How can I update httpd to 2.4.62

Current OS version: Rocky Linux 9

Current Apache version: Apache/2.4.57 (Rocky Linux)

Version you want to install: httpd-2.4.62

I am trying to update the current version of Apache to httpd-2.4.62.

If I use Dandified Yum (dnf), 2.4.62 does not come up. Can you tell me how to update using dnf?

What does 2.4.62 give that 2.4.57 (the default) does not provide?

We do not provide an updated httpd in any repository we provide.

Is there a specific reason you need to upgrade that version?


Thank you for the reply.

I have been advised to take action against an Apache security vulnerability.

CVE-2024-27316
CVE-2024-24795
CVE-2023-38709

CVE-2024-27316 is addressed in mod_http2, not httpd. It has been patched in 8 and 9. There is no need to upgrade for this.

CVE-2024-24795 is a low impact CVE. The mitigation is to disable any of the following modules: mod_authnz_fcgi, mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi and mod_proxy_uwsgi. See: 2273499 – (CVE-2024-24795) CVE-2024-24795 httpd: HTTP Response Splitting in multiple modules

CVE-2023-38709 is not patched for 9, but it is for 8. See: https://bugzilla.redhat.com/show_bug.cgi?id=2273491


The solution is thus to update mod_http2 (if you do use it) and use the mitigations mentioned in the RHSAs (if necessary) until Red Hat (and then Rocky) releases fixes for the other two CVEs.

The Apache in Rocky 9 is not “Apache/2.4.57”; it is the EL9 version, originally forked from Apache/2.4.57.
See Security Backporting Practice - Red Hat Customer Portal and What is backporting and how does it affect Red Hat Enterprise Linux? - Red Hat Customer Portal


nazunalika,

Hello,
Thank you for the clarification, and I’d like to take this opportunity to ask for some help if possible. I’m facing a similar situation after a black box cyber assessment. The following CVEs were reported. If you have any suggestions, I would greatly appreciate it.

CVE-2024-36387
CVE-2024-38472
CVE-2024-38473
CVE-2024-38474
CVE-2024-38475
CVE-2024-38476
CVE-2024-38477
CVE-2024-39573

@suraydan you can use dnf commands, grepping the changelog for the CVEs:

root@rocky9:~# dnf changelog httpd | egrep "36387|38472|38473|39474|38475|38476|38477|39573"
  response headers are malicious or exploitable (CVE-2024-38476)
  mod_proxy (CVE-2024-38473)
  mod_proxy (CVE-2024-38477)
- Resolves: RHEL-45749 - httpd: Potential SSRF in mod_rewrite (CVE-2024-39573)
  mod_rewrite (CVE-2024-38475)

As an example, just picking parts of the CVEs you listed above, you can see that it shows some of them have been fixed. Otherwise, you can simply google the CVE number and RHEL9 and see what RHEL has done in relation to fixing it, or whether RHEL has checked and found no problem for that particular CVE.

In fact, even googling CVE-2024-38474 was enough to find this RHEL article which answers your question: https://access.redhat.com/solutions/7078219, which I’m guessing you didn’t do, since you asked here.


Thank you again for your quick response and help. I will follow your guidance. Great work, and congratulations on the help you’ve been providing on the forum.

Thanks for contributing.


Hi,

Are these two CVEs of mod_http2 in RHSA-2024:2368 fixed in mod_http2.x86_64 2.0.26-2.el9_4?

CVE-2023-45802
CVE-2023-43622

I couldn’t find them in any changelog of mod_http2 rpms.

Thanks!

Easy enough to find using google: 2243877 – (CVE-2023-45802) CVE-2023-45802 mod_http2: reset requests exhaust memory (incomplete fix of CVE-2023-44487)
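The thread's recurring question (the backporting note, the `dnf changelog httpd | egrep ...` answer, and the mod_http2 question just above) is always the same check: because EL packages keep the upstream version string and carry fixes as backports, the only local evidence of a fix is the package changelog. The helper below is an added example, not code from the thread or from Rocky/Red Hat: a POSIX-sh function that checks each CVE ID separately against a changelog, so a mistyped ID produces an explicit "not-in-changelog" line instead of silently dropping out of one long egrep, plus a wrapper that reads the installed package's changelog with `rpm -q --changelog` (no dnf changelog plugin needed). The changelog excerpt in it is constructed for an offline run; the entries mirror the egrep hits shown above, and the packager line and version are made up.

```shell
#!/bin/sh
# Added example (not from the thread, not Rocky/Red Hat tooling).
# Assumption: the changelog names fixed CVEs as "(CVE-YYYY-NNNNN)", as the
# Red Hat httpd and mod_http2 changelogs quoted in this thread do.

# cves_in_changelog CHANGELOG_TEXT CVE...
# Prints "<cve> fixed" or "<cve> not-in-changelog" for each ID.
# Returns 0 if every ID was found, 1 otherwise.
cves_in_changelog() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        # -F: literal match; -w: whole word, so "CVE-2024-3847" does not
        # count as a hit on "CVE-2024-38475".
        if printf '%s\n' "$changelog" | grep -Fqw -- "$cve"; then
            printf '%s fixed\n' "$cve"
        else
            printf '%s not-in-changelog\n' "$cve"
            missing=1
        fi
    done
    return "$missing"
}

# check_installed PKG CVE...
# Same check against the changelog of the installed RPM.
# Returns 2 if the package is not installed.
check_installed() {
    pkg=$1
    shift
    log=$(rpm -q --changelog "$pkg") || return 2
    cves_in_changelog "$log" "$@"
}

# Constructed changelog excerpt for an offline run. The CVE entries follow the
# egrep output quoted in the thread; the header line is invented.
SAMPLE_CHANGELOG='* Mon Jul 01 2024 Example Packager <packager@example.com> - 2.4.57-8.el9_4.1
- Resolves: RHEL-45749 - httpd: Potential SSRF in mod_rewrite (CVE-2024-39573)
- Resolves: httpd: fix in mod_rewrite (CVE-2024-38475)
- Resolves: httpd: fix in mod_proxy (CVE-2024-38473)
- Resolves: httpd: fix in mod_proxy (CVE-2024-38477)
- Resolves: httpd: fix where response headers are malicious or exploitable (CVE-2024-38476)'

# Offline demonstration: CVE-2024-38475 is listed, CVE-2024-38474 is not.
cves_in_changelog "$SAMPLE_CHANGELOG" CVE-2024-38475 CVE-2024-38474 \
    || echo "at least one CVE is not named in this changelog; check the vendor's CVE page before assuming exposure"

# On a real Rocky 9 host (not run here):
#   check_installed httpd     CVE-2024-38474 CVE-2024-38475 CVE-2024-39573
#   check_installed mod_http2 CVE-2023-45802 CVE-2023-43622
```

A "not-in-changelog" result is a prompt to look further, not proof of exposure: as the answers above point out, Red Hat may have rated the package not affected, or the fix may live in a different package (mod_http2 rather than httpd), and the vendor's CVE page or Bugzilla entry is where that is recorded.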