On 4/4/22 09:06, Johnny Hughes wrote:
> On 4/4/22 04:28, Nikolay Popov wrote:
>> Bug reported
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=2071554
>>
>> Regards,
>> Nikolay
>>
>> On 2022-04-01 20:56, Neal Gompa wrote:
>>> On Fri, Apr 1, 2022 at 2:55 PM Ken Dreyer <kdreyer at redhat.com> wrote:
>>>>
>>>> RHEL 8.5 has the following fixes in the httpd package over the past
>>>> couple of months:
>>>>
>>>> 2022-03-21 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.3
>>>> - Resolves: #2065247 - CVE-2022-22720 httpd:2.4/httpd: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
>>>>
>>>> 2022-02-25 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.2
>>>> - Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer dereference via malformed requests
>>>> - Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds write in ap_escape_quotes() via malicious input
>>>>
>>>> 2022-01-10 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.1
>>>> - Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua: possible buffer overflow when parsing multipart content
>>>>
>>>> I don't see builds that correspond to this in
>>>> https://koji.mbox.centos.org/koji/packageinfo?packageID=583 , and this
>>>> URL hangs in my browser: https://git.centos.org/rpms/httpd
>>>>
>>>> When should I expect these CVE fixes in CentOS 8 Stream?
>>>>
>>>
>>> Please file bugs in the Red Hat Bugzilla about this, as that's the
>>> only place that the right people will be guaranteed to see it.
>>>
>
> I have also asked for this module to be updated.

I am currently building httpd-2.4.37-47.module+el8.6.0*, should be released later today if all goes well.

Thanks,
Johnny Hughes