On Fri, 1 Apr 2022 at 14:54, Ken Dreyer <kdreyer at redhat.com> wrote:

> RHEL 8.5 has the following fixes in the httpd package over the past
> couple of months:
>

So I did a quick look and got a LOT of help from TrevorH and I think I know what is happening. The default branch that is getting built against is origin/c8s-stream-2.4 . HOWEVER all the pushes are going to origin/c8-stream-2.4 which I believe was meant for 'EL8 module stream' versus 'CentOS stream'. The test to see if this is 'newer' than what was shipped already might be failing because `43%{?dist}.3` looks the same as `43%{?dist}` with the idea that should be `43.3{dist}`

> 2022-03-21 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.3
> - Resolves: #2065247 - CVE-2022-22720 httpd:2.4/httpd: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
>
> 2022-02-25 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.2
> - Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer dereference via malformed requests
> - Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds write in ap_escape_quotes() via malicious input
>
> 2022-01-10 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.1
> - Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua: possible buffer overflow when parsing multipart content
>
> I don't see builds that correspond to this in
> https://koji.mbox.centos.org/koji/packageinfo?packageID=583 , and this
> URL hangs in my browser: https://git.centos.org/rpms/httpd
>
> When should I expect these CVE fixes in CentOS 8 Stream?
>
> - Ken

-- 
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle.
-- Ian MacClaren
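The three release forms named in the message, ordered by a simplified re-implementation of rpm's segment-wise release comparison. This is an added example, not code from the thread or from CentOS tooling: tilde and caret handling is omitted, the dist values are constructed, and whether the build system's "newer" test uses this comparison is an assumption.

```python
import re

# A segment is a run of ASCII digits or a run of ASCII letters;
# every other character ('.', '_', '+', ...) only separates segments.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a sorts newer than b, -1 if older, 0 if equal."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            # Numbers: ignore leading zeros, then the longer number is larger.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments tie: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_forms(dist: str) -> dict:
    """Order the message's three release forms for one expanded %{?dist}."""
    shipped = f"43{dist}"      # 43%{?dist}
    suffixed = f"43{dist}.3"   # 43%{?dist}.3
    prefixed = f"43.3{dist}"   # fix number placed before the dist tag
    return {
        "suffixed_vs_shipped": rpmvercmp(suffixed, shipped),
        "prefixed_vs_shipped": rpmvercmp(prefixed, shipped),
        "prefixed_vs_suffixed": rpmvercmp(prefixed, suffixed),
    }


if __name__ == "__main__":
    # Constructed dist values: a plain tag and a module-style tag.
    for dist in (".el8", ".module_el8.5.0+100+aaaa1111"):
        print(dist, compare_forms(dist))
    # Different dist tags: the dist fields decide before the ".3" is reached.
    print(rpmvercmp("43.module_el8.5.0+100+aaaa1111.3",
                    "43.module_el8.5.0+200+bbbb2222"))
```

With an identical dist tag on both sides the trailing `.3` sorts newer, but it is the last segment compared, so any difference inside the dist tag outranks it; a fix number placed before the dist tag is compared first.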