CVE-2019-0211: httpd

Hey! I’m trying to figure out if CVE-2019-0211 affects HTTPD within Rocky, and whether this has a remediated version available.

So far I’ve not been able to find it listed in any of the errata, but I was able to find some references within the r8-stream-2.4 repo on Git: SOURCES · r8-stream-2.4 · staging / rpms / httpd · GitLab
httpd-2.4.37-CVE-2019-0211.patch import httpd-2.4.37-30.module+el8.3.0+7001+0766b9e7

This commit leads to what appears to be a patch for this vulnerability: SOURCES/httpd-2.4.37-CVE-2019-0211.patch · r8-stream-2.4 · staging / rpms / httpd · GitLab
But I’m not overly familiar with HTTPD and can’t quite determine if there’s a fix for this vulnerability present in the code changes above.

From the commit above, would this version of httpd-2.4.37-30.module+el8.3.0+7001+0766b9e7 be considered a remediation for the vulnerability? If so, is it being missing from the errata an oversight or is there a reason for it not being included?

That CVE was fixed back in 8.0, long before Rocky Linux 8 ever existed. - that errata will not appear in our repositories because of that.

$ rpm -q httpd --changelog | grep CVE-2019-0211
- Resolves: #1695432 - CVE-2019-0211 httpd: privilege escalation

Aha, perfect thank you! Silly oversight on my part not checking the release and fix timing, appreciate the quick response :slight_smile:

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.