The latest httpd rpm version in Rocky 8 is vulnerable and fix not available

Rocky Linux Tech Help
1

Hi Team,
There are many CVEs for which RHEL 8 already released the fixed version and it seems like ROcky 8 is still using the older version released on 21st August.
Examples :
https://access.redhat.com/security/cve/CVE-2024-38473
https://access.redhat.com/security/cve/CVE-2024-39573
and few more. So when we can expect to see the latest httpd version from RHEL 8 in Rocky Linux 8.

2

Already fixed:

[root@rocky8 ~]# dnf changelog httpd | egrep "38473|39573"
  mod_proxy (CVE-2024-38473)
  in mod_rewrite (CVE-2024-39573)

your scanner is wrong. Either that or you didn’t update your system, so try:

dnf update
3

I don’t follow your question. The CVEs you mention were fixed in July. There is no delta between the RHEL httpd packages and the Rocky httpd packages. The CVEs you mention are explicitly mentioned in the Changelog of the httpd package as fixed in 2.4.37-65.1.

In short, these have been fixed since August, when they were released.

1 Like
4

Thanks @iwalker , can you please share the what version of httpd you are running from where you have shared this result?
Also there are not information for these CVEs in the Rocky Errata

image
image1905Ă—312 35.4 KB

I am running ROcky 8.10 and the httpd version is httpd-2.4.37-65.module+el8.10.0+1842+4a9649e8.2.x86_64 but unfortunately I am not seeing similar results as you in the change logs.

5

@AdityaN17 Follow @iwalker advice and do:

dnf upgrade

Or if you just want the update for httpd (not adviseable-a full upgrade is always preferrable):

dnf update httpd

Also, check that your affected CVE’s are not already patched as @iwalker also advised.

1 Like
6

Hi @sspencerwire ,
I am running Rocky 8.10 and the httpd version is httpd-2.4.37-65.module+el8.10.0+1842+4a9649e8.2.x86_64 but unfortunately, I am not seeing similar results as you in the change logs.

7

Not possible, if you use the command I showed in my previous post using dnf, you would see it. The Rocky errata site doesn’t have up-to-date information at present, the team has other priorities right now. But the command I used works as I showed in my example, so it’s literally impossible that it doesn’t work for you especially when I have the same package as you installed…

8

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.