Hello,
I’m investigating a specific CVE and I noticed that there is no equivalent RLSA (on the Rocky Errata website) for the published RHSA. Is this normal or possibly just a one-off that got missed?
CVE: CVE-2021-40438
RHSA: RHSA-2021:3816
I can see from the RHSA that the fix was backported into the httpd package versions 2.4.37-39.module+el8.4.0+12865+a7065a39.1.
If I’m running Rocky httpd package versions 2.4.37-43.module+el8.5.0+727+743c5577.1 is it safe to assume that this version includes the backported fix since it is a newer more recent version?
Thank you for all your hard work on this project!
Brian
Hi,
According to this command:
[root@rocky ~]# rpm -q --changelog httpd | grep 40438
- Related: #2007236 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
- Resolves: #2007236 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
looks like it’s resolved. You can run this on your system to query - although httpd must be installed first. If it’s not installed, then you can check it with:
[root@rocky ~]# dnf changelog httpd | grep 40438
- Related: #2007236 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
- Resolves: #2007236 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
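The changelog check above can be scripted so that the answer is not just "the CVE id appears somewhere" but "which package version carries the Resolves: entry for it". This is an added example, not code from the thread or from the Rocky project. It parses the rpm changelog format (an entry header of the form "* <date> <maintainer> - <version-release>" followed by "- " body lines), ignores "Related:" lines (those also show up in later rebuilds, as in Ian's output) and reports the oldest entry whose body has a "Resolves:" line naming the CVE. The sample changelog, maintainer address and dates are constructed for the example; the body lines are copied from the thread's grep output and are truncated there. The dnf fallback assumes dnf changelog prints entries in the same header format as rpm.

```shell
#!/bin/sh
# Added example: find the package version whose changelog entry resolves a CVE.
# Not from the thread; rpm changelog format assumed as described in the lead-in.

# Reads changelog text on stdin. Prints the version-release of the OLDEST entry
# whose body carries "- Resolves: ... <cve>" (rpm prints newest entries first,
# so the last match is the oldest). Exits 1 if no such entry exists.
cve_fix_version() {
  cve="$1"
  awk -v cve="$cve" '
    # entry header: "* <date> <maintainer> - <version-release>"
    /^\* / { hdr = $0; next }
    # only a Resolves: line counts; Related: lines also appear in later rebuilds
    index($0, cve) && /^- Resolves:/ {
      n = split(hdr, parts, " - ")   # version-release follows the last " - "
      found = parts[n]
    }
    END { if (found != "") print found; else exit 1 }
  '
}

# Wrapper for a live system: use the installed package if present, else dnf.
# Usage: pkg_cve_fix_version httpd CVE-2021-40438
pkg_cve_fix_version() {
  if rpm -q "$1" >/dev/null 2>&1; then
    rpm -q --changelog "$1" | cve_fix_version "$2"
  else
    # assumption: dnf changelog output uses the same "* ... - <evr>" headers
    dnf changelog "$1" | cve_fix_version "$2"
  fi
}

# Constructed sample changelog (dates and maintainer are placeholders; the
# Related/Resolves text is the truncated grep output shown in the thread).
CHANGELOG_SAMPLE='* Thu Oct 14 2021 Maintainer <maint@example.invalid> - 2.4.37-43.module+el8.5.0+727+743c5577.1
- Related: #2007236 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via

* Thu Sep 30 2021 Maintainer <maint@example.invalid> - 2.4.37-39.module+el8.4.0+12865+a7065a39.1
- Resolves: #2007236 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via

* Wed Mar 17 2021 Maintainer <maint@example.invalid> - 2.4.37-39.module+el8.4.0+12865+a7065a39
- unrelated earlier change'

# Demo run over the constructed sample: prints the version that first resolved the CVE.
printf '%s\n' "$CHANGELOG_SAMPLE" | cve_fix_version CVE-2021-40438
```

The printed version-release is the one to compare against what is installed (rpm -q httpd); rpmdev-vercmp from rpmdevtools does a proper RPM version comparison if the strings are not obviously ordered. On a real host, pkg_cve_fix_version httpd CVE-2021-40438 runs the same parser over the live changelog.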
Thanks Ian! I wasn’t aware of this method, but I will definitely be using it going forward.