Apache HTTP Server Prior to 2.4.12 Multiple Vulnerabilities
How to patch Apache 2.4.6 to latest release on RHEL 7.4?



Thanks

Satish

IBM Bangalore

Re: Apache HTTP Server Prior to 2.4.12 Multiple Vulnerabilities
> Date: Tuesday, June 18, 2019 05:38:50 +0000
> From: Satish Chhatpar 02 <ChhatpS02@cpwplc.com>
>
> How to patch Apache 2.4.6 to latest release on RHEL 7.4?
>

RedHat backports patches to the base version, keeping the version
number stable within an OS release. I.e., RH-7 will maintain the
2.4.6 httpd version number. You need to look at the number after that
(currently 2.4.6-89) to see the incremental change numbering. You can
look up the CVEs against RH's change log and/or update announcements
for a package to see that an issue has been addressed. From what I
have seen, RH tends to have updated httpd packages out very quickly
following a vulnerability announcement.

By the way, RH-7 is currently at .6, which came out late last year. A
.4 system is missing about 18 months of updates.
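
An added example, not part of the original thread: the changelog lookup described in the reply above, as a script that finds the package release in which a CVE was fixed and compares it with the installed release. The changelog text, CVE ids and function names are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample in the layout `rpm -q --changelog httpd` prints (newest
# entry first). CVE ids, packager and dates are placeholders, not real data.
sample_changelog() {
cat <<'EOF'
* Tue Apr 02 2019 Example Packager <pkg@example.com> - 2.4.6-89
- fix placeholder issue three (CVE-0000-0003)

* Mon Jun 11 2018 Example Packager <pkg@example.com> - 2.4.6-80
- fix placeholder issue two (CVE-0000-0002)
- unrelated bug fix

* Wed Mar 15 2017 Example Packager <pkg@example.com> - 2.4.6-45
- fix placeholder issue one (CVE-0000-0001)
EOF
}

# cve_fixed_in CVE-ID: read a changelog on stdin, print the version-release
# of the oldest entry naming that CVE; exit 1 if it is never mentioned.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* / { vr = $NF }   # entry header ends with version-release
        {
            p = index($0, cve)
            # reject a longer id that merely starts with the one asked for
            if (p && substr($0, p + length(cve), 1) !~ /[0-9]/) found = vr
        }
        END { if (found == "") exit 1; print found }
    '
}

# is_patched INSTALLED FIXED: succeed when INSTALLED is at or above FIXED.
# sort -V only approximates rpm's own version comparison (assumption).
is_patched() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check CVE-ID INSTALLED: 0 = fix present, 1 = fix missing, 2 = CVE not listed.
check() {
    fixed=$(sample_changelog | cve_fixed_in "$1") ||
        { echo "$1: not in changelog"; return 2; }
    if is_patched "$2" "$fixed"; then
        echo "$1: fixed in $fixed, installed $2 includes it"
    else
        echo "$1: fixed in $fixed, installed $2 predates it"; return 1
    fi
}

check CVE-0000-0001 2.4.6-89   # on a host: rpm -q --changelog httpd | cve_fixed_in <CVE>
```

On a real system the installed value comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd`, and a scanner finding keyed only to the upstream 2.4.6 version string can be closed out when the check returns 0.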



Re: Apache HTTP Server Prior to 2.4.12 Multiple Vulnerabilities
On Tue, Jun 18, 2019 at 6:41 AM Richard <lists-apache@listmail.innovate.net>
wrote:

>
> > Date: Tuesday, June 18, 2019 05:38:50 +0000
> > From: Satish Chhatpar 02 <ChhatpS02@cpwplc.com>
> >
> > How to patch Apache 2.4.6 to latest release on RHEL 7.4?
> >
>
> RedHat backports patches to the base version, keeping the version
> number stable within an OS release. I.e., RH-7 will maintain the
> 2.4.6 httpd version number. You need to look at the number after that
> (currently 2.4.6-89) to see the incremental change numbering. You can
> look up the CVEs against RH's change log and/or update announcements
> for a package to see that an issue has been addressed. From what I
> have seen, RH tends to have updated httpd packages out very quickly
> following a vulnerability announcement.
>
> By the way, RH-7 is currently at .6, which came out late last year. A
> .4 system is missing about 18 months of updates.
>

Alternately, look at the RHSCL repos for httpd24, which offers a far more
modern version of httpd, of other server and proxy software, and commonly
used web content authoring languages;

https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.3_release_notes/sect-RHSCL-Features#tabl-RHSCL-Components