Upgrade Apache (httpd) to most recent version on Rocky 8.8

We are currently on Rocky 8.8 and Apache 2.4.37. Are there any plans to make the most recent versions of Apache available on Rocky 8.8?

A pen test is reporting some vulnerabilities which appear to be fixed in Apache 2.4.38. Is an upgrade path available, or a schedule for backporting?

Rocky is 1:1 with RHEL, so it has the same package versions as RHEL. If RHEL releases 2.4.38 for EL8, then it will be. If not, then it will not be. Please also remember that RHEL backports fixes, so fixes potentially from 2.4.38 can be backported into 2.4.37.

This is why security scanners that go by version number alone are incorrect if they do not take into account the fact that backporting fixes occur.

This post gives you commands you can use to see if CVEs were applied to the package or not: Errata missing a specific httpd security advisory - #2 by iwalker

Better would be to search Red Hat Bugzilla for the CVEs that your security scan came up with to see if they are being addressed, in which case future patches are likely, if the commands in the linked post do not show them as already resolved.

For example: https://bugzilla.redhat.com/buglist.cgi?quicksearch=cve%20httpd This does show a mod_rewrite regression for EL8 when doing a search for “cve httpd”.

1 Like

Adding on to this, a handy way I like to check my installed packages against particular CVE entries is via the RPM changelog. You can view the changelog for httpd (Apache) with the following commands:

# Browse changelog with less:
rpm -q --changelog httpd | less

# You can also grab all "CVE" entries from the changelog, or dig for a particular CVE:
rpm -q --changelog httpd | grep 'CVE'
rpm -q --changelog httpd | grep 'CVE-2023-25690'


This works for every package installed on your system, not just Apache. As @iwalker said, a big part of the RHEL/Rocky/Enterprise Linux world is keeping software on older versions, but with backports of “little fixes” brought in from a newer version. This allows compatibility to be maintained for much longer while still benefiting from security fixes found in newer versions.

2 Likes
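The manual grep above works, but when a scanner hands you a list of CVEs it is easier to check them all in one pass and get a clear fixed / not-found verdict per id. The script below is an added example, not code from the thread or from Rocky/RHEL: check_cves reads changelog text on stdin so it can be exercised against a constructed sample changelog (modelled on the lines quoted later in this thread), while get_changelog is the thin wrapper around the real rpm query. The -w flag matters: without it, a search for CVE-2018-1718 would also match CVE-2018-17189. As the thread notes for mod_http2, a CVE that is absent from the httpd changelog may live in a different package, so run the same check against that package too (get_changelog mod_http2 | check_cves ...).

```shell
#!/bin/sh
# Added example: check a list of CVE ids against an RPM changelog.
# Not part of the original thread; package names and the sample
# changelog below are assumptions/constructed data.

# get_changelog PKG: real query (needs rpm; not used by the sample run)
get_changelog() {
    rpm -q --changelog "$1"
}

# check_cves CVE...: changelog text on stdin, one verdict line per CVE.
# Returns 1 if any CVE was not found, so it can gate a script.
check_cves() {
    changelog=$(cat)
    missing=0
    for cve in "$@"; do
        # -F: literal match, -w: whole-word so CVE-2018-1718 does not
        # match CVE-2018-17189, -m1: first matching changelog line only
        line=$(printf '%s\n' "$changelog" | grep -F -w -m1 -- "$cve")
        if [ -n "$line" ]; then
            printf '%s fixed: %s\n' "$cve" "$line"
        else
            printf '%s NOT FOUND in changelog\n' "$cve"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample changelog (packager name and release are made up;
# the two CVE lines mirror what the thread quotes from the real package).
SAMPLE_CHANGELOG='* Wed May 17 2023 Example Packager <pkg@example.invalid> - 2.4.37-56
- Resolves: #1677590 - CVE-2018-17199 httpd:2.4/httpd: mod_session_cookie does
  not respect expiry time
- add security fix for CVE-2019-0190 (#1671282)
'

# Sample run against the constructed changelog; on a real host use:
#   get_changelog httpd | check_cves CVE-2018-17189 CVE-2018-17199 CVE-2019-0190
demo() {
    printf '%s' "$SAMPLE_CHANGELOG" | check_cves CVE-2018-17189 CVE-2018-17199 CVE-2019-0190
}
```

On the sample data demo reports CVE-2018-17189 as not found and the other two as fixed, and exits 1, which is the point: a non-zero exit means "go look in Bugzilla or another package", not "vulnerable".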

@iwalker @skip77 Thank you both for your feedback. Red Hat Bugzilla is showing all 3 vulnerabilities are fixed in httpd 2.4.38.

CVE-2018-17189
CVE-2018-17199
CVE-2019-0190

The changelog on the Rocky 8.8 server appears to show a couple are fixed:

[root@myserver ~]# rpm  -q  --changelog httpd  |   grep  'CVE-2018-17189'
[root@myserver ~]# rpm  -q  --changelog httpd  |   grep  'CVE-2018-17199'
- Resolves: #1677590 - CVE-2018-17199 httpd:2.4/httpd: mod_session_cookie does
[root@myserver ~]# rpm  -q  --changelog httpd  |   grep  'CVE-2019-0190'
- add security fix for CVE-2019-0190 (#1671282)

Can I safely say those two fixes are in if I’m seeing the following:

[root@myserver  ~]# dnf update httpd
Last metadata expiration check: 3:01:46 ago on Wed 19 Jul 2023 10:12:42 BST.
Dependencies resolved.
Nothing to do.
Complete!
[root@myserver ~]# httpd -v
Server version: Apache/2.4.37 (rocky)
Server built:   May 17 2023 16:27:49
1 Like

If they show in the changelog, then yes that means those issues are fixed.

It looks like CVE-2018-17189 affects mod_http2, which was broken out into its own source package in Rocky/RHEL 8: SPECS/mod_http2.spec · r8-stream-2.4 · staging / rpms / mod_http2 · GitLab. It’s been fixed.

Also, with issues like the example above where the CVE or weakness is in a module, if you don't need the module, disable it.
I have disabled all the unnecessary modules on my Apache installation; it just reduces the attack surface of potential vulnerabilities.
To find what modules are loaded it's httpd -M, and not apache{2}ctl -M as so many forum examples suggest; RHEL changed this a while back.
Regards, Peter

1 Like