How can I update httpd to 2.4.62

Current OS version: Rocky Linux 9

Current Apache version: Apache/2.4.57 (Rocky Linux)

Version you want to install: httpd-2.4.62

I am trying to update the current version of Apache to httpd-2.4.62.

If I use Dandified Yum, 2.4.62 does not come out. Can you tell me how to update using dnf?

What does 2.4.62 give that 2.4.57 (the default) not provide?

We do not provide an updated httpd in any repository we provide.

Is there a specific reason you need to upgrade that version?


Thank you for the reply.

I have been advised to take action against an Apache security vulnerability.

CVE-2024-27316
CVE-2024-24795
CVE-2023-38709

CVE-2024-27316 is addressed in mod_http2, not httpd. It has been patched in 8 and 9. There is no need to upgrade for this.

CVE-2024-24795 is a low impact CVE. The mitigation is to disable any of the following modules: mod_authnz_fcgi, mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi and mod_proxy_uwsgi. See: 2273499 – (CVE-2024-24795) CVE-2024-24795 httpd: HTTP Response Splitting in multiple modules

CVE-2023-38709 is not patched for 9, but it is for 8. See: https://bugzilla.redhat.com/show_bug.cgi?id=2273491


The solution is thus to update the mod_http2 – if you do use it – and use the mitigations mentioned in the RHSAs (if necessary) until Red Hat (and then Rocky) releases fixes for the other two CVEs.

The Apache in Rocky 9 is not “Apache/2.4.57”; it is the EL9 version originally forked from Apache/2.4.57.
See Security Backporting Practice - Red Hat Customer Portal and What is backporting and how does it affect Red Hat Enterprise Linux? - Red Hat Customer Portal


nazunalika,

Hello,
Thank you for the clarification, and I’d like to take this opportunity to ask for some help if possible. I’m facing a similar situation after a black box cyber assessment. The following CVEs were reported. If you have any suggestions, I would greatly appreciate it.

CVE-2024-36387
CVE-2024-38472
CVE-2024-38473
CVE-2024-38474
CVE-2024-38475
CVE-2024-38476
CVE-2024-38477
CVE-2024-39573

@suraydan you can use dnf commands, grepping the changelog for the CVEs:

root@rocky9:~# dnf changelog httpd | grep -E "36387|38472|38473|38474|38475|38476|38477|39573"
  response headers are malicious or exploitable (CVE-2024-38476)
  mod_proxy (CVE-2024-38473)
  mod_proxy (CVE-2024-38477)
- Resolves: RHEL-45749 - httpd: Potential SSRF in mod_rewrite (CVE-2024-39573)
  mod_rewrite (CVE-2024-38475)

As an example, just picking parts of the CVEs you listed above, you can see that some of them have been fixed. Otherwise, you can simply google the CVE number and RHEL9 and see what RHEL has done in relation to fixing it, or whether RHEL has checked and found no problem for that particular CVE.

In fact, even googling CVE-2024-38474 was enough to find this RHEL article, which answers your question: https://access.redhat.com/solutions/7078219 – which I’m guessing you didn’t do, since you asked here.


Thank you again for your quick response and help. I will follow your guidance. Great work, and congratulations on the help you’ve been providing on the forum.

Thanks for contributing.


Hi,

Are these two CVEs of mod_http2 in RHSA-2024:2368 fixed in mod_http2.x86_64 2.0.26-2.el9_4?

CVE-2023-45802
CVE-2023-43622

I couldn’t find them in any changelog of mod_http2 rpms.

Thanks!

Easy enough to find using google: 2243877 – (CVE-2023-45802) CVE-2023-45802 mod_http2: reset requests exhaust memory (incomplete fix of CVE-2023-44487)

Sorry about the confusion. I didn’t clarify my question. My question is whether the mod_http2 package in Rocky Linux 9.4 – “2.0.26-2.el9_4 (latest package)” – has backported fixes for these two CVEs, CVE-2023-45802 and CVE-2023-43622. I have this question because when I ran the following command under Rocky Linux 9.4, I couldn’t find fixes for these two CVEs. Following is the command I ran and the result I got:

rpm -q --changelog mod_http2

* Fri Apr 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-2
- Resolves: RHEL-31855 - mod_http2: httpd: CONTINUATION frames
  DoS (CVE-2024-27316)

* Thu Jan 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-1
- Resolves: RHEL-14691 - mod_http2 rebase to 2.0.26

* Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.19-5
- Resolves: #2177753 - CVE-2023-25690 httpd: HTTP request splitting with
  mod_rewrite and mod_proxy

* Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 1.15.19-4
- Resolves: #2143176 - Dependency from mod_http2 on httpd broken

Thanks for your help!
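The two checks above (grepping `dnf changelog` output for a list of CVE ids, and reading `rpm -q --changelog mod_http2`) can be turned into a small POSIX shell helper. This is an added example, not code from the thread or from Rocky/Red Hat. It runs offline against a constructed changelog modelled on the mod_http2 entries quoted above (maintainer name and address are placeholders); on a real host you would feed it `rpm -q --changelog <package>` instead. The function names (`cve_status`, `cve_report`, `count_missing`) are this example's own.

```shell
#!/bin/sh
# Added example: report which CVE ids from a list appear in an RPM changelog.
# A "missing" result only means the changelog does not mention the id; as the
# thread shows, a backported fix may be documented in the RHSA errata instead.

# Constructed sample changelog (sample data, not from a live system), shaped
# like the mod_http2 entries quoted in the thread. Maintainer is a placeholder.
SAMPLE_CHANGELOG='* Fri Apr 05 2024 Example Maintainer <maint@example.com> - 2.0.26-2
- Resolves: RHEL-31855 - mod_http2: httpd: CONTINUATION frames
  DoS (CVE-2024-27316)

* Thu Jan 18 2024 Example Maintainer <maint@example.com> - 2.0.26-1
- Resolves: RHEL-14691 - mod_http2 rebase to 2.0.26

* Wed Aug 16 2023 Example Maintainer <maint@example.com> - 1.15.19-5
- Resolves: #2177753 - CVE-2023-25690 httpd: HTTP request splitting with
  mod_rewrite and mod_proxy'

# cve_status CHANGELOG_TEXT CVE_ID -> prints "found" or "missing"
# Fixed-string, case-insensitive match so "cve-2024-27316" also counts.
cve_status() {
    if printf '%s\n' "$1" | grep -qiF -- "$2"; then
        echo found
    else
        echo missing
    fi
}

# cve_report CHANGELOG_TEXT CVE_ID... -> one "CVE-ID status" line per id
cve_report() {
    changelog=$1
    shift
    for cve in "$@"; do
        printf '%s %s\n' "$cve" "$(cve_status "$changelog" "$cve")"
    done
}

# count_missing CHANGELOG_TEXT CVE_ID... -> number of ids not mentioned
# "|| true" keeps grep's exit status 1 (count of zero) from aborting callers.
count_missing() {
    cve_report "$@" | grep -c ' missing$' || true
}

# Offline demonstration on the constructed sample. On a live Rocky/RHEL host:
#   cve_report "$(rpm -q --changelog mod_http2)" CVE-2023-45802 CVE-2023-43622
cve_report "$SAMPLE_CHANGELOG" CVE-2024-27316 CVE-2023-45802 CVE-2023-43622
echo "missing: $(count_missing "$SAMPLE_CHANGELOG" CVE-2024-27316 CVE-2023-45802 CVE-2023-43622)"
```

Treat a "missing" line as a prompt to check the advisory (the RHSA page, or the Bugzilla entry for the CVE) rather than as proof the fix is absent: the changelog in the thread omits CVE-2023-45802 and CVE-2023-43622 even though RHSA-2024:2368 states they are fixed in 2.0.26-2.el9_4.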

Hi All,

I found this:

Looks like it imports mod_http2-2.0.26-1.el9 from Red Hat. Thus the latest mod_http2-2.0.26-2.el9 should have already fixed CVE-2023-45802 and CVE-2023-43622 in https://issues.redhat.com/browse/RHEL-14691

Am I correct?
Thanks,
-Eric

As from the link I already posted, if you had actually opened that link and seen that it mentions it fixes it for RHEL9, you would have found this link: https://access.redhat.com/errata/RHSA-2024:2368

Which says it’s fixed in the version you mentioned above for the CVEs that you mentioned – I guess they just didn’t include the errata message to say it, else it would have appeared in the changelog. If you had read that link you would have seen that the problem has been addressed.

Remember google is your friend, use it before posting - we are not here to google for you.
