see it.
On 4/4/22 04:28, Nikolay Popov wrote:
> Bug reported
> https://bugzilla.redhat.com/show_bug.cgi?id=2071554
> Regards, Nikolay
I have also asked for this module to be updated.
On 4/4/22 09:06, Johnny Hughes wrote:
> I have also asked for this module to be updated.
I am currently building httpd-2.4.37-47.module+el8.6.0*, should be released later today if all goes well.
Thanks, Johnny Hughes
Is there any more information to share about what scripts or tools broke here?
RHSA-2022:0258 (rated Important) shipped January 15, and the CentOS 8 Stream build shipped 71 days later.
There's no comment in https://bugzilla.redhat.com/show_bug.cgi?id=2071554
- Ken
On Wed, Apr 6, 2022 at 11:04 AM Johnny Hughes johnny@centos.org wrote:
> I am currently building httpd-2.4.37-47.module+el8.6.0*, should be released later today if all goes well.
> Thanks, Johnny Hughes
CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
The following hits the same notch:
I noticed that CS(tream)8 had an old nodejs
nodejs-10.23.1-1.module_el8.4.0+645+9ce14ba2
while obsoleted CL(inux)8 had a newer one:
nodejs-10.24.0-1.module_el8.3.0+717+fa496f1d
Everyone who migrated a CL8 to a CS8 system without "yum distrosync" but just with "yum update" should check the current status with a "yum distrosync". Differences (downgrades) that come from the disttag (el8 vs el8_5) should be expected, but not a downgrade like the one above. The following CVEs would be vanishing:
# rpm -q --changelog nodejs-10.24.0-1.module_el8.3.0+717+fa496f1d | head | grep -i cve
- Resolves CVE-2021-22883 and CVE-2021-22884
Like Ken asked, I would also appreciate any feedback about the general process, especially looking forward: what work is done and what is missing to incorporate non-embargoed security updates into CentOS Stream 8/9?
Thank you very much!
-- Leon
On 19.04.22 at 16:18, Ken Dreyer wrote:
> Is there any more information to share about what scripts or tools broke here?
> RHSA-2022:0258 (rated Important) shipped January 15, and the CentOS 8 Stream build shipped 71 days later.
> There's no comment in https://bugzilla.redhat.com/show_bug.cgi?id=2071554
> - Ken
On Fri, 1 Apr 2022 at 14:54, Ken Dreyer kdreyer@redhat.com wrote:
> RHEL 8.5 has the following fixes in the httpd package over the past couple of months:
So I did a quick look and got a LOT of help from TrevorH and I think I know what is happening.
The default branch that is getting built against is origin/c8s-stream-2.4. HOWEVER, all the pushes are going to origin/c8-stream-2.4, which I believe was meant for 'EL8 module stream' versus 'CentOS stream'. The test to see if this is 'newer' than what was shipped already might be failing because `43%{?dist}.3` looks the same as `43%{?dist}`, with the idea that it should be `43.3{dist}`.
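Both the nodejs downgrade Leon reports and the `43%{?dist}.3` versus `43%{?dist}` question in the last reply come down to how rpm orders version and release strings. The following is an added example, not code from this thread, from rpm or from the CentOS build tooling: a Python port of rpm's rpmvercmp segment comparison, applied to the builds named above on the assumption that `%{?dist}` expands to `.el8` for the httpd release.

```python
import re

# rpm compares versions as a sequence of numeric and alphabetic segments;
# separators are skipped, '~' and '^' are kept because they change ordering.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp: return -1, 0 or 1 ordering a against b.
    Segments compare pairwise; numeric beats alpha; a longer number beats a
    shorter one; '~' sorts before anything; '^' sorts after the base version."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else ""
        y = sb.pop(0) if sb else ""
        if "~" in (x, y):                        # pre-release marker
            if x != "~": return 1
            if y != "~": return -1
            continue
        if "^" in (x, y):                        # post-release marker
            if not x: return -1
            if not y: return 1
            if x != "^": return 1
            if y != "^": return -1
            continue
        if not x or not y:                       # one side ran out of segments
            return -1 if not x else 1
        xn, yn = x.isdigit(), y.isdigit()
        if xn != yn:
            return 1 if xn else -1               # numeric segment beats alpha
        if xn:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def nvrcmp(a: str, b: str) -> int:
    """Order two name-version-release strings of one package: version first,
    then release.  Names may contain dashes, so split from the right."""
    na, va, ra = a.rsplit("-", 2)
    nb, vb, rb = b.rsplit("-", 2)
    if na != nb:
        raise ValueError(f"different packages: {na} vs {nb}")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)
```

By these rules 43.el8.3 sorts after 43.el8, and nodejs 10.23.1 sorts before 10.24.0 whatever the module dist tags say, which is why a distro-sync from CL8 to CS8 downgrades nodejs.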