[CentOS-devel] httpd CVEs in CentOS 8 Stream

Tue Apr 19 14:18:57 UTC 2022
Ken Dreyer <kdreyer at redhat.com>

Is there any more information to share about what scripts or tools broke here?

RHSA-2022:0258 (rated Important) shipped January 15, and the CentOS 8
Stream build shipped 71 days later.

There's no comment in https://bugzilla.redhat.com/show_bug.cgi?id=2071554

- Ken

On Wed, Apr 6, 2022 at 11:04 AM Johnny Hughes <johnny at centos.org> wrote:
>
> On 4/4/22 09:06, Johnny Hughes wrote:
> > On 4/4/22 04:28, Nikolay Popov wrote:
> >> Bug reported
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=2071554
> >>
> >>
> >> Regards,
> >> Nikolay
> >>
> >> On 2022-04-01 20:56, Neal Gompa wrote:
> >>> On Fri, Apr 1, 2022 at 2:55 PM Ken Dreyer <kdreyer at redhat.com> wrote:
> >>>>
> >>>> RHEL 8.5 has the following fixes in the httpd package over the past
> >>>> couple of months:
> >>>>
> >>>> 2022-03-21 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.3
> >>>> - Resolves: #2065247 - CVE-2022-22720 httpd:2.4/httpd: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
> >>>>
> >>>> 2022-02-25 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.2
> >>>> - Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer dereference via malformed requests
> >>>> - Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds write in ap_escape_quotes() via malicious input
> >>>>
> >>>> 2022-01-10 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.1
> >>>> - Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua: possible buffer overflow when parsing multipart content
> >>>>
> >>>> I don't see builds that correspond to this in
> >>>> https://koji.mbox.centos.org/koji/packageinfo?packageID=583 , and this
> >>>> URL hangs in my browser: https://git.centos.org/rpms/httpd
> >>>>
> >>>> When should I expect these CVE fixes in CentOS 8 Stream?
> >>>>
> >>>
> >>> Please file bugs in the Red Hat Bugzilla about this, as that's the
> >>> only place that the right people will be guaranteed to see it.
> >>>
> >
> > I have also asked for this module to be updated.
>
> I am currently building httpd-2.4.37-47.module+el8.6.0*, should be
> released later today if all goes well.
>
> Thanks,
> Johnny Hughes
>
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel
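The practical question behind this thread is whether the httpd build actually installed on a host carries the CVE fixes listed above, and how far behind the advisory it landed. The following script, added here as an example and not code from the thread, from CentOS or from Red Hat, parses an RPM changelog for CVE identifiers, reports which of a wanted set are named by no entry, and computes the lag in days between the entry that first names a CVE and a later reference date. The `CHANGELOG` text is a constructed sample built from the three entries quoted above (in the date format quoted there; the parser also accepts the `* Mon Mar 21 2022 ...` header format that `rpm -q --changelog` prints), and `CVE-2099-12345` is a placeholder id used only to show the "not found" path.

```python
"""Check an httpd RPM changelog for named CVE fixes and measure fix lag.

Added example for the CentOS-devel thread above; not code from the thread,
from CentOS or from Red Hat. CHANGELOG is a constructed sample built from the
three changelog entries quoted in the thread. Pass a package name as the first
argument to read `rpm -q --changelog <pkg>` from the local host instead.
"""
import re
import subprocess
import sys
from datetime import date, datetime

# Constructed sample, in the date format quoted in the thread.
CHANGELOG = """\
2022-03-21 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.3
- Resolves: #2065247 - CVE-2022-22720 httpd:2.4/httpd: HTTP request smuggling
  vulnerability in Apache HTTP Server 2.4.52 and earlier

2022-02-25 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.2
- Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer dereference
  via malformed requests
- Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds write in
  ap_escape_quotes() via malicious input

2022-01-10 Luboš Uhliarik <luhliari at redhat.com> - 2.4.37-43.1
- Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua: possible buffer
  overflow when parsing multipart content
"""

# Entry header as quoted in the thread: "2022-03-21 Name <addr> - 2.4.37-43.3"
ISO_HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2}) .*? - (\S+)$")
# Entry header as `rpm -q --changelog` prints it: "* Mon Mar 21 2022 Name <addr> - 2.4.37-43.3"
RPM_HEADER = re.compile(r"^\* \w{3} (\w{3} \d{1,2} \d{4}) .*? - (\S+)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return [(entry_date, version, frozenset_of_cve_ids)], newest entry first."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ISO_HEADER.match(line)
        if m:
            entries.append([date.fromisoformat(m.group(1)), m.group(2), set()])
            continue
        m = RPM_HEADER.match(line)
        if m:
            entry_date = datetime.strptime(m.group(1), "%b %d %Y").date()
            entries.append([entry_date, m.group(2), set()])
            continue
        if entries:  # body line: collect every CVE id it names under the current entry
            entries[-1][2].update(CVE_ID.findall(line))
    return [(d, v, frozenset(c)) for d, v, c in entries]


def fix_status(text, wanted):
    """Map each wanted CVE id to (version, entry_date) of the oldest entry naming it, or None."""
    status = {cve: None for cve in wanted}
    for entry_date, version, cves in reversed(parse_changelog(text)):  # oldest first
        for cve in cves.intersection(wanted):
            if status[cve] is None:
                status[cve] = (version, entry_date)
    return status


def missing_fixes(text, wanted):
    """CVE ids from `wanted` that no changelog entry names: the fixes still to chase."""
    return sorted(cve for cve, fixed in fix_status(text, wanted).items() if fixed is None)


def fix_lag_days(text, cve, reference_iso):
    """Days from the entry that first names `cve` to reference_iso (e.g. a later build date)."""
    fixed = fix_status(text, [cve])[cve]
    if fixed is None:
        return None
    return (date.fromisoformat(reference_iso) - fixed[1]).days


if __name__ == "__main__":
    if len(sys.argv) > 1:  # read the installed package's changelog from rpm
        text = subprocess.run(["rpm", "-q", "--changelog", sys.argv[1]],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = CHANGELOG
    # The four CVE ids named in the thread plus a constructed placeholder id.
    wanted = ["CVE-2022-22720", "CVE-2021-34798", "CVE-2021-39275",
              "CVE-2021-44790", "CVE-2099-12345"]
    for cve, fixed in fix_status(text, wanted).items():
        if fixed:
            print(cve, "fixed in %s (%s)" % fixed)
        else:
            print(cve, "NOT FOUND in changelog")
    print("missing:", missing_fixes(text, wanted))
```

Run it without arguments to see the constructed sample evaluated, or as `python3 check_httpd_cves.py httpd` on a RHEL or CentOS Stream host to evaluate the installed package. A CVE that `missing_fixes` reports is absent from every changelog entry, which is the same signal Ken was looking for in Koji, read from the package itself rather than from the build system.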