CVE-2019-0211: httpd

Hey! I’m trying to figure out if CVE-2019-0211 affects HTTPD within Rocky, and whether this has a remediated version available.

So far I’ve not been able to find it listed in any of the errata, but I was able to find some references within the r8-stream-2.4 repo on Git: SOURCES · r8-stream-2.4 · staging / rpms / httpd · GitLab
httpd-2.4.37-CVE-2019-0211.patch import httpd-2.4.37-30.module+el8.3.0+7001+0766b9e7

This commit leads to what appears to be a patch for this vulnerability: SOURCES/httpd-2.4.37-CVE-2019-0211.patch · r8-stream-2.4 · staging / rpms / httpd · GitLab
But I’m not overly familiar with HTTPD and can’t quite determine if there’s a fix for this vulnerability present in the code changes above.

From the commit above, would this version of httpd-2.4.37-30.module+el8.3.0+7001+0766b9e7 be considered a remediation for the vulnerability? If so, is it being missing from the errata an oversight or is there a reason for it not being included?

That CVE was fixed back in 8.0, long before Rocky Linux 8 ever existed. https://access.redhat.com/errata/RHSA-2019:0980 - that errata will not appear in our repositories because of that.

$ rpm -q httpd --changelog | grep CVE-2019-0211
- Resolves: #1695432 - CVE-2019-0211 httpd: privilege escalation
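The changelog check from the reply above can be taken one step further to show which package build first carried the fix. This is an added example, not part of the original thread: the function name `cve_fix_entry`, the sample changelog, its release strings and its dates are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find the oldest changelog entry that mentions a CVE.
# Input is `rpm -q --changelog` style text on stdin, newest entry first.

cve_fix_entry() {
    awk -v cve="$1" '
        # Entry header: "* Day Mon DD YYYY Packager <mail> - version-release"
        /^\* / { ver = $NF; date = $2 " " $3 " " $4 " " $5; next }
        # Keep overwriting so the last (oldest) mention wins.
        index($0, cve) { hit_ver = ver; hit_date = date }
        END {
            if (hit_ver == "") exit 1   # CVE not mentioned in any entry
            printf "%s first appears in %s (%s)\n", cve, hit_ver, hit_date
        }
    '
}

# Constructed sample changelog (release strings and dates are not real).
sample_changelog() {
    cat <<'EOF'
* Mon Jun 15 2020 Example Packager <packager@example.invalid> - 2.4.37-3.example
- Related: #1695432 - CVE-2019-0211 follow-up cleanup (constructed line)
* Tue Jan 01 2019 Example Packager <packager@example.invalid> - 2.4.37-2.example
- Resolves: #1695432 - CVE-2019-0211 httpd: privilege escalation
* Mon Dec 03 2018 Example Packager <packager@example.invalid> - 2.4.37-1.example
- initial build (constructed line)
EOF
}

# Offline demo on the constructed data.
sample_changelog | cve_fix_entry CVE-2019-0211

# On a live system:
#   rpm -q httpd --changelog | cve_fix_entry CVE-2019-0211
```

Comparing the reported version-release with the output of `rpm -q httpd` shows whether the installed build is at or past the one that introduced the fix, even when no matching erratum exists in the distribution's own advisories.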

Aha, perfect, thank you! Silly oversight on my part not checking the release and fix timing, appreciate the quick response.
