[CentOS-devel] httpd CVEs in CentOS 8 Stream

Sun Apr 24 19:52:15 UTC 2022
Leon Fauster <leonfauster at googlemail.com>

Following hits in the same notch:

I noticed that CS(tream)8 had an old nodejs

nodejs-10.23.1-1.module_el8.4.0+645+9ce14ba2


while obsoleted CL(inux)8 had a newer one:

nodejs-10.24.0-1.module_el8.3.0+717+fa496f1d


Everyone that migrated a CL8 to a CS8 system without "yum distrosync"
but just with "yum update" should check the current status with a "yum
distrosync". Differences (downgrades) that come from the disttag (el8 vs
el8_5) should be expected, but not a downgrade like the one above. The
following CVEs would vanish:


# rpm -q --changelog nodejs-10.24.0-1.module_el8.3.0+717+fa496f1d | head | grep -i cve
- Resolves CVE-2021-22883 and CVE-2021-22884


Like Ken asked, I would also appreciate any feedback about the general
process, especially looking forward: what work is done and what is
missing to incorporate non-embargoed security updates into CentOS
Stream 8/9?

Thank you very much!

--
Leon
On 19.04.22 at 16:18, Ken Dreyer wrote:
> Is there any more information to share about what scripts or tools broke here?
> 
> RHSA-2022:0258 (rated Important) shipped January 15, and the CentOS 8
> Stream build shipped 71 days later.
> 
> There's no comment in https://bugzilla.redhat.com/show_bug.cgi?id=2071554
> 
> - Ken
> 
> On Wed, Apr 6, 2022 at 11:04 AM Johnny Hughes <johnny at centos.org> wrote:
>>
>> On 4/4/22 09:06, Johnny Hughes wrote:
>>> On 4/4/22 04:28, Nikolay Popov wrote:
>>>> Bug reported
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=2071554
>>>>
>>>>
>>>> Regards,
>>>> Nikolay
>>>>
>>>> On 2022-04-01 20:56, Neal Gompa wrote:
>>>>> On Fri, Apr 1, 2022 at 2:55 PM Ken Dreyer <kdreyer at redhat.com> wrote:
>>>>>>
>>>>>> RHEL 8.5 has the following fixes in the httpd package over the past
>>>>>> couple of months:
>>>>>>
>>>>>> 2022-03-21 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.3
>>>>>> - Resolves: #2065247 - CVE-2022-22720 httpd:2.4/httpd: HTTP request
>>>>>> smuggling
>>>>>> vulnerability in Apache HTTP Server 2.4.52 and earlier
>>>>>>
>>>>>> 2022-02-25 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.2
>>>>>> - Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer
>>>>>> dereference
>>>>>> via malformed requests
>>>>>> - Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds
>>>>>> write in
>>>>>> ap_escape_quotes() via malicious input
>>>>>>
>>>>>> 2022-01-10 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.1
>>>>>> - Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua:
>>>>>> possible buffer
>>>>>> overflow when parsing multipart content
>>>>>>
>>>>>> I don't see builds that correspond to this in
>>>>>> https://koji.mbox.centos.org/koji/packageinfo?packageID=583 , and this
>>>>>> URL hangs in my browser: https://git.centos.org/rpms/httpd
>>>>>>
>>>>>> When should I expect these CVE fixes in CentOS 8 Stream?
>>>>>>
>>>>>
>>>>> Please file bugs in the Red Hat Bugzilla about this, as that's the
>>>>> only place that the right people will be guaranteed to see it.
>>>>>
>>>
>>> I have also asked for this module to be updated.
>>
>> I am currently building httpd-2.4.37-47.module+el8.6.0*, should be
>> released later today if all goes well.
>>
>> Thanks,
>> Johnny Hughes
>>
>> _______________________________________________
>> CentOS-devel mailing list
>> CentOS-devel at centos.org
>> https://lists.centos.org/mailman/listinfo/centos-devel
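Added example, not code from the thread or from the CentOS project: Leon's check above is "run yum distrosync, then look at the changelog of the build that would be replaced and see which CVE lines disappear". The script below automates the second half of that: it pulls the CVE identifiers out of two changelog texts (the installed package and the candidate the sync would switch to) and prints the ones only the installed package mentions, i.e. documented fixes a downgrade would drop. The two changelog excerpts are constructed for the example (the CVE IDs are the nodejs ones quoted in the post; dates and packager are placeholders); on a real host they would come from `rpm -q --changelog <installed-nevra>` and, assumed here, `dnf repoquery --changelogs <name>` for the repository candidate.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: report the CVE fixes that
# would be lost if "yum distrosync" replaced the installed package with an
# older build, by diffing the CVE IDs mentioned in the two changelogs.
# On a real host the changelog texts would come from
#   rpm -q --changelog <installed-nevra>     (installed package)
#   dnf repoquery --changelogs <name>        (candidate from the repos; assumed)
# Here both texts are constructed inline so the script runs offline.

# Print every distinct CVE identifier found on stdin, one per line, sorted
# so that comm(1) can take a set difference.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# lost_cves INSTALLED_CHANGELOG_FILE CANDIDATE_CHANGELOG_FILE
# Print the CVE IDs referenced by the installed package's changelog that the
# candidate package's changelog does not mention. An empty result means the
# sync would not drop any documented CVE fix.
lost_cves() {
    inst=$(mktemp) || return 1
    cand=$(mktemp) || { rm -f "$inst"; return 1; }
    extract_cves < "$1" > "$inst"
    extract_cves < "$2" > "$cand"
    comm -23 "$inst" "$cand"
    rm -f "$inst" "$cand"
}

# Constructed changelog excerpts modelled on the nodejs builds in the post.
# The CVE IDs are the ones quoted there; dates and packager are placeholders.
installed_changelog() {
    cat <<'EOF'
* Wed Mar 03 2021 Packager Placeholder <packager@example.invalid> - 1:10.24.0-1
- Resolves CVE-2021-22883 and CVE-2021-22884
- Rebase to 10.24.0

* Mon Jan 11 2021 Packager Placeholder <packager@example.invalid> - 1:10.23.1-1
- Rebase to 10.23.1
EOF
}

candidate_changelog() {
    cat <<'EOF'
* Mon Jan 11 2021 Packager Placeholder <packager@example.invalid> - 1:10.23.1-1
- Rebase to 10.23.1
EOF
}

# Run the comparison on the constructed changelogs and print the CVEs that
# the older candidate build would leave unfixed.
demo_lost_cves() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    installed_changelog > "$a"
    candidate_changelog > "$b"
    lost_cves "$a" "$b"
    rm -f "$a" "$b"
}

demo_lost_cves
```

The comparison is deliberately text-based: it trusts the packager's changelog to name the CVEs a build resolves, which is exactly what the `rpm -q --changelog ... | grep -i cve` check in the post relies on. It does not judge whether the candidate is older; that decision still comes from `yum distrosync`, and the script is meant to be run on each package the sync reports as a downgrade.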