Hello,
I am working on a CentOS Linux 2.6.32-71.el6.x86_64 system. I noticed that the system came with httpd-2.2.15-6 installed. After I run 'yum update' I get httpd-2.2.15-9.
I did some research on the Internet, but can't find the following information: are most of the security fixes that appear in httpd-2.2.21 applied to the update on httpd-2.2.15-9?
There was a security fix just last August, the CVE-2011-3192 on Range and DoS. I don't imagine that this is in the 2.2.15-9. Do you have plans to provide this patch in the repository so that 'yum update httpd*' would get this patch?
Thank you in advance,
Dirce Richards Systems Engineer, GlobalCerts
drsystems@globalcerts.net writes:
> Hello,
> I am working on a CentOS Linux 2.6.32-71.el6.x86_64 system. I noticed that the system came with httpd-2.2.15-6 installed. After I run 'yum update' I get httpd-2.2.15-9.
> I did some research on the Internet, but can't find the following information: are most of the security fixes that appear in httpd-2.2.21 applied to the update on httpd-2.2.15-9?
> There was a security fix just last August, the CVE-2011-3192 on Range and DoS. I don't imagine that this is in the 2.2.15-9. Do you have plans to provide this patch in the repository so that 'yum update httpd*' would get this patch?
$ cd $REPO
$ rpm -qp --changelog httpd-2.2.15-9.el6.centos.3.x86_64.rpm
* Fri Oct 21 2011 Karanbir Singh kbsingh@centos.org - 2.2.15-9.3.el6.centos
- Roll in CentOS Branding

* Thu Oct 06 2011 Joe Orton jorton@redhat.com - 2.2.15-9.3
- add security fixes for CVE-2011-3347, CVE-2011-3368 (#743901)
- fix regressions in CVE-2011-3192 patch (#736592)

* Tue Aug 30 2011 Joe Orton jorton@redhat.com - 2.2.15-9.2,
- updated patch for CVE-2011-3192 from upstream (#733062)

* Fri Aug 26 2011 Jan Kaluza jkaluza@redhat.com - 2.2.15-9.1
- fix #733062 - backported CVE-2011-3192 fix from httpd trunk

* Fri Apr 08 2011 Joe Orton jorton@redhat.com - 2.2.15-9
- mod_ssl: complete fix for overlapping memcpy (#652335)
...
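The changelog check in the reply above, turned into a reusable script. This is an added example, not part of the original thread; the function names are made up for illustration and the sample changelog is copied from the lines quoted on this page.

```shell
#!/bin/sh
# Sample input: the changelog entries shown in the reply above.
sample_changelog() {
cat <<'EOF'
* Fri Oct 21 2011 Karanbir Singh kbsingh@centos.org - 2.2.15-9.3.el6.centos
- Roll in CentOS Branding

* Thu Oct 06 2011 Joe Orton jorton@redhat.com - 2.2.15-9.3
- add security fixes for CVE-2011-3347, CVE-2011-3368 (#743901)
- fix regressions in CVE-2011-3192 patch (#736592)

* Tue Aug 30 2011 Joe Orton jorton@redhat.com - 2.2.15-9.2,
- updated patch for CVE-2011-3192 from upstream (#733062)

* Fri Aug 26 2011 Jan Kaluza jkaluza@redhat.com - 2.2.15-9.1
- fix #733062 - backported CVE-2011-3192 fix from httpd trunk

* Fri Apr 08 2011 Joe Orton jorton@redhat.com - 2.2.15-9
- mod_ssl: complete fix for overlapping memcpy (#652335)
EOF
}

# cve_releases CVE-ID: read an rpm changelog on stdin and print the release
# of every entry that mentions the CVE, newest first (rpm's own order).
cve_releases() {
    awk -v cve="$1" '
        # Entry header: the release is the last field; drop a stray comma.
        /^\* / { rel = $NF; sub(/,$/, "", rel); seen = 0; next }
        # Match the full ID only, so CVE-2011-319 does not hit CVE-2011-3192.
        !seen && $0 ~ (cve "([^0-9]|$)") { print rel; seen = 1 }
    '
}

# cve_status CVE-ID: summarise the result; exit status 1 when no entry
# mentions the CVE (which is not proof that the package is vulnerable).
cve_status() {
    rels=$(cve_releases "$1" | tr '\n' ' ')
    if [ -n "$rels" ]; then
        echo "$1: mentioned in ${rels% }"
        return 0
    fi
    echo "$1: not mentioned in changelog"
    return 1
}

# On an installed system: rpm -q --changelog httpd | cve_status CVE-2011-3192
sample_changelog | cve_status CVE-2011-3192
```

The oldest release listed is the first one that carried the backport, so any installed release at or above it already includes that fix even though the upstream version number stays at 2.2.15.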
Thank you.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hello Dirce,
On Wed, 2011-12-14 at 10:17 -0500, drsystems@globalcerts.net wrote:
> I did some research on the Internet, but can't find the following information: are most of the security fixes that appear in httpd-2.2.21 applied to the update on httpd-2.2.15-9?
As CentOS is merely a rebuild of Red Hat Enterprise Linux it's probably best to subscribe to the enterprise watch list ( https://www.redhat.com/mailman/listinfo/enterprise-watch-list ) if you want to keep track of upstream security fixes. Note that this list only announces security fixes not bug fixes.
For a full list of update announcements visit https://rhn.redhat.com/errata/ . Note that CentOS-6 is a merge of the different versions Red Hat provides, so you might have to browse multiple lists to get a complete overview.
Regards, Leonard.