From a56902554f6069b61e9f19d404b6faa7dec6eb50 Mon Sep 17 00:00:00 2001 From: Joe Slater Date: Mon, 18 Apr 2022 17:59:11 -0400 Subject: [PATCH] httpd: fix four CVEs NOTE! commit fc00096e8... purports to fix the first 3 CVEs but uses the wrong rpm version. CVE-2021-26691: heap overflow CVE-2021-39275: out-of-bounds write CVE-2021-44790: buffer overflow CVE-2022-22720: http request smuggling Advance to version 2.4.6-97.el7.centos.5. === testing boot iso and log in; become root; httpd is not running systemctl stop lighttpd # free up port 80 systemctl start httpd # takes a while echo arf > /var/www/html/arf.txt # something to fetch wget http://localhost/arf.txt cat arf.txt This shows httpd is processing requests. === Closes-bug: 1960765 Closes-bug: 1969363 Change-Id: I4c90213f020762f037e1f207f73e0622a38984c2 Signed-off-by: Joe Slater --- centos-mirror-tools/config/centos/flock/rpms_centos.lst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/centos-mirror-tools/config/centos/flock/rpms_centos.lst b/centos-mirror-tools/config/centos/flock/rpms_centos.lst index 9f51277d..ae3212d7 100644 --- a/centos-mirror-tools/config/centos/flock/rpms_centos.lst +++ b/centos-mirror-tools/config/centos/flock/rpms_centos.lst @@ -293,8 +293,8 @@ horai-ume-uigothic-fonts-610-2.el7.noarch.rpm # hostname-3.13-3.el7.x86_64.rpm provided by mock httpcomponents-client-4.2.5-5.el7_0.noarch.rpm httpcomponents-core-4.2.4-6.el7.noarch.rpm -httpd-2.4.6-97.el7.centos.x86_64.rpm -httpd-tools-2.4.6-97.el7.centos.x86_64.rpm +httpd-2.4.6-97.el7.centos.5.x86_64.rpm +httpd-tools-2.4.6-97.el7.centos.5.x86_64.rpm hwdata-0.252-9.1.el7.x86_64.rpm hwloc-libs-1.11.8-4.el7.x86_64.rpm impallari-lobster-fonts-1.4-8.el7.noarch.rpm
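Review bot: The test procedure in the commit message only shows that httpd serves a request; it does not confirm that the bumped package is what got installed, so please add a version check to the test notes, e.g. `rpm -q httpd httpd-tools` expected to report 2.4.6-97.el7.centos.5 for both, and note the errata or changelog entry that ties that release to CVE-2021-26691, CVE-2021-39275, CVE-2021-44790 and CVE-2022-22720 so reviewers can verify the coverage claim rather than rely on the NOTE about the earlier commit. In the hunk itself, httpd and httpd-tools are bumped together, which is correct since they come from the same source build; if any other httpd subpackage from that build is listed elsewhere in rpms_centos.lst, it needs the same release bump, otherwise the mirror will carry mismatched builds and the install will fail on dependency resolution.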